By: Thomas Maerz user 25 Jul 2016 at 9:58 p.m. CDT

3 Responses
I'm having some trouble releasing custom attributes to TR without duplicating them. I'm trying to release custom attributes firstname, lastname and email to an SP. They don't follow SAML conventions, so it can't have all this OID stuff in there; they want it really simple, like this:

```
<resolver:AttributeDefinition xsi:type="ad:Simple" id="webexFirstName" sourceAttributeID="givenName">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="firstname" />
</resolver:AttributeDefinition>
```

I think the friendlyNames that Gluu puts in there are stopping it from working for me. Basically my issue is I'm not sure exactly how the VM templates are supposed to be working. If I just put my desired attributes into attribute-resolver.xml and attribute-filter.xml directly, it works, but this is less than ideal because it will get overwritten. Similarly, if I put them into attribute-resolver.xml.vm with no logic, don't release the attributes in the GUI, and write an if statement in the filter so it only releases to my intended SP, it works, but this is also a pain to configure.

I can't seem to get the Velocity template to handle the attributes so that they don't get written to attribute-resolver.xml twice. When this happens, all the XML pages and the whole Shibboleth page go blank and `idp-process.log` fills up with messages like:

```
Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: Duplicate key value [webexEmail] declared for identity constraint of element "AttributeResolver".
```

I've also tried configuring it like this, but it also doesn't work:

```
#if( ! ($attribute.name.equals('webexEmail') or $attribute.name.equals('webexLastName') or $attribute.name.equals('webexFirstName') ) )
<resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" />
</resolver:AttributeDefinition>
#end
```

```
<!-- WebEx Attribute definitions -->
#if( ! ($attribute.name.equals('webexEmail') ) )
<resolver:AttributeDefinition xsi:type="ad:Simple" id="webexEmail" sourceAttributeID="mail">
    <resolver:Dependency ref="siteLDAP"></resolver:Dependency>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email" />
</resolver:AttributeDefinition>
#end
#if( ! ($attribute.name.equals('webexFirstName') ) )
<resolver:AttributeDefinition xsi:type="ad:Simple" id="webexFirstName" sourceAttributeID="givenName">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="firstname" />
</resolver:AttributeDefinition>
#end
#if( ! ($attribute.name.equals('webexLastName') ) )
<resolver:AttributeDefinition xsi:type="ad:Simple" id="webexLastName" sourceAttributeID="sn">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="lastname" />
</resolver:AttributeDefinition>
#end
```

Am I way off base here?

By Aliaksandr Samuseu staff 26 Jul 2016 at 6:23 a.m. CDT

Hi, Thomas. If you need the attributes you are adding to the template to not be duplicated (and you need this), you should add the name of each of your attributes to this segment already present in your `/opt/tomcat/conf/shibboleth2/idp/attribute-resolver.xml.vm`, like this:

```
#foreach( $attribute in $attrParams.attributes )
    #if( ! ( $attribute.name.equals('transientId') or $attribute.name.equals('persistentId') or $attribute.name.equals('yourCustomAttribute') ) )
```

Then you just add your complete custom attribute definition here:

```
    #end
#end

YOUR_CUSTOM_ATTRIBUTE_DEFINITION_GOES_HERE

<!-- Name Identifier related attributes -->
```

You shouldn't need to edit `attribute-filter`, neither the template nor the actual file, though. When you add your custom attribute to the list of attributes to release in the web UI, it will add it to `attribute-filter` for you. But due to the exception you created by modifying the `#if` section above, it won't be added to `attribute-resolver`, and your fixed definition will be used instead.

Regards, Alex.
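
The mechanism described in the answer above, as an added example that is not part of this thread and not Gluu's own code: a small Python model of how the `#foreach` / `#if` section of `attribute-resolver.xml.vm` is rendered, plus the check a practitioner would want to run on the generated `attribute-resolver.xml` before restarting the IdP. The per-attribute block and the `$attrParams` structure are simplified to plain Python data; `SAMPLE_RELEASED`, `DEFAULT_EXCLUDED`, `SAMPLE_CUSTOM` and the function names are constructed for this example. It shows that leaving the custom name out of the `#if` produces two `AttributeDefinition` elements with id `webexEmail`, which is the identity-constraint violation in the log excerpt, and that adding the name to the `#if` removes the duplicate.

```python
"""Added example (not Gluu's code): model the rendering of attribute-resolver.xml.vm
and check the result for duplicate AttributeDefinition ids, the condition the
Shibboleth IdP rejects with 'Duplicate key value [...] declared for identity constraint'.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
AD_NS = "urn:mace:shibboleth:2.0:resolver:ad"
ENC_NS = "urn:mace:shibboleth:2.0:attribute:encoder"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed stand-in for $attrParams.attributes / attributeSAML2Strings:
# attribute name -> SAML2 encoder name, as oxTrust supplies for released attributes.
SAMPLE_RELEASED = {
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "webexEmail": "email",
}
# Names the stock template's #if already skips.
DEFAULT_EXCLUDED = frozenset({"transientId", "persistentId"})
# Hand-written definitions appended after the #foreach loop: (id, sourceAttributeID, SAML2 name).
SAMPLE_CUSTOM = [("webexEmail", "mail", "email")]


def generic_definition(name, saml2_name):
    """One block as the template's #foreach loop emits it (simplified to the SAML2 encoder)."""
    return (
        f'  <resolver:AttributeDefinition xsi:type="ad:Simple" id="{name}" sourceAttributeID="{name}">\n'
        f'    <resolver:Dependency ref="siteLDAP" />\n'
        f'    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="{saml2_name}" friendlyName="{name}" />\n'
        "  </resolver:AttributeDefinition>\n"
    )


def custom_definition(attr_id, source, saml2_name):
    """A hand-written block: bare SAML2 name and no friendlyName, as the SP in the thread wants."""
    return (
        f'  <resolver:AttributeDefinition xsi:type="ad:Simple" id="{attr_id}" sourceAttributeID="{source}">\n'
        f'    <resolver:Dependency ref="siteLDAP" />\n'
        f'    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="{saml2_name}" />\n'
        "  </resolver:AttributeDefinition>\n"
    )


def render_resolver(released, excluded, custom):
    """Mimic the template: a generic block for every released attribute whose name is
    not in `excluded`, then the custom blocks verbatim."""
    body = "".join(generic_definition(n, s) for n, s in released.items() if n not in excluded)
    body += "".join(custom_definition(*c) for c in custom)
    return (
        f'<resolver:AttributeResolver xmlns:resolver="{RESOLVER_NS}" xmlns:ad="{AD_NS}" '
        f'xmlns:enc="{ENC_NS}" xmlns:xsi="{XSI_NS}">\n{body}</resolver:AttributeResolver>\n'
    )


def duplicate_ids(xml_text):
    """Return the sorted list of AttributeDefinition ids that occur more than once.
    Any non-empty result means the IdP will refuse to load the resolver configuration."""
    root = ET.fromstring(xml_text)
    ids = [e.get("id") for e in root.iter(f"{{{RESOLVER_NS}}}AttributeDefinition")]
    return sorted(i for i, n in Counter(ids).items() if n > 1)


def check_file(path):
    """Run the duplicate check on a rendered attribute-resolver.xml before restarting the IdP."""
    with open(path, encoding="utf-8") as fh:
        return duplicate_ids(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        dups = check_file(sys.argv[1])
        print("duplicate ids:", dups or "none")
        sys.exit(1 if dups else 0)
    # Custom name NOT added to the template's #if: the loop emits webexEmail and so does the custom block.
    print("without exclusion:", duplicate_ids(render_resolver(SAMPLE_RELEASED, DEFAULT_EXCLUDED, SAMPLE_CUSTOM)))
    # Custom name added to the #if, as the answer describes: only the hand-written block remains.
    print("with exclusion:   ", duplicate_ids(render_resolver(SAMPLE_RELEASED, DEFAULT_EXCLUDED | {"webexEmail"}, SAMPLE_CUSTOM)))
```

Run it with no arguments to see the two cases from the thread side by side, or pass the path of a rendered `attribute-resolver.xml` to get a non-zero exit status whenever duplicate ids are present, which is cheaper than discovering the blank Shibboleth pages after a restart.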

By Thomas Maerz user 26 Jul 2016 at 10:03 a.m. CDT

I believe I tried that, but what I did (that didn't work) was add another if statement in the foreach block, because I wanted to release a barebones response for WebEx:

```
#foreach( $attribute in $attrParams.attributes )
    #if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('webexID') ) )
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="$attrParams.attributeSAML1Strings.get($attribute.name)" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" friendlyName="$attribute.name" />
    </resolver:AttributeDefinition>
    #end
    #if( ! ($attribute.name.equals('webexEmail') or $attribute.name.equals('webexLastName') or $attribute.name.equals('webexFirstName') ) )
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" />
    </resolver:AttributeDefinition>
    #end
#end
```

Then I added the other ones below. I did try entering them bare with no if statement around them, and that didn't seem to work either. Perhaps they must all be in the same if block in that foreach statement.

Either way, I have found another way to do this which doesn't require editing the templates (at least not for the additional attributes). What I did was go into the oxTrust Attribute editor and, for each attribute, remove everything except the attribute name from SAML1String and SAML2String. That seems to have been enough to make WebEx accept it.

By Aliaksandr Samuseu staff 26 Jul 2016 at 3:06 p.m. CDT

> I believe I tried that, but what I did (that didn't work) was add another if statement in the foreach block because I wanted to release a barebones response for WebEx

I haven't tried it your way, but the one I suggested works 100% of the time if done correctly, so I would recommend using it if you need this again. That's how we add custom attributes and nameids all the time.

> What I did was go into oxTrust Attribute editor and for each attribute remove everything except the attribute name from SAML1String and SAML2String. That seems to have been enough to make WebEx accept it

Interesting finding. I believe there are quite a few mandatory fields on the editor's page which won't allow you to save your attribute if left empty.