Attributes not being released despite attribute-filter.xml #45

Open
lhoekenga opened this issue Jun 1, 2017 · 2 comments

@lhoekenga

lhoekenga commented Jun 1, 2017

The only attributes being released in my installation are sub, preferred_username, and email.

I can't figure it out. Here's "family_name", for example:

attribute-resolver.xml:

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="family_name" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP"/>
        <resolver:DisplayName xml:lang="en">Last Name</resolver:DisplayName>
    </resolver:AttributeDefinition>

attribute-filter.xml:

    <AttributeFilterPolicy id="oidcDefault">
        <PolicyRequirementRule xsi:type="Requester" value="client" />
        ...
        <AttributeRule attributeID="family_name">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        ...
    </AttributeFilterPolicy>

    2017-06-01 16:30:16,583 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:168] - x.x.x.x - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_42307a9728ebd21ca2ca88247b5e2460' Filtering values for attribute 'family_name' which currently contains 1 values
    2017-06-01 16:30:16,583 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:177] - x.x.x.x - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_42307a9728ebd21ca2ca88247b5e2460' Filter has permitted the release of 1 values for attribute 'family_name'
    2017-06-01 16:30:16,608 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:189] - x.x.x.x - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'family_name' remained after filtering
    2017-06-01 16:30:20,985 - DEBUG [net.shibboleth.idp.consent.flow.ar.impl.ReleaseAttributes:94] - x.x.x.x - Profile Action ReleaseAttributes: Releasing attributes '{umichUniqueId=IdPAttribute{id=umichUniqueId, displayNames={}, displayDescriptions={}, encoders=[], values=[StringAttributeValue{value=a428e55d-387f-424e-880d-25b800a84ea8
    }]}, umichCosignFactor=IdPAttribute{id=umichCosignFactor, displayNames={}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder@952f3be5, net.shibboleth.idp.saml.attribute.encoding.impl.SAML1StringAttributeEncoder@30a3444c], values=[StringAttributeValue{value=UMICH.EDU}]}, family_name=IdPAttribute{id=family_name, displayNames={en=Last Name}, displayDescriptions={}, encoders=[], values=[StringAttributeValue{value=Jensen}]}, email=IdPAttribute{id=email, displayNames={en=E-mail}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder@7af7b1d5, net.shibboleth.idp.saml.attribute.encoding.impl.SAML1StringAttributeEncoder@61ffc98a, net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder@c68bc123], values=[StringAttributeValue{value=[email protected]}]}}'
    {"sub":"bjensen","name":null,"preferred_username":"bjensen","given_name":null,"family_name":null,"middle_name":null,"nickname":null,"profile":null,"picture":null,"website":null,"gender":null,"zoneinfo":null,"locale":null,"updated_at":null,"birthdate":null,"email":"[email protected]","email_verified":null,"phone_number":null,"phone_number_verified":null}

@lhoekenga

I appear to have the same problem when using the provided attribute-resolver.xml and attribute-filter.xml. The only attributes that receive a value are sub, preferred_username and email.

@lhoekenga

lhoekenga commented Sep 22, 2017

It appears to be an issue with shibboleth.consent.attribute-release.WhitelistedAttributeIDs in conf/intercept/consent-intercept-config.xml.
The distributed copy's definition is empty:

    <util:list id="shibboleth.consent.attribute-release.WhitelistedAttributeIDs">
        <!--
        <value>mail</value>
        -->
    </util:list>

It appears that if you do define any values on that list, the OIDC code will only release attributes listed there.

That's not how the SAML consent mechanism uses that list. Is this the intended behavior?
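
The check below is an added example, not part of the issue thread or the project's code. It assumes the behaviour reported in the last comment (a non-empty WhitelistedAttributeIDs list limits OIDC release to the IDs it lists) and reports which attributes an attribute-filter.xml policy permits but that list would then hold back; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

LIST_ID = "shibboleth.consent.attribute-release.WhitelistedAttributeIDs"

def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def whitelisted_ids(consent_xml):
    """IDs in the consent whitelist; commented-out <value> entries are ignored."""
    for el in ET.fromstring(consent_xml).iter():
        if local(el.tag) == "list" and el.get("id") == LIST_ID:
            return {v.text.strip() for v in el
                    if local(v.tag) == "value" and v.text and v.text.strip()}
    return set()

def permitted_ids(filter_xml, policy_id):
    """attributeIDs that have an AttributeRule in the named filter policy."""
    for pol in ET.fromstring(filter_xml).iter():
        if local(pol.tag) == "AttributeFilterPolicy" and pol.get("id") == policy_id:
            return [r.get("attributeID") for r in pol
                    if local(r.tag) == "AttributeRule" and r.get("attributeID")]
    return []

def suppressed(filter_xml, consent_xml, policy_id="oidcDefault"):
    """Assumed behaviour (as reported in the comment above): a non-empty
    whitelist limits OIDC release to the IDs it lists; an empty one does not."""
    allowed = whitelisted_ids(consent_xml)
    if not allowed:
        return []
    return [a for a in permitted_ids(filter_xml, policy_id) if a not in allowed]

# Constructed sample input, modelled on the snippets in this issue.
FILTER = """<AttributeFilterPolicyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="oidcDefault">
    <AttributeRule attributeID="family_name"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""
CONSENT = """<beans xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.consent.attribute-release.WhitelistedAttributeIDs">
    %s
  </util:list>
</beans>"""
DISTRIBUTED = CONSENT % "<!-- <value>mail</value> -->"  # list left empty
EDITED = CONSENT % "<value>email</value>"               # one ID whitelisted

if __name__ == "__main__":
    print({"distributed": suppressed(FILTER, DISTRIBUTED), "edited": suppressed(FILTER, EDITED)})
```

Any ID the check reports for a real pair of files passes attribute filtering but is missing from the consent whitelist, which is the mismatch the comment describes.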
