Editing attribute-resolver.xml to release eduPersonTargetedID as urn:mace:dir:attribute-def rather than urn:oid for SAML 1 requests


Duncan Brannen

Jul 25, 2011, 8:56:54 AM
to us...@shibboleth.net
Hi All,
Since we went live with our 2.3 IdP (from 1.3), one of our
service providers is no longer able to pick up the eduPersonTargetedID
variable. They're using SAML1 and, from what I can see, in 1.3 they'd
get

<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue
Scope="st-andrews.ac.uk">Pe1e6eQsvqxmXyohKjO9L0InhPM=</AttributeValue></Attribute>

whereas with 2.3 they get

<saml1:Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<saml1:AttributeValue>
<saml2:NameID
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://login-test.st-andrews.ac.uk/idp/shibboleth"
SPNameQualifier="https://sp.eblib.com/shibboleth">Pe1e6eQsvqxmXyohKjO9L0InhPM=</saml2:NameID>
</saml1:AttributeValue>
</saml1:Attribute>
If I edit the AttributeEncoder line of eduPersonTargetedID in
attribute-resolver.xml from

<resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />

to

<resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
name="urn:mace:dir:attribute-def:eduPersonTargetedID" />

then I get something I think they can work with.

<saml1:Attribute
AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<saml1:AttributeValue>
<saml2:NameID
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://login-test.st-andrews.ac.uk/idp/shibboleth"
SPNameQualifier="https://sp.eblib.com/shibboleth">Pe1e6eQsvqxmXyohKjO9L0InhPM=</saml2:NameID>
</saml1:AttributeValue>
</saml1:Attribute>

Am I creating problems for the future by doing this / is there
a better way to do this?
Thanks,
Duncan

--
The University of St Andrews is a charity registered in Scotland : No
SC013532


Cantor, Scott E.

Jul 25, 2011, 9:49:00 AM
to us...@shibboleth.net
On 7/25/11 8:56 AM, "Duncan Brannen" <d...@st-andrews.ac.uk> wrote:
>Am I creating problems for the future by doing this / is there
>a better way to do this?

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID

I think that addresses the entire issue.

-- Scott

Duncan Brannen

Jul 26, 2011, 3:40:15 AM
to us...@shibboleth.net

Thanks Scott,
That was useful; it seems we have some providers who need
the deprecated value released via SAML1. I'll get in touch with
the federation helpdesk and see what they're recommending to do
with these.

Cheers,
Duncan


Chad La Joie

Jul 26, 2011, 7:19:51 AM
to us...@shibboleth.net
Probably the easiest thing to do is to create two different attribute
definitions: one that encodes to the deprecated form and one that
encodes to the new form. Then create a special attribute filter rule
that will remove the new form and release the deprecated form for those
legacy SPs.


--
Chad La Joie
http://itumi.biz
trusted identities, delivered
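An added example of the two-definition layout Chad describes, written for this thread and not taken from the Shibboleth project's own configuration. It assumes an IdP 2.x attribute-resolver.xml and attribute-filter.xml with the usual resolver, ad, enc, afp and basic namespace prefixes, an existing computedID data connector with id "computedID", and placeholder values for the scope (example.org) and the legacy SP's entityID.

```xml
<!-- attribute-resolver.xml: one computed value, two definitions.
     Assumes a DataConnector with id="computedID" is already declared. -->

<!-- Current form: SAML 2 persistent NameID carried in the urn:oid attribute -->
<resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    sourceAttributeID="computedID">
  <resolver:Dependency ref="computedID" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
      friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>

<!-- Legacy 1.3-style form: scoped string under the urn:mace:dir name.
     Only a SAML 1 encoder is attached, so it never appears in SAML 2. -->
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonTargetedID.old"
    scope="example.org" sourceAttributeID="computedID">
  <resolver:Dependency ref="computedID" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
      name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: for the one legacy SP (placeholder entityID),
     release the old form and block the new one. No other policy should
     permit eduPersonTargetedID.old, so every other SP keeps the urn:oid form. -->
<afp:AttributeFilterPolicy id="legacyTargetedIDForOldSP">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://legacy-sp.example.org/shibboleth" />
  <afp:AttributeRule attributeID="eduPersonTargetedID.old">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:DenyValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Both definitions read the same computedID value, so the legacy SP sees the same opaque hash as before, just in the 1.3-era scoped-string shape rather than wrapped in a NameID; the deny rule is what stops the general release policy from also handing that SP the urn:oid form.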

Cantor, Scott E.

Jul 26, 2011, 9:44:02 AM
to us...@shibboleth.net
>
>On 7/26/11 3:40 AM, Duncan Brannen wrote:
>>
>> Thanks Scott,
>> That was useful, seems we have some providers who need
>> the deprecated value released via SAML1.

That is not deprecated, it's wrong. Deprecated would imply it was ever
correct.

-- Scott