Lösungen zu den Übungen

 DFN Logo






Übung 3: Loglevel auf Debug einstellen


# Datei: /opt/shibboleth-idp/conf/idp.properties
idp.loglevel.idp = DEBUG
idp.loglevel.messages = DEBUG
idp.loglevel.encryption = DEBUG

# die Konfiguration neu laden:
# der langsame Weg:
systemctl restart tomcat9.service
# schneller, aber trotzdem mit kurzer Unterbrechung:
touch /opt/shibboleth-idp/war/idp.war
# ohne Unterbrechung: 5 Min. warten., siehe Reload-Intervalle in conf/services.properties

Übung 4: dfnEduPerson-Schema importieren


# Download der Transcoding Properties für dfnEduPerson:
wget https://download.aai.dfn.de/schema/dfnEduPerson.xml -O /opt/shibboleth-idp/conf/attributes/dfnEduPerson.xml
ls /opt/shibboleth-idp/conf/attributes/
custom  default-rules.xml  dfnEduPerson.xml  eduCourse.xml  eduPerson.xml  inetOrgPerson.xml  samlSubject.xml
# Einbinden in default-rules.xml
[...]
    <import resource="dfnEduPerson.xml" />
[...]

Übung 5: eduPersonScopedAffiliation aus eduPersonAffiliation bilden


<!-- Datei: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
        <InputAttributeDefinition ref="eduPersonAffiliation" />
    </AttributeDefinition>

Übung 6: Attributfreigaben differenzieren

Für die attribute-filter.xml gibt es zwei mögliche Schreibweisen. Die erste wird in den mitgelieferten Beispieldateien verwendet. Die zweite (unten) ist kürzer und übersichtlicher. 

<!-- 1. Schreibweise -->
<!-- Datei: /opt/shibboleth-idp/conf/attribute-filter.xml -->
    <!-- Release to local SP1. -->
    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Release to local SP2. -->
    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>


<!-- 2. Schreibweise -->
<!-- Datei: /opt/shibboleth-idp/conf/attribute-filter.xml -->
    <!-- Release to local SP1. -->
    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
    </AttributeFilterPolicy>

    <!-- Release to local SP2. -->
    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="surname"                    permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
        <AttributeRule attributeID="uid"                        permitAny="true"/>
    </AttributeFilterPolicy>

Übung 7: common-lib-terms für alle "member@local" übertragen

Doku: https://doku.tid.dfn.de/de:shibidp:config-attributes-publishers 

<!-- Datei: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
    <!-- definiert wird das Attribut eduPersonEntitlement -->
    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <!-- als Informationsquelle wird das Attribut eduPersonAffiliation genutzt -->
        <InputAttributeDefinition ref="eduPersonAffiliation" />
        <Script><![CDATA[
	      // wenn eduPersonAffiliation für die Person den Wert 'member' hat, ...
              if (eduPersonAffiliation.getValues().contains("member")) {
	            // ... dann bekommt eduPersonEntitlement den Wert 'urn:mace:dir:entitlement:common-lib-terms'
                    eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
              }
           ]]>
        </Script>
    </AttributeDefinition>
Anschließend muss das Attribut eduPersonEntitlement auch für die SPs freigegeben werden: 

<!-- Datei: /opt/shibboleth-idp/conf/attribute-filter.xml -->
    <!-- Release to local SP1. -->
    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="eduPersonEntitlement"       permitAny="true"/>
    </AttributeFilterPolicy>

    <!-- Release to local SP2. -->
    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonAffiliation"       permitAny="true"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="surname"                    permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
        <AttributeRule attributeID="uid"                        permitAny="true"/>
        <AttributeRule attributeID="eduPersonEntitlement"       permitAny="true"/>
    </AttributeFilterPolicy>
Die SAML-Assertion vom Login von professorin: 
<!-- idp-process.log -->
2021-09-08 13:36:22,449 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cf4228f862a4b997bbbd7b5c3b395299" IssueInstant="2021-09-08T11:36:21.671Z" Version="2.0">
   <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp1.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ZrUq2jdeUVo5sO9Z3WnuwKEUGTw=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_1565b5838dd009ff423216c6fc6646c7" NotOnOrAfter="2021-09-08T11:41:21.902Z" Recipient="https://sp1.local/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2021-09-08T11:36:21.671Z" NotOnOrAfter="2021-09-08T11:41:21.671Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp1.local/shibboleth</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2021-09-08T11:36:14.437Z" SessionIndex="_e30db63df76c093a938fa393916fb621">
      <saml2:SubjectLocality Address="127.0.0.2"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
   <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>member@local</saml2:AttributeValue>
         <saml2:AttributeValue>employee@local</saml2:AttributeValue>
         <saml2:AttributeValue>staff@local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
      </saml2:Attribute>
   </saml2:AttributeStatement>
</saml2:Assertion>
Die SAML-Assertion vom Login von extern: 
<!-- idp-process.log -->
2021-09-08 15:23:18,904 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_21d13a8ab75ca1dbed651b2fcd99a7ca" IssueInstant="2021-09-08T13:23:18.177Z" Version="2.0">
   <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp1.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">InPeS420PHTUEZKu84vtf1k1POg=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_798fb58891f4b5587829169c23ff1d09" NotOnOrAfter="2021-09-08T13:28:18.440Z" Recipient="https://sp1.local/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2021-09-08T13:23:18.177Z" NotOnOrAfter="2021-09-08T13:28:18.177Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp1.local/shibboleth</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2021-09-08T13:23:15.009Z" SessionIndex="_0df1859fae1395ca878f0887a71db2ef">
      <saml2:SubjectLocality Address="127.0.0.2"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
</saml2:Assertion>

