Better example resolver and filter files
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 30 Nov 2007 07:50:43 +0000 (07:50 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 30 Nov 2007 07:50:43 +0000 (07:50 +0000)
Clearer log messages around name identifier creation

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2484 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

resources/conf/attribute-filter.xml
resources/conf/attribute-resolver.xml
src/edu/internet2/middleware/shibboleth/idp/profile/saml1/AbstractSAML1ProfileHandler.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java

index d6c188a..b48d4ce 100644 (file)
@@ -1,87 +1,67 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" 
-                            xmlns="urn:mace:shibboleth:2.0:afp"
-                            xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
-                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                            xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
-                                                urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd ">
+<!-- 
+    This file is an EXAMPLE configuration file.  Deployers should NOT attempt to use this 
+    without modifying it for their environment.
+    
+    Deployers should refer to the Shibboleth 2 documentation for a complete list of components 
+    and their options.
+-->
 
-    <!-- 
-        Release the principal, which is used as our SAML 1 & 2 name identifiers to anyone.
-    -->
-    <AttributeFilterPolicy id="releasePrincipalToAnyone">
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
+    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
+                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd ">
+
+    <!--  Release the transient ID to anyone -->
+    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
         <PolicyRequirementRule xsi:type="basic:ANY" />
-        
-        <AttributeRule attributeID="principalName">
+
+        <AttributeRule attributeID="transientId">
             <PermitValueRule xsi:type="basic:ANY" />
         </AttributeRule>
-        
+
     </AttributeFilterPolicy>
-    
+
 
     <!-- 
-          Releases to anyone:
-            * any value of uid
-            * only the member value of affiliation
+        Release eduPersonEntitlement and the permissible values of eduPersonAffiliation
+        to any SP that is a member of InCommon, UK federation, or SWITCHaai
     -->
-    <!--
-    <AttributeFilterPolicy id="releaseToAnyone">
-        <PolicyRequirementRule xsi:type="basic:ANY" />
-        
-        <AttributeRule attributeID="uid">
+    <AttributeFilterPolicy>
+        <PolicyRequirementRule xsi:type="basic:OR">
+            <basic:Rule xsi:type="AttributeRequesterInEntityGroup" groupId="urn:mace:incommon" />
+            <basic:Rule xsi:type="AttributeRequesterInEntityGroup" groupId="http://ukfederation.org.uk" />
+            <basic:Rule xsi:type="AttributeRequesterInEntityGroup" groupId="urn:mace:switch.ch:SWITCHaai" />
+        </PolicyRequirementRule>
+
+        <AttributeRule attributeId="entitlment">
             <PermitValueRule xsi:type="basic:ANY" />
         </AttributeRule>
-        
-        <AttributeRule attributeID="affiliation">
-            <PermitValueRule value="member"
-                             xsi:type="basic:AttributeValueString"/>
+
+        <AttributeRule attributeId="affiliation">
+            <PermitValueRule xsi:type="basic:OR">
+                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="student" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="staff" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="alumn" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="member" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="affliate" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="employee" />
+            </PermitValueRule>
         </AttributeRule>
-        
+
     </AttributeFilterPolicy>
-    -->
-    
-    
+
     <!-- 
-          Releases to only SP 1:
-            * any value of uid
-            * scoped primary affiliation if the scope is the IdP 1 and the value is staff, faculty, or student
-            * any value of affiliation
-            * any value of full name
+        Release the given name of the user to our portal service provider
     -->
-    <!--
-    <AttributeFilterPolicy id="releaseToSP1">
-        <PolicyRequirementRule value="urn:example.org:myFederation:sp1" 
-                               xsi:type="basic:AttributeRequesterString" />
-        
-        <AttributeRule attributeID="uid">
-            <PermitValueRule xsi:type="basic:ANY" />
-        </AttributeRule>
-        
-        <AttributeRule attributeID="scopedPrimaryAffiliation">
-            <PermitValueRule xsi:type="basic:AND">
-                <basic:Rule value="urn:example.org:myFederation:idp1" 
-                            xsi:type="AttributeScopeString" />
-                <basic:Rule xsi:type="basic:OR">
-                    <basic:Rule value="staff"
-                                xsi:type="AttributeValueString" />
-                    <basic:Rule value="faculty"
-                                xsi:type="AttributeValueString" />
-                    <basic:Rule value="student"
-                                xsi:type="AttributeValueString" />
-                </basic:Rule>
-            </PermitValueRule>
-        </AttributeRule>
-        
-        <AttributeRule attributeID="affiliation">
-            <PermitValueRule xsi:type="basic:ANY" />
-        </AttributeRule>
-        
-        <AttributeRule attributeID="fullName">
+    <AttributeFilterPolicy>
+        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="urn:example.org:sp:myPortal" />
+
+        <AttributeRule attribtueId="givenName">
             <PermitValueRule xsi:type="basic:ANY" />
         </AttributeRule>
-        
     </AttributeFilterPolicy>
-    -->
-    
+
 </AttributeFilterPolicyGroup>
\ No newline at end of file
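Review bot: The new entitlement, affiliation and givenName AttributeRule elements use attribute names the AFP schema does not define — `attributeId` twice and `attribtueId` once — while the transientId rule in the same hunk correctly uses `attributeID`; because this file is validated against shibboleth-2.0-afp.xsd at load, the example as committed is likely to be rejected outright rather than quietly release nothing. Even with the attribute name fixed, the rules would match nothing: `entitlment` does not correspond to the resolver's `entitlement` definition, and `alumn` / `affliate` are not the eduPersonAffiliation vocabulary values `alum` / `affiliate`, so those values would silently never be released. The two policies after releaseTransientIdToAnyone also omit the `id` attribute that the first policy carries, and the three AttributeRequesterInEntityGroup rules lack the `basic:` prefix that the AttributeValueString rules below them use — if that type lives in the afp:mf:basic namespace as the others do, it needs the prefix too (worth confirming against the schema). Since the file is explicitly an example, it is also worth a one-line comment on the federation policy noting that releasing every eduPersonEntitlement value to all members of three federations is a deliberately broad starting point deployers should narrow.

```xml
    <AttributeFilterPolicy id="releaseEntitlementAndAffiliationToFederations">
        <PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterInEntityGroup" groupId="urn:mace:incommon" />
            <!-- … unchanged: the UK federation and SWITCHaai rules, each with the basic: prefix … -->
        </PolicyRequirementRule>

        <AttributeRule attributeID="entitlement">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="affiliation">
            <PermitValueRule xsi:type="basic:OR">
                <!-- … unchanged: faculty, student, staff rules … -->
                <basic:Rule xsi:type="basic:AttributeValueString" value="alum" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="member" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" />
                <!-- … unchanged: employee rule … -->
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- … unchanged: portal policy comment … -->
    <AttributeFilterPolicy id="releaseGivenNameToPortal">
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="urn:example.org:sp:myPortal" />

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
```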
index fef544a..991b9bf 100644 (file)
 <?xml version="1.0" encoding="UTF-8"?>
 
-<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
-                   xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
-                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                   xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
-                   xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
-                      xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
-                   xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
-                      xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
-                                       urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
-                                       urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
-                                       urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
-                                       urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd">
+<!-- 
+    This file is an EXAMPLE configuration file.  Deployers should NOT attempt to use this 
+    without modifying it for their environment.  In paticular, deployers will need to edit 
+    data connector configurations.
+    
+    Not all attribute definitions, data connectors, or principal connectors are demonstrated.
+    Deployers should refer to the Shibboleth 2 documentation for a complete list of components 
+    and their options.
+-->
+
+
+<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
+                        urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
+                        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
+                        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
+                        urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd">
 
     <!-- ========================================== -->
     <!--      Attribute Definitions                 -->
     <!-- ========================================== -->
-    
-    <!-- Release the Principal as an attribute and encode it as the SAML 1 and 2 name IDs -->
-    <resolver:AttributeDefinition id="principalName" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
-        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   nameFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
-                                   
-        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
 
-        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
-   </resolver:AttributeDefinition>
-    
-    <!-- Example attribute defintions -->
-    <!--
-    <resolver:AttributeDefinition id="uid" xsi:type="Simple"  xmlns="urn:mace:shibboleth:2.0:resolver:ad">
+    <!-- Schema: Core schema attributes-->
+    <resolver:AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="uid">
         <resolver:Dependency ref="myLDAP" />
-        
-        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" />
-        
-        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:uid" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
     </resolver:AttributeDefinition>
-    -->
-    
-    <!--
-    <resolver:AttributeDefinition id="scopedPrimaryAffiliation" xsi:type="Scoped"  xmlns="urn:mace:shibboleth:2.0:resolver:ad"
-                                  scope="example.org"
-                                  sourceAttributeID="eduPersonPrimaryAffiliation">
+
+    <resolver:AttributeDefinition id="mail" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="mail">
         <resolver:Dependency ref="myLDAP" />
-        
-        <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
-        
-        <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
 
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:mail" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
     </resolver:AttributeDefinition>
-    -->
-    
-    <!--
-    <resolver:AttributeDefinition id="affiliation" xsi:type="Simple"  xmlns="urn:mace:shibboleth:2.0:resolver:ad"
-                                   sourceAttributeID="eduPersonAffiliation">
+
+    <resolver:AttributeDefinition id="homePhone" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="homePhone">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:homePhone" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="homePostalAddress" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="homePostalAddress">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:homePostalAddress" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="mobile" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="mobile">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:mobile" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="pager" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="pager">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:pager" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="uniqueId" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="uniqueIdentifier">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:uniqueIdentifier" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:0.9.2342.19200300.100.1.44" friendlyName="uniqueIdentifier" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="cn" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="cn">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:cn" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.3" friendlyName="cn" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="surname" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="surname">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:surname" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.4" friendlyName="surname" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="countryName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="countryName">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:countryName" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.6" friendlyName="countryName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="localityName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="localityName">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:localityName" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.7" friendlyName="localityName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="stateOrProvinceName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="stateOrProvinceName">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:stateOrProvinceName" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.8" friendlyName="stateOrProvinceName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="streetAddress" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="streetAddress">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:streetAddress" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.9" friendlyName="streetAddress" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="organizationName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="organizationName">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:organizationName" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.10" friendlyName="organizationName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="organizationalUnitName" xsi:type="Simple"
+        xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="organizationalUnitName">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:organizationalUnitName" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.11" friendlyName="organizationalUnitName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="title" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="title">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:title" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.12" friendlyName="title" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="postalAddress" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="postalAddress">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:postalAddress" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.16" friendlyName="postalAddress" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="postalCode" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="postalCode">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:postalCode" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.17" friendlyName="postalCode" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="postOfficeBox" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="postOfficeBox">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:postOfficeBox" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="telephoneNumber" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="telephoneNumber">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:telephoneNumber" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="member" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="member">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:member" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.31" friendlyName="member" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="name" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="name">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:name" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.41" friendlyName="name" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="givenName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="givenName">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:givenName" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.42" friendlyName="givenName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="initials" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="initials">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:initials" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.43" friendlyName="initials" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="distinguishedName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="distinguishedName">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:distinguishedName" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.5.4.49" friendlyName="distinguishedName" />
+    </resolver:AttributeDefinition>
+
+    <!-- Schema: inetOrgPerson attributes-->
+    <resolver:AttributeDefinition id="departmentNumber" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="departmentNumber">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:departmentNumber" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="employeeNumber" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="employeeNumber">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:employeeNumber" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="employeeType" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="employeeType">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:employeeType" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="jpegPhoto" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="jpegPhoto">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1Base64" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:jpegPhoto" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2Base64" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="preferredLanguage" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="preferredLanguage">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:preferredLanguage" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" />
+    </resolver:AttributeDefinition>
+
+    <!-- Schema: eduPerson attributes-->
+    <resolver:AttributeDefinition id="affiliation" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonAffiliation">
         <resolver:Dependency ref="staticAttributes" />
         <resolver:Dependency ref="myLDAP" />
-        
+
         <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   name="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
-        
+            name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
+
         <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
-                                   friendlyName="eduPersonAffiliation"/>
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
     </resolver:AttributeDefinition>
-    -->
-    
-    <!--
-    <resolver:AttributeDefinition id="fullName" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
+
+    <resolver:AttributeDefinition id="entitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonEntitlement">
         <resolver:Dependency ref="myLDAP" />
-        
-        <Script>
-            <![CDATA[
-                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
-                fullname = new BasicAttribute("fullname");
-                fullname.getValues().add(givenName.getValues().first() + " " + sn.getValues().first());
-            ]]>
-        </Script>
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
     </resolver:AttributeDefinition>
-    -->
-    
-    
+
+    <resolver:AttributeDefinition id="nickname" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonNickname">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonNickname" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="orgDN" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonOrgDN">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonOrgDN" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" friendlyName="eduPersonOrgDN" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="orgUnitDN" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonOrgUnitDN">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" friendlyName="eduPersonOrgUnitDN" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="primaryAffiliation" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonPrimaryAffiliation">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="primaryOrgUnitDN" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonPrimaryOrgUnitDN">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" friendlyName="eduPersonPrimaryOrgUnitDN" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="principalName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonPrincipalName">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="scopedAffiliation" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonScopedAffiliation">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition id="targetedID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonTargetedID">
+        <resolver:Dependency ref="myLDAP" />
+
+        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+    </resolver:AttributeDefinition>
+
+
+    <!-- Name Identifier related attributes -->
+    <resolver:AttributeDefinition id="transientId" xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
+        <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
+            xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
+
+        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
+            nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
+    </resolver:AttributeDefinition>
+
     <!-- ========================================== -->
     <!--      Data Connectors                       -->
     <!-- ========================================== -->
-    
+
     <!-- Example Static Connector -->
-    <!--
     <resolver:DataConnector id="staticAttributes" xsi:type="Static" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
         <Attribute id="eduPersonAffiliation">
             <Value>member</Value>
             <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
         </Attribute>
     </resolver:DataConnector>
-    -->
-    
+
     <!-- Example Relational Database Connector -->
-    <!--
     <resolver:DataConnector id="mySIS" xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
         <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
-                                      jdbcUrl="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
-                                      jdbcUserName="myid"
-                                      jdbcPassword="mypassword" />
+            jdbcUrl="jdbc:oracle:thin:@db.example.org:1521:SomeDB" jdbcUserName="myid" jdbcPassword="mypassword" />
         <QueryTemplate>
             <![CDATA[
-                 SELECT * FROM student WHERE gzbtpid = $requestContext.principalName
-             ]]>
+                SELECT * FROM student WHERE gzbtpid = $requestContext.principalName
+            ]]>
         </QueryTemplate>
-    
-        <Column columnName="gzbtpid" attributeID="uid"/>
-        <Column columnName="fqlft" attributeID="gpa" type="Float"/>
+
+        <Column columnName="gzbtpid" attributeID="uid" />
+        <Column columnName="fqlft" attributeID="gpa" type="Float" />
     </resolver:DataConnector>
-    -->
-    
+
     <!-- Example LDAP Connector -->
-    <!--
     <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
-                            ldapUrl="ldap://ldap.example.org"
-                            baseDN="ou=people,dc=example,dc=org"
-                            principal="uid=myservice,ou=system"
-                            principalCredential="myServicePassword">
+        ldapUrl="ldap://ldap.example.org" baseDN="ou=people,dc=example,dc=org" principal="uid=myservice,ou=system"
+        principalCredential="myServicePassword">
         <FilterTemplate>
             <![CDATA[
                 (uid=$requestContext.principalName)
             ]]>
         </FilterTemplate>
-    
+
     </resolver:DataConnector>
-    -->
-    
+
     <!-- ========================================== -->
     <!--      Principal Connectors                  -->
     <!-- ========================================== -->
-    <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
-                                 id="saml1UnspecDirect"
-                                 nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
-                                 
-    <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
-                                 id="shibUnspecDirect"
-                                 nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
-                                 
-    <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
-                                 id="saml2UnspecDirect"
-                                 nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
+    <resolver:PrincipalConnector xsi:type="Transient" xmlns="urn:mace:shibboleth:2.0:resolver:pc" id="shibTransient"
+        nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
+
+    <resolver:PrincipalConnector xsi:type="Transient" xmlns="urn:mace:shibboleth:2.0:resolver:pc" id="saml1Transient"
+        nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
 
 </AttributeResolver>
\ No newline at end of file
index ae3e061..93687ac 100644 (file)
@@ -308,17 +308,23 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
         log.debug("Building assertion NameIdentifier to relying party {} for principal {}", requestContext
                 .getInboundMessageIssuer(), requestContext.getPrincipalName());
         Map<String, BaseAttribute> principalAttributes = requestContext.getPrincipalAttributes();
-        List<String> supportedNameFormats = getNameFormats(requestContext);
+        if (principalAttributes == null || principalAttributes.isEmpty()) {
+            log.error("No attributes for principal {}, unable to construct of NameID", requestContext
+                    .getPrincipalName());
+            requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null,
+                    "Unable to construct NameIdentifier"));
+            throw new ProfileException("No principal attributes support NameIdentifier construction");
+        }
 
-        log.debug("Supported name formats: {}", supportedNameFormats);
-        if (principalAttributes == null || supportedNameFormats == null) {
-            log.error("No attributes for principal " + requestContext.getPrincipalName()
-                    + " support constructions of NameIdentifier");
+        List<String> supportedNameFormats = getNameFormats(requestContext);
+        if (supportedNameFormats == null || supportedNameFormats.isEmpty()) {
+            log.error("No common NameID formats supported by SP {} and IdP", requestContext.getInboundMessageIssuer());
             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null,
                     "Unable to construct NameIdentifier"));
             throw new ProfileException("No principal attributes support NameIdentifier construction");
         }
 
+        log.debug("Supported name formats: {}", supportedNameFormats);
         try {
             SAML1NameIdentifierEncoder nameIdEncoder;
 
@@ -327,9 +333,7 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
                     if (encoder instanceof SAML1NameIdentifierEncoder) {
                         nameIdEncoder = (SAML1NameIdentifierEncoder) encoder;
                         if (supportedNameFormats.contains(nameIdEncoder.getNameFormat())) {
-                            log
-                                    .debug(
-                                            "Using attribute {} suppoting name format {} to create the NameIdentifier for principal",
+                            log.debug("Using attribute {} suppoting name format {} to create the NameIdentifier for principal",
                                             attribute.getId(), nameIdEncoder.getNameFormat());
                             return nameIdEncoder.encode(attribute);
                         }
index 18c445b..4ce8fb9 100644 (file)
@@ -217,11 +217,11 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
         Response samlResponse = responseBuilder.buildObject();
         samlResponse.setIssueInstant(issueInstant);
         populateStatusResponse(requestContext, samlResponse);
-        
+
         // sign the assertion if it should be signed
         signAssertion(requestContext, assertion);
 
-        if(requestContext.getProfileConfiguration().getEncryptAssertion()){
+        if (requestContext.getProfileConfiguration().getEncryptAssertion()) {
             log.debug("Attempting to encrypt assertion to relying party {}", requestContext.getInboundMessageIssuer());
             try {
                 Encrypter encrypter = getEncrypter(requestContext.getInboundMessageIssuer());
@@ -237,7 +237,7 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
                         "Unable to encrypt assertion"));
                 throw new ProfileException("Unable to encrypt assertion", e);
             }
-        }else{
+        } else {
             samlResponse.getAssertions().add(assertion);
         }
 
@@ -628,19 +628,25 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
     protected NameID buildNameId(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext) throws ProfileException {
         log.debug("Building assertion NameID for principal/relying party:{}/{}", requestContext.getPrincipalName(),
                 requestContext.getInboundMessageIssuer());
+        
         Map<String, BaseAttribute> principalAttributes = requestContext.getPrincipalAttributes();
-        List<String> supportedNameFormats = getNameFormats(requestContext);
-
-        log.debug("Supported NameID formats: {}", supportedNameFormats);
-
-        if (principalAttributes == null || supportedNameFormats == null) {
-            log.error("No attributes for principal " + requestContext.getPrincipalName()
-                    + " support constructions of NameID");
+        if (principalAttributes == null || principalAttributes.isEmpty()) {
+            log.error("No attributes for principal {}, unable to construct of NameID", requestContext
+                    .getPrincipalName());
             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.INVALID_NAMEID_POLICY_URI,
                     "Unable to construct NameID"));
             throw new ProfileException("No principal attributes support NameID construction");
         }
-
+        
+        List<String> supportedNameFormats = getNameFormats(requestContext);        
+        if (supportedNameFormats == null || supportedNameFormats.isEmpty()) {
+            log.error("No common NameID formats supported by SP {} and IdP", requestContext.getInboundMessageIssuer());
+            requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.INVALID_NAMEID_POLICY_URI,
+                    "Unable to construct NameID"));
+            throw new ProfileException("No principal attributes support NameID construction");
+        }
+        
+        log.debug("Supported NameID formats: {}", supportedNameFormats);
         try {
             SAML2NameIDAttributeEncoder nameIdEncoder;
             for (BaseAttribute<?> attribute : principalAttributes.values()) {
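Review bot: Both new failure branches report `StatusCode.INVALID_NAMEID_POLICY_URI` as the second-level status, but the first one fires when the principal has no resolved attributes at all, which looks like a responder-side failure rather than a NameIDPolicy the IdP cannot satisfy; if that reading is right, `buildStatus(StatusCode.RESPONDER_URI, null, "Unable to construct NameID")` is the more accurate status for that branch, while the second-level code stays correct for the no-common-formats branch. Separately, the hunk introduces trailing whitespace on the added blank lines and after `getNameFormats(requestContext);`, which the rest of the reformatting in this commit was removing. buildNameId continues past the end of the hunk.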