Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Attribute Checker Handler

The AttributeChecker validates the user session against attributes specified as a required. If requirements are fulfilled, the login completes otherwise an error page is displayed instead. Note that the required attributes have to be "hard coded" here and kept in sync with the required attributes expressed in the Metadata.


Add a sessionHook for attribute checker: sessionHook="/Shibboleth.sso/AttrChecker" to ApplicationDefaults. Add also the metadataAttributePrefix="Meta-" (This will be explained later).

In context: /etc/shibboleth/shibboleth2.xml -> ApplicationDefault element

Code Block
<ApplicationDefaults entityID="https://<HOST>/shibboleth"
  REMOTE_USER="eppn persistent-id targeted-id"
  signing="front" encryption="false"
  metadataAttributePrefix="Meta-" >

Add the attribute checker handler with the list of required attributes to Sessions.

/etc/shibboleth/shibboleth2.xml -> Sessions element


Now we have an session hook for the attribute checker to check specified attributes before a user login is completed.

Add the AttributeExtractor element of the type metadata next to the already existing type XML: (<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>)

For customization and error checks on the error page (attrChecker.html) we want to enable the "Attribute Extractor" with the type "metadata" to be able to fetch IdP attributes from the metadata feed. The attributes we need is the email addresses of the IdP support and security contacts. We've already added metadataAttributePrefix to the ApplicationDefaults element.


When you modify shibboleth2.xml you can test validity of the configuration file with command "shibd -t". If configuration file is still valid XML you can now restart your shibboleth with "sudo service shibd restart". Shibboleth should anyways reload configuration file if it detects any change on it.

Add attribute definition for the metadata Assurance Certification attribute

To be able to check for REFEDS SIRTFI you need to add a definition for the metadata based attribute Assurance Certification. We've already added metadataAttributePrefix to the ApplicationDefaults element in shibboleth2.xml.


Code Block
<!-- Metadata based attribute for Assurance Certification -->
<Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="AssuranceCertification"/>

Logging of missing requirements

Shibboleth SP doesn't track nor log failed logins due to missing attributes. The Shibboleth SP web server can be used for "pixel tracking". This means that you load an image (eg: containing only one transparent pixel) from the web server from where you can monitor logs and observe access for you image. In the url of the image you can also insert details you want to see, eg: Authentication source (IdP) and missing attributes. This technique is used in attrChecker-html below.

Replace the image with your existing one from the following code or comment it out if you dont need it. Example below loads track.png from document root and adds variables like "idp" containing the entityID of the authentication source and "miss" denoting missing attributes.

Template customization

Replace the attrChecker.html that is located in the "/etc/shibboleth" directory with the template below. If you don't want to edit it by yourself, you can use the ready made template. The template has links to external components such as jquery and bootstrap. They are fetched on the fly from third party sources.