Übung 8: Einzelnes Entitlement an nur einen SP übertragen

Beispiel für PermitValueRule ebenfalls unter https://doku.tid.dfn.de/de:shibidp:config-attributes-publishers 

<!-- Datei: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <InputAttributeDefinition ref="eduPersonAffiliation" />
	<!-- hier muss die OU als zweite Infoquelle eingebunden werden -->
        <InputAttributeDefinition ref="organizationalUnit" />
        <Script>
          <![CDATA[
              if (eduPersonAffiliation.getValues().contains("member")) {
                  eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
              }
              if (organizationalUnit.getValues().contains("politologie")) {
                  eduPersonEntitlement.getValues().add("https://sp2.local/entitlement/politologie");
              }
           ]]>
           </Script>
    </AttributeDefinition>

<!-- Datei: /opt/shibboleth-idp/conf/attribute-filter.xml -->
    <!-- Release to local SP1. -->
    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
            <!-- an SP1 nur common-lib-terms übertragen -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Release to local SP2. -->
    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="surname"                    permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
        <AttributeRule attributeID="uid"                        permitAny="true"/>
        <!-- an SP2 jeden Wert übertragen -->
        <AttributeRule attributeID="eduPersonEntitlement"       permitAny="true"/>
    </AttributeFilterPolicy>
Die SAML-Assertion vom Login von polstudi: 

2021-09-08 15:49:44,041 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_882ef083bbb4c9e645a6a6b7839d2a0e" IssueInstant="2021-09-08T13:49:43.780Z" Version="2.0">
   <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp2.local/sh
ibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">7DK9v7LlqyUH10fSxvDUzB7QOC4=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_fdd852ae1ef5a6a05e6f3824d21dd66c" NotOnOrAfter="2021-09-08T13:54:43.881Z" Recipient="https://
sp2.local/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2021-09-08T13:49:43.780Z" NotOnOrAfter="2021-09-08T13:54:43.780Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp2.local/shibboleth</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2021-09-08T13:49:15.505Z" SessionIndex="_ec3568d922ba0643ad2099f3ebabfee1">
      <saml2:SubjectLocality Address="127.0.0.2"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
   <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>polstudi</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>max.strebsam@student.nodomain.local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>member@local</saml2:AttributeValue>
         <saml2:AttributeValue>student@local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
         <saml2:AttributeValue>https://sp2.local/entitlement/politologie</saml2:AttributeValue>
      </saml2:Attribute>
   </saml2:AttributeStatement>
</saml2:Assertion>
Der Account biostudi bekommt am SP2 die Antwort Unauthorized. Die SAML-Assertion von biostudi: 

2021-09-08 15:54:09,910 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_52497b5b2012df6280564883ab4c101b" IssueInstant="2021-09-08T13:54:09.571Z" Version="2.0">
   <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp2.local/sh
ibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SAmLpofK57Ut0PZPw8dXfpNvr/c=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_731de97903ade13a8e162d6a5eacd03a" NotOnOrAfter="2021-09-08T13:59:09.806Z" Recipient="https://
sp2.local/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2021-09-08T13:54:09.571Z" NotOnOrAfter="2021-09-08T13:59:09.571Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp2.local/shibboleth</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2021-09-08T13:54:03.476Z" SessionIndex="_e458dbaf0a8b5c299b0ad5232f4279bb">
      <saml2:SubjectLocality Address="127.0.0.2"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
   <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>biostudi</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>mia.studi@student.nodomain.local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>member@local</saml2:AttributeValue>
         <saml2:AttributeValue>student@local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>Mia</saml2:AttributeValue>
      </saml2:Attribute>
   </saml2:AttributeStatement>
</saml2:Assertion>
Gegenprobe: polstudi meldet sich am SP1 an, wohin das Politologie-Entitlement nicht übertragen werden soll. Hier nur das Attribute Statement aus der SAML-Assertion: 

   <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>member@local</saml2:AttributeValue>
         <saml2:AttributeValue>student@local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
      </saml2:Attribute>
   </saml2:AttributeStatement>

Übung 9: Vergleich von Identifiern

SAML-Assertion von professorin (gekürzt): 
...
<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth"
    SPNameQualifier="https://sp1.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ZrUq2jdeUVo5sO9Z3WnuwKEUGTw=</saml2:NameID>
</saml2:Subject>
...
<saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="samlSubjectID" Name="urn:oasis:names:tc:SAML:attribute:subject-id"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>5241e5ad778e6a9de03336337da47ddaabf354ecd3deaa0913518eb7647398cb@local</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="samlPairwiseID" Name="urn:oasis:names:tc:SAML:attribute:pairwise-id"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">  
        <saml2:AttributeValue>ZrUq2jdeUVo5sO9Z3WnuwKEUGTw=@local</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="eduPersonUniqueId" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>5241e5ad778e6a9de03336337da47ddaabf354ecd3deaa0913518eb7647398cb@local</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>


...
<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth"
    SPNameQualifier="https://sp2.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">teBAMDTLTCUHqqO5vycFPrwhKos=</saml2:NameID>
</saml2:Subject>
...
<saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="samlPairwiseID" Name="urn:oasis:names:tc:SAML:attribute:pairwise-id"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>teBAMDTLTCUHqqO5vycFPrwhKos=@local</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="eduPersonUniqueId" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>5241e5ad778e6a9de03336337da47ddaabf354ecd3deaa0913518eb7647398cb@local</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="samlSubjectID" Name="urn:oasis:names:tc:SAML:attribute:subject-id"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>5241e5ad778e6a9de03336337da47ddaabf354ecd3deaa0913518eb7647398cb@local</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>