OgutierrezRPI

Reputation: 1

Shibboleth Attributes not Mapping

We are having an issue with Shibboleth and Apache Server. I am integrating with an SSO portal for a Tomcat application. I have the integration with the SSO portal figured out, but we are having an issue with the mapping of the attributes. We are obtaining a NameID which is the email address. I don’t know what I am missing. I can see the email in the Shibd.log, but I cannot see any attributes in the Shibboleth.sso/Session. Here is my configuration for the attribute-map:

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>
    <Attribute name="emailAddress" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="emailAddress">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true" />
    </Attribute>
    <Attribute name="mail" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="mail">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true" />
    </Attribute>
</Attributes>

Here is what I have in the Attribute-Policy:

<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <afp:AttributeFilterPolicy>
        <!-- This policy is in effect in all cases. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>
        <!-- Catch-all that passes everything else through unmolested. -->
        <afp:AttributeRule attributeID="*" permitAny="true"/>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>   

The Shibd.log has the following verbiage:

2019-12-16 16:48:23 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2019-12-16 16:48:23 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute emailAddress, Format/Namespace:urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-12-16 16:48:23 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute mail, Format/Namespace:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

However, as previously mentioned, we cannot see any attributes in Shibboleth.sso/Session.

Am I missing anything?

Upvotes: 0

Views: 1245

Answers (1)

OgutierrezRPI

Reputation: 1

This was fixed by adding the attributes:

<Attribute name="urn:mace:dir:attribute-def:mail" id="SHIB_MAIL"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB_MAIL"/>

This was the only attribute that showed up in the attribute portion of the SP Session.

Upvotes: 0
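
Added example, not part of the original question or answer: a small Python check that reports which incoming SAML attributes an attribute-map would assign to an id, run against the "mail" rule from the question and the two rules from the answer. The matching rule (exact Name and NameFormat, with a map rule lacking nameFormat treated as the SAML 2.0 uri format) is a simplified assumption about the SP, and the sample AttributeStatement is constructed, not taken from the page.

```python
import xml.etree.ElementTree as ET

MAP_NS = "{urn:mace:shibboleth:2.0:attribute-map}"
SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"

def load_map(map_xml):
    """Return {name: [(nameFormat, id), ...]} for each <Attribute> in the map."""
    rules = {}
    for el in ET.fromstring(map_xml).iter(MAP_NS + "Attribute"):
        # Assumption: a rule without nameFormat targets the SAML 2.0 "uri" format.
        fmt = el.get("nameFormat") or FMT + "uri"
        rules.setdefault(el.get("name"), []).append((fmt, el.get("id")))
    return rules

def check(map_xml, statement_xml):
    """Return {incoming Name: verdict} for each SAML <Attribute> received."""
    rules, report = load_map(map_xml), {}
    for attr in ET.fromstring(statement_xml).iter(SAML_NS + "Attribute"):
        name = attr.get("Name")
        # SAML core: an absent NameFormat means "unspecified".
        fmt = attr.get("NameFormat") or FMT + "unspecified"
        candidates = rules.get(name, [])
        ids = [i for f, i in candidates if f == fmt]
        if ids:
            report[name] = "mapped to " + ids[0]
        elif candidates:
            report[name] = "name matches, nameFormat differs"
        else:
            report[name] = "unmapped"
    return report

MAP_OPEN = '<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">'
# The "mail" rule from the question (decoder child omitted).
QUESTION_MAP = MAP_OPEN + f'<Attribute name="mail" nameFormat="{FMT}unspecified" id="mail"/></Attributes>'
# The two rules from the answer.
ANSWER_MAP = MAP_OPEN + """
  <Attribute name="urn:mace:dir:attribute-def:mail" id="SHIB_MAIL"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB_MAIL"/>
</Attributes>"""
# Constructed sample of what an IdP might send; not taken from the page.
STATEMENT = f"""<s:AttributeStatement xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion">
  <s:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{FMT}uri"/>
  <s:Attribute Name="mail" NameFormat="{FMT}basic"/>
</s:AttributeStatement>"""

if __name__ == "__main__":
    for label, m in (("question", QUESTION_MAP), ("answer", ANSWER_MAP)):
        print(label, check(m, STATEMENT))
```

An "unmapped" verdict corresponds to an attribute that never reaches the session, so the application behind the SP sees no value for it.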
