Discussion:
No Attributes are released
Farzan Qureshi
2014-08-19 01:11:27 UTC
Permalink
Hi,


I have following in my attribute-resolver.xml:

<!-- Use AD objectGUID for ImmutableID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="objectGUID">
<resolver:Dependency ref="myLDAP" />

<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>


<!-- mail for Windows Azure AD User ID
<resolver:AttributeDefinition id="UserId"
xsi:type="ad:Simple"
sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="IDPEmail"
friendlyName="UserId" />
</resolver:AttributeDefinition>
-->


I am integrating Office365. But when I login I see in idp-process.logs that

12:39:37.563 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:491]
- No attribute of principal 'testuser' can be encoded in to a
NameIdentifier of required format 'urn:oasis:names:tc:SAML:2.0:nameid-for$
12:39:37.600 - INFO [Shibboleth-Audit:1028] -
20140819T003937Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c8cf79d6-b53d-4714-aefd-506feffb11cb|urn:federation:MicrosoftOnline|urn:mace:shibboleth:2.0:profiles:saml2:sso|
https://idp.ro$
12:47:21.649 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.filtering.ShibbolethAttributeFilteringEngineBeanDefinitionParser:54]
- Parsing configuration for attribute filtering engine
shibboleth.AttributeFilterEngine


An ideas?
--
*Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
College | (09) 487 0 530
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin-***@public.gmane.org). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.
Cantor, Scott
2014-08-19 01:19:55 UTC
Permalink
Post by Farzan Qureshi
An ideas?
You're not releasing ImmutableID to that SP?

-- Scott
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Farzan Qureshi
2014-08-19 01:26:59 UTC
Permalink
I am releasing it. The config is in attribute-filter.

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College
Post by Cantor, Scott
Post by Farzan Qureshi
An ideas?
You're not releasing ImmutableID to that SP?
-- Scott
--
To unsubscribe from this list send an email to
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin-***@public.gmane.org). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.
Cantor, Scott
2014-08-19 01:41:04 UTC
Permalink
Post by Farzan Qureshi
I am releasing it. The config is in attribute-filter.
Then it has no values or your filter rule doesn't apply. Take your pick.

-- Scott
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
David Bantz
2014-08-19 02:00:17 UTC
Permalink
the logs at debug should list the attributes resolved, then which attribute filters applied (and which did not) and which attributes were then left after filtering
(telling you whether the attribute had no value to start, or was not in the result set after filtering)

David Bantz
Post by Cantor, Scott
Post by Farzan Qureshi
I am releasing it. The config is in attribute-filter.
Then it has no values or your filter rule doesn't apply. Take your pick.
-- Scott
--
Farzan Qureshi
2014-08-19 02:20:55 UTC
Permalink
Hi David,

Sorry to ask but how I can access debug logs?

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College
Post by David Bantz
the logs at debug should list the attributes resolved, then which
attribute filters applied (and which did not) and which attributes were
then left after filtering
(telling you whether the attribute had no value to start, or was not in
the result set after filtering)
David Bantz
Post by Cantor, Scott
Post by Farzan Qureshi
I am releasing it. The config is in attribute-filter.
Then it has no values or your filter rule doesn't apply. Take your pick.
-- Scott
--
To unsubscribe from this list send an email to
--
To unsubscribe from this list send an email to
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin-***@public.gmane.org). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.
David Bantz
2014-08-19 02:27:34 UTC
Permalink
idp-process.log

cf https://wiki.shibboleth.net/confluence/display/SHIB2/IdPLogging

set the logging level in logging.xml (to DEBUG or other levels)
Post by Farzan Qureshi
Hi David,
Sorry to ask but how I can access debug logs?
Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College
the logs at debug should list the attributes resolved, then which attribute filters applied (and which did not) and which attributes were then left after filtering
(telling you whether the attribute had no value to start, or was not in the result set after filtering)
David Bantz
Post by Cantor, Scott
Post by Farzan Qureshi
I am releasing it. The config is in attribute-filter.
Then it has no values or your filter rule doesn't apply. Take your pick.
-- Scott
--
--
Farzan Qureshi
2014-08-19 02:30:42 UTC
Permalink
Thanks David. I will do it.

Kind regards,

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College
Post by Farzan Qureshi
idp-process.log
cf https://wiki.shibboleth.net/confluence/display/SHIB2/IdPLogging
set the logging level in logging.xml (to DEBUG or other levels)
Hi David,
Sorry to ask but how I can access debug logs?
Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College
Post by David Bantz
the logs at debug should list the attributes resolved, then which
attribute filters applied (and which did not) and which attributes were
then left after filtering
(telling you whether the attribute had no value to start, or was not in
the result set after filtering)
David Bantz
Post by Cantor, Scott
Post by Farzan Qureshi
I am releasing it. The config is in attribute-filter.
Then it has no values or your filter rule doesn't apply. Take your pick.
-- Scott
--
To unsubscribe from this list send an email to
--
To unsubscribe from this list send an email to
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
presented in this email are solely those of the author and do not
necessarily represent those of the company. Finally, the recipient should
check this email and any attachments for the presence of viruses. Rosmini
College accepts no liability for any damage caused by any virus
transmitted by this email.--
To unsubscribe from this list send an email to
--
To unsubscribe from this list send an email to
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin-***@public.gmane.org). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.
Rob Gorrell
2014-08-19 14:27:38 UTC
Permalink
Farzan,

my attribute definitions in attribute-resolver.xml look identical to what
you posted, but did you also include that objectGUID is a binary attribute
in your myLDAP DataConnecter?
<LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>

-Rob
Post by Farzan Qureshi
Hi,
<!-- Use AD objectGUID for ImmutableID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="objectGUID">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>
<!-- mail for Windows Azure AD User ID
<resolver:AttributeDefinition id="UserId"
xsi:type="ad:Simple"
sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="IDPEmail"
friendlyName="UserId" />
</resolver:AttributeDefinition>
-->
I am integrating Office365. But when I login I see in idp-process.logs that
12:39:37.563 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:491]
- No attribute of principal 'testuser' can be encoded in to a
NameIdentifier of required format 'urn:oasis:names:tc:SAML:2.0:nameid-for$
12:39:37.600 - INFO [Shibboleth-Audit:1028] -
20140819T003937Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c8cf79d6-b53d-4714-aefd-506feffb11cb|urn:federation:MicrosoftOnline|urn:mace:shibboleth:2.0:profiles:saml2:sso|
https://idp.ro$
12:47:21.649 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.filtering.ShibbolethAttributeFilteringEngineBeanDefinitionParser:54]
- Parsing configuration for attribute filtering engine
shibboleth.AttributeFilterEngine
An ideas?
--
*Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
College | (09) 487 0 530
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
presented in this email are solely those of the author and do not
necessarily represent those of the company. Finally, the recipient should
check this email and any attachments for the presence of viruses. Rosmini
College accepts no liability for any damage caused by any virus
transmitted by this email.
--
To unsubscribe from this list send an email to
--
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
Loading...