Hi,
I think that's not a cause. See for example "surname":
[2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['sn', 'surname']: no value found
but it appears in the approved attr list.
For example: if I use the static attribute microservice for both surname and my customtenantid,
then surname is released but not customtenantid.
So I guess there is something with that filter (approved list), but I cannot figure it out.
I also tested, for example, schacGender:
schacGender:
  saml: [schacGender]
which exists in the mapping, and it's the same situation.
Thanks,
Janusz
________________________________
From: Ivan Kanakarakis <ivan.kanak at gmail.com>
Sent: Tuesday 21 July 2020 12:32
To: Janusz Ulanowski <janusz.ulanowski at heanet.ie>
Cc: Giuseppe De Marco <giuseppe.demarco at unical.it>; satosa-users at
lists.sunet.se <satosa-users at lists.sunet.se>
Subject: Re: [satosa-users] custom attribute
hello,
the attribute seems to be in the set of <RequestedAttribute>s in the
service's metadata.
However, the IdP seems not to be returning any value for this attribute, see
[2020-07-21 10:57:20,623] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['customtenantid']: no value found
Is the IdP sending it? Is there really a value for that attribute?
On Tue, 21 Jul 2020 at 14:07, Janusz Ulanowski
<janusz.ulanowski at heanet.ie> wrote:
>
> Hi,
> Thank you.
> see "customtenantid" attr name.
>
> I think logging is set to maximum:
> #########################
> LOGGING:
>   ....
>   loggers:
>     satosa:
>       level: DEBUG
>     saml2:
>       level: DEBUG
>     oidcendpoint:
>       level: DEBUG
>     pyop:
>       level: DEBUG
>     oic:
>       level: DEBUG
>   root:
>     level: DEBUG
> ######################
>
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['postaladdress']: no value found
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['displayName']: no value found
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['eduPersonTargetedID'] mapped to edupersontargetedid
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['givenName']: no value found
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['mail', 'email'] mapped to mail
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['cn']: no value found
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['schacPersonalTitle']: no value found
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['sn', 'surname']: no value found
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['eduPersonPrincipalName', 'eppn'] mapped to eppn
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['o', 'organizationName'] mapped to organizationName
> [2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['schacHomeOrganization'] mapped to schacHomeOrganization
> [2020-07-21 10:57:20,623] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['customtenantid']: no value found
> [2020-07-21 10:57:20,623] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:65b32c93-1ba7-4775-8f04-a38db0188097] backend received attributes:
> {
>   "o": [
>     "XXXXXXX"
>   ],
>   "eduPersonTargetedID": [
>     "8SRQgI3XXXXXY="
>   ],
>   "schacHomeOrganization": [
>     "YYY.COM"
>   ],
>   "eduPersonPrincipalName": [
>     "XYZ at YYY.COM"
>   ],
>   "mail": [
>     "dsfdsfsdfsd at YYY>COM"
>   ]
> }
>
> That custom attribute is seen as required:
>
> [2020-07-21 10:57:20,624] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:65b32c93-1ba7-4775-8f04-a38db0188097] Routing to frontend: Saml2IDP
> [2020-07-21 10:57:20,625] [DEBUG] [saml2.assertion.filter] required: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:mace:heanet.ie:custom:tenantid', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'customtenantid', 'is_required': 'true'}], optional: [.......]
>
> [2020-07-21 10:57:20,625] [DEBUG] [satosa.frontends.saml2._get_approved_attributes] [urn:uuid:65b32c93-1ba7-4775-8f04-a38db0188097] Filter: ['givenname', 'organizationName', 'name', 'schacHomeOrganization', 'edupersontargetedid', 'mail', 'eppn', 'surname', 'displayname']
>
> then the logs show just preparing and releasing the SAML assertion
>
> That's what I get in the logs.
>
> So I cannot use a microservice to generate a value for that attribute.
>
> Any ideas?
>
> Thanks,
> Janusz
>
>
> ________________________________
> From: Giuseppe De Marco <giuseppe.demarco at unical.it>
> Sent: Monday 20 July 2020 23:47
> To: Janusz Ulanowski <janusz.ulanowski at heanet.ie>
> Cc: satosa-users at lists.sunet.se <satosa-users at lists.sunet.se>
> Subject: Re: [satosa-users] custom attribute
>
>
>
> Hi Janusz,
> Are there some isRequired attributes in the metadata of the calling SP?
> The attr name format is uri, isn't it?
> You can even increase the debug level for pysaml2 internals, where the filtering happens, see this
>
> https://github.com/IdentityPython/pysaml2/blob/d655fc924af5ddd56a51d1e6bb41…
>
> That's a good point to put a debugger or increase the logging level; there you'll find what you're looking for, explicitly
>
>
>
> On Mon 20 Jul 2020, 23:52 Janusz Ulanowski <janusz.ulanowski at heanet.ie> wrote:
>
> Hi,
> I'm having a few issues and hopefully you might shed some light.
> SAML-to-SAML scenario.
>
>
> I wanted to add a custom attribute:
> I added that attribute to saml_uri.py
>
> 'fro': { 'urn:mace:heanet.ie:custom:tenantid': 'customtenantid', ... },
> 'to': { 'customtenantid': 'urn:mace:heanet.ie:custom:tenantid', ... }
>
> then in internal_attributes.yaml I added:
> customtenantid:
>   saml: [customtenantid, urn:mace:heanet.ie:custom:tenantid]
>
>
> in saml2_frontend.yaml the policy is set to allow release of everything:
> policy:
>   default:
>     attribute_restrictions: null
>
>
> however, the logs say:
> ///////////////
> xx | [2020-07-20 20:59:47,604] [DEBUG] [satosa.frontends.saml2._get_approved_attributes] [urn:uuid:244a93be-a61e-4e5f-8508-c293a24f832d] Filter: ['name', 'schacHomeOrganization', 'edupersontargetedid', 'givenname', 'eppn', 'organizationName', 'mail', 'displayname', 'surname']
> //////////////
> Where does that filter come from if I have set no restriction?
> Is it the only way to add a custom attribute?
>
>
> thanks in advance,
> Janusz
> _______________________________________________
> satosa-users mailing list
> satosa-users at lists.sunet.se
> https://lists.sunet.se/listinfo/satosa-users
--
Ivan c00kiemon5ter Kanakarakis >:3
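
Added example, not part of any message in this thread and not SATOSA or pysaml2 code: a small triage script that cross-references the three kinds of DEBUG lines quoted above (to_internal mapping results, the saml2.assertion.filter required list, and the frontend's approved "Filter" list) so each attribute's state can be read in one place. The regexes assume the exact log layout shown in the thread, names are lowercased for comparison (the logs show both 'givenName' and 'givenname'), and `triage` and `required_but_unreleasable` are hypothetical helper names.

```python
import ast
import re

# Constructed sample: DEBUG lines copied from the thread, one record per line.
SAMPLE_LOG = """\
[2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['mail', 'email'] mapped to mail
[2020-07-21 10:57:20,622] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['sn', 'surname']: no value found
[2020-07-21 10:57:20,623] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['customtenantid']: no value found
[2020-07-21 10:57:20,625] [DEBUG] [saml2.assertion.filter] required: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:mace:heanet.ie:custom:tenantid', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'customtenantid', 'is_required': 'true'}], optional: [.......]
[2020-07-21 10:57:20,625] [DEBUG] [satosa.frontends.saml2._get_approved_attributes] [urn:uuid:65b32c93-1ba7-4775-8f04-a38db0188097] Filter: ['givenname', 'organizationName', 'name', 'schacHomeOrganization', 'edupersontargetedid', 'mail', 'eppn', 'surname', 'displayname']
"""

# Patterns assume the log layout quoted in the thread (an assumption, not a SATOSA API).
MAPPED = re.compile(r"to_internal\] backend attribute \[.*?\] mapped to (\S+)")
SKIPPED = re.compile(r"to_internal\] skipped backend attribute (\[.*?\]): no value found")
FILTER = re.compile(r"_get_approved_attributes\].*?Filter: (\[.*\])")
REQUIRED = re.compile(r"'friendly_name': '([^']+)', 'is_required': 'true'")


def triage(log_text):
    """Per attribute: mapping outcome, approved-filter membership, required flag."""
    mapped, skipped, approved, required = set(), set(), set(), set()
    for line in log_text.splitlines():
        if m := MAPPED.search(line):
            mapped.add(m.group(1).lower())
        elif m := SKIPPED.search(line):
            skipped.update(n.lower() for n in ast.literal_eval(m.group(1)))
        elif m := FILTER.search(line):
            approved.update(n.lower() for n in ast.literal_eval(m.group(1)))
        required.update(n.lower() for n in REQUIRED.findall(line))
    report = {}
    for name in sorted(mapped | skipped | approved | required):
        state = "mapped" if name in mapped else "skipped" if name in skipped else "not seen"
        report[name] = {"mapping": state, "approved": name in approved,
                        "required": name in required}
    return report


def required_but_unreleasable(report):
    """Required attributes that have no value or are missing from the filter."""
    return [n for n, r in report.items()
            if r["required"] and (r["mapping"] != "mapped" or not r["approved"])]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, row in result.items():
        print(f"{name:24} {row}")
    print("required but unreleasable:", required_but_unreleasable(result))
```

On the sample lines this reproduces the two observations made in the thread: surname has no backend value yet is in the approved list, while customtenantid has no backend value and is absent from it.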