Roberts A.L. wrote:

> I have previously reported to the list a problem we are having at 
> Swansea University (UK) getting our IdP to interact successfully with 
> the publisher Science Direct’s SP. Thanks for the assistance so far but 
> we are still no nearer to resolving the situation. I am a little worried 
> by this scenario. The situation is:

I'm a bit concerned by this as well.  I remember your query going past 
in mid-February and it's obviously far from ideal that you and 
ScienceDirect haven't been able to debug the issue yet.  I'm sure you 
understand, though, how hard it can be for a third party to help debug 
an end-to-end problem.

> 1)      we have a problem with accessing an SP that belongs to the UK Fed
> 
> 2)      as far as the folks at UK Fed are concerned our IdP is working 
> correctly

I think we should try and verify this again.  Please try this test SP so 
that I can get a detailed idea of what you're sending:

    https://target.iay.org.uk/index.html

It may be that I'll see something we didn't think of last time round.

As a cross-check, it might also be worth trying this one:

    https://sh2testsp1.iay.org.uk/

(Shib 2.0, so almost certainly we'll get different diagnostics out of 
it.  Who knows, it might notice a problem)

> 3)      According to the Science Direct SP logs the problem is: ERROR 
> {nl:OpenSSL [6004] sessionNew: path validation failure: unable to get 
> local issuer certificate}} which is causing a failure with the message 
> ‘The inter-institutional access system was unable to successfully build 
> a login session…’

That looks like the problem isn't with your certificate per se but with 
the chain of certificates leading down to it.  Having said which, I 
still don't know why there would be a problem.

> 4)      UK Fed says that there is nothing wrong with our certificate(s) 
> (they are globalsign certs obtained via JANET)

I remember checking this personally, in fact.

> 5)      Our IdP seems to be working fine for every other shib protected 
> resource and I can find nothing wrong with our IdP config or any errors 
> in the shib log to point at what is failing
> 
> 6)      I don’t know what else to do…

Try that test, then get back to me off-list with the results and a 
timestamp.  We'll see what we can think of.  There are some options we 
hesitated to suggest last time that we might try this time round if 
we're out of options.

It would also be useful if you could send me your idp.xml and a copy of 
your certificate file (not the key file, obviously).

> My final stab at solving this is down to a difference between the way 
> the SD SP and the Eduserv SP interact with our IdP.

Comparing the SD SP and the Eduserv SP isn't as useful as you might 
think, because the Eduserv SP is using a completely different codebase 
and (at present) its own metadata.  So, success with the Eduserv SP 
doesn't tell us as much as I'd like about whether your IdP is "right". 
That test against my own test SP will be much more definitive in this area.

> I have noticed that 
> the SD SP does not make any POST Requests after establishing a 
> connection via GET in contrast to the Eduserv SP which initiates a POST 
> request following a GET. I have included a regular session in the 
> shib-error log between the Eduserv SP and our Idp and the SD SP below. 
> The salient lines occur just after the cert has been passed.

As Alastair points out, if the authentication response from the IdP 
can't be verified, there won't be an attribute query.  That looks like 
what's happening here but we'll need to dig a little deeper to find out why.

	-- Ian