>>> On 02/07/2010 at 10:23, in message
<[log in to unmask]>,
"Thornley, Dave H" <[log in to unmask]> wrote:
> Hi all,
>
> We’ve just upgraded our IdP to Shib2 and are having trouble with
Refworks
> and one or two others.
>
> Attempts to log into Refworks display an error that we haven’t
released
> eduPersonTargetedID. As far as I can tell from the IdP logs we’re
retrieving
> it from LDAP and encoding it and the attribute filters aren’t
blocking it but
> it still fails. Using other sites (the Federation Test SP for
example)
> displays eduPersonTargetedID and the new persistentID correctly.
We're using
> the old and new formats as on the federation website.
It does sound like they're going to the wrong place for attributes even
though they say they've updated
Have you had a look at the Shibboleth 1 IdP apache logs to confirm that
it isn't going there to look for attributes? If I remember right it's
ssl_access_log you want to look at, put a tail -f on it and also on the
idp-process.log on the shibb 2 IdP and then go and login. If it's
going to the wrong one for attributes you'll see something like:
00:30:48.161 - INFO [Shibboleth-Audit:714] -
20091211T003048Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://www.jiscmail.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://idp.dundee.ac.uk/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_be3d5512d6af0eb475a1d53400c739d3|alswiffin|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||_847d125b8894b061fa1aada21484130f|_a5157df3849ea8a92a8793349e646dbd
in idp-process.log
and then straight away you'll see
130.246.192.50 - - [11/Dec/2009:00:30:48 +0000] "POST
/shibboleth-idp/AA HTTP/1.1" 200 676
in the shibb 1 apache ssl_access_log.
If all was well, you would normally see the above AuthnRequest:
11:36:58.447 - INFO [Shibboleth-Audit:714] -
20100702T103658Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://www.jiscmail.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://idp.dundee.ac.uk/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_726dbd11f234b114705a3e21b6c5019f|alswiffin|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||_fbb00cdd007213294fe00bea68081f70|_a6e0e9e0b7ab8eed6eabb0d7f5f2814f,|
followed by an AttributeQuery:
11:36:58.815 - INFO [Shibboleth-Access:73] -
20100702T103658Z|130.246.192.50|idp.dundee.ac.uk:8443|/profile/SAML1/SOAP/AttributeQuery|
followed by the response
11:36:58.860 - INFO [Shibboleth-Audit:714] -
20100702T103658Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_4bf599b9b47f3b92d2e19d2674236207|https://www.jiscmail.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml1:query:attribute|https://idp.dundee.acuk/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_198028a192fd429637c8b70edb9d3848|alswiffin||eduPersonAffiliation,transientId,eduPersonScopedAffiliation,eduPersonTargetedID.old,eduPersonTargetedID,|_fbb00cdd007213294fe00bea68081f70|_0beb2b7d54242ba79399855d09238b62,|
HTH
Andy
************************************************************
Please consider the environment. Do you really need to print this
email?
The University of Dundee is a registered Scottish charity, No: SC015096
|