I integrated Siteminder with Shibboleth using SAML2. In the SAML2 response, in the Assertion section, I have the double "Id".

In Shibboleth I have the following error: Invalid attribute Id. Is it possible to ignore the attribute "Id"? I am not able to resolve this problem... Can somebody help me?

user880386
  • I don't believe it's well-formed SAML to have "Id" and "ID" in the assertion element. That said, those values both match, and when Shibboleth says something like "Invalid Attribute" as the error I would expect it to be referencing SAML elements. So you might be looking in the wrong place here. Can you supply a complete (redacted) assertion as well as the logged error message (at debug level) near the error you're seeing? I think both of those would be necessary to determine what's going on. – Kellen Murphy Sep 16 '19 at 12:29
  • It appears after upgrading Siteminder to v12.8 the SAML assertion contains a duplicate attribute for ID. There is one for "ID" and another for "id". – user880386 Sep 17 '19 at 08:16
  • Usually Shibboleth SAML IdP is much more popular than Shibboleth SAML SP. However, in your use case, Siteminder SAML IdP sends SAML 2.0 response (with duplicated attribute ID) to Shibboleth SAML SP, then such duplicated attribute ID was identified by Shibboleth SP as Invalid attribute Id. You need to report this issue to the Siteminder development team to remove the 2nd Attribute "Id" which is redundant. – winstonhong Sep 17 '19 at 15:53
  • They are trying to remove it but they are not able to do it... Is there some guide online to do it? – user880386 Sep 17 '19 at 16:33
  • A quick solution is downgrading Siteminder SAML IdP to previous version which sends SAML response/assertion in the correct format. Shibboleth SAML SP will NOT accept duplicate attribute ID. – winstonhong Sep 17 '19 at 19:25
  • It is not possible to change Siteminder version :( – user880386 Sep 18 '19 at 12:37
  • Is it not possible to ignore the attribute id in the Shibboleth configuration? – user880386 Sep 18 '19 at 15:50
  • Your SAML Assertion section shows that it is Assertion ID, NOT attribute ID. – winstonhong Sep 18 '19 at 18:45
  • This is literally a bug with 12.8... it's fixed in [12.8.01](https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/service-packs/defects-fixed-in-12-8-01) (internal defect IDs DE365688 and DE371749). You are not going to get Shibboleth to ignore this, and to me, it looks like it's a SAML-breaking bug. – Kellen Murphy Sep 24 '19 at 20:32
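
An added example, not taken from the thread or from either product: a small Python check that lists attributes on `saml:Assertion` other than the three the SAML 2.0 core schema defines (`ID`, `Version`, `IssueInstant`), which is a quick way to confirm on a captured response that the stray `Id` is what a schema-validating SP is rejecting. The sample response, its placeholder values and the function name are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attributes the SAML 2.0 core schema defines on <saml:Assertion>.
ALLOWED_ASSERTION_ATTRS = {"ID", "Version", "IssueInstant"}

# Constructed sample: a minimal response whose assertion carries both
# "ID" and "Id", as described in the question. All values are placeholders.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-placeholder" Version="2.0"
                IssueInstant="2019-09-16T12:00:00Z">
  <saml:Assertion ID="_assertion-placeholder" Id="_assertion-placeholder"
                  Version="2.0" IssueInstant="2019-09-16T12:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
  </saml:Assertion>
</samlp:Response>
"""


def unexpected_assertion_attrs(xml_text):
    """Return [(assertion ID, [attribute names outside the schema])].

    Meant for offline inspection of a captured response, not for use in
    the authentication path. XML attribute names are case-sensitive, so
    "Id" and "ID" parse as two different attributes.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for assertion in root.iter(f"{{{SAML_NS}}}Assertion"):
        extra = sorted(
            name for name in assertion.attrib
            # Skip namespaced attributes such as xsi:type.
            if not name.startswith("{") and name not in ALLOWED_ASSERTION_ATTRS
        )
        if extra:
            findings.append((assertion.get("ID"), extra))
    return findings


if __name__ == "__main__":
    for assertion_id, extra in unexpected_assertion_attrs(SAMPLE_RESPONSE):
        print(f"Assertion {assertion_id}: unexpected attribute(s) {extra}")
```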
