Getting eppn=null why loging with Shibboleth

[Alexandre Abreu]

Hi guys, 

I have a dataverse working in another server (say server 1). Now, in server 2, I deployed dataverse using docker.
From server 1, I copied the configuration files (Attribute-map, attribute-policy, shibboleth2, etc...) just changing the places that make reference to the name of server 1.
However, when I try to login with Shibboleth, I'm getting the following message:

" Problem with Identity Provider – The SAML assertion for "eppn" was null. Please contact support.

"

Here is my attribute-map.xml

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" id="eppn"/>

<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" id="givenName"/>

<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" id="sn"/>

<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" id="mail"/>

</Attributes>

and my attribute-policy.xml

<afp:AttributeFilterPolicyGroup

xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"

xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"

xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"

xmlns:afp="urn:mace:shibboleth:2.0:afp"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<afp:PermitValueRule id="ScopingRules" xsi:type="AND">

<Rule xsi:type="NOT">

<Rule xsi:type="AttributeValueRegex" regex="@"/>

</Rule>

<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>

</afp:PermitValueRule>

<afp:AttributeFilterPolicy>

<!-- This policy is in effect in all cases. -->

<afp:PolicyRequirementRule xsi:type="ANY"/>

<!-- Filter out undefined affiliations and ensure only one primary. -->

<afp:AttributeRule attributeID="eppn">

<afp:PermitValueRule xsi:type="ANY"/>

</afp:AttributeRule>

<afp:AttributeRule attributeID="givenName">

<afp:PermitValueRule xsi:type="ANY"/>

</afp:AttributeRule>

<afp:AttributeRule attributeID="sn">

<afp:PermitValueRule xsi:type="ANY"/>

</afp:AttributeRule>

<afp:AttributeRule attributeID="mail">

<afp:PermitValueRule xsi:type="ANY"/>

</afp:AttributeRule>

</afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>

I'm needing some help on this... =/ I saw some similar problems but I could not solve this yet...

Thanks in advance!

Alexandre

[Philip Durbin]

I just put this in IRC but I recommend dropping down a level from Dataverse to Shibboleth to troubleshoot. Please take a look at https://dataverse.example.edu/Shibboleth.sso/Session (for your hostname) and look for eppn and other attributes you expect. If they aren't present, Dataverse won't see them. There's more to read on this at http://guides.dataverse.org/en/4.20/installation/shibboleth.html#exchange-metadata-with-your-identity-provider

The other thing to keep in mind is that even if your Identity Provider (IdP) is releasing attributes (like eppn) to your working server (server 1), that doesn't necessarily mean they are releasing those attributes to your new server (server 2). The test above should help confirm this.

I hope this helps!

Phil

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/b0adde4f-e1df-483a-9d7f-9983088ca711%40googlegroups.com.

--

Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin