Thierry Delaitre wrote:


> Last Friday, the metadata file on our SP was probably out of date. However,
> it is now in sync and the user from uclan still experiences authorization
> denied. The user seems to authenticate fine but the
> eduPersonScopedAffiliation does not seem to be populated I believe. It can
> be seen in the transaction log below for uclan that there are no log entries
> for the eduPersonScopedAffiliation attribute whereas a user from a standard
> shib SP has got entries added for the eduPersonScopedAffiliation query. Is
> this an issue with EduServ Athens?

That would have to be my guess; certainly, the best way to proceed will 
be to talk to the Eduserv helpdesk and explain the issue.

> Would it make a difference if the user
> selects the uclan entry instead of the EduServ Athens?

I don't believe so, at least at present.

> 2008-07-01 11:34:01 INFO Shibboleth-TRANSACTION : New session (ID:
> _47cf42e4a65c0ca2be996195a261921f) with (applicationId: default) for
> principal
>  from (IdP: urn:mace:eduserv.org.uk:athens:federation:uk) at (ClientAddress:
> 193.61.255.86) with (NameIdentifier:
> tZ1iw9X1wDUyNtiKlQb13tY9G6+zHsu29ymFkai+rJM2+P1q5bpwxQ5I3Dpo6coUrzmziNefubpl
> 3XWnnAKWkw==)

Just an observation here: this is an assertion from the "classic"
gateway entity, not from the new virtual IdP that uclan.ac.uk now have.
It's not clear to me at exactly what point that should be switching
over for these new virtual IdPs, and maybe something has gone wrong there.

However, the "classic" gateway is supposed to be working just the same 
as it always did, so this should still have given you the scoped 
affiliation.

	-- Ian