IDP-714

PersistentSAML2NameIDGenerator fails to see attributes not being released


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.1.1
    • Fix Version/s: None
    • Labels: None
    • Environment:

      IdP 3.1.1
      Tomcat 7
      CentOS 6.6
      OpenJDK 1.7.0_75

      Description

      Hi,

      I'm trying to get my head around using persistent ID as a NameID instead of the eduPersonTargetedID attribute (OID 1.3.6.1.4.1.5923.1.1.1.10).

      I've started editing saml-nameid.properties and saml-nameid.xml - uncommenting the bean ref `<ref bean="shibboleth.SAML2PersistentGenerator" />` and setting

      idp.persistentId.sourceAttribute
      idp.persistentId.salt

      and also setting

      idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

      I used `uid` as the source attribute. I already had uid imported as an IdP attribute from LDAP (`<resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">`), but PersistentSAML2NameIDGenerator was failing with:

      2015-05-05 15:32:04,840 - DEBUG [net.shibboleth.idp.saml.nameid.impl.PersistentSAML2NameIDGenerator:189] - Checking for source attribute uid
      2015-05-05 15:32:04,841 - INFO [net.shibboleth.idp.saml.nameid.impl.PersistentSAML2NameIDGenerator:218] - Attribute sources [uid] did not produce a usable source identifier

      It started working after I explicitly released the attribute in attribute-filter.xml.

      I can see in PersistentSAML2NameIDGenerator.getIdentifier() that the attribute is being looked up in the AttributeContext retrieved from the ProfileContext.

      I would understand why the attribute is not found if the attribute filter removes it, but to me as a deployer, this seems to be a bug.

      I should be able to define PersistentNameID based on a source attribute without having to release the source attribute.

      I can still imagine a workaround like defining the attribute without any encoder, but that makes it a hack...

      Did I get right what's happening?

      And is there a reasonable fix for it?

      Thanks a lot in advance for getting back to me!

      Cheers,
      Vlad
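The workaround described in the report, written out as an added example (not part of the issue or of the Shibboleth project's shipped configuration): the `uid` attribute is defined with no encoder, so it is never placed in an assertion, and a filter policy releases it to every relying party so that PersistentSAML2NameIDGenerator finds it in the filtered AttributeContext. The `myLDAP` connector id and the policy id are assumptions; the `afp:`/`basic:` prefixed syntax is the filter syntax IdP 3.1 shipped with.

```xml
<!-- attribute-resolver.xml: source attribute for the persistent NameID.
     No <resolver:AttributeEncoder> is declared, so the value is never
     encoded into an assertion even when the filter releases it.
     "myLDAP" is an assumed DataConnector id. -->
<resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release uid to every requester so that the
     generator sees it in the AttributeContext after filtering.
     The policy id is an assumed name. -->
<afp:AttributeFilterPolicy id="releaseUidForPersistentNameID">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="uid">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Because the definition carries no encoder, the unconditional release only makes the value visible to the NameID generator; it does not add a uid attribute to assertions sent to SPs.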

            People

            Assignee:
            cantor.2@osu.edu Scott Cantor
            Reporter:
            vme28@canterbury.ac.nz Vladimir Mencl
            Watchers: 2
