Good morning all

After 3 hours of surfing the internet about how to configure the attribute resolver I am still lost.

I know that there are 4 common attributes used in Shibboleth:

eduPersonScopedAffiliation
eduPersonTargetedID
eduPersonPrincipalName
eduPersonEntitlement

The first 3 are commonly used by the UK federation.

So I need to define these in the resolver.xml file.

Does Shibboleth generate these attributes or should these be created in Active Directory first? I remember that you can change the AD schema for Shibboleth but it was not recommended.

I know it's a bit of a noob question but we all have to start somewhere.

Thanks in advance

 

Paul Cheyne

Support Consultant

RM (Aberdeen College)

Tel:  01224 (61)2550

Email:  [log in to unmask]

 

 

 

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Steve Holden
Sent: 05 May 2009 19:41
To: [log in to unmask]
Subject: Re: Attribute Definitions and metadatatool

 

Hi, Paul

 

Your resolver.xml file isn’t valid XML.

As the error message below says: “the end-tag for element type "Search" must end with a '>' delimiter”.

 

XML looks deceptively human-readable, but I’d (still, really, really) recommend using an XML validation tool to reduce this sort of frustration.

 

For example, using the command-line ‘xmlwf’ tool would have identified the two problems as:

    “42:12: not well-formed (invalid token)” - the trailing ‘>’ is missing from ‘</Search’
    “51:27: not well-formed (invalid token)” - the leading quote is missing from ‘<Property name=java…’
(the first two numbers are the line and character of the token after the problematic section).
 
‘xmlwf’ is part of the Expat package, and there’s a Win32 binary here:
  http://sourceforge.net/project/showfiles.php?group_id=10127&package_id=11277 
 
A quick google also turns up XMLfox: http://www.rustemsoft.com/xfox.htm
and AltovaXML: http://www.altova.com/altovaxml.html  
(no idea if they’re any good, but they’re both freeware).
 
Rod may have better Windows-specific suggestions.
 
Alternatively, paste your XML here to check it:
    http://validator.w3.org/#validate_by_input
(though by default this is a little too strict for Shibboleth’s XML files).
 
Kind regards, 

Steve 
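As an added example that is not part of Steve's reply, the check he describes done from Python's xml.parsers.expat (the same Expat library xmlwf is built on), run on constructed fragments that mirror the two mistakes in Paul's resolver.xml. Like xmlwf it reports well-formedness only; the cvc-complex-type.2.3 error in Paul's log is a schema-validity problem that only an XSD-aware validator will catch.

```python
# Added example: a well-formedness check in the style of xmlwf, using the same
# Expat parser; the fragments are constructed, not taken from a real deployment.
import xml.parsers.expat

# Constructed fragment 1: end tag '</Search' is missing its closing '>'.
BROKEN_END_TAG = (
    '<Search filter="cn=%PRINCIPAL%">\n'
    '  <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />\n'
    '</Search\n'
    '<Property name="java.naming.factory.initial" value="x" />\n'
)

# Constructed fragment 2: attribute value is missing its opening quote.
BROKEN_ATTRIBUTE = (
    '<JNDIDirectoryDataConnector id="ldap-directory">\n'
    '  <Property name=java.naming.security.credentials" value="REDACTED" />\n'
    '</JNDIDirectoryDataConnector>\n'
)

# Constructed fragment 3: the connector with both mistakes corrected.
WELL_FORMED = (
    '<JNDIDirectoryDataConnector id="ldap-directory">\n'
    '  <Search filter="cn=%PRINCIPAL%"></Search>\n'
    '  <Property name="java.naming.security.credentials" value="REDACTED" />\n'
    '</JNDIDirectoryDataConnector>\n'
)

def check_well_formed(xml_text):
    """Return None if well-formed, else (line, column, message) as Expat
    reports it: line 1-based, column 0-based, at the first rejected token."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as err:
        return (err.lineno, err.offset, xml.parsers.expat.ErrorString(err.code))
    return None

def report(name, xml_text):
    """One result line in xmlwf's 'name:line:col: message' shape."""
    result = check_well_formed(xml_text)
    return ("%s: well-formed" % name if result is None
            else "%s:%d:%d: %s" % ((name,) + result))

if __name__ == "__main__":
    for label, text in [("broken-end-tag", BROKEN_END_TAG),
                        ("broken-attribute", BROKEN_ATTRIBUTE), ("fixed", WELL_FORMED)]:
        print(report(label, text))
```

The reported position is the first character Expat could not accept, which is why the thread's xmlwf output points at the following `<Property` line and at the `j` of `java`, not at the line where the `>` or quote was left out.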
 

 

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Paul Cheyne
Sent: 05 May 2009 14:46
To: [log in to unmask]
Subject: Attribute Definitions and metadatatool

 

Hi all

Sorry I am back with more problems.

Today I am trying to define the attributes in the resolver.xml file and the attribute release policy.

I think I have got the attribute release policy spot on but I am having problems with the resolver.xml file. The shib install is throwing up these errors:

 

2009-05-05 14:08:23,839 ERROR [IdP] Core                                - Error parsing Attribute Resolver Configuration file: org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'SimpleAttributeDefinition' cannot have character [children], because the type's content type is element-only.

2009-05-05 14:08:23,855 FATAL [IdP] Core                                - The Identity Provider could not be initialized due to a problem with the Attribute Resolver configuration: edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolverException: Error parsing Attribute Resolver Configuration file.

2009-05-05 14:08:23,855 FATAL [IdP] Core                                - The Identity Provider could not be initialized: edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException: Could not load Attribute Resolver.

2009-05-05 14:14:12,143 ERROR [IdP] Core                                - Error parsing Attribute Resolver Configuration file: org.xml.sax.SAXParseException: The end-tag for element type "Search" must end with a '>' delimiter.

2009-05-05 14:14:12,143 FATAL [IdP] Core                                - The Identity Provider could not be initialized due to a problem with the Attribute Resolver configuration: edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolverException: Error parsing Attribute Resolver Configuration file.

2009-05-05 14:14:12,143 FATAL [IdP] Core                                - The Identity Provider could not be initialized: edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException: Could not load Attribute Resolver.

 

Here are my resolver and arp.site files

 

 

Resolver.xml

 

<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:resolver:1.0" xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">

      <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
            <DataConnectorDependency requires="echo"/>
      </SimpleAttributeDefinition>

      <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
            <DataConnectorDependency requires="echo"/>
      </SimpleAttributeDefinition>

      <SimpleAttributeDefinition
            id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
            smartScope="abcol.ac.uk">
            <AttributeDependency
                  requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
      </SimpleAttributeDefinition>

      <SimpleAttributeDefinition
            id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
            smartScope="abcol.ac.uk"
            sourceName="cn">
            <DataConnectorDependency requires="ldap-directory"/>
      </SimpleAttributeDefinition>

      <PersistentIDAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonTargetedID" scope="abcol.ac.uk" sourceName="cn">
            <DataConnectorDependency requires="ldap-directory"/>
            <Salt>*</Salt>
      </PersistentIDAttributeDefinition>

      <JNDIDirectoryDataConnector id="ldap-directory">
            <Search filter="cn=%PRINCIPAL%">
                  <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
            </Search
            <Property name="java.naming.factory.initial"
                  value="com.sun.jndi.ldap.LdapCtxFactory" />
            <Property name="java.naming.provider.url"
                  value="abwin10.abcol.ac.uk" />
            <Property name="java.naming.security.principal"
                  value="cn=*,ou=*,dc=abcol,dc=ac,dc=uk" />
            <Property name=java.naming.security.credentials" value="*" />
      </JNDIDirectoryDataConnector>

</AttributeResolver>

 

 

 

 

 

 

 

arp.site.xml

 

 

<?xml version="1.0" encoding="UTF-8"?>
<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:arp:1.0" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd" >
      <Description>Simplest possible ARP.</Description>
      <Rule>
            <Target>
                  <AnyTarget/>
            </Target>
            <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
                  <AnyValue release="permit"/>
            </Attribute>
            <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
                  <AnyValue release="permit"/>
            </Attribute>

<!-- We will *NOT* release ePTID, ePPN or ePE
            <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
                  <AnyValue release="permit"/>
            </Attribute>
            <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
                  <AnyValue release="permit"/>
            </Attribute>
            <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
                  <AnyValue release="permit"/>
            </Attribute>
-->
      </Rule>
</AttributeReleasePolicy>

 

 

Also I have been searching the web on how to configure the metadatatool but have had no joy. Does anyone have any good resources on how to configure it? I have checked the Internet2 wiki etc. with no joy.

Sorry to be a pain again.

 

Paul Cheyne

Support Consultant

RM (Aberdeen College)

Tel:  01224 (61)2550

Email:  [log in to unmask]

 

 

 
