shibboleth-dev - Re: SAML attribute query exception
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: SAML attribute query exception
- Date: Mon, 03 Dec 2007 14:58:59 -0800
- Organization: SWITCH
Yes, you need to have as many formats listed in metadata as you have configured within the IdP.
Yifan (Eric) Jiang wrote:
Hi Chad,
Thank you for the information.
According to the "Expressing Support in Metadata" section in the
article, the value of <NameIDFormat> in metadata should match the
nameIDFormat attribute of <PrincipalConnector> element.
For example, the nameIDFormat in attribute-resolver.xml contains
"urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified". Does that mean I
have to add another <NameIDFormat> element with value
"urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"? Am I correct?
Thanks
Eric
-----Original Message-----
From: Chad La Joie [mailto:] Sent: Tuesday, 4 December 2007 2:36 a.m.
To:
Subject: Re: SAML attribute query exception
Nate's right. You can find documentation for this here:
https://spaces.internet2.edu/display/SHIB2/IdPNameIdentifier
Nate Klingenstein wrote:
Eric,
Assuming you are indeed being asked to authenticate and that's not misconfigured, this time you need an appropriate principal connector defined, and appropriate release for it configured. In particular, in
attribute-resolver.xml, you need something like:

    <!-- One principal connector per subject NameID format the IdP must accept -->
    <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
        id="saml1UnspecDirect"
        nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />

    <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
        id="saml2UnspecDirect"
        nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />

and

    <!-- Emits the principal name as a NameIdentifier/NameID in each format -->
    <resolver:AttributeDefinition id="principalName" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
    </resolver:AttributeDefinition>
You will also need a release policy in attribute-filter.xml such as:
    <AttributeFilterPolicy id="releasePrincipalToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY" />
        <AttributeRule attributeID="principalName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
There is no privacy preserved in those settings, but give them a try and
see if the provider will function.
Nate.
On 3 Dec 2007, at 03:47, Yifan (Eric) Jiang wrote:
16:40:33.749 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler] Error resolving attributes for SAML request from relying party urn:mace:federation.org.au:bestgrid.org
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: No principal connector available to resolve a subject name with format urn:mace:shibboleth:1.0:nameIdentifier for relying party urn:mace:federation.org.au:bestgrid.org
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
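Added example, not code from the thread or from the Shibboleth project: a small check of the rule Chad states above (every nameIDFormat configured on a PrincipalConnector must also be advertised as a <NameIDFormat> in the IdP's metadata), plus a lookup of the format named in Eric's error log. The attribute-resolver.xml and metadata fragments are constructed for illustration.

```python
# Added example: cross-check PrincipalConnector nameIDFormat values against the
# NameIDFormat elements in the IdP's own SAML metadata, and diagnose a requested
# subject-name format the way the IdP's error path does. Sample XML is constructed.
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed attribute-resolver.xml fragment: two Direct principal connectors.
RESOLVER_XML = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:PrincipalConnector xmlns="urn:mace:shibboleth:2.0:resolver:pc" xsi:type="Direct"
      id="saml1UnspecDirect" nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"/>
  <resolver:PrincipalConnector xmlns="urn:mace:shibboleth:2.0:resolver:pc" xsi:type="Direct"
      id="saml2UnspecDirect" nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
</resolver:AttributeResolver>"""

# Constructed IdP metadata fragment: only the SAML 2.0 format is advertised.
METADATA_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</NameIDFormat>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""

def connector_formats(resolver_xml):
    """Map each PrincipalConnector's nameIDFormat to its id."""
    root = ET.fromstring(resolver_xml)
    return {pc.get("nameIDFormat"): pc.get("id")
            for pc in root.iter(f"{{{RESOLVER_NS}}}PrincipalConnector")}

def metadata_formats(metadata_xml):
    """Set of NameIDFormat values advertised anywhere in the metadata."""
    root = ET.fromstring(metadata_xml)
    return {e.text.strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat") if e.text}

def check(resolver_xml, metadata_xml, requested_format):
    """Report: which connector (if any) handles the requested format, whether the
    metadata advertises it, and which configured formats the metadata omits."""
    connectors = connector_formats(resolver_xml)
    advertised = metadata_formats(metadata_xml)
    return {
        "connector": connectors.get(requested_format),   # None matches the log's error
        "advertised": requested_format in advertised,
        "missing_from_metadata": sorted(set(connectors) - advertised),
    }

if __name__ == "__main__":
    # The format from the error log in the thread; no connector above handles it.
    print(check(RESOLVER_XML, METADATA_XML, "urn:mace:shibboleth:1.0:nameIdentifier"))
```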