By: Jonny Ehrnberg user 19 May 2022 at 8:46 a.m. CDT

2 Responses
We are trying to stop the attribute mail from being released to an SP but GluuReleaseAttributesPostProcessor seems to override our settings in attribute-filter-custom.xml. This rule works fine in Gluu server v.4.1.1.

**Snippet from attribute-filter-custom.xml:**

```xml
<AttributeFilterPolicy id="Stoppa mail till NAIS">
    <PolicyRequirementRule xsi:type="Requester" value="https://www.nais.uhr.se/shibboleth" />
    <AttributeRule attributeID="mail">
        <DenyValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

**Snippet from idp-process.log:**

```
2022-05-19 13:16:29,689 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:126] - Attribute Filter Policy 'Stoppa mail till NAIS' Policy is active for this request
2022-05-19 13:16:29,689 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:153] - Attribute Filter Policy 'Stoppa mail till NAIS' Applying attribute filter policy to current set of attributes: [schacHomeOrganization, norEduPersonNIN, eduPersonPrincipalName, schacHomeOrganizationType, givenName, c, cn, co, mail, schacDateOfBirth, sn, schacPersonalUniqueCode, o, eduPersonScopedAffiliation, personalIdentityNumber, norEduOrgAcronym, eduPersonAffiliation, countryName, uid]
2022-05-19 13:16:29,689 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:183] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6267346604a951675062a6827202dbf3' Filtering values for attribute 'mail' which currently contains 1 values
2022-05-19 13:16:29,689 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:201] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6267346604a951675062a6827202dbf3' Filter has denied the release of 1 values for attribute 'mail'
2022-05-19 13:16:29,689 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute schacHomeOrganization values
2022-05-19 13:16:29,689 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'norEduPersonNIN' remained after filtering
2022-05-19 13:16:29,690 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'eduPersonPrincipalName' remained after filtering
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute schacHomeOrganizationType values
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'givenName' remained after filtering
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute c values
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'cn' remained after filtering
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute co values
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute mail values
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute schacDateOfBirth values
2022-05-19 13:16:29,692 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'sn' remained after filtering
2022-05-19 13:16:29,692 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute schacPersonalUniqueCode values
2022-05-19 13:16:29,692 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute o values
2022-05-19 13:16:29,692 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute eduPersonScopedAffiliation values
2022-05-19 13:16:29,692 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'personalIdentityNumber' remained after filtering
2022-05-19 13:16:29,692 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute norEduOrgAcronym values
2022-05-19 13:16:29,692 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute eduPersonAffiliation values
2022-05-19 13:16:29,693 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute countryName values
2022-05-19 13:16:29,693 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute uid values
2022-05-19 13:16:29,697 - 10.1.100.227 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:136] - Profile Action PopulateProfileInterceptorContext: Installing post-authn flow intercept/gluu-release-attributes-post-processor into interceptor context
2022-05-19 13:16:29,727 - 10.1.100.227 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2022-05-19 13:16:29,727 - 10.1.100.227 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/gluu-release-attributes-post-processor for applicability...
2022-05-19 13:16:29,728 - 10.1.100.227 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/gluu-release-attributes-post-processor
2022-05-19 13:16:29,751 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:62] - Executing external IDP script
2022-05-19 13:16:29,751 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: uid
2022-05-19 13:16:29,751 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: personalIdentityNumber
2022-05-19 13:16:29,751 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: mail
2022-05-19 13:16:29,752 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: norEduPersonNIN
2022-05-19 13:16:29,752 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: givenName
2022-05-19 13:16:29,752 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: eduPersonPrincipalName
2022-05-19 13:16:29,752 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: cn
2022-05-19 13:16:29,752 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: sn
2022-05-19 13:16:29,752 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:93] - Using default release attributes post processor
2022-05-19 13:16:29,753 - 10.1.100.227 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.WriteProfileInterceptorResultToStorage:69] - Profile Action WriteProfileInterceptorResultToStorage: No results available from interceptor context, nothing to store
2022-05-19 13:16:29,754 - 10.1.100.227 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:65] - Profile Action SelectProfileInterceptorFlow: Moving completed flow intercept/gluu-release-attributes-post-processor to completed set, selecting next one
2022-05-19 13:16:29,754 - 10.1.100.227 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:80] - Profile Action SelectProfileInterceptorFlow: No flows available to choose from
```

Do you have any ideas how to solve this problem?

By Mohib Zico staff 19 May 2022 at 10:52 p.m. CDT

Hello Jonny,

Two points:

1. Customization-related issues are not covered in community support.
2. I do not have much idea what `attribute-filter-custom.xml` is, but velocity templates are inside `identity.war` now. From that location (extract identity.war --> then go to `WEB-INF/lib` --> extract `oxtrust-configuration-4.x.x.Final.jar` --> go to `META-INF/shibboleth3/idp` --> all velocity template files), identity is generating configuration files and inserting them into the working file system.

By Jonny Ehrnberg user 20 May 2022 at 1:57 a.m. CDT

Hello. I don't think this is a question about customization but more a question about changed behavior in the bundled Shibboleth-IdP in Gluu server. GluuReleaseAttributesPostProcessor seems to be forcing the release of the attribute 'mail' and not all SPs are happy with that. This problem was not there in version 4.1.1. To deny the release of an attribute is a basic part of what Shibboleth should be able to handle and now GluuReleaseAttributesPostProcessor messes that up for us.
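
Added example (not part of the original thread, and not Gluu or Shibboleth code): a Python check that scans idp-process.log lines in the format quoted in the first post and flags attributes the attribute filter reported as denied or not permitted but that GluuReleaseAttributesPostProcessor lists afterwards. The sample lines are abridged from that log; `find_overrides` is a hypothetical helper name, and it assumes requests from one client IP do not interleave in the log.

```python
import re

# timestamp - client IP - LEVEL [logger:line] - message
LINE = re.compile(r"^\S+ \S+ - (?P<ip>\S+) - \w+ +\[(?P<src>[^\]]+)\] - (?P<msg>.*)$")
# Both ways the filter engine reports that an attribute must not leave the IdP
BLOCKED = re.compile(r"Filter has denied the release of \d+ values for attribute '([^']+)'"
                     r"|no policy permitted release of attribute (\S+) values")
POST_ATTR = re.compile(r"^-+attr: (\S+)$")
FILTER_PKG = "net.shibboleth.idp.attribute.filter."
POST_CLASS = "org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor"

# Sample input abridged from the idp-process.log excerpt in the first post
SAMPLE_LOG = """\
2022-05-19 13:16:29,689 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:201] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6267346604a951675062a6827202dbf3' Filter has denied the release of 1 values for attribute 'mail'
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'givenName' remained after filtering
2022-05-19 13:16:29,691 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute mail values
2022-05-19 13:16:29,693 - 10.1.100.227 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute uid values
2022-05-19 13:16:29,751 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:62] - Executing external IDP script
2022-05-19 13:16:29,751 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: uid
2022-05-19 13:16:29,751 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: mail
2022-05-19 13:16:29,752 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:88] - ------------------------attr: givenName
2022-05-19 13:16:29,752 - 10.1.100.227 - INFO [org.gluu.idp.consent.processor.GluuReleaseAttributesPostProcessor:93] - Using default release attributes post processor
"""

def find_overrides(log_text):
    """Return (client_ip, attribute) pairs that the filter blocked but the
    post-processor listed later in the same request."""
    blocked = {}   # client IP -> attributes the filter refused to release
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ip, src, msg = m["ip"], m["src"], m["msg"]
        if src.startswith(FILTER_PKG):
            b = BLOCKED.search(msg)
            if b:
                blocked.setdefault(ip, set()).add(b.group(1) or b.group(2))
        elif src.startswith(POST_CLASS):
            a = POST_ATTR.match(msg)
            if a and a.group(1) in blocked.get(ip, ()):
                findings.append((ip, a.group(1)))
            elif msg.startswith("Using default release attributes post processor"):
                blocked.pop(ip, None)   # end of this request's listing
    return findings

if __name__ == "__main__":
    for ip, attr in find_overrides(SAMPLE_LOG):
        print(f"{ip}: '{attr}' blocked by filter, listed by post-processor")
```

In the full excerpt from the first post, the attributes that are both blocked by the filter and listed by the post-processor are the same two: `uid` and `mail`.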