Shibboleth Developers

[Chad La Joie <>]

No, that was a bug in the IdP, it's already been fixed.  It occurs when 
your configuration results in request that would not include in a NameID 
(likely because the attribute that would have been encoded in that way 
is filtered out).

On 7/2/10 8:44 AM, Yang Xiang wrote:
> Hi,
>
> I installed the v2.2 snapshot today and got some errors regarding
> REMOTE_USER. The same configuration (of IdP and SP) worked fine with IdP
> v2.1.5. Following are the error messages:
> ----------------------------------
> 14:02:23.471 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:459]
>  - Resolving attributes for principal 'yang' for SAML request from relying 
> party 'http://localhost/test-sp1'
> 14:02:23.472 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:118]
>  - shibboleth.AttributeResolver resolving attributes for principal yang
> 14:02:23.472 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:249]
>  - Specific attributes for principal yang were not requested, resolving all 
> attributes.
> 14:02:23.472 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
>  - Resolving attribute transientId for principal yang
> 14:02:23.473 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
>  - Resolved attribute transientId containing 1 values
> 14:02:23.474 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:136]
>  - shibboleth.AttributeResolver resolved, for principal yang, the attributes: 
> [transientId]
> 14:02:23.474 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:70]
>  - shibboleth.AttributeFilterEngine filtering 1 attributes for principal yang
> 14:02:23.474 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:122]
>  - Evaluating if filter policy releaseTransientIdToAnyone is active for 
> principal yang
> 14:02:23.474 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:131]
>  - Filter policy releaseTransientIdToAnyone is active for principal yang
> 14:02:23.475 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:156]
>  - Processing permit value rule for attribute transientId for principal yang
> 14:02:23.475 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106]
>  - Filtered attributes for principal yang.  The following attributes remain: 
> [transientId]
> 14:02:23.477 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:487]
>  - Creating attribute statement in response to SAML request 
> '_155999400e33f99c476b5b28cac39a52' from relying party 
> 'http://localhost/test-sp1'
> 14:02:23.477 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:225]
>  - Attribute transientId was not encoded because no SAML2AttributeEncoder was 
> attached to it.
> 14:02:23.478 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:127]
>  - No attributes remained after encoding and filtering by value, no attribute 
> statement built
> 14:02:23.482 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:825]
>  - Attemping to build NameID for principal 'yang' in response to request from 
> relying party 'http://localhost/test-sp1
> 14:02:23.482 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:514]
>  - Relying party 'http://localhost/test-sp1' supports the name formats: 
> [urn:mace:shibboleth:1.0:nameIdentifier]
> 14:02:23.482 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:446]
>  - Relying party 'http://localhost/test-sp1' supports the name formats: 
> [urn:mace:shibboleth:1.0:nameIdentifier]
> 14:02:23.482 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:458]
>  - No attributes for principal 'yang' supports encoding into a supported 
> NameIdentifier format for relying party 'http://localhost/test-sp1'
> 14:02:23.487 - ERROR
> [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88]
>  - Error occured while processing request
> java.lang.NullPointerException: null
>         at
> edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildNameId(AbstractSAML2ProfileHandler.java:837)
>  [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
>         at
> edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.buildNameId(SSOProfileHandler.java:584)
>  [shibboleth-identityprovider-2.2.0-SNAPSHOT.jar:na]
>
> ---------------
>
> I just noticed that the error was caused by the method
> edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler.selectNameIDAttributeAndEncoder(Class<T>,
>  BaseSAMLProfileRequestContext) while no encoder could be found.
>
> This is not a config error, isn't it?
>
> Yang

--
Chad La Joie
http://itumi.biz
trusted identities, delivered