Page tree
Skip to end of metadata
Go to start of metadata

This is a test program that can be used to exercise the attribute-processing subsystems and plugins in the SP to process a SAML assertion or a user's identifier.

Successful output consists of a textual summary of the resulting attribute information. Failure results in console-directed log messages and a negative return code.

To process a complete SAML assertion, it must be provided on the stdin stream. Otherwise, the following parameters must be used:

-n

a SAML name identifier value

-f

optional SAML name identifier format

-i

entityID of an IdP

-p

a protocolSupportEnumeration value to use in finding the IdP role in metadata

-saml10

shortcut for "-p urn:oasis:names:tc:SAML:1.0:protocol"

-saml11

shortcut for "-p urn:oasis:names:tc:SAML:1.1:protocol"

-saml2

shortcut for "-p urn:oasis:names:tc:SAML:2.0:protocol"

In either mode:

-a

optional applicationId to use in applying SP configuration, if other than "default"

An example of executing the resolvertest is given below:

./resolvertest -n _9f2d9fd62aa99cc43bf483045aeac123  -i https://aai-logon.switch.ch/idp/shibboleth -saml2 -f urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

The result of the processing will be to run the attribute extraction, filtering, and resolution subsystems against the input information. Support for queries comes from the use of the default resolution plugin. The output of the above command then could look like this:

./resolvertest -saml2 -f urn:oasis:names:tc:SAML:2.0:nameid-format:persistent \
-i https://aai-logon.switch.ch/idp/shibboleth -n FQdaogdLEj0iZZTIfdS3svc52WE= 
uid: haemmerle
affiliation: staff
surname: Hämmerle
givenName: Lukas
homeOrganization: switch.ch
uniqueID: 123456abcde@switch.ch
homeOrganizationType: others
gender: 1
persistent-id: https://aai-idp.switch.ch/idp/shibboleth!https://dieng.switch.ch/shibboleth!FQdaogdLEj0iZZTIfdS3svc52WE=
mail: lukas.haemmerle@switch.ch

In order to make attribute request to an Attribute Autority using a persistent Identifier, the Shibboleth Identity Provider needs to configure a PrincipalConnector for the persistent Name Identifier format in the attribute-resolver.xml configuration:

     <resolver:PrincipalConnector xsi:type="pc:StoredId" id="saml2Persistent"
        nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
        storedIdDataConnectorRef="myStoredId" />

Be sure to set the DataConnectorRef with the correct ID of a targetedID connector (e.g. "dc:ComputedId")

  • No labels