Discussion:
Custom attribute for Shib SP
Zico
2014-10-03 20:40:21 UTC
Hello,

I am trying to connect my Shib SP with ADFS. It's working mostly other
than attribute mapping. For ADFS, I am trying to map
"urn:oid:0.9.2342.19200300.100.1.1" as "CustomChecker" attribute. Is
it possible? I know, this urn is for UID but, is it possible to pass
this urn as "CustomChecker" or anything like that other than UID?

Here is my stack trace which shows the failure though:

2014-10-03 12:55:22 DEBUG Shibboleth.AttributeExtractor.XML [2]:
unable to extract attributes, unknown XML object type: samlp:Response
2014-10-03 12:55:22 DEBUG Shibboleth.AttributeExtractor.XML [2]:
unable to extract attributes, unknown XML object type:
{urn:oasis:names:tc:SAML:2.0:assertion}AuthnStatement
2014-10-03 12:55:22 INFO Shibboleth.AttributeExtractor.XML [2]:
skipping unmapped SAML 2.0 Attribute with Name:
urn:oid:0.9.2342.19200300.100.1.1,
Format:urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

And, here is how I am trying to modify my attribute in attribute-map.xml:

<Attribute
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
name="urn:oid:0.9.2342.19200300.100.1.1" id="CustomChecker">
</Attribute>
--
Best,
Zico
Cantor, Scott
2014-10-03 20:53:08 UTC
2014-10-03 12:55:22 INFO Shibboleth.AttributeExtractor.XML [2]: skipping
unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1,
Format:urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
<Attribute
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
name="urn:oid:0.9.2342.19200300.100.1.1" id="CustomChecker">
</Attribute>
That would work, so you are not in fact using the map you think you are.
Or you just didn't restart the processes after changing it.

-- Scott
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Zico
2014-10-03 20:58:49 UTC
Umm... restarted couple of times actually. Using IIS here for SP btw.
Post by Cantor, Scott
2014-10-03 12:55:22 INFO Shibboleth.AttributeExtractor.XML [2]: skipping
unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1,
Format:urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
<Attribute
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
name="urn:oid:0.9.2342.19200300.100.1.1" id="CustomChecker">
</Attribute>
That would work, so you are not in fact using the map you think you are.
Or you just didn't restart the processes after changing it.
-- Scott
--
Best,
Zico
Cantor, Scott
2014-10-03 21:01:52 UTC
Post by Zico
Umm... restarted couple of times actually. Using IIS here for SP btw.
I can only go by what you're saying, so I will repeat the same answer.
Either you didn't restart or it's not actually using the configuration
file you think it is. The former is more likely. That file is not reloaded
anymore by default, so it won't take effect unless shibd and IIS are both
restarted.

-- Scott
Zico
2014-10-03 21:04:47 UTC
Thanks Scott; I'll double check.
Post by Cantor, Scott
Post by Zico
Umm... restarted couple of times actually. Using IIS here for SP btw.
I can only go by what you're saying, so I will repeat the same answer.
Either you didn't restart or it's not actually using the configuration
file you think it is. The former is more likely. That file is not reloaded
anymore by default, so it won't take effect unless shibd and IIS are both
restarted.
-- Scott
--
Best,
Zico
Peter Schober
2014-10-03 22:35:30 UTC
Post by Zico
urn:oid:0.9.2342.19200300.100.1.1,
Format:urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Note the name format.
Post by Zico
<Attribute
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
name="urn:oid:0.9.2342.19200300.100.1.1" id="CustomChecker">
</Attribute>
Note the different name format.
-peter
Cantor, Scott
2014-10-03 23:55:34 UTC
Post by Peter Schober
Post by Zico
urn:oid:0.9.2342.19200300.100.1.1,
Format:urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Note the name format.
Post by Zico
And, here is how I am trying to modify my attribute in
<Attribute
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
name="urn:oid:0.9.2342.19200300.100.1.1" id="CustomChecker">
</Attribute>
Note the different name format.
Yep, missed it. That is indeed the reason.

-- Scott
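The mismatch identified at the end of this thread can be checked mechanically by comparing the Format in each "skipping unmapped" log entry with the nameFormat declared on the same-named rule in attribute-map.xml. The script below is an added example, not part of the thread or of Shibboleth; its function names are hypothetical, the `<Attributes>` wrapper around the quoted rule is assumed, and it treats a declared nameFormat as an exact string match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: the log entry and the <Attribute> rule are the ones quoted
# in the thread; the <Attributes> wrapper is assumed so the rule parses alone.
SHIBD_LOG = """\
2014-10-03 12:55:22 INFO Shibboleth.AttributeExtractor.XML [2]:
skipping unmapped SAML 2.0 Attribute with Name:
urn:oid:0.9.2342.19200300.100.1.1,
Format:urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
"""
ATTRIBUTE_MAP = """\
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute
      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      name="urn:oid:0.9.2342.19200300.100.1.1" id="CustomChecker">
  </Attribute>
</Attributes>
"""

# \s+ between words tolerates log entries wrapped across lines, as in the posts.
SKIPPED = re.compile(r"unmapped\s+SAML\s+2\.0\s+Attribute\s+with\s+Name:"
                     r"\s*(\S+?),\s*Format:\s*(\S+)")

def skipped_attributes(log_text):
    """Return (name, format) pairs that the SP logged as unmapped."""
    return SKIPPED.findall(log_text)

def map_rules(map_xml):
    """Return (name, nameFormat or None, id) for every <Attribute> rule."""
    root = ET.fromstring(map_xml)
    return [(el.get("name"), el.get("nameFormat"), el.get("id"))
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Attribute"]

def explain_skips(log_text, map_xml):
    """Explain each skipped attribute by comparing it with same-named rules."""
    rules = map_rules(map_xml)
    findings = []
    for name, sent_format in skipped_attributes(log_text):
        same_name = [r for r in rules if r[0] == name]
        if not same_name:
            findings.append((name, sent_format, None, "no rule with this name"))
        for _, declared, attr_id in same_name:
            # Assumption: an explicit nameFormat is compared as an exact string;
            # rules that omit nameFormat are not evaluated by this sketch.
            if declared is not None and declared != sent_format:
                findings.append((name, sent_format, attr_id, "nameFormat mismatch"))
    return findings

if __name__ == "__main__":
    print(explain_skips(SHIBD_LOG, ATTRIBUTE_MAP))
```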