Exported From Confluence, Thu, 28 Mar 2024
resolvertest is a test program that exercises the attribute-processing subsystems and plugins of the SP by processing either a SAML assertion or a user's name identifier.
Successful output consists of a textual summary of the resulting attribute information. Failure results in console-directed log messages and a negative return code.
To process a complete SAML assertion, it must be provided on the stdin stream. Otherwise, the following parameters must be used:
-n | a SAML name identifier value
-f | optional SAML name identifier format
-i | entityID of an IdP
-p | a protocolSupportEnumeration value to use in finding the IdP role in metadata
-saml10 | shortcut for "-p urn:oasis:names:tc:SAML:1.0:protocol"
-saml11 | shortcut for "-p urn:oasis:names:tc:SAML:1.1:protocol"
-saml2 | shortcut for "-p urn:oasis:names:tc:SAML:2.0:protocol"
In either mode:
-a | optional applicationId to use in applying SP configuration, if other than "default"
An example of executing the resolvertest is given below:
./resolvertest -n _9f2d9fd62aa99cc43bf483045aeac123 -i https://aai-logon.switch.ch/idp/shibboleth -saml2 -f urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
The result of the processing will be to run the attribute extraction, filtering, and resolution subsystems against the input information. Support for queries comes from the use of the default resolution plugin. The output of the above command then could look like this:
./resolvertest -saml2 -f urn:oasis:names:tc:SAML:2.0:nameid-format:persistent \
    -i https://aai-logon.switch.ch/idp/shibboleth -n FQdaogdLEj0iZZTIfdS3svc52WE=

uid: haemmerle
affiliation: staff
surname: Hämmerle
givenName: Lukas
homeOrganization: switch.ch
uniqueID: 123456abcde@switch.ch
homeOrganizationType: others
gender: 1
persistent-id: https://aai-idp.switch.ch/idp/shibboleth!https://dieng.switch.ch/shibboleth!FQdaogdLEj0iZZTIfdS3svc52WE=
mail: lukas.haemmerle@switch.ch
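Because the summary is plain "name: value" text, a deployment test can capture it and assert on it instead of eyeballing it. The following Python is an added example (not code from the Shibboleth SP project): it parses resolvertest output into a dictionary, reports required attributes that the filter or resolver did not release, and checks that the persistent-id carries the NameID value passed with -n. The sample output is constructed, and the layout assumed for the persistent identifier (IdP entityID, SP entityID and opaque value joined by "!") is an assumption stated in the code.

```python
"""Parse the textual summary that resolvertest prints and sanity-check it.

Added example, not part of the Shibboleth SP distribution. Assumptions:
each attribute is printed as one "name: value" line, a multi-valued
attribute repeats its name on further lines, and a SAML 2.0 persistent
NameID is rendered as "<IdP entityID>!<SP entityID>!<opaque value>".
"""
from __future__ import annotations

import sys

# Constructed sample output (not captured from a real deployment).
SAMPLE_OUTPUT = """\
uid: jdoe
affiliation: staff
affiliation: member
mail: jdoe@example.org
persistent-id: https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!AbC123xyz=
"""


def parse_resolvertest_output(text: str) -> dict[str, list[str]]:
    """Turn 'name: value' lines into a mapping of attribute name -> values."""
    attrs: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # blank line, or a log line that is not an attribute
        name, value = line.split(":", 1)  # split once: values may contain ':'
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def missing_attributes(attrs: dict[str, list[str]], required: list[str]) -> list[str]:
    """Names from `required` that the filter/resolver did not release."""
    return [name for name in required if name not in attrs]


def check_persistent_id(attrs: dict[str, list[str]], expected_value: str,
                        expected_idp: str | None = None,
                        expected_sp: str | None = None) -> bool:
    """True if exactly one persistent-id was produced, it has the
    idp!sp!value shape, its opaque part equals the NameID given to -n,
    and the optional entityID checks hold."""
    values = attrs.get("persistent-id", [])
    if len(values) != 1:
        return False
    parts = values[0].split("!")
    if len(parts) != 3 or not all(parts):
        return False
    idp, sp, value = parts
    if value != expected_value:
        return False
    if expected_idp is not None and idp != expected_idp:
        return False
    if expected_sp is not None and sp != expected_sp:
        return False
    return True


if __name__ == "__main__":
    # Usage: ./resolvertest ... | python check_resolvertest.py <name-id> [attr ...]
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    name_id = sys.argv[1] if len(sys.argv) > 1 else "AbC123xyz="
    required = sys.argv[2:] or ["uid", "mail", "persistent-id"]
    attrs = parse_resolvertest_output(text)
    for name, values in attrs.items():
        print(f"{name}: {', '.join(values)}")
    missing = missing_attributes(attrs, required)
    pid_ok = check_persistent_id(attrs, name_id)
    if missing:
        print("missing attributes:", ", ".join(missing))
    print("persistent-id check:", "ok" if pid_ok else "FAILED")
    sys.exit(0 if pid_ok and not missing else 1)
```

Pipe the real resolvertest output into the script and pass the same value you gave to -n; a non-zero exit then flags a filter policy or resolver change that silently dropped an attribute, which the summary alone would not make obvious.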
In order to make an attribute request to an Attribute Authority using a persistent identifier, the Shibboleth Identity Provider must be configured with a PrincipalConnector for the persistent Name Identifier format in its attribute-resolver.xml configuration:
<resolver:PrincipalConnector xsi:type="pc:StoredId" id="saml2Persistent" nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" storedIdDataConnectorRef="myStoredId" />
Be sure to set storedIdDataConnectorRef to the id of the targetedID data connector actually defined in the same file (e.g. a connector of type "dc:ComputedId"); "myStoredId" above is only a placeholder.
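A dangling storedIdDataConnectorRef is only reported when the IdP reloads the resolver, so it is worth checking the file beforehand. The Python below is an added example (not part of the Shibboleth IdP distribution): it parses attribute-resolver.xml and verifies that every pc:StoredId PrincipalConnector uses the persistent NameID format and names an existing DataConnector of a targetedID type (dc:StoredId or dc:ComputedId). The namespace URIs are the IdP 2.x resolver namespaces, and the two sample documents are constructed for the example.

```python
"""Check StoredId PrincipalConnectors in an IdP 2.x attribute-resolver.xml.

Added example, not part of the Shibboleth IdP distribution. The namespace
URIs are the IdP 2.x resolver namespaces; adjust them if your file differs.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TARGETED_ID_TYPES = {"StoredId", "ComputedId"}  # dc:StoredId / dc:ComputedId

# Constructed sample: ref matches a dc:ComputedId connector (correct).
GOOD_RESOLVER = """\
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:PrincipalConnector xsi:type="pc:StoredId" id="saml2Persistent"
      nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      storedIdDataConnectorRef="computedID"/>
  <resolver:DataConnector xsi:type="dc:ComputedId" id="computedID"
      generatedAttributeID="computedID" sourceAttributeID="uid" salt="PLACEHOLDER-SALT">
    <resolver:Dependency ref="uid"/>
  </resolver:DataConnector>
</resolver:AttributeResolver>
"""

# Constructed sample: the placeholder ref "myStoredId" was left in place.
BAD_RESOLVER = GOOD_RESOLVER.replace('storedIdDataConnectorRef="computedID"',
                                     'storedIdDataConnectorRef="myStoredId"')


def _local_type(elem: ET.Element) -> str:
    """Local part of an xsi:type value, e.g. 'pc:StoredId' -> 'StoredId'."""
    return elem.get(XSI_TYPE, "").split(":", 1)[-1]


def check_principal_connectors(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text)
    connectors = {dc.get("id"): dc for dc in root.findall("resolver:DataConnector", NS)}
    problems: list[str] = []
    for pc in root.findall("resolver:PrincipalConnector", NS):
        if _local_type(pc) != "StoredId":
            continue  # other connector types (e.g. pc:Transient) are not checked here
        pid = pc.get("id", "<no id>")
        if pc.get("nameIDFormat") != PERSISTENT:
            problems.append(f"{pid}: nameIDFormat is not the SAML 2.0 persistent format")
        ref = pc.get("storedIdDataConnectorRef")
        if not ref:
            problems.append(f"{pid}: missing storedIdDataConnectorRef")
            continue
        target = connectors.get(ref)
        if target is None:
            problems.append(f"{pid}: storedIdDataConnectorRef '{ref}' matches no DataConnector id")
        elif _local_type(target) not in TARGETED_ID_TYPES:
            problems.append(f"{pid}: '{ref}' has type {target.get(XSI_TYPE)}, "
                            "expected dc:StoredId or dc:ComputedId")
    return problems


if __name__ == "__main__":
    # Usage: python check_resolver.py /path/to/attribute-resolver.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD_RESOLVER
    found = check_principal_connectors(text)
    for p in found:
        print("PROBLEM:", p)
    print("ok" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it against the live attribute-resolver.xml before restarting the IdP; the check deliberately looks only at direct children of AttributeResolver, which is where the IdP 2.x schema places both connector kinds.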