Solved!
For coexistence with a Shib1 install on the same hostname I'm running the AA on port 8442 not 8443. This appears to be being blocked to outbound connections in a few SP firewalls, hence their attributes request never made it out of their network.
Thanks for the help and suggestions.
Cheers
dave
On 02/07/2010 11:48, "Andy Swiffin" <[log in to unmask]> wrote:
>>> On 02/07/2010 at 10:23, in message <[log in to unmask]>, "Thornley, Dave H" <[log in to unmask]> wrote:
> Hi all,
>
> We've just upgraded our IdP to Shib2 and are having trouble with Refworks
> and one or two others.
>
> Attempts to log into Refworks display an error that we haven't released
> eduPersonTargetedID. As far as I can tell from the IdP logs we're retrieving
> it from LDAP and encoding it and the attribute filters aren't blocking it but
> it still fails. Using other sites (the Federation Test SP for example)
> displays eduPersonTargetedID and the new persistentID correctly. We're using
> the old and new formats as on the federation website.
It does sound like they're going to the wrong place for attributes even
though they say they've updated.
Have you had a look at the Shibboleth 1 IdP apache logs to confirm that
it isn't going there to look for attributes? If I remember right it's
ssl_access_log you want to look at, put a tail -f on it and also on the
idp-process.log on the shibb 2 IdP and then go and login. If it's
going to the wrong one for attributes you'll see something like:
00:30:48.161 - INFO [Shibboleth-Audit:714] -
20091211T003048Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://www.jiscmail.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://idp.dundee.ac.uk/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_be3d5512d6af0eb475a1d53400c739d3|alswiffin|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||_847d125b8894b061fa1aada21484130f|_a5157df3849ea8a92a8793349e646dbd
in idp-process.log
and then straight away you'll see
130.246.192.50 - - [11/Dec/2009:00:30:48 +0000] "POST
/shibboleth-idp/AA HTTP/1.1" 200 676
in the shibb 1 apache ssl_access_log.
If all was well, you would normally see the above AuthnRequest:
11:36:58.447 - INFO [Shibboleth-Audit:714] -
20100702T103658Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://www.jiscmail.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://idp.dundee.ac.uk/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_726dbd11f234b114705a3e21b6c5019f|alswiffin|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||_fbb00cdd007213294fe00bea68081f70|_a6e0e9e0b7ab8eed6eabb0d7f5f2814f,|
followed by an AttributeQuery:
11:36:58.815 - INFO [Shibboleth-Access:73] -
20100702T103658Z|130.246.192.50|idp.dundee.ac.uk:8443|/profile/SAML1/SOAP/AttributeQuery|
followed by the response
11:36:58.860 - INFO [Shibboleth-Audit:714] -
20100702T103658Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_4bf599b9b47f3b92d2e19d2674236207|https://www.jiscmail.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml1:query:attribute|https://idp.dundee.acuk/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_198028a192fd429637c8b70edb9d3848|alswiffin||eduPersonAffiliation,transientId,eduPersonScopedAffiliation,eduPersonTargetedID.old,eduPersonTargetedID,|_fbb00cdd007213294fe00bea68081f70|_0beb2b7d54242ba79399855d09238b62,|
HTH
Andy
--
Dave Thornley
Service Support Manager
IT Infrastructure Service
Sheffield Hallam University
Tel: 0114 225 3822 / 07771 974349
Email: [log in to unmask]
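
The check Andy describes (a SAML1 SSO audit entry that should be followed by an AttributeQuery on the same IdP) can be automated over idp-process.log. The following is an added example, not part of the original thread and not Shibboleth's own code; the field positions are read off the audit lines quoted above, and the 30-second window, the example.org hosts and the sample log lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SSO = "urn:mace:shibboleth:2.0:profiles:saml1:sso"
QUERY = "urn:mace:shibboleth:2.0:profiles:saml1:query:attribute"

def parse_audit(line):
    """Return (time, relying_party, profile, principal, name_id), or None."""
    if "[Shibboleth-Audit" not in line:
        return None  # access-log and other entries are ignored
    fields = line.split("] - ", 1)[1].strip().split("|")
    if len(fields) < 12:
        return None
    # Field positions are read off the audit lines quoted in the thread.
    when = datetime.strptime(fields[0], "%Y%m%dT%H%M%SZ")
    return when, fields[3], fields[4], fields[8], fields[11]

def sso_without_query(lines, window_seconds=30):
    """List SAML1 SSO logins that no AttributeQuery followed on this IdP."""
    events = [e for e in map(parse_audit, lines) if e]
    queries = [e for e in events if e[2] == QUERY]
    window = timedelta(seconds=window_seconds)
    missing = []
    for when, sp, profile, user, name_id in events:
        if profile != SSO:
            continue
        # Same SP and same name identifier ties the query to the login.
        if not any(q[1] == sp and q[4] == name_id
                   and timedelta(0) <= q[0] - when <= window for q in queries):
            missing.append((sp, user, when.isoformat()))
    return missing

def _audit(ts, req_binding, sp, profile, user, attrs, name_id):
    # Builds one constructed audit line; hosts and IDs are placeholders.
    body = "|".join([ts, req_binding, "", sp, profile,
                     "https://idp.example.org/shibboleth", "resp-binding",
                     "_resp", user, "", attrs, name_id, "_assert,", ""])
    return "10:00:00.000 - INFO [Shibboleth-Audit:714] - " + body

SAMPLE_LOG = [  # constructed sample, not taken from a real IdP
    _audit("20100702T100001Z", "AuthnRequest", "https://sp-a.example.org/shibboleth", SSO, "alice", "", "_n1"),
    "10:00:01.400 - INFO [Shibboleth-Access:73] - 20100702T100001Z|192.0.2.10|idp.example.org:8443|/profile/SAML1/SOAP/AttributeQuery|",
    _audit("20100702T100002Z", "SOAP", "https://sp-a.example.org/shibboleth", QUERY, "alice", "eduPersonTargetedID,", "_n1"),
    _audit("20100702T100500Z", "AuthnRequest", "https://sp-b.example.org/shibboleth", SSO, "bob", "", "_n2"),
]

if __name__ == "__main__":
    for sp, user, when in sso_without_query(SAMPLE_LOG):
        print(f"{when} {sp} ({user}): SSO with no AttributeQuery seen")
```

An SP that shows up here is either querying a different attribute authority or, as in Dave's case, having its back-channel request blocked before it reaches the IdP.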