| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
docpublic:systemes:shibboleth:idpproxy [2021/06/09 14:48]
adminjp [Subject Principal] |
docpublic:systemes:shibboleth:idpproxy [2021/06/09 15:07] (current)
adminjp [pass-though attributes] |
| 2021-02-03 22:41:08,400 -- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:519] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute 'canonicalName' has 1 values after post-processing | 2021-02-03 22:41:08,400 -- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:519] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute 'canonicalName' has 1 values after post-processing |
| </code> | </code> |
| | |
| | but then, next log line, it fails : |
| | |
| | <code> |
| | 2021-02-03 22:41:08,408 -- ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception |
| | java.lang.NullPointerException: null |
| | at net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl.collectExportingDataConnectors(AttributeResolverImpl.java:542) |
| | 2021-02-03 22:41:08,413 -- INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:142] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/SAML to intermediate set |
| | </code> |
| | |
| | That was a bug in 4.0.1, shib-user list responded : // you can't use the exporting feature with connectors that produce no data until it's fixed. Just don't do the exporting trick for now if they occasionally produce no results.// |
| | |
| | Indeed , I don't use ldap attributes in the context of the IDPProxy, it just pass-through attributes sent from upstreamIDPs, |
| | so remove "myLDAP" Data connector from attribute-resolver.xml as it not necessary in that context (which produced no value, and hence the bug) |
| | |
| | then back to idp-preocess.log, the flow continues : |
| | |
| | <code> |
| | 2021-02-04 09:13:52,444 -- DEBUG [net.shibboleth.idp.authn.impl.AttributeSourcedSubjectCanonicalization:171] - Profile Action AttributeSourcedSubjectCanonicalization: Using attribute canonicalName string value jehan.procaccia@imtbs-tsp.eu as input to transforms |
| | 2021-02-04 09:13:52,445 -- DEBUG [net.shibboleth.idp.authn.AbstractSubjectCanonicalizationAction:218] - Profile Action AttributeSourcedSubjectCanonicalization: trimming whitespace of input string 'jehan.procaccia@imtbs-tsp.eu' |
| | 2021-02-04 09:13:52,451 -- DEBUG [net.shibboleth.idp.authn.impl.FinalizeAuthentication:118] - Profile Action FinalizeAuthentication: Canonical principal name was established as 'jehan.procaccia@imtbs-tsp.eu' |
| | 2021-02-04 09:13:52,456 -- DEBUG [net.shibboleth.idp.session.impl.UpdateSessionWithAuthenticationResult:222] - Profile Action UpdateSessionWithAuthenticationResult: Creating new session for principal jehan.procaccia@imtbs-tsp.eu |
| | </code> |
| | |
| | ===== pass-though attributes ===== |
| | |
| | ThenI encontered an issue regarding pass-through attributes, only the subject Princicpal was transmetted to the SP : |
| | |
| | <code> |
| | 2021-02-04 09:13:52,451 -- DEBUG [net.shibboleth.idp.authn.impl.FinalizeAuthentication:118] - Profile Action FinalizeAuthentication: Canonical principal name was established as 'jehan.procaccia@imtbs-tsp.eu' |
| | 2021-02-04 09:13:52,500 - 157.159.52.132 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:139] - Attribute Definition 'uid': produced an attribute with the following values [StringAttributeValue{value=jehan.procaccia@imtbs-tsp.eu}] |
| | </code> |
| | |
| | But the other ones resolved before => eduPersonPrincipalName, eduPersonScopedAffiliation, uid ; |
| | |
| | <code> |
| | 2021-02-04 09:13:52,301 -- DEBUG [net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:153] - Attribute Filter Policy 'saml-proxy-pass-through' Applying attribute filter policy to current set of attributes: [mail, eduPersonPrincipalName, eduPersonScopedAffiliation, uid] |
| | </code> |
| | |
| | got lost in the process . |
| | |
| | The solution was in the Doc : https://wiki.shibboleth.net/confluence/display/IDP4/SubjectDataConnector |
| | |
| | A new dataConnector for the IPD-proxy (attribute-resolver.xml) was needed : |
| | |
| | <code> |
| | <DataConnector id="passthroughAttributes" xsi:type="Subject" exportAttributes="mail givenName sn eduPersonAffiliation eduPersonPrincipalName" /> |
| | </code> |
| | |
| | there is no need to add to that Dataconnector a derivated AttributeDefinition , which I've done in the 1st place but then commented and it still worked fine |
| | |
| | :!: not needed :!: |
| | <code> |
| | <!-- <AttributeDefinition xsi:type="Simple" id="sn"> |
| | <InputDataConnector ref="passthroughAttributes" attributeNames="sn" /> |
| | </AttributeDefinition> --> |
| | </code> |
| | |
| | |
| | ===== Raw shibboleth-users ML threads ===== |
| | |
| | All this was possible thanks to the Mailing list shibboleth-users , cf this thread for details |
| | * https://marc.info/?t=161193758600001&r=1&w=2 |
