Identity Provider / IDP-871

Attribute release flow fails if no AttributeContext is present


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.0
    • Fix Version/s: 3.2.1, 3.3.0
    • Component/s: Attribute Consent
    • Labels:
      None
    • Environment:

      Windows Server 2008R2 x64

      Description

      Add 'cn' attribute definition to attribute-resolver.xml
      <resolver:AttributeDefinition id="cn" xsi:type="ad:Simple" sourceAttributeID="cn">
          <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
          <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
      </resolver:AttributeDefinition>

      Add attribute to attribute-filter.xml to the AttributeFilterPolicy section.

      <AttributeFilterPolicy id="example1">
          <PolicyRequirementRule xsi:type="OR"> ... </PolicyRequirementRule>
          <AttributeRule attributeID="cn">
              <PermitValueRule xsi:type="ANY" />
          </AttributeRule>
      </AttributeFilterPolicy>

      Configure NameId to use cn value in saml-nameid.xml in the shibboleth.SAML2NameIDGenerators list

      <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'cn'} }" />

      Log says:
      2015-11-24 15:45:41,871 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/attribute-release
      2015-11-24 15:45:42,059 - DEBUG [net.shibboleth.idp.consent.storage.impl.ConsentSerializer:104] - symbolics '{postOfficeBox=115, commonName=105, eduPersonPrimaryAffiliation=305, eduPersonNickname=302, mobileNumber=103, title=112, initials=118, preferredLanguage=205, eduPersonPrimaryOrgUnitDN=306, eduPersonEntitlement=301, street=109, homePhone=101, departmentNumber=200, employeeType=203, eduPersonScopedAffiliation=308, employeeNumber=202, jpegPhoto=204, postalCode=114, postalAddress=113, eduPersonOrgDN=303, pagerNumber=104, eduPersonPrincipalName=307, eduPersonAffiliation=300, stateProvince=108, homePostalAddress=102, surname=106, displayName=201, eduPersonAssurance=309, email=100, locality=107, eduPersonOrgUnitDN=304, telephoneNumber=116, givenName=117, organizationalUnit=111, organizationName=110}'
      2015-11-24 15:45:42,199 - DEBUG [net.shibboleth.idp.consent.flow.impl.InitializeConsentContext:47] - Profile Action InitializeConsentContext: Created consent context 'ConsentContext{previousConsents={}, chosenConsents={}}'
      2015-11-24 15:45:42,215 - DEBUG [net.shibboleth.idp.consent.flow.ar.impl.InitializeAttributeReleaseContext:47] - Profile Action InitializeAttributeReleaseContext: Created attribute release context 'AttributeReleaseContext{consentableAttributes={}}'
      2015-11-24 15:45:42,231 - DEBUG [net.shibboleth.idp.consent.flow.ar.impl.AbstractAttributeReleaseAction:148] - Profile Action PopulateAttributeReleaseContext: Found attributeContext 'null'
      2015-11-24 15:45:42,231 - ERROR [net.shibboleth.idp.consent.flow.ar.impl.AbstractAttributeReleaseAction:150] - Profile Action PopulateAttributeReleaseContext: Unable to locate attribute context
      2015-11-24 15:45:42,246 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileContext

        Attachments

        1. idp-process.log
          66 kB
          roboburned@idp.protectnetwork.org
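
The failure sequence in the log excerpt above can be matched mechanically when triaging an idp-process.log. This is an added example, not part of the original report or of Shibboleth's code: the function names are hypothetical, the sample lines are copied from the excerpt with the symbolics map shortened, and entries are correlated by order only because the excerpt shows no session identifier.

```python
import re
from datetime import datetime

# Layout seen in the excerpt: "<ts> - <LEVEL> [<logger>:<line>] - <message>"
ENTRY = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (?P<level>[A-Z]+)\s+"
                   r"\[(?P<logger>[\w.$]+):\d+\] - (?P<msg>.*)$")

def parse_entries(text):
    """Yield one dict per entry; lines without a timestamp continue the previous entry."""
    current = None
    for raw in (line.strip() for line in text.splitlines()):
        m = ENTRY.match(raw)
        if m:
            if current:
                yield current
            current = m.groupdict()
            current["ts"] = datetime.strptime(current["ts"], "%Y-%m-%d %H:%M:%S,%f")
        elif current and raw:
            current["msg"] += " " + raw
    if current:
        yield current

def find_missing_attribute_context(text):
    """Return one finding per attribute-release run that ended in the error sequence.
    Assumption: entries are correlated by order, since the excerpt has no session id."""
    findings, run = [], None
    for e in parse_entries(text):
        if "Selecting flow intercept/attribute-release" in e["msg"]:
            run = {"selected": e["ts"], "null_context": False, "error": None}
        elif run and "Found attributeContext 'null'" in e["msg"]:
            run["null_context"] = True
        elif run and e["level"] == "ERROR" and "Unable to locate attribute context" in e["msg"]:
            run["error"] = e["ts"]
        elif run and run["error"] and e["level"] == "WARN" and "error event occurred" in e["msg"]:
            run["event"] = e["msg"].rsplit(": ", 1)[-1]
            findings.append(run)
            run = None
    return findings

# Constructed sample: lines copied from the excerpt, symbolics map shortened.
SAMPLE = """\
2015-11-24 15:45:41,871 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/attribute-release
2015-11-24 15:45:42,059 - DEBUG [net.shibboleth.idp.consent.storage.impl.ConsentSerializer:104] - symbolics '
{commonName=105, email=100}'
2015-11-24 15:45:42,231 - DEBUG [net.shibboleth.idp.consent.flow.ar.impl.AbstractAttributeReleaseAction:148] - Profile Action PopulateAttributeReleaseContext: Found attributeContext 'null'
2015-11-24 15:45:42,231 - ERROR [net.shibboleth.idp.consent.flow.ar.impl.AbstractAttributeReleaseAction:150] - Profile Action PopulateAttributeReleaseContext: Unable to locate attribute context
2015-11-24 15:45:42,246 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileContext
"""
```

Each finding records when the flow was selected, whether the null context was logged, when the error fired, and the resulting event name.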

          Activity

            People

            Assignee:
            tzeller@shibboleth.net Tom Zeller
            Reporter:
            roboburned@idp.protectnetwork.org roboburned@idp.protectnetwork.org
            Watchers:
            3

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 30m