
shibboleth-dev - RE: SAML attribute query exception


RE: SAML attribute query exception

  • From: "Yifan (Eric) Jiang" <>
  • To: <>
  • Subject: RE: SAML attribute query exception
  • Date: Tue, 4 Dec 2007 11:53:03 +1300

Hi Chad,

Thank you for the information.

According to the "Expressing Support in Metadata" section in the
article, the value of <NameIDFormat> in metadata should match the
nameIDFormat attribute of <PrincipalConnector> element.

For example, the nameIDFormat in attribute-resolver.xml contains
"urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified". Does that mean I
have to add another <NameIDFormat> element with the value
"urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"? Am I correct?

Thanks

Eric

-----Original Message-----
From: Chad La Joie
[mailto:]

Sent: Tuesday, 4 December 2007 2:36 a.m.
To:

Subject: Re: SAML attribute query exception

Nate's right. You can find documentation for this here:

https://spaces.internet2.edu/display/SHIB2/IdPNameIdentifier

Nate Klingenstein wrote:
> Eric,
>
> Assuming you are indeed being asked to authenticate and that's not
> misconfigured, this time you need an appropriate principal connector
> defined, and appropriate release for it configured. In particular, in
> attribute-resolver.xml, you need something like:
>
> <resolver:PrincipalConnector xsi:type="Direct"
>     xmlns="urn:mace:shibboleth:2.0:resolver:pc"
>     id="saml1UnspecDirect"
>     nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
>
> <resolver:PrincipalConnector xsi:type="Direct"
>     xmlns="urn:mace:shibboleth:2.0:resolver:pc"
>     id="saml2UnspecDirect"
>     nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
>
> and
>
> <resolver:AttributeDefinition id="principalName"
>     xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
>   <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
>       xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>       nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
>   <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
>       xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>       nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
>   <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
>       xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>       nameFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
> </resolver:AttributeDefinition>
>
> You will also need a release policy in attribute-filter.xml such as:
>
> <AttributeFilterPolicy id="releasePrincipalToAnyone">
>   <PolicyRequirementRule xsi:type="basic:ANY" />
>   <AttributeRule attributeID="principalName">
>     <PermitValueRule xsi:type="basic:ANY" />
>   </AttributeRule>
> </AttributeFilterPolicy>
>
> There is no privacy preserved in those settings, but give them a try to
> see if the provider will function.
> Nate.
>
> On 3 Dec 2007, at 03:47, Yifan (Eric) Jiang wrote:
>
>> 16:40:33.749 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler]
>> Error resolving attributes for SAML request from relying party
>> urn:mace:federation.org.au:bestgrid.org
>> edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException:
>> No principal connector available to resolve a subject name with format
>> urn:mace:shibboleth:1.0:nameIdentifier for relying party
>> urn:mace:federation.org.au:bestgrid.org
>>
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
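As an added example that is not part of this thread and not Shibboleth's own code: a small Python check that does the comparison Eric asks about above. It reads the <NameIDFormat> values an SP advertises in its metadata and the nameIDFormat of every <PrincipalConnector> in the IdP's attribute-resolver.xml, and reports any advertised format the IdP has no connector for, which is the condition behind the "No principal connector available to resolve a subject name with format ..." error in the quoted log. It also reports formats that no NameID encoder can emit. The metadata and resolver fragments are constructed for the example: the entityID, connector ids and encoder entries are taken from the thread, while the SP's NameIDFormat entry and the added connector id "shib1Direct" are assumptions.

```python
"""Cross-check an SP's metadata NameIDFormat entries against an IdP
attribute-resolver.xml. Added example, not Shibboleth project code."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"


def sp_nameid_formats(metadata_xml):
    """NameID formats the SP advertises in <NameIDFormat>, in document order."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat") if e.text]


def principal_connector_formats(resolver_xml):
    """Map nameIDFormat -> connector id for every <resolver:PrincipalConnector>."""
    root = ET.fromstring(resolver_xml)
    return {pc.get("nameIDFormat"): pc.get("id")
            for pc in root.iter(f"{{{RESOLVER_NS}}}PrincipalConnector")}


def nameid_encoder_formats(resolver_xml):
    """Formats some NameID/NameIdentifier encoder can emit. Ordinary attribute
    encoders also carry nameFormat, so select on the xsi:type name."""
    root = ET.fromstring(resolver_xml)
    formats = set()
    for enc in root.iter(f"{{{RESOLVER_NS}}}AttributeEncoder"):
        xsi_type = enc.get(f"{{{XSI_NS}}}type", "")
        if "NameID" in xsi_type or "NameIdentifier" in xsi_type:
            formats.add(enc.get("nameFormat"))
    return formats


def find_gaps(metadata_xml, resolver_xml):
    """Advertised formats the IdP cannot consume (no connector) or emit (no encoder)."""
    wanted = sp_nameid_formats(metadata_xml)
    connectors = principal_connector_formats(resolver_xml)
    encoders = nameid_encoder_formats(resolver_xml)
    return {
        "no_principal_connector": [f for f in wanted if f not in connectors],
        "no_encoder": [f for f in wanted if f not in encoders],
    }


# Constructed SP metadata: entityID from the thread's log, NameIDFormat assumed.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:mace:federation.org.au:bestgrid.org">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed resolver fragment with the connectors and encoders from Nate's
# reply: an encoder emits urn:mace:shibboleth:1.0:nameIdentifier, but no
# PrincipalConnector accepts it, so a query naming that format fails as in the log.
RESOLVER_BEFORE = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="principalName" xsi:type="PrincipalName"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
  </resolver:AttributeDefinition>
  <resolver:PrincipalConnector xsi:type="Direct" id="saml1UnspecDirect"
      xmlns="urn:mace:shibboleth:2.0:resolver:pc"
      nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"/>
  <resolver:PrincipalConnector xsi:type="Direct" id="saml2UnspecDirect"
      xmlns="urn:mace:shibboleth:2.0:resolver:pc"
      nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
</resolver:AttributeResolver>"""

# Same resolver plus a Direct connector for the format the SP asks for.
# The id "shib1Direct" is assumed for this example. Direct exposes the real
# principal name, so it has the same privacy cost Nate notes for his settings.
RESOLVER_AFTER = RESOLVER_BEFORE.replace(
    "</resolver:AttributeResolver>",
    '  <resolver:PrincipalConnector xsi:type="Direct" id="shib1Direct"\n'
    '      xmlns="urn:mace:shibboleth:2.0:resolver:pc"\n'
    '      nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>\n'
    "</resolver:AttributeResolver>")


if __name__ == "__main__":
    for label, resolver in (("before", RESOLVER_BEFORE), ("after", RESOLVER_AFTER)):
        print(label, find_gaps(SP_METADATA, resolver))
```

Against a real deployment, read the SP's <EntityDescriptor> and the IdP's attribute-resolver.xml from disk in place of the constructed strings. The check covers only the resolver side of the problem; the release policy in attribute-filter.xml that Nate's reply also shows still has to permit the principalName attribute, and the script does not inspect it.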


