Australian Access Federation Support Desk

Troubleshooting Shibboleth IdP Attribute Release Issues

by Paul Stepowski

Another extremely useful debugging tool is aacli.sh.  This script is supplied with the Shibboleth IdP and is used to check which specific attributes and values are being released from your IdP to a particular SP for a particular user.  Here is how to use aacli.sh.

 

$SHIB_HOME/bin/aacli.sh --principal <principal_id> --configDir $SHIB_HOME/conf --requester <requester_id>

 

Where:

 

principal_id is the ID that the user authenticates to the IdP as.

requester_id is the entity ID of the service provider.

 

Note: You can find a comprehensive list of all service providers in the production federation here:

 https://manager.aaf.edu.au/federationregistry/membership/serviceprovider/list

 

For example, if we wanted to check which attributes are being released to the AAF attribute reflector for the AAF staff member 'stepowsk', we could use the following command:

 

/opt/shibboleth-idp/bin/aacli.sh --principal stepowsk --configDir /opt/shibboleth-idp/conf --requester https://vho.test.aaf.edu.au/shibboleth

 

NOTE: If you are running a Shibboleth IdP version earlier than 2.4.0 and you get a Java ClassNotFound exception when running aacli.sh, you need to copy http://repo1.maven.org/maven2/javax/servlet/servlet-api/2.4/servlet-api-2.4.jar into your Shibboleth IdP lib directory.  This issue has been fixed as of version 2.4.0.

 

You could expect to see results similar to the following returned:

 

<?xml version="1.0" encoding="UTF-8"?><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">p.stepowski@aaf.edu.au</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Paul Stepowski</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">staff</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Stepowski</saml2:AttributeValue>
   </saml2:Attribute>

...

</saml2:AttributeStatement>

 

As you can see, the output lists the user's attributes and the values released from the IdP to that particular SP, which is very useful when debugging attribute release issues.
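When you are checking several SPs or several users, reading the raw XML by eye gets tedious. The following script is an added example, not part of this article or of the Shibboleth distribution: it parses the saml2:AttributeStatement that aacli.sh prints, lists each released attribute with its values, and compares the release against a hypothetical per-SP policy (the "required" and "allowed" sets are assumptions you would fill in from your attribute-filter policy). The embedded sample output is constructed to match the shape shown above.

```python
import sys
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample in the shape of the aacli.sh output above (not a real capture).
SAMPLE_OUTPUT = """<?xml version="1.0" encoding="UTF-8"?>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xsi:type="xs:string">p.stepowski@aaf.edu.au</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xsi:type="xs:string">Paul Stepowski</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xsi:type="xs:string">staff</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">member</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def parse_released_attributes(xml_text):
    """Map each released attribute's FriendlyName (or OID Name) to its list of values."""
    root = ET.fromstring(xml_text)
    released = {}
    for attr in root.iter(SAML2 + "Attribute"):
        name = attr.get("FriendlyName") or attr.get("Name")
        values = [v.text or "" for v in attr.findall(SAML2 + "AttributeValue")]
        released.setdefault(name, []).extend(values)
    return released


def check_release(released, required, allowed):
    """Return (missing, unexpected): required attributes the IdP did not release,
    and released attributes outside the set this SP is allowed to receive."""
    names = set(released)
    return sorted(required - names), sorted(names - allowed)


if __name__ == "__main__":
    # Pipe real aacli.sh output in on stdin, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for name, values in sorted(parse_released_attributes(text).items()):
        print(f"{name}: {', '.join(values)}")
```

Run it as `aacli.sh ... | python3 check_release.py` to list the release, and call check_release() with your own policy sets to flag attributes that are missing for the SP or released beyond what it is entitled to.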


 
