January 6, 2015 at 12:10 pm #2252 Giomen, Participant
Hi, I have done a fresh installation of OpenAM 12, and it is configured as a hosted IdP.
I have configured three test external SPs: a Fedlet app, a simplesaml (php) SP, and an SP Apache module (mellon). The login process works fine in all of them.
However, none of the SPs can display any user attributes. Not even the user name.
I only get an Id of the session identifier. Could anyone tell me what I am missing?
Many thanks!

January 6, 2015 at 3:24 pm #2254 Scott Heger, Participant
Have you set up your Attribute Map in your IDP? Go to the Assertion Processing tab of your IDP entity and make sure you have the Attribute Mapper values filled out. Also, make sure that the attributes you define in your attribute map exist in the Data Store configuration of the realm where your IDP and SPs exist. Finally, make sure the attributes exist in the user accounts you are logging in with.

January 7, 2015 at 11:08 am #2258 Giomen, Participant
The user account is the “demo” user in the embedded OpenDJ. It has some existing attributes, for example “postaladdress”. Verified with an ldapsearch.
In IDP -> Assertion Processing -> Attribute Mapper, I have added
In “Access Control” -> “Top Realm” -> “Data Stores” -> “embeddeD” (OpenDJ) -> (User Configuration) “LDAP User Attributes”, the value “postalAddress” is included in the list.
Just for info, if I map a static attribute, it works fine.
What am I still missing? Many thanks!

January 7, 2015 at 4:26 pm #2260 Scott Heger, Participant
Take a look at each SP’s Attribute Map (Assertion Processing -> Attribute Mapper). If you have anything in there, remove it (sometimes a “*=*” is in there). This will then let the IDP control the Attribute Map for all SPs… assuming you want all your SPs to receive the same set of attributes. If not, then clear out the IDP Attribute Map and specifically add what you want to each SP.
See if that helps.

January 14, 2015 at 3:03 am #2400 Peter Major, Moderator
I think as a first step you should figure out where exactly things are going wrong. Is your IdP including the attributes in the assertion? Capture network traffic, or simply have a look at the message-level Federation debug logs to see if the attributes are there or not. Don’t forget that if the User Profile Mode is Dynamic or Ignored, attribute mapping does not work.
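A small diagnostic along the lines of Peter Major's advice, added here as an example and not code from the thread or from OpenAM: it parses a SAML 2.0 Response captured from the IdP (decoded from the SAMLResponse POST field or copied from the Federation debug log) and reports whether an AttributeStatement is present, which tells you whether to look at the IdP's mapping or at the SP. The sample assertions are constructed; the attribute name postalAddress and the "demo" NameID are taken from the thread.

```python
# Added example, not from the thread: check whether a captured SAML 2.0
# assertion actually carries an AttributeStatement before blaming the SP.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

_TEMPLATE = ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}">'
             '<saml:Assertion><saml:Subject><saml:NameID>{nameid}</saml:NameID>'
             '</saml:Subject>{statement}</saml:Assertion></samlp:Response>')

# Constructed samples: one with postalAddress released, one with a NameID only
# (the symptom described in the thread).
WITH_ATTRS = _TEMPLATE.format(
    samlp=NS["samlp"], saml=NS["saml"], nameid="demo",
    statement='<saml:AttributeStatement><saml:Attribute Name="postalAddress">'
              '<saml:AttributeValue>1 Example Street</saml:AttributeValue>'
              '</saml:Attribute></saml:AttributeStatement>')
NO_ATTRS = _TEMPLATE.format(samlp=NS["samlp"], saml=NS["saml"],
                            nameid="constructed-session-id", statement="")

def decode_post_binding(saml_response_b64: str) -> str:
    """Decode the base64 SAMLResponse form field from a captured HTTP POST."""
    return base64.b64decode(saml_response_b64).decode("utf-8")

def extract_attributes(xml_text: str) -> dict:
    """Return the NameID and every Attribute/AttributeValue the assertion holds."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in
                                   attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text if name_id is not None else None,
            "attributes": attrs}

def diagnose(xml_text: str) -> str:
    """Say which side to look at, based on what the assertion contains."""
    info = extract_attributes(xml_text)
    if not info["attributes"]:
        return ("IdP side: no AttributeStatement (check the IdP Attribute "
                "Mapper, data store attribute list and User Profile mode)")
    return "SP side: IdP released %s" % sorted(info["attributes"])

if __name__ == "__main__":
    for sample in (WITH_ATTRS, NO_ATTRS):
        print(diagnose(sample))
```

For a real capture, feed the output of decode_post_binding() on the SAMLResponse field into diagnose(); an assertion that carries only a NameID will report the IdP side.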