On Mon, 22 Sep 2008, Paul Campbell wrote:
> However I'm getting the following error in the server log. I had been
> getting the same error from resolvertest when I didn't provide the
> --requester parameter.
>
> - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonTargetedID)
> - Could not create ID for unauthenticated requester.
>
> This is in the log *before* loading the ARP files.
eduPersonTargetedID is (in effect) a hash of (at least) the user's
identity and the identity of the SP it is being supplied to. So the IdP
can only securely generate an ePTID if it's able to authenticate the SP
requesting it (because otherwise an SP could ask for the ePTID
corresponding to another SP and that wouldn't be good for privacy).
Typically this means that the SP must appear in the metadata and must be
using the host names, URLs and keys that the metadata supplies.
I'm fairly sure that "Could not create ID for unauthenticated requester"
simply means that this isn't the case and that therefore ePTID generation
has been suppressed.
Tracking down _why_ authentication is failing is another whole ballgame.
Try using resolvertest and a --requester parameter that identifies an SP
that is in the metadata you have loaded.
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
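The argument above (an ePTID is a hash over the user and the requesting SP, so it must only be produced for a requester the IdP has actually authenticated against its metadata) as an added, self-contained example; this is not code from the thread or from Shibboleth. The metadata table, the salt, the entityIDs and the fingerprints are constructed, and the "SP ! user ! salt" layout hashed with SHA-1 is loosely modelled on the computed-ID approach but is an assumption here, not the IdP's actual implementation.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for SAML metadata: entityID -> the key fingerprint the
# SP is expected to present (TLS client cert or signing key). Values made up.
METADATA = {
    "https://sp-a.example.org/shibboleth": "sha256:1111",
    "https://sp-b.example.org/shibboleth": "sha256:2222",
}

# Hypothetical per-IdP secret salt. Without it, anyone who knows a username
# and an SP entityID could recompute that user's ePTID offline.
SALT = b"hypothetical-idp-salt-keep-this-secret"


def authenticated_requester(claimed_entity_id: str, presented_key: str) -> Optional[str]:
    """Return the requester's entityID only if it is listed in metadata and
    presents the key metadata says it should have; otherwise None.

    The SP's identity used later is the *authenticated* one, never a value the
    SP merely claims, so SP A cannot ask for SP B's ePTID.
    """
    expected = METADATA.get(claimed_entity_id)
    if expected is None or not hmac.compare_digest(expected, presented_key):
        return None
    return claimed_entity_id


def compute_eptid(requester: Optional[str], user_id: str) -> Optional[str]:
    """Computed-ID style ePTID: SHA-1 over (SP entityID, user, salt), base64.

    Refuses to produce anything for an unauthenticated (None) requester, which
    is the situation behind "Could not create ID for unauthenticated requester".
    """
    if requester is None:
        return None
    material = b"!".join([requester.encode(), user_id.encode(), SALT])
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


def resolve(claimed_entity_id: str, presented_key: str, user_id: str) -> Optional[str]:
    """What a resolver would do: authenticate the requester, then derive."""
    return compute_eptid(authenticated_requester(claimed_entity_id, presented_key), user_id)


if __name__ == "__main__":
    # Constructed walkthrough: a known SP with the right key gets a stable,
    # per-SP value; a wrong key or an SP missing from metadata gets nothing.
    print(resolve("https://sp-a.example.org/shibboleth", "sha256:1111", "pc123"))
    print(resolve("https://sp-b.example.org/shibboleth", "sha256:2222", "pc123"))
    print(resolve("https://sp-a.example.org/shibboleth", "sha256:2222", "pc123"))
    print(resolve("https://sp-c.example.org/shibboleth", "sha256:3333", "pc123"))
```

The two values printed for sp-a and sp-b differ for the same user, which is the whole point of a targeted ID, and the last two lines print None: the resolver never derives an ID from a requester it could not tie to metadata. That is the behaviour the log line reports, and it is why running resolvertest with a --requester that matches a loaded metadata entry is the right first check.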