Hello,
It seems that Satosa is not sending attributes to the SP. The only
exception is the one attribute specified in user_id_from_attrs. Is it a
default behaviour? No SP specific policies were defined.
[2021-08-11 15:57:36,463] [DEBUG]
[satosa.backends.saml2._translate_response]
[urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] backend received attributes:
{
"displayName": [
"plguser14"
],
"eduPersonTargetedID": [
"64d759cc-1d21-4a29-a6e1-e7a10908d95e"
],
"mail": [
"plguser14 at ops.pl"
],
"sn": [
"czterna"
]
}
[2021-08-11 15:57:36,464] [DEBUG] [satosa.routing.frontend_routing]
[urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] Routing to frontend:
Saml2IDP-front
[2021-08-11 15:57:36,464] [WARNING] [saml2.assertion.restrict] The metadata
parameter for saml2.assertion.Policy.restrict is deprecated and ignored;
instead, initialize the Policy object setting the mds param.
[2021-08-11 15:57:36,465] [DEBUG] [saml2.assertion.filter] required:
[{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.14', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacPersonalUniqueCode', 'is_required': 'true'}],
optional:
[{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonTargetedID'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonPrincipalName'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:0.9.2342.19200300.100.1.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'mail'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:urn:oid:2.16.840.1.113730.3.1.241', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'displayName'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:2.5.4.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'cn'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonScopedAffiliation'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacHomeOrganization'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.13685.1.1.1.1.2.20', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'pleduOrgUniqueNumber'}]
[2021-08-11 15:57:36,465] [DEBUG]
[satosa.frontends.saml2._get_approved_attributes]
[urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] Filter:
['edupersontargetedid', 'schacPersonalUniqueCode', 'mail']
[2021-08-11 15:57:36,465] [DEBUG] [satosa.attribute_mapping.from_internal]
frontend attribute eduPersonTargetedID mapped from edupersontargetedid
[2021-08-11 15:57:36,465] [DEBUG] [satosa.attribute_mapping.from_internal]
frontend attribute email mapped from mail
[2021-08-11 15:57:36,465] [DEBUG]
[satosa.frontends.saml2._handle_authn_response]
[urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] returning attributes
{"eduPersonTargetedID": ["64d759cc-1d21-4a29-a6e1-e7a10908d95e"],
"email":
["plguser14 at ops.pl"]}
[2021-08-11 15:57:36,466] [DEBUG]
[satosa.frontends.saml2._handle_authn_response]
[urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] signing with algorithm
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2021-08-11 15:57:36,466] [DEBUG]
[satosa.frontends.saml2._handle_authn_response]
[urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] using digest algorithm
http://www.w3.org/2001/04/xmlenc#sha256
[2021-08-11 15:57:36,466] [WARNING]
[satosa.frontends.saml2._handle_authn_response] sign_alg and digest_alg are
deprecated; instead, use signing_algorithm and digest_algorithm under the
service/idp configuration path (not under policy/default).
[2021-08-11 15:57:36,467] [DEBUG] [saml2.assertion.filter] required:
[{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.14', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacPersonalUniqueCode', 'is_required': 'true'}],
optional:
[{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonTargetedID'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonPrincipalName'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:0.9.2342.19200300.100.1.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'mail'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:urn:oid:2.16.840.1.113730.3.1.241', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'displayName'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:2.5.4.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'cn'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonScopedAffiliation'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacHomeOrganization'},
 {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.13685.1.1.1.1.2.20', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'pleduOrgUniqueNumber'}]
[2021-08-11 15:57:36,469] [INFO] [saml2.entity.sign] REQUEST: <ns0:Response
xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="
http://www.w3.org/2000/09/xmldsig#" Destination="
https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp…
ID="id-HquE4vV74jkKMlK19"
InResponseTo="_417162b56e4c88f4e2d89d05c295789a5d318a5d91"
IssueInstant="2021-08-11T13:57:36Z" Version="2.0"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://sso.pre.plgrid.pl:8081/Saml2IDP-front/proxy.xml</ns1:Issuer>&…
Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod
Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod
Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference
URI="#id-HquE4vV74jkKMlK19"><ns2:Transforms><ns2:Transform
Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/></ns2:Transforms><ns2:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue
/></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue
/><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIIFtzCCA5+gAwIBAgIJAMItW6x6FcDjMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlBMMRYwFAYDVQQIDA1MZXNzZXIgUG9sYW5kMQ8wDQYDVQQHDAZDcmFjb3cxDDAKBgNVBAoMA0FDSzEQMA4GA1UECwwHQUNLLVNFQzEaMBgGA1UEAwwRc3NvLnByZS5wbGdyaWQucGwwHhcNMjEwNzMwMTIzODAxWhcNMjIwNzMwMTIzODAxWjByMQswCQYDVQQGEwJQTDEWMBQGA1UECAwNTGVzc2VyIFBvbGFuZDEPMA0GA1UEBwwGQ3JhY293MQwwCgYDVQQKDANBQ0sxEDAOBgNVBAsMB0FDSy1TRUMxGjAYBgNVBAMMEXNzby5wcmUucGxncmlkLnBsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzwaBMIs/laH99rd6VxxIE/pbCv4oQqYelNRPEPpn9w+VmV5Er3RGfhGA8xuahHpFUu7rdqB0G96tmr7J8WMVCjEoDFnXkzYlJf8oul8BAsTXI2CnMw74mE98BnmT0/4jXIJbfcH9/UrtMVpR4pxIYV6CF2deXtPhFHxF8Sp+lhWCqEE27bxt7CVGoq5DMt9cm3qh6TtfdoLjALmKLjFvp6vBcyleufS1xv8AsXz0lHWJ6j8FdG2uBC75aZ9jWYZINopt90gJMUZpZ3XUfNm5DVFQqV3LyiNc4UNexqKtAydGtj6CWYXaBi5XiOflyINakSJf0v/3G5kFUonlleGsBgcq3xNU0ZeC+vjRoh4cA4CpIcvq//VvQvG9jcL5ExUhNc5niMuCBMNiJzPXG0l+HewX+n0PRG/XiYBlgC8dhYmaZXqyHpja5y4UjvKXlJxqcPxdqxfzoe30jK4UlgQZ2hu0i1pOQ+TdVURISJYKu2AjI9WmQ6J0F/77yaSez2J4MkqjZWADEv7EG/fdvCrCl/rSMNX6cEbHZHu8wu+OpWX15tF6av+CKt43NyPTFdB+vC2bHNSFzDAZwYwyX14HkNwkWHjerrGQSK9VdqoOBb2/NRGlHffpvyoS7Jd7TFD8Po26936rfF4weS/Urd9KLrOrg+dpU/8DT7jlROBNDtMCAwEAAaNQME4wHQYDVR0OBBYEFHqQWjL3v2VO2GjeRt221qP/Kkz7MB8GA1UdIwQYMBaAFHqQWjL3v2VO2GjeRt221qP/Kkz7MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAK7m+DKYQsyzniRNCWm4bgeqJ4fBjEdjw6xn8kB43MRTlaOQ41wMB7Qu2MM1umJida3/tIySbHGph/l/l3I/SanlUOAS9ahiKJtWUOj03XDdAKkQPf1ij7NqAq7Ealw9NVee+vhew36hD6m/jskjcJJEmbufb08QgeX7G7dG1jkSr2rfXhGzOnXIvAGiqizkRrI7WUNxferqU6CLgn1LxH3oSQa747dKPG02w0flphSN6f81+H2vxsIddvkeC1NSUq92sIfiMuYuKnzNkEheiFJ6JQpCaHH1yYJpkd8xoMZrSAosNprBYxMyS8cwEColCCdkiUcpab1xE4f3TF12O4eWEKSZw0MxH/FdPUvOjE9IMuGhQOMxbMQFw9AJnY2PNRHotMmyZQ5xUCUjUvfeE5FkD/rM1U8GWDSxoDPx9ORMebU3w2oXR8r4PUc//n405fXn/s4IYA3SleoaU5XmDtfg1QVd/4rN5rCa4yMqIzhVpZli6umVOYULbzhxAnpCd0PwUGoGfPniKg7fNHB5veSRzLXju8JaW7ldJacvkXnWzAnh3ti0BJQ29DbTUZ/QsjWGhzMfub31jp8lPK+tuphTkWoGok0sZRhKLH+2Sdkcb+jJkbhv0Ft197vnMZvz4Ybn4suAP5/GE2ZCgKDj7J9OJ37n/KyiD3gUKJasWFDk</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns0:Status><ns0:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"
/></ns0:Status><ns1:Assertion ID="id-X2qR3due6dcurArXi"
IssueInstant="2021-08-11T13:57:36Z" Version="2.0"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://sso.pre.plgrid.pl:8081/Saml2IDP-front/proxy.xml</ns1:Issuer>&…
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID><ns1:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData
InResponseTo="_417162b56e4c88f4e2d89d05c295789a5d318a5d91"
NotOnOrAfter="2021-08-11T14:12:36Z" Recipient="
https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp…
/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions
NotBefore="2021-08-11T13:57:36Z"
NotOnOrAfter="2021-08-11T14:12:36Z"><ns1:AudienceRestriction><ns1:Audience>
https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp&…
AuthnInstant="2021-08-11T13:57:36Z"
SessionIndex="id-YX0liwOPeyOoMqBv7"><ns1:AuthnContext><ns1:AuthnContextClassRef>default-LoA</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>
https://sso.pre.plgrid.pl/auth/realms/PLGRID</ns1:AuthenticatingAuthorit…
FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue><ns1:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID></ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion></ns0:Response>
[2021-08-11 15:57:36,472] [DEBUG] [saml2.sigver._run_xmlsec] xmlsec
command: /bin/xmlsec1 --sign --privkey-pem
/etc/satosa/plugins/frontends/frontend.key --id-attr:ID
urn:oasis:names:tc:SAML:2.0:protocol:Response --node-id
id-HquE4vV74jkKMlK19 --output /tmp/tmp3ylf1dxd.xml /tmp/tmpj9ip14kl.xml
[2021-08-11 15:57:36,516] [INFO] [saml2.entity.apply_binding] HTTP POST
Logs from SP:
Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d]
<ns1:AttributeStatement>
Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:Attribute
FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d]
<ns1:AttributeValue>
Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID>
Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d]
</ns1:AttributeValue>
Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] </ns1:Attribute>
Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d]
</ns1:AttributeStatement>
Thank you in advance for any help!
Jakub
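Editor's note, added after the post and not part of it: the log above shows three stages between "backend received attributes" and the final assertion. First the SP's RequestedAttribute list is turned into a filter on SATOSA's internal attribute names (the "Filter:" line); then the approved internal attributes are renamed to their SAML-side names ("frontend attribute email mapped from mail"); then pysaml2's per-SP policy filters the renamed set again against the SP's requested OIDs, which is why "email" is present in "returning attributes" but absent from the AttributeStatement. The Python below is a simplified model of those stages written for this page; it is not SATOSA or pysaml2 code, and the OID map and internal_attributes-style mapping are constructed assumptions chosen to mirror the log (in particular, that internal `mail` is mapped with `email` listed first, as SATOSA's example internal_attributes.yaml does, and that the uri attribute map has no OID for `email`). Under those assumptions the model reproduces the log's outcome, and `release(mapping=...)` lets you see what changes when `mail` is listed first instead. Whether a missing required attribute aborts the response in a real deployment depends on the pysaml2 policy setting `fail_on_missing_requested`; the model only reports it.

```python
from typing import Dict, List, Tuple

AttrDict = Dict[str, List[str]]

# Constructed: uri name-format attribute map, OID -> name. Assumption: there is
# an entry for 'mail' but none for 'email'.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.25178.1.2.14": "schacPersonalUniqueCode",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:2.5.4.4": "sn",
}
NAME_TO_OID = {name: oid for oid, name in OID_TO_NAME.items()}

# Constructed: internal_attributes-style mapping, internal name -> SAML names.
# Assumption: 'mail' is listed the way SATOSA's example config does, with
# 'email' first; from_internal() uses the first name, as the log shows.
INTERNAL_TO_SAML = {
    "edupersontargetedid": ["eduPersonTargetedID"],
    "mail": ["email", "emailAdress", "mail"],
    "displayname": ["displayName"],
    "sn": ["sn"],
    "schacpersonaluniquecode": ["schacPersonalUniqueCode"],
}

# RequestedAttribute entries (OID, isRequired) copied from the SP metadata in
# the log, including the doubled 'urn:oid:urn:oid:' prefix on displayName.
SP_REQUESTED: List[Tuple[str, bool]] = [
    ("urn:oid:1.3.6.1.4.1.25178.1.2.14", True),
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.10", False),
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", False),
    ("urn:oid:0.9.2342.19200300.100.1.3", False),
    ("urn:oid:urn:oid:2.16.840.1.113730.3.1.241", False),
    ("urn:oid:2.5.4.3", False),
]

# Internal attributes the backend produced, per the log (lowercase internal keys).
BACKEND_ATTRIBUTES: AttrDict = {
    "displayname": ["plguser14"],
    "edupersontargetedid": ["64d759cc-1d21-4a29-a6e1-e7a10908d95e"],
    "mail": ["plguser14 at ops.pl"],
    "sn": ["czterna"],
}


def requested_saml_names(sp_requested):
    """SAML names for the OIDs the SP requested; unknown OIDs are ignored."""
    return [OID_TO_NAME[oid] for oid, _ in sp_requested if oid in OID_TO_NAME]


def to_internal_filter(saml_names, mapping=INTERNAL_TO_SAML):
    """Internal-name filter: keep every internal attribute any of whose SAML
    names the SP requested (the 'Filter:' line in the log)."""
    return sorted(internal for internal, names in mapping.items()
                  if any(n in saml_names for n in names))


def from_internal(attrs, internal_filter, mapping=INTERNAL_TO_SAML):
    """Rename approved internal attributes to the first SAML name in their mapping."""
    return {mapping[k][0]: list(v) for k, v in attrs.items() if k in internal_filter}


def policy_filter(saml_attrs, sp_requested):
    """Per-SP policy filter on the SAML side: an attribute survives only if
    its OID is one the SP requested; a name with no OID can never match."""
    requested = {oid for oid, _ in sp_requested}
    return {n: v for n, v in saml_attrs.items() if NAME_TO_OID.get(n) in requested}


def missing_required(released, sp_requested):
    """Required RequestedAttributes absent from the released set."""
    return [OID_TO_NAME.get(oid, oid) for oid, req in sp_requested
            if req and OID_TO_NAME.get(oid) not in released]


def release(attrs=BACKEND_ATTRIBUTES, sp_requested=SP_REQUESTED, mapping=INTERNAL_TO_SAML):
    """Run the stages end to end; returns (internal filter, renamed, released)."""
    flt = to_internal_filter(requested_saml_names(sp_requested), mapping)
    renamed = from_internal(attrs, flt, mapping)
    return flt, renamed, policy_filter(renamed, sp_requested)


if __name__ == "__main__":
    flt, renamed, released = release()
    print("filter:", flt)
    print("after from_internal:", renamed)
    print("released:", released)
    print("missing required:", missing_required(released, SP_REQUESTED))
```

The model also makes two smaller points from the log visible: the SP's `urn:oid:urn:oid:2.16.840.1.113730.3.1.241` entry never matches any map entry, so displayName cannot be released to this SP regardless of policy, and `sn` is not requested at all, so it is dropped at the first stage.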