
shibboleth-dev - Re: problems with transientId

Subject: Shibboleth Developers

  • From: Chad La Joie <>
  • To:
  • Subject: Re: problems with transientId
  • Date: Mon, 03 Dec 2007 11:24:08 -0800
  • Organization: SWITCH

In the log message, prior to the error, the IdP will tell which name formats it's going to attempt to use. Is transient listed?

The log message about it not encoding it as an attribute because there is no SAML attribute encoder attached is fine. You probably don't want it in the attribute statement anyways.


wrote:
I'm using the 2.0 SP and 2.0 IdP....

the SP sends this AuthnRequest:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceIndex="1"
    Destination="https://stc-test11.cis.brown.edu/idp/profile/saml2/Redirect/SSO"
    ID="_27602a12eb4b52a607963a0b5008bf91"
    IssueInstant="2007-12-03T18:13:39Z"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://stc-test11.cis.brown.edu/Shibboleth.sso/Metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

and I get this error:

Attribute transientId was not encoded because no SAML2AttributeEncoder was attached to it
No principal attribute supported encoding into a supported name ID format.

I have this definition in my resolver file:

<!-- Name Identifier related attributes -->
<resolver:AttributeDefinition id="transientId" xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />

<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>

and this in my filter file (this comes in the distributed file):

<!-- Release the transient ID to anyone -->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
<PolicyRequirementRule xsi:type="basic:ANY" />

<AttributeRule attributeID="transientId">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>

</AttributeFilterPolicy>

suggestions?

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
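
Added example, not part of the original messages and not Shibboleth code: a Python check that lists the name identifier encoders in the quoted resolver definition and compares them with the name formats the IdP logs before the error. The wrapper root element, the trimmed AuthnRequest, and the function names are assumptions made for this illustration; the list of logged formats is supplied by the reader from their own log.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RESOLVER = "{urn:mace:shibboleth:2.0:resolver}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# The transientId definition from the thread, inside a constructed root element
# (the root and its namespace declarations are assumptions, added so it parses).
RESOLVER_XML = """
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="transientId" xsi:type="TransientId"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""

# The NameIDPolicy part of the AuthnRequest from the thread (other content trimmed).
AUTHN_REQUEST_XML = """
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_27602a12eb4b52a607963a0b5008bf91" Version="2.0">
  <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>
"""

def name_id_encoders(resolver_xml):
    """Return {attribute id: {encoder xsi:type: nameFormat}} for name identifier encoders."""
    found = {}
    for definition in ET.fromstring(resolver_xml).iter(RESOLVER + "AttributeDefinition"):
        for enc in definition.iter(RESOLVER + "AttributeEncoder"):
            enc_type = enc.get(XSI_TYPE, "").split(":")[-1]
            if "NameID" in enc_type or "NameIdentifier" in enc_type:
                found.setdefault(definition.get("id"), {})[enc_type] = enc.get("nameFormat")
    return found

def requested_format(authn_request_xml):
    """Return the Format the SP put on NameIDPolicy, or None if it named none."""
    policy = ET.fromstring(authn_request_xml).find(SAMLP + "NameIDPolicy")
    return None if policy is None else policy.get("Format")

def saml2_candidates(encoders, logged_formats):
    """Attribute ids whose SAML 2 name ID encoder emits one of the logged formats."""
    return sorted(attr for attr, encs in encoders.items()
                  for enc_type, fmt in encs.items()
                  if enc_type.startswith("SAML2") and fmt in logged_formats)
```

The request in the thread carries no Format on NameIDPolicy, so the formats to pass as `logged_formats` are the ones the IdP log lists; an empty result from `saml2_candidates` corresponds to the "No principal attribute supported encoding" error.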


