> What seems to happen is that the authentication phase works fine, but
> when LSE requests attributes from my IdP the request contains credentials
> which my end doesn't think are valid for that SP - I end up logging
>
> 2007-11-13T14:39:40+0000 localhost [shib] cannot match certificate
> subject against acceptable key names based on the metadata entityId or
> KeyDescriptors
> 2007-11-13T14:39:40+0000 localhost [shib] Supplied credentials
> (CN=gate-test.library.lse.ac.uk,OU=Library,O=London School of
> Economics,L=London,ST=London,C=GB) are NOT valid for provider
> (urn:mace:ac.uk:sdss.ac.uk:provider:service:gabriel.lse.ac.uk).
>
> Secondly, if anyone has access to a UK Federation-only IdP that is
> expected to release at least some attributes (perhaps ePSA and/or ePTID)
> to LSE then could you try accessing
>
> https://gabriel.lse.ac.uk/simon/cgi-bin/printenv.pl
>
> and let me know if those attributes appear in the resulting table (the
> table will appear whatever, the question is whether the attribute values
> are there or not). Just tell me - I'll summarise replies and any
> eventual outcome to the list.

I see a similar message in my error log:

2007-11-16 14:47:30,586 ERROR [IdP] -1261031662
- cannot match certificate subject against acceptable key names based on
the metadata entityId or KeyDescriptors
2007-11-16 14:47:30,601 ERROR [IdP] -1261031662
- Supplied credentials
(CN=gate-test.library.lse.ac.uk,OU=Library,O=London School of
Economics,L=London,ST=London,C=GB) are NOT valid for provider
(urn:mace:ac.uk:sdss.ac.uk:provider:service:gabriel.lse.ac.uk).
2007-11-16 14:47:30,603 ERROR [IdP] -1261031662
- Error while processing request: org.opensaml.SAMLException: Invalid
credentials for request.

and, although I release ePSA and ePTID by default, they did not appear
in the table.

--
Richard Gilbert
Corporate Information and Computing Services
University of Sheffield, Sheffield, S10 2TN, UK
Phone: +44 114 222 3028 Fax: +44 114 222 3040