By: Hao Bin Kwan Account Admin 28 Feb 2017 at 11:47 a.m. CST

3 Responses
Hi, I'm trying to retrieve attributes from an external IDP with the following setup:

SP -> Shibboleth -> Interception script -> Asimba -> multiple IDP

Mr. Mohib suggested to uncomment the following from `asimba.xml` and it does help a little; now I'm able to obtain the uid attribute from the IDP.

```
<!--
<gather>
    <attribute name="whitelist-attribute-name" />
</gather>
-->
```

However, I'm still missing other attributes which I also need from the IDP (I already released them in "Asimba self" of Trust Relationship).

A few questions for asimba whitelist-attribute-name:

1. Can you briefly explain how this works and how I get more attributes from the IDP? (e.g. mail, displayname, department, etc.)
2. Right now I configured asimba and sp in trust relationship to release all of the attributes I wish to retrieve, so is there anywhere else I need to change?
3. uid is returned in the form of `[UserName] => !testqod5!!;testqod5` (as this user is 'enrolled' because saml_deployment_type = enroll). Why, and how can I get only a single username/uid?

I've also attached the log (from asimba to login to external idp) for your reference: http://pastebin.com/sEQvvTn0

Thank you.

By Aliaksandr Samuseu staff 28 Feb 2017 at 12:41 p.m. CST

Hi, Hao.

I believe you need to edit this part of the `asimba.xml` file and restart Tomcat:

```
<attributerelease class="com.alfaariss.oa.engine.attribute.release.configuration.ConfigurationFactory">
    <policy id="asimba.releasepolicy.1" friendlyname="Default Attribute Release policy" enabled="true">
        <attribute name="firstname" ></attribute>
        <attribute name="lastname" ></attribute>
        <attribute name="email" ></attribute>
        <attribute name="role" ></attribute>
        <attribute name="country" ></attribute> <!-- country is defined in <global ..> attribute section -->
        <!-- when all available attributes can be released, use the wildcard "*" for name, like:
        <attribute name="*" ></attribute>
        Asimba Baseline keeps the password in the same format as the attributes, so allowing
        all attributes to be released, would expose the password as well! -->
    </policy>
</attributerelease>
```

...to make it look like this:

```
<attributerelease class="com.alfaariss.oa.engine.attribute.release.configuration.ConfigurationFactory">
    <policy id="asimba.releasepolicy.1" friendlyname="Default Attribute Release policy" enabled="true">
        <attribute name="firstname" ></attribute>
        <attribute name="lastname" ></attribute>
        <attribute name="email" ></attribute>
        <attribute name="role" ></attribute>
        <attribute name="country" ></attribute>
        <attribute name="*" ></attribute> <!-- country is defined in <global ..> attribute section -->
        <!-- when all available attributes can be released, use the wildcard "*" for name, like:
        <attribute name="*" ></attribute>
        Asimba Baseline keeps the password in the same format as the attributes, so allowing
        all attributes to be released, would expose the password as well! -->
    </policy>
</attributerelease>
```

Note the additional element `<attribute name="*" ></attribute>` in the second snippet. It instructs to pass all attributes Asimba will receive from IdPs to the auth script. Then you can do whatever you want with them in the script, and additionally limit what is being sent to SPs by tweaking their TRs.

You shouldn't need to do anything else to release your attributes. Please try this for now, and let me know when you'll have a working setup, then we can proceed to your last issue.
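
An added example, not part of the reply above and not Gluu or Asimba project code: a Python check that parses the `<attributerelease>` section and lists enabled policies that release `name="*"`, the setting the XML comment warns would expose the password as well. The `<config>` root element, the second policy, and treating a missing `enabled` attribute as enabled are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy from the reply above, wrapped in a
# hypothetical <config> root so it parses on its own, plus a constructed
# disabled policy to show that disabled wildcards are not reported.
SAMPLE_ASIMBA_XML = """
<config>
  <attributerelease class="com.alfaariss.oa.engine.attribute.release.configuration.ConfigurationFactory">
    <policy id="asimba.releasepolicy.1" friendlyname="Default Attribute Release policy" enabled="true">
      <attribute name="firstname" ></attribute>
      <attribute name="email" ></attribute>
      <attribute name="*" ></attribute>
      <!-- <attribute name="ignored" ></attribute> stays commented out -->
    </policy>
    <policy id="example.disabled" friendlyname="Constructed disabled policy" enabled="false">
      <attribute name="*" ></attribute>
    </policy>
  </attributerelease>
</config>
"""

def audit_release_policies(xml_text):
    """Return one finding per release policy: id, enabled, names, wildcard."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("attributerelease"):
        for policy in section.findall("policy"):
            # XML comments are dropped by the parser, so only live
            # <attribute> elements are counted here.
            names = [a.get("name", "") for a in policy.findall("attribute")]
            findings.append({
                "id": policy.get("id"),
                # Assumption: a missing "enabled" attribute means enabled.
                "enabled": policy.get("enabled", "true").lower() == "true",
                "attributes": names,
                "wildcard": "*" in names,
            })
    return findings

def risky_policies(xml_text):
    """IDs of enabled policies that release every attribute via name="*"."""
    return [f["id"] for f in audit_release_policies(xml_text)
            if f["enabled"] and f["wildcard"]]

if __name__ == "__main__":
    for f in audit_release_policies(SAMPLE_ASIMBA_XML):
        status = "WILDCARD" if f["enabled"] and f["wildcard"] else "ok"
        print(f'{f["id"]}: {status} {f["attributes"]}')
```
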

By Hao Bin Kwan Account Admin 28 Feb 2017 at 8:50 p.m. CST

Hi Aliaksandr,

In fact, before I uncommented `<gather>...</gather>`, I had already added `<attribute name="*" ></attribute>` in `asimba.xml`, but it still only returns uid.

This is my `asimba.xml` setup (link from other post): [https://support.gluu.org/single-sign-on/3787/asimba-multipe-sp-and-multiple-idp-setup/#at19725](https://support.gluu.org/single-sign-on/3787/asimba-multipe-sp-and-multiple-idp-setup/#at19725)

Please note that on the previous setup, where the SP connects directly to Asimba, I'm able to retrieve attributes from the IDP with `<attribute name="*" ></attribute>` in `asimba.xml`.

By Hao Bin Kwan Account Admin 01 Mar 2017 at 2:36 a.m. CST

I managed to get the attributes returned from the IDP already; it is the `saml_idp_attributes_mapping` that I need to update and change accordingly. Thanks for the help!