Reputation: 775
I have a working Shibboleth IdP and SP, but some of the attributes are not getting resolved by the SP.
In the IdP logs you can see that the values below are released, but the SP is not picking them up.
Attributes Released : commonName,transientId,surname,givenName,sAMAccountName
Below are the log files.
Shibboleth IDP - Logs
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute commonName has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute surname has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute givenName has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute sAMAccountName has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106] - Removing attribute from return set, no more values: displayName
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal edison. The following attributes remain: [commonName, transientId, surname, givenName, sAMAccountName]
18:18:15.268 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute commonName with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
18:18:15.268 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
18:18:15.268 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute surname with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
18:18:15.268 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute givenName with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
18:18:15.269 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute sAMAccountName with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
18:18:15.289 - INFO [Shibboleth-Audit:1028] - 20170601T124815Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_f29312df4af4e495770ee67f15bb462c|https://10.1.50.11/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://10.1.50.11:8443/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_15e1d92e1a8d5a07c2cd84808b540f77|edison|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|commonName,transientId,surname,givenName,sAMAccountName,|_a4ba91c098206a53a94b5ed2deeefbc9||
Shibboleth SP - Logs
edison@DLSYS1X031:/var/log/shibboleth$ tail -n 100 shibd.log
2017-06-01 19:06:12 INFO Shibboleth.Config : shibboleth 2.5.2 library initialization complete
2017-06-01 19:06:12 INFO Shibboleth.Config : reload thread started...running when signaled
2017-06-01 19:06:12 INFO Shibboleth.Config : loaded XML resource (/etc/shibboleth/shibboleth2.xml)
2017-06-01 19:06:12 INFO Shibboleth.Config : Shibboleth SP Version 2.5.2
2017-06-01 19:06:12 INFO Shibboleth.Config : Library versions: log4shib 1.0.8, Xerces-C 3.1.1, XML-Security-C 1.7.2, XMLTooling-C 1.5.3, OpenSAML-C 2.5.3, Shibboleth 1.5.2
2017-06-01 19:06:12 INFO Shibboleth.Config : building ListenerService of type UnixListener...
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (set::RelayState)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (get::RelayState)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (set::PostData)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (get::PostData)
2017-06-01 19:06:12 INFO Shibboleth.Config : no StorageService plugin(s) installed, using (mem) in-memory instance
2017-06-01 19:06:12 INFO Shibboleth.Config : no ReplayCache specified, using arbitrary StorageService instance
2017-06-01 19:06:12 INFO Shibboleth.Config : no ArtifactMap specified, building in-memory ArtifactMap...
2017-06-01 19:06:12 INFO Shibboleth.Config : no SessionCache specified, using StorageService-backed instance
2017-06-01 19:06:12 INFO XMLTooling.StorageService : cleanup thread started...running every 900 seconds
2017-06-01 19:06:12 INFO Shibboleth.SessionCache : bound to arbitrary StorageService
2017-06-01 19:06:12 INFO Shibboleth.SessionCache : StorageService for 'lite' use not set, using standard StorageService
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (find::StorageService::SessionCache)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (remove::StorageService::SessionCache)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (touch::StorageService::SessionCache)
2017-06-01 19:06:12 INFO Shibboleth.Config : building SecurityPolicyProvider of type XML...
2017-06-01 19:06:12 INFO Shibboleth.SecurityPolicyProvider.XML : reload thread started...running when signaled
2017-06-01 19:06:12 INFO Shibboleth.SecurityPolicyProvider.XML : loaded XML resource (/etc/shibboleth/security-policy.xml)
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Audience
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Audience
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Ignore
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Ignore
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Ignore
2017-06-01 19:06:12 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmldsig-more#rsa-md5)
2017-06-01 19:06:12 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmldsig-more#md5)
2017-06-01 19:06:12 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmlenc#rsa-1_5)
2017-06-01 19:06:12 INFO Shibboleth.Config : building ProtocolProvider of type XML...
2017-06-01 19:06:12 INFO Shibboleth.ProtocolProvider.XML : loaded XML resource (/etc/shibboleth/protocols.xml)
2017-06-01 19:06:12 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2017-06-01 19:06:12 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (run::AssertionLookup)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Login::run::SAML2SI)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Login::run::Shib1SI)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML2/POST)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML2/POST-SimpleSign)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML2/Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML2/ECP)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML/POST)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML/Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Logout::run::SAML2LI)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Logout::run::LocalLI)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SLO/SOAP)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SLO/Redirect)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SLO/POST)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SLO/Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/NIM/SOAP)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/NIM/Redirect)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/NIM/POST)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/NIM/Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Metadata)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Status)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/DiscoFeed)
2017-06-01 19:06:12 INFO Shibboleth.DiscoveryFeed : feed files will be cached in /var/cache/shibboleth/
2017-06-01 19:06:12 INFO Shibboleth.Application : building MetadataProvider of type XML...
2017-06-01 19:06:12 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/etc/shibboleth/idp-Metadata.xml)
2017-06-01 19:06:12 INFO Shibboleth.Application : no TrustEngine specified or installed, using default chain {ExplicitKey, PKIX}
2017-06-01 19:06:12 INFO OpenSAML.MetadataProvider.XML : reload thread started...running when signaled
2017-06-01 19:06:12 INFO Shibboleth.Application : building AttributeExtractor of type XML...
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : loaded XML resource (/etc/shibboleth/attribute-map.xml)
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:uid
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:0.9.2342.19200300.100.1.1
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.9
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonAffiliation
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.1
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:cn
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.3
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:sn
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.4
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:ou
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.11
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:o
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.10
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:0.9.2342.19200300.100.1.3
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:mail
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonTargetedID
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.10
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2017-06-01 19:06:12 INFO Shibboleth.Application : building AttributeFilter of type XML...
2017-06-01 19:06:12 INFO Shibboleth.AttributeFilter : reload thread started...running when signaled
2017-06-01 19:06:12 INFO Shibboleth.AttributeFilter : loaded XML resource (/etc/shibboleth/attribute-policy.xml)
2017-06-01 19:06:12 INFO Shibboleth.Application : building AttributeResolver of type Query...
2017-06-01 19:06:12 INFO Shibboleth.Application : building CredentialResolver of type File...
2017-06-01 19:06:12 INFO XMLTooling.SecurityHelper : loading private key from file (/etc/shibboleth/sp-key.pem)
2017-06-01 19:06:12 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/etc/shibboleth/sp-cert.pem)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default::getHeaders::Application)
2017-06-01 19:06:12 INFO Shibboleth.Listener : listener service starting
2017-06-01 19:06:14 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:14 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221
2017-06-01 19:06:14 INFO Shibboleth.SessionCache [1]: new session created: ID (_c699b07ff63f25bc28ef60abd9344a33) IdP (https://10.1.50.11:8443/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.1.50.11)
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221
2017-06-01 19:06:41 INFO Shibboleth.SessionCache [3]: new session created: ID (_c3f9a98ce69aa26654851f25cbd03b7f) IdP (https://10.1.50.11:8443/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.1.50.11)
2017-06-01 19:21:12 INFO XMLTooling.StorageService : purged 4 expired record(s) from storage
I guess this is where it fails; is there something wrong?
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221
Upvotes: 2
Views: 3062
Reputation: 775
Managed to get the issue resolved after mapping the correct attribute IDs in attribute-map.xml:
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid" />
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" />
<Attribute name="urn:mace:dir:attribute-def:samaccountname" id="samaccountname" />
<Attribute name="urn:oid:1.2.840.113556.1.4.221" id="samaccountname" />
Upvotes: 4
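The diagnosis in this thread comes down to one log message: the SP only exposes attributes that have an entry in attribute-map.xml, and anything else is dropped with an INFO-level "skipping unmapped SAML 2.0 Attribute" line rather than an error. Note that the log in the question reports two unmapped names, urn:oid:2.5.4.42 (the X.520 givenName OID) as well as urn:oid:1.2.840.113556.1.4.221 (sAMAccountName), so givenName will still be missing until it gets a mapping too. The script below is an added example, not code from the post or from the Shibboleth project: it parses an attribute-map.xml excerpt and a few shibd.log lines (both constructed here, in the same format the question shows), lists the names shibd skipped that really are absent from the map, and prints the missing stanzas. The KNOWN_OIDS table is an assumption of this example; anything not in it gets a placeholder id that the administrator fills in to match the header name the application expects.

```python
"""Cross-check a Shibboleth SP attribute-map.xml against shibd.log
"skipping unmapped SAML 2.0 Attribute" messages and emit the mapping
stanzas that are missing.  Added example; not part of the original post
or of the Shibboleth project.  All inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed attribute-map.xml excerpt (same shape as the real file:
# default namespace urn:mace:shibboleth:2.0:attribute-map).
ATTRIBUTE_MAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
</Attributes>
"""

# Constructed shibd.log lines in the format shown in the question.
SHIBD_LOG = """\
2017-06-01 19:06:12 INFO Shibboleth.Listener : listener service starting
2017-06-01 19:06:14 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:14 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221
"""

NS = {"am": "urn:mace:shibboleth:2.0:attribute-map"}
UNMAPPED_RE = re.compile(
    r"skipping unmapped SAML 2\.0 Attribute with Name: (\S+)")

# Assumed lookup table for suggesting an id; anything else gets a placeholder.
KNOWN_OIDS = {
    "urn:oid:2.5.4.42": "givenName",                    # X.520 givenName
    "urn:oid:1.2.840.113556.1.4.221": "samaccountname",  # AD sAMAccountName
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}


def mapped_names(xml_text):
    """Return the set of SAML attribute names the map already handles."""
    root = ET.fromstring(xml_text)
    return {a.get("name") for a in root.findall("am:Attribute", NS)}


def unmapped_from_log(log_text):
    """Return the distinct attribute names shibd reported as unmapped,
    in first-seen order (a repeated login produces repeated lines)."""
    seen = []
    for line in log_text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def missing_mappings(xml_text, log_text):
    """Names shibd skipped that really are absent from the map.  A name
    that is in the map yet still skipped points at a stale or unreloaded
    configuration rather than a missing stanza."""
    have = mapped_names(xml_text)
    return [n for n in unmapped_from_log(log_text) if n not in have]


def suggest_stanzas(names):
    """Render <Attribute> stanzas for attribute-map.xml; unknown OIDs get
    a placeholder id the administrator must replace."""
    return [
        '<Attribute name="%s" id="%s"/>' % (n, KNOWN_OIDS.get(n, "FILL-IN-ID"))
        for n in names
    ]


if __name__ == "__main__":
    for stanza in suggest_stanzas(missing_mappings(ATTRIBUTE_MAP_XML, SHIBD_LOG)):
        print(stanza)
```

Run against the real files by replacing the two constructed strings with the contents of /etc/shibboleth/attribute-map.xml and shibd.log; after editing the map, shibd must reload the file before the "skipping unmapped" lines stop appearing.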