> Unfortunately, Shibboleth (2.3.6) is discarding the ImmutableID attribute because "no
> SAML2AttributeEncoder was attached to it." (grepped logs below).
That may be OK - you have told Shibboleth to take this ImmutableID and encode it in the "NameID" part of the "packet of stuff"
(technical terms) which gets sent to the SP.
You have not told the IdP to take it and encode it in the "Attribute" part of the "packet of stuff". And that is all that the logs
(they are debug) are telling you.
If I go over to testshib (https://sp.testshib.org/cgi-bin/splog.cgi?lines=15000&logname=shibd.log) and look at what the SP gets it
includes this:
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    NameQualifier="https://newt.kent.ac.uk/idp/shibboleth"
    SPNameQualifier="https://sp.testshib.org/shibboleth-sp">_ed96dd0c72e397f07f07e56fcd825fd7</saml2:NameID>
So the question is whether {ed96dd0c-72e3-97f0-7f-07-e5-6f-cd-82-5f-d7} is the objectguid that you have in your AD for that
principal?
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of
> Matthew Slowe
> Sent: 08 August 2012 14:28
> To: [log in to unmask]
> Subject: [Am I being a dunce?] Attribute ImmutableID was not encoded because no SAML2AttributeEncoder
> was attached to it.
>
> Afternoon all,
>
> I'm trying to set up a (test) IDP to talk to Azure for Office365 by following some official MS
> documentation at http://technet.microsoft.com/en-us/library/jj205463.
>
> Azure requires two extra attributes to be asserted as part of the SAML2 conversation (ImmutableID
> [objectguid from AD] and UserID [upn from AD] -- no comments on namespace or functionality, please,
> I'm just following their instructions and evaluating!) which I've configured to go off to our AD and
> grab (appears to be working ok) and then configured to release to TestShib before I actually
> reconfigure our test Office365 tenancy.
>
> Unfortunately, Shibboleth (2.3.6) is discarding the ImmutableID attribute because "no
> SAML2AttributeEncoder was attached to it." (grepped logs below).
>
> UserId appears to be working ok on testshib:
>
> <saml2:Attribute FriendlyName="UserId" Name="IDPEmail"
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xsi:type="xs:string">[log in to unmask]</saml2:AttributeValue>
> </saml2:Attribute>
>
> I appear to be too stupid (or too sleepy) to work this out. Any ideas?
>
> Config for these attributes:
>
> <!-- Use AD objectGUID for ImmutableID -->
> <resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple"
>     xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>     sourceAttributeID="objectGUID">
>   <resolver:Dependency ref="WindowsAD" />
>
>   <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
>       xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>       nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
> </resolver:AttributeDefinition>
>
> Hopefully relevant logs but happy to post more (or more config) if required:
>
> 12:19:12.691 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal ms1, the attributes: [uid, eduPersonPrincipalName, transientId, eduPersonScopedAffiliation, unikentaspirerole, eduPersonEntitlement, UserId, eduPersonTargetedID.old, eduPersonTargetedID, ImmutableID]
> 12:19:12.698 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseImmutableIDToAzure is active for principal ms1
> 12:19:12.698 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseImmutableIDToAzure is active for principal ms1
> 12:19:12.698 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute ImmutableID for principal ms1
> 12:19:12.704 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute ImmutableID has 1 values after filtering
> 12:19:12.705 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal ms1. The following attributes remain: [transientId, eduPersonScopedAffiliation, eduPersonTargetedID.old, eduPersonTargetedID, ImmutableID]
> 12:19:12.708 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:226] - Attribute ImmutableID was not encoded because no SAML2AttributeEncoder was attached to it.
> 12:19:12.719 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:523] - Retaining attribute ImmutableID which may be encoded to via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
> 12:19:12.724 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:573] - Removing attribute ImmutableID, it can not be encoded in to a name identifier of an acceptable format
>
> Ta,
> --
> Matthew Slowe
> Server Infrastructure Team e: [log in to unmask]
> IS, University of Kent t: +44 (0)1227 824265
> Canterbury, UK w: www.kent.ac.uk
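An added example, not part of this thread, for the check asked about above: given the raw 16-byte objectGUID that AD returns over LDAP, it derives the forms that value can take (the mixed-endian GUID string the AD tools display, a naive hex dump of the wire bytes, and the base64 form) and reports which of them, if any, a NameID or attribute value matches. The sample GUID bytes and candidate values are constructed.

```python
import base64
import re
import uuid
from typing import Dict, Optional

# Constructed sample: 16 raw bytes as AD returns objectGUID over LDAP (not a real account).
SAMPLE_OBJECTGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")


def guid_forms(raw: bytes) -> Dict[str, str]:
    """Return the representations an AD objectGUID can show up in.

    The familiar {8-4-4-4-12} string is mixed-endian: the first three fields
    are byte-swapped relative to the raw bytes, so a naive hex dump of the
    wire bytes does not equal the string shown by ADUC or PowerShell.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    canonical = str(uuid.UUID(bytes_le=raw))      # as AD tools display it
    return {
        "canonical": canonical,
        "canonical_hex": canonical.replace("-", ""),
        "raw_hex": raw.hex(),                     # naive dump, wire order
        "base64": base64.b64encode(raw).decode(), # base64 of the raw bytes
    }


def normalize(candidate: str) -> str:
    """Strip SAML/GUID decoration: leading '_', braces, hyphens, whitespace, case."""
    stripped = candidate.strip().lstrip("_").strip("{}")
    return re.sub(r"[-\s]", "", stripped).lower()


def matches_objectguid(candidate: str, raw: bytes) -> Optional[str]:
    """Return the name of the objectGUID form `candidate` equals, or None.

    A transient-format NameID is a random per-session handle, so it is not
    expected to match any of these forms.
    """
    forms = guid_forms(raw)
    if candidate.strip() == forms["base64"]:      # base64 compared verbatim
        return "base64"
    norm = normalize(candidate)
    for key in ("canonical_hex", "raw_hex"):
        if norm == forms[key]:
            return key
    return None


if __name__ == "__main__":
    print(guid_forms(SAMPLE_OBJECTGUID))
    print(matches_objectguid("{67452301-AB89-EFCD-0123-456789ABCDEF}", SAMPLE_OBJECTGUID))
    print(matches_objectguid("_ed96dd0c72e397f07f07e56fcd825fd7", SAMPLE_OBJECTGUID))
```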