
Shibboleth 2.4.5 Not Releasing Needed Attributes

We have set up the Shibboleth IDP for Single Sign-On integrated with Cisco Webex, but we keep getting unauthorized access because the IDP is not passing the uid that Webex needs to authorize access.

The response from the IDP always includes:

<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://shibboleth.someaddress/idp/shibboleth" SPNameQualifier="https://idbroker-eu.webex.com/key">_68f435cf51bee4a2861d5a9420e3cdd2</saml2:NameID>

<saml2:NameID> is the problem; it is required to have mail-attr instead.

attribute-resolver.xml is updated with this content:

<resolver:AttributeDefinition id="mail-attr" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="MyLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="uid" />
</resolver:AttributeDefinition>

attribute-filter.xml with this content:

<afp:AttributeFilterPolicy id="ReleaseToCI">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://idbroker.webex.com/key" />
    <afp:AttributeRule attributeID="transientId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail-attr">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

But the response never has the mail attribute. Authentication with the IDP is done with LoginPassword, and that part works fine with OpenLDAP integrated.
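As an added worked example (not from the original post and not Shibboleth project code), the fragments below show one IdP 2.4 configuration that releases the LDAP `mail` value both as a SAML 2.0 attribute named `uid` and as the subject NameID, which is what the post wants in place of the transient ID. The names `MyLDAP`, `mail-attr`, the IdP entityID and the Webex entityIDs are taken from the post; the email NameID format, the `nameIDFormatPrecedence` setting and the `IdPCredential` reference are assumptions and must be checked against what Webex publishes in its SP metadata. Two things worth verifying against the posted configuration: a `basic:AttributeRequesterString` rule matches the SP entityID character for character, and the posted response carries `SPNameQualifier="https://idbroker-eu.webex.com/key"` while the posted filter policy names `https://idbroker.webex.com/key`; and the `MyLDAP` data connector must actually return `mail` in its return-attribute list, otherwise the definition resolves to nothing and the filter has nothing to release.

```xml
<!-- attribute-resolver.xml (fragment; goes inside <resolver:AttributeResolver>).
     Added example, not the poster's file. Assumes the LDAP connector has
     id="MyLDAP" and returns the "mail" attribute. -->
<resolver:AttributeDefinition id="mail-attr" xsi:type="ad:Simple"
                              sourceAttributeID="mail">
    <resolver:Dependency ref="MyLDAP" />

    <!-- Release the value as a SAML 2.0 attribute in the AttributeStatement.
         "uid" is the attribute name the post says Webex looks for. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="uid"
                               friendlyName="uid" />

    <!-- Also make the value usable as the subject NameID. Without a NameID
         encoder on some released attribute the IdP has only the transient ID
         to put in <saml2:NameID>. The format below is an assumption; use the
         <NameIDFormat> the SP advertises in its metadata. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml (fragment; goes inside <afp:AttributeFilterPolicyGroup>).
     The requester value must equal the SP entityID exactly; the
     SPNameQualifier in the posted response is the value to copy. -->
<afp:AttributeFilterPolicy id="ReleaseToWebex">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://idbroker-eu.webex.com/key" />
    <afp:AttributeRule attributeID="mail-attr">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- relying-party.xml (fragment). In IdP 2.4 the SAML 2 SSO profile can be
     told which NameID formats to try, in order; if the SP's AuthnRequest
     names no format and nothing is configured, the IdP falls back to
     transient. The credential reference is the stock default and an
     assumption here. -->
<rp:RelyingParty id="https://idbroker-eu.webex.com/key"
                 provider="https://shibboleth.someaddress/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</rp:RelyingParty>
```

For the `rp:RelyingParty` override to take effect, the SP entityID must already be known to the IdP through a metadata provider in metadata-providers.xml; an entityID with no metadata is not matched by per-SP overrides or by requester rules. After reloading, the assertion should show `mail-attr` in the IdP's attribute resolution log before it appears in the response; if it is missing there, the problem is in the resolver or the LDAP connector, not in the filter.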

I do not have enough reputation to add a comment, but can you please show these configs: metadata-providers.xml and relying-party.xml? I think the problem may be in them, because in these files we define which providers have access to the IDP.

Note: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, cite this site's URL or the original source. Questions: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM