External SP doesn't receive username

This topic has 4 replies, 3 voices, and was last updated 6 years, 5 months ago by Peter Major.


    Hi, I have done a fresh installation of OpenAM 12, and it is configured as hosted IdP.

    I have configured three test external SP. A Fedlet app, a simplesaml (php) SP, and an SP Apache module (mellon). The login process works fine in all of them.

    However, none of the SP can display any user attributes. Not even the user name.
    I only get an Id of the session identifier. Could anyone tell me what I am missing?

    Many thanks!

     Scott Heger

    Have you set up your Attribute Map in your IDP? Go to the Assertion Processing tab of your IDP entity and make sure you have the Attribute Mapper values filled out. Also, make sure that the attributes you define in your attribute map exist in the Data Store configuration of the realm where your IDP and SPs exist. Finally, make sure the attributes exist in the user accounts you are logging in with.


    The user account is the “demo” user in the embedded OpenDJ. It has some existing attributes, for example “postaladdress”. Verified with an ldapsearch.

    In IDP -> Assertion Processing -> Attribute Mapper, I have added Address=postaladdress.
    In “Access Control”->”Top Realm”->”Data Stores”->”embedded” (OpenDJ) -> (User Configuration) “LDAP User Attributes”, the value “postalAddress” is included in the list.

    Just for info, if I map a static attribute it works fine.

    What am I still missing? Many thanks!

     Scott Heger

    Take a look at each SP’s Attribute Map (Assertion Processing -> Attribute Mapper). If you have anything in there, remove it (sometimes a “*=*” is in there). This will then let the IDP control the Attribute Map for all SPs… assuming you want all your SPs to receive the same set of attributes. If not, then clear out the IDP Attribute Map and specifically add what you want to each SP.

    See if that helps.

     Peter Major


    I think as a first step you should figure out where exactly things are going wrong. Is your IdP including the attributes in the assertion? Capture network traffic, or just simply have a look at message level Federation debug logs to see if the attributes are there or not. Don’t forget that if the User Profile Mode is Dynamic or Ignored, attribute mapping does not work.
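    The following is an added example, not code from this thread or from OpenAM, covering the two checks raised in the replies above: first, inspecting a captured SAMLResponse (raw XML or the base64 form parameter) to see whether the assertion actually carries an AttributeStatement or only a NameID, and second, a simplified model of the IdP-side Attribute Mapper (`Address=postaladdress` style entries, plus the quoted-value form for static attributes) to see which attributes the IdP would emit for a given profile. The sample responses and user profile are constructed, the behaviour of the Dynamic/Ignored profile modes is modelled only as far as the reply states it (no profile read, so no mapped attributes), and the function names are this example's own.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal Response whose assertion carries one attribute.
SAMPLE_WITH_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx123</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Address">
        <saml:AttributeValue>1 Example Way</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: same assertion but with no AttributeStatement at all,
# i.e. the SP would only ever see the transient NameID.
SAMPLE_NO_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx123</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# The same response as it would appear in a captured SAMLResponse POST parameter.
SAMPLE_WITH_ATTRS_B64 = base64.b64encode(SAMPLE_WITH_ATTRS.encode()).decode()


def decode_saml_response(payload):
    """Accept raw XML or the base64-encoded SAMLResponse form parameter."""
    text = payload.strip()
    if text.startswith("<"):
        return text
    return base64.b64decode(text).decode("utf-8")


def name_id(payload):
    """Return the assertion's NameID text, or None if absent."""
    root = ET.fromstring(decode_saml_response(payload))
    el = root.find(".//saml:Subject/saml:NameID", NS)
    return el.text if el is not None else None


def assertion_attributes(payload):
    """Return {attribute name: [values]} from every AttributeStatement.

    An empty dict means the IdP sent no attributes, so the fault lies on the
    IdP side (mapper, data store, profile mode), not in the SP's handling."""
    root = ET.fromstring(decode_saml_response(payload))
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def diagnose(payload):
    """One-word verdict on a captured response, for quick triage of debug logs."""
    if name_id(payload) is None:
        return "no-subject"
    return "attributes-present" if assertion_attributes(payload) else "nameid-only"


def apply_attribute_map(mapper_entries, profile, profile_mode="Required"):
    """Simplified model of the IdP Attribute Mapper (assumption, not OpenAM code).

    mapper_entries: strings like 'Address=postaladdress' (SAML name = profile
    attribute) or 'partnerID="acme"' (quoted value = static attribute).
    profile: {ldap attribute: [values]} as read from the data store.
    Dynamic/Ignored modes are modelled as 'no profile is read', per the reply."""
    if profile_mode in ("Dynamic", "Ignored"):
        return {}
    # LDAP attribute names are case-insensitive, so compare them lowercased.
    profile_ci = {k.lower(): list(v) for k, v in profile.items()}
    emitted = {}
    for entry in mapper_entries:
        saml_name, _, local = entry.partition("=")
        if len(local) >= 2 and local.startswith('"') and local.endswith('"'):
            emitted[saml_name] = [local[1:-1]]          # static value
        elif local.lower() in profile_ci:
            emitted[saml_name] = profile_ci[local.lower()]
        # attributes missing from the profile are silently dropped, as observed
    return emitted


if __name__ == "__main__":
    print(diagnose(SAMPLE_WITH_ATTRS), assertion_attributes(SAMPLE_WITH_ATTRS))
    print(diagnose(SAMPLE_NO_ATTRS), name_id(SAMPLE_NO_ATTRS))
    print(apply_attribute_map(["Address=postaladdress"], {"postalAddress": ["1 Example Way"]}))
```

    Paste the SAMLResponse value from a captured POST (or the assertion XML from the Federation debug log) into `diagnose()`: a `nameid-only` verdict confirms the IdP is not emitting attributes, while `attributes-present` on the wire points at the SP's own attribute map instead. The mapper model shows why a static entry works while a profile-backed one can come back empty: the static value never depends on the data store or the profile mode.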

