Afternoon all,
I'm trying to set up a (test) IDP to talk to Azure for Office365 by following some official MS documentation at http://technet.microsoft.com/en-us/library/jj205463.
Azure requires two extra attributes to be asserted as part of the SAML2 conversation (ImmutableID [objectguid from AD] and UserID [upn from AD] -- no comments on namespace or functionality, please, I'm just following their instructions and evaluating!) which I've configured to go off to our AD and grab (appears to be working ok) and then configured to release to TestShib before I actually reconfigure our test Office365 tenancy.
Unfortunately, Shibboleth (2.3.6) is discarding the ImmutableID attribute because "no SAML2AttributeEncoder was attached to it." (grepped logs below).
UserId appears to be working ok on testshib:
<saml2:Attribute FriendlyName="UserId" Name="IDPEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[log in to unmask]</saml2:AttributeValue></saml2:Attribute>
I appear to be too stupid (or too sleepy) to work this out… any ideas?
Config for these attributes:
<!-- Use AD objectGUID for ImmutableID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="objectGUID">
    <resolver:Dependency ref="WindowsAD" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>
Hopefully relevant logs but happy to post more (or more config) if required:
12:19:12.691 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal ms1, the attributes: [uid, eduPersonPrincipalName, transientId, eduPersonScopedAffiliation, unikentaspirerole, eduPersonEntitlement, UserId, eduPersonTargetedID.old, eduPersonTargetedID, ImmutableID]
12:19:12.698 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseImmutableIDToAzure is active for principal ms1
12:19:12.698 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseImmutableIDToAzure is active for principal ms1
12:19:12.698 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute ImmutableID for principal ms1
12:19:12.704 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute ImmutableID has 1 values after filtering
12:19:12.705 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal ms1. The following attributes remain: [transientId, eduPersonScopedAffiliation, eduPersonTargetedID.old, eduPersonTargetedID, ImmutableID]
12:19:12.708 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:226] - Attribute ImmutableID was not encoded because no SAML2AttributeEncoder was attached to it.
12:19:12.719 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:523] - Retaining attribute ImmutableID which may be encoded to via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:19:12.724 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:573] - Removing attribute ImmutableID, it can not be encoded in to a name identifier of an acceptable format
Ta,
--
Matthew Slowe
Server Infrastructure Team e: [log in to unmask]
IS, University of Kent t: +44 (0)1227 824265
Canterbury, UK w: www.kent.ac.uk
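As an added example that is not part of the original post, a small Python triage script that walks Shibboleth IdP 2.x process.log lines like the ones quoted above and reports, per attribute, which stage (resolve, filter, attribute encoding, NameID encoding) it reached and why it never made it into the assertion. The log text inside is constructed to mirror the quoted lines (logger class names abbreviated); the message texts it matches on are the ones the IdP actually emits.

```python
import re

# Constructed sample mirroring the Shibboleth IdP 2.x process.log lines quoted in the post.
SAMPLE_LOG = """\
12:19:12.691 - DEBUG [...ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal ms1, the attributes: [uid, UserId, eduPersonTargetedID, ImmutableID]
12:19:12.705 - DEBUG [...ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal ms1. The following attributes remain: [transientId, eduPersonTargetedID, ImmutableID]
12:19:12.708 - DEBUG [...ShibbolethSAML2AttributeAuthority:226] - Attribute ImmutableID was not encoded because no SAML2AttributeEncoder was attached to it.
12:19:12.719 - DEBUG [...AbstractSAMLProfileHandler:523] - Retaining attribute ImmutableID which may be encoded to via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:19:12.724 - DEBUG [...AbstractSAMLProfileHandler:573] - Removing attribute ImmutableID, it can not be encoded in to a name identifier of an acceptable format
"""

# One regex per stage of the pipeline: resolve -> filter -> encode (as Attribute or as NameID).
PATTERNS = {
    "resolved": re.compile(r"resolved, for principal \S+, the attributes: \[(.*?)\]"),
    "released": re.compile(r"The following attributes remain: \[(.*?)\]"),
    "no_attr_encoder": re.compile(r"Attribute (\S+) was not encoded because no SAML2AttributeEncoder"),
    "nameid_candidate": re.compile(r"Retaining attribute (\S+) which may be encoded to via \S*NameIDEncoder"),
    "nameid_rejected": re.compile(r"Removing attribute (\S+), it can not be encoded in to a name identifier"),
}
LIST_STAGES = {"resolved", "released"}  # these two carry a bracketed list, the rest a single name


def triage(log_text: str) -> dict[str, set[str]]:
    """Map each attribute name to the set of pipeline stages/events it appears in."""
    report: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        for stage, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            names = [n.strip() for n in m.group(1).split(",")] if stage in LIST_STAGES else [m.group(1)]
            for name in names:
                report.setdefault(name, set()).add(stage)
    return report


def diagnose(report: dict[str, set[str]]) -> dict[str, str]:
    """Explain, for every attribute the filter released, why it did or did not reach the assertion."""
    verdicts = {}
    for name, stages in report.items():
        if "released" not in stages:
            continue  # never released by the filter policy, so not an encoder problem
        if "nameid_rejected" in stages:
            verdicts[name] = ("only a NameID encoder is attached and the IdP found no acceptable "
                              "NameID format for this SP; it will not appear as a SAML2 Attribute")
        elif "no_attr_encoder" in stages:
            verdicts[name] = "no SAML2 attribute encoder attached; attribute dropped at encoding"
        else:
            verdicts[name] = "released and not dropped by the encoder stage"
    return verdicts
```

Running `diagnose(triage(open("process.log").read()))` against a real log flags ImmutableID as released but rejected at the NameID stage, which separates a filter-policy problem from an encoder/NameID-format problem at a glance.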