
shibboleth SAML released attributes not in HTTP header


I'm acting as a service provider in a Shibboleth SSO interaction. I'm successfully getting back the SAML response with the expected attributes inside. However, these attributes are not showing up in the /Shibboleth.sso/Session Attributes list.

I have the <MetadataProvider> tag in the shibboleth.xml file. I'm wondering what else I could be doing wrong?

In the shibd.log I see the following:

skipping unmapped SAML 2.0 Attribute with Name: xxxx, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
skipping unmapped SAML 2.0 Attribute with Name: yyyy

EDIT - I also added to attribute-map.xml:

<Attribute Name="xxxx" id="xxxx" />
<Attribute Name="yyyy" id="yyyy" />

The attributes do not have fully qualified names in the IdP's metadata.xml. The names are just "xxxx" and "yyyy". Does this matter?

Finally, in the IdP's metadata.xml, they have this:

<saml:Attribute Name="xxxx" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute Name="yyyy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>

Solution

I believe I have solved it. In the attribute-map.xml I had to add:

<Attribute name="xxxx" id="xxxx">
  <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>
<Attribute name="yyyy" id="yyyy">
  <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>

See here: NativeSPAttributeDecoder
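The "skipping unmapped SAML 2.0 Attribute" lines in the question and the attribute-map.xml change in the answer both come down to how the SP decides whether an incoming attribute matches a mapping rule. The following is an added example, not code from the question, the answer, or the Shibboleth project: a small offline checker that models that decision with Python's standard XML parser. Two points it makes visible: attribute-map.xml rules are keyed on the lowercase name attribute (XML attribute names are case-sensitive, so an element written with Name= is not a rule at all and is simply ignored), and matching also takes the NameFormat of the attribute in the assertion into account. The matching rule itself is an assumption drawn from the SP documentation (a rule with no nameFormat matches the unspecified and uri formats; any other format needs an explicit nameFormat); the map, the assertion and the names xxxx/yyyy/zzzz are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Namespaces and NameFormat URIs used by attribute-map.xml and SAML 2.0.
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# Assumption taken from the SP docs: a rule without nameFormat matches these two.
WILDCARD_FORMATS = (FMT_UNSPECIFIED, FMT_URI)


def load_rules(attribute_map_xml):
    """Parse attribute-map.xml into {(name, nameFormat or None): id}.

    Also returns every <Attribute> element that has no 'name' attribute.
    XML attribute names are case-sensitive, so an element written as
    <Attribute Name="xxxx" .../> defines no rule and is ignored.
    """
    root = ET.fromstring(attribute_map_xml)
    rules, ignored = {}, []
    for el in root.iter(f"{{{MAP_NS}}}Attribute"):
        name = el.get("name")
        if name is None:
            ignored.append(dict(el.attrib))
            continue
        rules[(name, el.get("nameFormat"))] = el.get("id")
    return rules, ignored


def extract_attributes(assertion_xml, rules):
    """Classify each <saml:Attribute> as mapped (rule id -> values) or unmapped.

    Unmapped entries are what shibd reports as "skipping unmapped SAML 2.0
    Attribute"; mapped ones are what /Shibboleth.sso/Session would list.
    """
    root = ET.fromstring(assertion_xml)
    mapped, unmapped = {}, []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        fmt = attr.get("NameFormat") or FMT_UNSPECIFIED  # SAML 2.0 default
        rule_id = rules.get((name, fmt))  # exact nameFormat rule first
        if rule_id is None and fmt in WILDCARD_FORMATS:
            rule_id = rules.get((name, None))  # then the no-nameFormat rule
        if rule_id is None:
            unmapped.append((name, fmt))
        else:
            values = attr.iter(f"{{{SAML_NS}}}AttributeValue")
            mapped[rule_id] = [v.text for v in values]
    return mapped, unmapped


def diagnose(attribute_map_xml, assertion_xml):
    """Run both steps and return a summary dict for a map/assertion pair."""
    rules, ignored = load_rules(attribute_map_xml)
    mapped, unmapped = extract_attributes(assertion_xml, rules)
    return {"mapped": mapped, "unmapped": unmapped, "ignored_rules": ignored}


# Constructed sample data (not taken from the original page).
BROKEN_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute Name="xxxx" id="xxxx"/>
  <Attribute Name="yyyy" id="yyyy"/>
</Attributes>"""

FIXED_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="xxxx" id="xxxx"/>
  <Attribute name="yyyy" id="yyyy"/>
  <Attribute name="zzzz" id="zzzz"
             nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</Attributes>"""

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="xxxx"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="yyyy">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>library</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="zzzz"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>42</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, amap in (("broken map", BROKEN_MAP), ("fixed map", FIXED_MAP)):
        print(label, diagnose(amap, SAMPLE_ASSERTION))
```

With the broken map every attribute ends up unmapped and both rules show up as ignored, which is the state the question's shibd.log describes. With the fixed map all three are mapped; the zzzz rule only matches because it carries an explicit nameFormat for the basic format, which is why the NameFormat the IdP actually puts in the assertion (not just the one advertised in its metadata) is worth checking when an attribute goes missing.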