2.5, AttributeExtractor, from Metadata


Steven Carmody

Feb 23, 2012, 10:49:18 AM
to Shib Dev (dev@shibboleth.net)
I added this element to my shibboleth2.xml config file:

<AttributeExtractor type="Metadata" errorURL="errorURL"
DisplayName="displayName"/>

the log files indicate that, at startup, Shib is recognizing this
element ....

but when I hit my target site, I don't see anything in the log files
related to processing this...

all my SP does is dump out the received info -- it prints out the
attributes sent by my IDP, but I don't see either of the elements I was
expecting from the IDP's metadata ....

maybe I just mis-understand this new feature -- I thought these values
would be provided to my app in the usual way ? Or are they only
available via the templates used by the AttributeChecker ?

Cantor, Scott

Feb 23, 2012, 11:08:41 AM
to Shib Dev
> maybe I just mis-understand this new feature -- I thought these values
> would be provided to my app in the usual way ? Or are they only
> available via the templates used by the AttributeChecker ?

You probably didn't add the metadataAttributePrefix setting to the ApplicationDefaults element. I believe this is documented.

For reasons of "not rewriting whole sections of core code", all the metadata extraction plugins have to run through the hacks I used to disambiguate user attributes from metadata tags that happen to be identical. It also just avoids accidents, by ensuring that nothing you name accidentally that matches a user extraction rule ever collides.

-- Scott

Steven Carmody

Feb 23, 2012, 11:25:41 AM
to d...@shibboleth.net
On 2/23/12 11:08 AM, Cantor, Scott wrote:
>> maybe I just mis-understand this new feature -- I thought these values
>> would be provided to my app in the usual way ? Or are they only
>> available via the templates used by the AttributeChecker ?
>
> You probably didn't add the metadataAttributePrefix setting to the
> ApplicationDefaults element. I believe this is documented.
>

that was it!

thanks!

Steven Carmody

Feb 23, 2012, 12:53:56 PM
to d...@shibboleth.net
On 2/23/12 11:08 AM, Cantor, Scott wrote:
>
> You probably didn't add the metadataAttributePrefix setting to the
> ApplicationDefaults element. I believe this is documented.
>

my shibboleth2.xml contains this element:

<AttributeExtractor type="Metadata" errorURL="errorURL"
DisplayName="displayName"/>

and my IDP's metadata contains this:

<IDPSSODescriptor errorURL="http://stc-test16.cis.brown.edu/errorURL"
    protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
  <Extensions>
    <shibmd:Scope regexp="false">brown.edu</shibmd:Scope>

    <mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Brown Test IDP (STC) (display name)</mdui:DisplayName>

my shibd log file indicates that shibd is finding DisplayName, but there
is no mention of errorURL ... and my App that dumps out the received
info shows DisplayName but not errorURL

is something in the wrong place ?

Thanks!

Cantor, Scott

Feb 23, 2012, 1:01:21 PM
to Shib Dev
> my shibd log file indicates that shibd is finding DisplayName, but there
> is no mention of errorURL ... and my App that dumps out the received
> info shows DisplayName but not errorURL
>
> is something in the wrong place ?

No, but the variable would not be displayName or errorURL, it would be prefix-errorURL or prefix-displayName. Are you sure you're not getting mixed up with the user's displayName (thus proving my point about the prefix)?

I'm not sure what shibd evidence you mean either. I don't think there's much if any logging related to this.

-- Scott
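
The prefixing discussed in the replies above, as an added Python model; it is not Shibboleth code and not part of any post in this thread. It assumes the prefix is prepended verbatim (the dumps in this thread show both `metadatadisplayName` and `metadata-displayName`) and that nothing is exposed when no prefix is set; the metadata, URLs and user values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# Constructed IdP metadata, modelled on the fragment quoted in this thread.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor errorURL="https://idp.example.org/errorURL"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Test IdP</mdui:DisplayName>
      </mdui:UIInfo>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed user attributes, as they would arrive in a SAML assertion.
USER_ATTRS = {"displayName": "Example User", "eppn": "user@example.org"}


def extract_metadata_attributes(metadata_xml, prefix):
    """Model of errorURL="errorURL" DisplayName="displayName" plus a prefix."""
    if not prefix:
        return {}  # assumption from the thread: no prefix, nothing exposed
    role = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    found = {}
    if role is None:
        return found
    if role.get("errorURL"):
        found[prefix + "errorURL"] = role.get("errorURL")
    name = role.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    if name is not None and name.text:
        found[prefix + "displayName"] = " ".join(name.text.split())
    return found


def build_session(user_attrs, metadata_xml, prefix):
    """Merge both sources; the prefix keeps the two displayName values apart."""
    session = dict(user_attrs)
    session.update(extract_metadata_attributes(metadata_xml, prefix))
    return session
```

An application reading the merged result has to look up the prefixed name for the IdP's values; the unprefixed `displayName` is always the user's.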

Steven Carmody

Feb 23, 2012, 1:12:23 PM
to d...@shibboleth.net
On 2/23/12 1:01 PM, Cantor, Scott wrote:
>> my shibd log file indicates that shibd is finding DisplayName, but
>> there is no mention of errorURL ... and my App that dumps out the
>> received info shows DisplayName but not errorURL
>>
>> is something in the wrong place ?
>
> No, but the variable would not be displayName or errorURL, it would
> be prefix-errorURL or prefix-displayName. Are you sure you're not
> getting mixed up with the user's displayName (thus proving my point
> about the prefix)?

Right .. here's what gets dumped out:

[displayName] => Steven T. Carmody
[eppn] => s...@brown.edu
[givenName] => Steven
[mail] => Steven_...@Brown.EDU
[metadatadisplayName] => Brown Test IDP (STC) (display name)
[sn] => Carmody

>
> I'm not sure what shibd evidence you mean either. I don't think
> there's much if any logging related to this.
>

there isn't a decoding stmt for metadatadisplayName, but it does show up
in the filtering step...

2012-02-23 11:23:14 DEBUG Shibboleth.AttributeDecoder.Scoped [4]:
decoding ScopedAttribute (eppn) from SAML 2 Attribute
(urn:oid:1.3.6.1.4.1.5923.1.1.1.6) with 1 value(s)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeDecoder.String [4]:
decoding SimpleAttribute (sn) from SAML 2 Attribute (urn:oid:2.5.4.4)
with 1 value(s)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeDecoder.String [4]:
decoding SimpleAttribute (givenName) from SAML 2 Attribute
(urn:oid:2.5.4.42) with 1 value(s)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeDecoder.String [4]:
decoding SimpleAttribute (mail) from SAML 2 Attribute
(urn:oid:0.9.2342.19200300.100.1.3) with 1 value(s)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeDecoder.String [4]:
decoding SimpleAttribute (displayName) from SAML 2 Attribute
(urn:oid:2.16.840.1.113730.3.1.241) with 1 value(s)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeFilter [4]: filtering 6
attribute(s) from (https://stc-test16.cis.brown.edu/idp/shibboleth)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeFilter [4]: applying
filtering rule(s) for attribute (metadatadisplayName) from
(https://stc-test16.cis.brown.edu/idp/shibboleth)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeFilter [4]: applying
filtering rule(s) for attribute (displayName) from
(https://stc-test16.cis.brown.edu/idp/shibboleth)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeFilter [4]: applying
filtering rule(s) for attribute (mail) from
(https://stc-test16.cis.brown.edu/idp/shibboleth)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeFilter [4]: applying
filtering rule(s) for attribute (givenName) from
(https://stc-test16.cis.brown.edu/idp/shibboleth)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeFilter [4]: applying
filtering rule(s) for attribute (sn) from
(https://stc-test16.cis.brown.edu/idp/shibboleth)
2012-02-23 11:23:14 DEBUG Shibboleth.AttributeFilter [4]: applying
filtering rule(s) for attribute (eppn) from
(https://stc-test16.cis.brown.edu/idp/shibboleth)

Cantor, Scott

Feb 23, 2012, 1:49:47 PM
to Shib Dev
> Right .. here's what gets dumped out:

I don't know what the problem is then, I have a working configuration that includes errorURL and there's nothing unusual about it.

> there isn't a decoding stmt for metadatadisplayName, but it does show up
> in the filtering step...

Ok. All I can think is there's metadata without it that's in the way of the file you're modifying, but if there's only one source and you start over and it doesn't show up, I don't have any ideas.

Is there only one IdP role in the metadata?

-- Scott

Steven Carmody

Feb 24, 2012, 3:01:05 PM
to d...@shibboleth.net
On 2/23/12 1:49 PM, Cantor, Scott wrote:
>
> Ok. All I can think is there's metadata without it that's in the way
> of the file you're modifying, but if there's only one source and you
> start over and it doesn't show up, I don't have any ideas.

this particular SP is loading my test metadata, the Brown campus
federation metadata, and the IC metadata.

>
> Is there only one IdP role in the metadata?
>

Within those three files, this particular IDP only occurs once -- in my
test metadata file.

However, there are many IDPs in those three files ....

On the plus side, let me note that I'm successfully receiving several
other elements from the IDP's metadata entry:

[displayName] => Steven T. Carmody
[eppn] => s...@brown.edu
[givenName] => Steven
[mail] => Steven_...@Brown.EDU

[sn] => Carmody
[metadata-description] => Brown Test IDP (STC) desc.
[metadata-displayName] => Brown Test IDP (STC) (display name)
[metadata-informationURL] => http://www.brown.edu/
[metadata-organizationName] => Brown -- STC Test IDP (NAME)

One more question -- is there any way to retrieve the Contacts elements
? Since there may be more than one ?

Cantor, Scott

Feb 24, 2012, 3:03:57 PM
to Shib Dev
> On the plus side, let me note that I'm successfully receiving several
> other elements from the IDP's metadata entry:

Hmm, errorURL is like the simplest case. I can't reproduce that, at least not on Windows, I'll have to wait for myself or somebody else to try it.

> One more question -- is there any way to retrieve the Contacts elements
> ? Since there may be more than one ?

The documentation covers that in some detail.

-- Scott
