Hi,
The other cause of this kind of thing might be a hardcoded SSO endpoint somewhere at their end - I had this with a couple of providers who run their own WAYF (or provide their own WAYFless URLs) when we upgraded - they had picked up the updated UK Fed metadata but still had our old 1.3 SSO endpoint hardcoded into their WAYF.
We are currently running both the old Shib 1.3 and the new Shib 2 in parallel, so, in cases like the above, I would see the authentication request arrive at 1.3 but the attribute request arrive at 2 - the authentication would succeed, but not the attribute retrieval, so this would result in an attribute related error (e.g. the SP not receiving an eduPersonTargetedID value and so complaining) . . .
We're not a refworks site, so don't know if they run their own WAYF, so this may, or may not, be related to your problem, but it is an issue to be aware of regardless :-)
Mike
Michael White
eLearning Developer
eLearning Liaison & Development (eLD)
3V3a, Cottrell
University of Stirling
Stirling SCOTLAND
FK9 4LA
Email: [log in to unmask]
Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880
http://www.is.stir.ac.uk/aboutis/teams/aldt/eld.php
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of NS Hashmi, Information Systems and Computing
Sent: 02 July 2010 10:33
To: [log in to unmask]
Subject: Re: Help please - upgraded to Shib2 and Refworks broken.
Hi
It could be that Refworks have yet to update their copy of the metadata, so
it still points to *your* old (1.3?) IdP. I suggest contacting them to
request they update their copy asap.
Naveed
--On 02 July 2010 10:23 +0100 "Thornley, Dave H" <[log in to unmask]>
wrote:
> Hi all,
>
> We've just upgraded our IdP to Shib2 and are having trouble with
> Refworks and one or two others.
>
> Attempts to log into Refworks display an error that we haven't released
> eduPersonTargetedID. As far as I can tell from the IdP logs we're
> retrieving it from LDAP and encoding it and the attribute filters
> aren't blocking it but it still fails. Using other sites (the
> Federation Test SP for example) displays eduPersonTargetedID and the new
> persistentID correctly. We're using the old and new formats as on the
> federation website.
>
> The only clue I have is that the IdP (when logging is set to TRACE) puts
> the following line in the log when searching the metadata for the
> entityID: 07:56:17.808 - TRACE
> [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:257] -
> Found entity descriptor for entity with ID
> https://www.refworks.com/shibboleth/sp but it is no longer valid,
> skipping it.
>
> Our federation metadata was updated this morning so I'm not sure where it
> why this would be the case. The expiry time in the metadata config in
> relying-party.xml is as set on the UK Federation site.
>
> Is there anyone using Refworks with Shib2 able to tell us where we might
> find the problem? Refworks have suggested it's because they're still
> using Shib1.3 but I can't find anything on the web suggetsing exceptions
> or differences needed to support this....
>
> Any help gratefully received!
>
> cheers
>
> dave
>
> --
> Dave Thornley
> Service Support Manager
> IT Infrastructure Service
> Sheffield Hallam University
> Tel: 0114 225 3822 / 07771 974349
> Email: [log in to unmask]
--------------------------------------------------------
Naveed Hashmi
Information Systems and Computing
University of Bristol
--
The Sunday Times Scottish University of the Year 2009/2010
The University of Stirling is a charity registered in Scotland,
number SC 011159.
|