Nick,
> so it's happening at the apache level
Then I would say that Daniel over in Shib-users is getting there.
>> It seems that the error came from your idp's SSL connector
>> configuration. your tomcat server is telling the client (web
>> navigator) to provide a certificate.
>>
>> you can disable this behavior by setting the clientAuth directive in
>> the server.xml file of your tomcat server to "false"
>>
>> clientAuth="false"
(but Graham's suggestion about SSLVerifyClient should work too)
*However* if you don't get this with testshib but do with your test SP, I would also be suspicious of the metadata that the SP has consumed - it might have decided to direct your browser to the AA port (somehow). When you say
> going to https://shib02.aston.ac.uk
What is the exact path? Does it look like an SSO path?
> I had the idp working with testshib but I want to understand errors like:
I'm guessing (wildly) that your directory is spitting out something that the Attribute processing code is finding unpalatable. I'd poke at it with aacli and with logging turned right up. You'll get a trace of all the attribute state during processing...
Rod
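The split described above (browser-facing port without client-certificate requests, separate back-channel port with them), as an added example that is not from the thread or the Shibboleth project. The port numbers, keystore paths and passwords are placeholders I have assumed, not values from this page.

```xml
<!-- Constructed Tomcat server.xml fragment (assumed ports, paths and passwords). -->
<Service name="Catalina">

  <!-- Port 443: the connector browsers reach for SSO. clientAuth="false"
       (also Tomcat's default) means the browser is never asked for a
       certificate, so IE's blank "Choose a digital certificate" box does not
       appear. clientAuth="true" or "want" on this connector is the
       misconfiguration the thread is diagnosing. -->
  <Connector port="443"
             protocol="HTTP/1.1"
             SSLEnabled="true"
             scheme="https"
             secure="true"
             clientAuth="false"
             sslProtocol="TLS"
             keystoreFile="/opt/idp/credentials/idp.jks"
             keystorePass="CHANGEME" />

  <!-- Port 8443: the back-channel (attribute authority) port used by SPs,
       never by a browser. clientAuth="want" requests a certificate from the
       connecting SP without failing handshakes that present none. -->
  <Connector port="8443"
             protocol="HTTP/1.1"
             SSLEnabled="true"
             scheme="https"
             secure="true"
             clientAuth="want"
             sslProtocol="TLS"
             keystoreFile="/opt/idp/credentials/idp.jks"
             keystorePass="CHANGEME"
             truststoreFile="/opt/idp/credentials/idp.jks"
             truststorePass="CHANGEME" />

</Service>
```

Even with 443 correct, a browser sent to the 8443 connector by bad SP metadata (Rod's other suspicion) would still get the certificate prompt, so check which path and port the browser is actually being redirected to.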
----- Original Message -----
From: "Williams, John" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, July 24, 2008 2:01 PM
Subject: Re: shibboleth 2.0 idp/sp
Rod,
Looking at it again, IE7 flags this message when going to https://shib02.aston.ac.uk so it's happening at the apache level, there are no entries in the logs so I know where to look.
I had the idp working with testshib but I want to understand errors like:
2008-07-24 13:49:51 INFO Shibboleth.AttributeExtractor [6]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1
2008-07-24 13:49:51 WARN Shibboleth.AttributeFilter [6]: removed value at position (0) of attribute (eppn) from (https://shib02.aston.ac.uk/idp/shibboleth)
2008-07-24 13:49:51 WARN Shibboleth.AttributeFilter [6]: removed value at position (0) of attribute (affiliation) from (https://shib02.aston.ac.uk/idp/shibboleth)
Thanks
John
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Rod Widdowson
Sent: 24 July 2008 10:08
To: [log in to unmask]
Subject: Re: shibboleth 2.0 idp/sp
John,
Have you set them up separately first? That usually makes life easier.
Your symptom is that of approaching a web server which is trying to set up an SSL connection which requires a certificate on both sides. This is the way that one of the IdP ports is configured - but not one that you would ever be looking at with a browser.
Further, if you were going Shib2 SP <-> Shib2 IdP it wouldn't even be used (since that setup should be using encrypted attribute push).
Anything of interest in any of the logs?
Rod
----- Original Message -----
From: "Williams, John" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, July 24, 2008 9:20 AM
Subject: shibboleth 2.0 idp/sp
Hi,
I am trying to set up a shib2 idp and sp using the local install instructions. I'm having a whole raft of problems with attribute release and usage but when I go to the local sp with Windows IE7 it comes up with a box labelled "Choose a digital certificate" that states:
"The website you want to view requests identification.
Please choose a certificate"
The list is blank but if I say OK it just logs in to the SP via the IdP normally. Anyone have an idea why it does this? Firefox works normally.
Thanks
John
--
This communication is intended solely for the addressee. The message should not be forwarded to any third party without the agreement of the sender.
--
John Williams
ISA
Aston University