shibboleth-dev - Re: problems with transientId
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: problems with transientId
- Date: Mon, 03 Dec 2007 13:34:37 -0800
- Organization: SWITCH
Okay, check your IdP metadata. Does it say it only supports the shib handle? I suspect so.
But yeah, given that the IdP is only seeing the shib format as an option then you are getting the expected behavior; it can't encode because there isn't a SAML 2 encoder for the shib format (and their normally shouldn't be).
So, the real issue is the list of supported name formats. As I mentioned before the IdP will look at it's own metadata, if it's available, and use that in conjunction with the SP metadata. So if the SP says it supports the shib and saml 2 transient formats and the IdP metadata says the IdP only supports the shib format then the intersected list if only the shib format. I suspect that's the issue.
wrote:
ok, more info:
1) I've attached the tail portion of my idp-process log.
2) from my metadata, here's the name formats that the SP will accept:
<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
3) from my resolver file, here's my definition of transientid
<!-- Name Identifier related attributes -->
<resolver:AttributeDefinition id="transientId" xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>
here's my novice read of the log file...
the IdP chose to use this name format:
Supported NameID formats: [urn:mace:shibboleth:1.0:nameIdentifier]
but then concluded:
No principal attribute supported encoding into a supported name ID format.
count me confused.....
suggestions?
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
- problems with transientId, Steven_Carmody, 12/03/2007
- Re: problems with transientId, Chad La Joie, 12/03/2007
- Re: problems with transientId, Steven_Carmody, 12/03/2007
- Re: problems with transientId, Chad La Joie, 12/03/2007
- Re: problems with transientId, Steven_Carmody, 12/03/2007
- Re: problems with transientId, Chad La Joie, 12/03/2007
- Re: problems with transientId, Steven_Carmody, 12/03/2007
- Re: problems with transientId, Chad La Joie, 12/03/2007
Archive powered by MHonArc 2.6.16.