Hello,
(Apologies, cross-posting from Slack)
I’m having a strange error with my Satosa frontend that seems to be
stripping out attributes incorrectly from the SAML response before it is
sent, based on required attributes from SP metadata.
It receives the correct values from an upstream IdP:
returning attributes {
    "eduPersonUniqueId": ["... at cern.ch"],
    "displayName": ["Hannah Short"],
    "givenName": ["Hannah"],
    "mail": ["hannah.short at cern.ch"],
    "cn": ["Hannah Short"],
    "sn": ["Short"],
    "eduPersonScopedAffiliation": ["member at cern.ch"],
    "eduPersonAffiliation": ["member"],
    "eduPersonPrincipalName": ["hshort at cern.ch"],
    "eduPersonAssurance": ["https://refeds.org/assurance/ID/unique",
                           "https://refeds.org/assurance/ATP/ePA-1m",
                           "https://refeds.org/assurance/IAP/low"],
    "schacHomeOrganization": ["cern.ch"],
    "schacHomeOrganizationType": ["urn:schac:homeOrganizationType:ch:others"],
    "swissEduPersonHomeOrganization": ["cern.ch"],
    "swissEduPersonHomeOrganizationType": ["others"],
    "swissEduPersonUniqueID": ["... at cern.ch"],
    "eduPersonTargetedID": ["..."]
}
However, it then checks the “required” attributes from the target SP and
decides to strip out the swiss* ones (despite them being required in the
SP’s metadata and I can also see that they are required in the debug
statement).
My swiss* attributes are defined in an attribute map, and I’m running
satosa 6.0.0.
I’m really stuck here; I just rolled out this IdP and will have to roll
back if I can’t fix this quickly :( Can I ignore “required” attributes as a
workaround? When none are required, the token gets sent as expected.
Thanks in advance for any help,
Hannah
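One check worth running before touching the "required" handling is whether every RequestedAttribute the SP marks isRequired="true" actually resolves through the attribute map the frontend loads. The snippet below is an added example, not code from the original post or from SATOSA/pysaml2: it parses a constructed SP metadata fragment (the swiss* OID in it is a made-up placeholder), compares it with a constructed attribute map in pysaml2's "fro" shape, and models one mechanism that produces the symptom described above, a requested attribute whose Name cannot be mapped and is therefore dropped. Whether this is the actual cause in the poster's deployment is an assumption.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata fragment, not the poster's real SP metadata.
# The OID on the swiss* attribute is a placeholder, not the real SWITCH OID.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.2.3.4.5.6" FriendlyName="swissEduPersonHomeOrganization" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed attribute map in the "fro" shape pysaml2 attribute maps use
# (SAML Name -> internal name). It deliberately lacks the swiss* OID.
ATTRIBUTE_MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "fro": {
        "urn:oid:2.5.4.42": "givenName",
        "urn:oid:0.9.2342.19200300.100.1.3": "mail",
        "urn:oid:2.5.4.4": "sn",
    },
}

def requested_attributes(metadata_xml):
    """Return [(Name, FriendlyName, is_required)] for every RequestedAttribute."""
    root = ET.fromstring(metadata_xml)
    return [(ra.get("Name"), ra.get("FriendlyName"),
             ra.get("isRequired", "false").lower() == "true")
            for ra in root.iterfind(".//md:RequestedAttribute", MD_NS)]

def unmapped_required(metadata_xml, attribute_map):
    """Required attributes whose SAML Name has no entry in the map; the IdP side
    cannot match these against the internal attribute names it holds."""
    return [friendly for name, friendly, required in requested_attributes(metadata_xml)
            if required and name not in attribute_map["fro"]]

def filter_for_sp(internal_attrs, metadata_xml, attribute_map):
    """Keep only attributes the SP requested, resolving each Name through the map.
    A requested Name that does not resolve is silently dropped (modelled behaviour)."""
    wanted = {attribute_map["fro"].get(name) for name, _, _ in requested_attributes(metadata_xml)}
    return {k: v for k, v in internal_attrs.items() if k in wanted}
```

If `unmapped_required` lists the swiss* attributes for the real metadata and map, the map the frontend loads (not only the one used for the backend) is the place to look.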