Good morning all
After 3 hours of surfing the internet about how to configure the attribute resolver I am still lost.
I know that there are 4 common attributes used in Shibboleth:
eduPersonScopedAffiliation
eduPersonTargetedID
eduPersonPrincipalName
eduPersonEntitlement
The first 3 are commonly used by the UK federation.
So I need to define these in the resolver.xml file.
Does Shibboleth generate these attributes or should these be created in Active Directory first? I remember that you can change the AD schema for Shibboleth but it was not recommended.
I know it's a bit of a noob question but we all have to start somewhere.
Thanks in advance
From: Discussion list for
Shibboleth developments [mailto:[log in to unmask]] On Behalf Of
Steve Holden
Sent: 05 May 2009 19:41
To: [log in to unmask]
Subject: Re: Attribute Definitions and metadatatool
Hi, Paul
Your resolver.xml file isn't valid XML. As the error message below says: "the end-tag for element type "Search" must end with a '>' delimiter".
XML looks deceptively human-readable, but I'd (still, really, really) recommend using an XML validation tool to reduce this sort of frustration.
For example, using the command-line 'xmlwf' tool would have identified the two problems as:
"42:12: not well-formed (invalid token)" - the trailing '>' is missing from '</Search'
"51:27: not well-formed (invalid token)" - the leading quote is missing from '<Property name=java…'
(the first two numbers are the line and character of the token after the problematic section).
‘xmlwf’ is part of the Expat package, and there’s a Win32 binary here:
http://sourceforge.net/project/showfiles.php?group_id=10127&package_id=11277
A quick google also turns up XMLfox: http://www.rustemsoft.com/xfox.htm
and AltovaXML: http://www.altova.com/altovaxml.html
(no idea if they’re any good, but they’re both freeware).
Rod may have better Windows-specific suggestions.
Alternatively, paste your XML here to check it:
http://validator.w3.org/#validate_by_input
(though by default this is a little too strict for Shibboleth’s XML files).
Kind regards,
Steve
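The well-formedness check Steve describes, as an added example that is not part of the original thread or of the Shibboleth project: a small Python script built on the Expat parser bundled with Python (the same library behind xmlwf), which reports the first error as line:column together with the offending line and a caret. The function names check_well_formed and format_report are this example's own, the three sample documents are constructed to reproduce the two defects discussed above (missing '>' on an end tag, missing opening quote on an attribute value) and their corrected form, and the LDAP URL, principal and credential values are placeholders, not the values from the thread.

```python
"""Well-formedness check for Shibboleth resolver.xml-style files.

Added example, not code from the original thread. It uses Python's bundled
Expat parser (the library behind the xmlwf tool) and reports the first error
as line:column plus the offending line with a caret. All sample documents
below are constructed for this example; connection values are placeholders.
"""
import xml.parsers.expat


def check_well_formed(xml_text):
    """Return None if xml_text is well-formed XML.

    Otherwise return a dict with the 1-based line, 0-based column and Expat
    message of the first error. Expat stops at the first error, so after
    fixing one problem re-run the check to find the next.
    """
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as err:
        return {
            "line": err.lineno,
            "column": err.offset,
            "message": xml.parsers.expat.ErrorString(err.code),
        }
    return None


def format_report(xml_text, result):
    """Render a check_well_formed() result like a compiler diagnostic."""
    if result is None:
        return "well-formed"
    source_line = xml_text.splitlines()[result["line"] - 1]
    caret = " " * result["column"] + "^"
    return "{line}:{column}: {message}\n{src}\n{caret}".format(
        src=source_line, caret=caret, **result)


# Sample 1 (constructed): the '>' is missing from the </Search end tag, so
# Expat reports the position of the '<' that starts the following token
# (line 5, column 0 here), not the end tag itself.
MISSING_END_TAG_DELIMITER = """<JNDIDirectoryDataConnector id="ldap-directory">
<Search filter="cn=%PRINCIPAL%">
<Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/>
</Search
<Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
</JNDIDirectoryDataConnector>
"""

# Sample 2 (constructed): the opening quote of an attribute value is missing;
# Expat reports the first character after '=' (line 2, column 15 here).
MISSING_ATTRIBUTE_QUOTE = """<JNDIDirectoryDataConnector id="ldap-directory">
<Property name=java.naming.security.credentials" value="PLACEHOLDER"/>
</JNDIDirectoryDataConnector>
"""

# Sample 3 (constructed): both defects corrected, placeholder connection values.
FIXED_CONNECTOR = """<JNDIDirectoryDataConnector id="ldap-directory">
<Search filter="cn=%PRINCIPAL%">
<Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/>
</Search>
<Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<Property name="java.naming.provider.url" value="ldap://ldap.example.org"/>
<Property name="java.naming.security.principal" value="cn=PLACEHOLDER,dc=example,dc=org"/>
<Property name="java.naming.security.credentials" value="PLACEHOLDER"/>
</JNDIDirectoryDataConnector>
"""

if __name__ == "__main__":
    for label, doc in [("missing '>'", MISSING_END_TAG_DELIMITER),
                       ("missing quote", MISSING_ATTRIBUTE_QUOTE),
                       ("fixed", FIXED_CONNECTOR)]:
        print("==", label)
        print(format_report(doc, check_well_formed(doc)))
```

Two caveats when using this. Expat, like xmlwf, stops at the first error, so the second defect only shows up after the first is fixed. And well-formedness is only the first gate: the earlier cvc-complex-type.2.3 message in the log ("cannot have character [children]") is a schema validation error, meaning non-whitespace text appeared where the schema allows only child elements, and a well-formedness check passes such a file without complaint; the IdP's own schema validation at startup remains the second check.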
From: Discussion list for
Shibboleth developments [mailto:[log in to unmask]] On Behalf Of
Paul Cheyne
Sent: 05 May 2009 14:46
To: [log in to unmask]
Subject: Attribute Definitions and metadatatool
Hi all
Sorry I am back with more problems.
Today I am trying to define the attributes in the resolver.xml file and the attribute release policy.
I think I have got the attribute release policy spot on but I am having problems with the resolver.xml file. The shib install is throwing up these errors:
2009-05-05 14:08:23,839 ERROR [IdP] Core - Error parsing Attribute Resolver Configuration file: org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'SimpleAttributeDefinition' cannot have character [children], because the type's content type is element-only.
2009-05-05 14:08:23,855 FATAL [IdP] Core - The Identity Provider could not be initialized due to a problem with the Attribute Resolver configuration: edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolverException: Error parsing Attribute Resolver Configuration file.
2009-05-05 14:08:23,855 FATAL [IdP] Core - The Identity Provider could not be initialized: edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException: Could not load Attribute Resolver.
2009-05-05 14:14:12,143 ERROR [IdP] Core - Error parsing Attribute Resolver Configuration file: org.xml.sax.SAXParseException: The end-tag for element type "Search" must end with a '>' delimiter.
2009-05-05 14:14:12,143 FATAL [IdP] Core - The Identity Provider could not be initialized due to a problem with the Attribute Resolver configuration: edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolverException: Error parsing Attribute Resolver Configuration file.
2009-05-05 14:14:12,143 FATAL [IdP] Core - The Identity Provider could not be initialized: edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException: Could not load Attribute Resolver.
Here are my resolver.xml and arp.site.xml files.
Resolver.xml
<AttributeResolver
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="urn:mace:shibboleth:resolver:1.0"
xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0
shibboleth-resolver-1.0.xsd">
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonEntitlement">
<DataConnectorDependency requires="echo"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonAffiliation">
<DataConnectorDependency requires="echo"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
smartScope="abcol.ac.uk">
<AttributeDependency
requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
smartScope="abcol.ac.uk"
sourceName="cn">
<DataConnectorDependency requires="ldap-directory"/>
</SimpleAttributeDefinition>
<PersistentIDAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonTargetedID"
scope="abcol.ac.uk" sourceName="cn">
<DataConnectorDependency requires="ldap-directory"/>
<Salt>*</Salt>
</PersistentIDAttributeDefinition>
<JNDIDirectoryDataConnector id="ldap-directory">
<Search filter="cn=%PRINCIPAL%">
<Controls searchScope="SUBTREE_SCOPE" returningObjects="false"
/>
</Search
<Property name="java.naming.factory.initial"
value="com.sun.jndi.ldap.LdapCtxFactory" />
<Property name="java.naming.provider.url"
value="abwin10.abcol.ac.uk" />
<Property name="java.naming.security.principal"
value="cn=*,ou=*,dc=abcol,dc=ac,dc=uk" />
<Property name=java.naming.security.credentials" value="*"
/>
</JNDIDirectoryDataConnector>
</AttributeResolver>
arp.site.xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeReleasePolicy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="urn:mace:shibboleth:arp:1.0"
xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
<Description>Simplest possible ARP.</Description>
<Rule>
<Target>
<AnyTarget/>
</Target>
<Attribute
name="urn:mace:dir:attribute-def:eduPersonAffiliation">
<AnyValue release="permit"/>
</Attribute>
<Attribute
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
<AnyValue release="permit"/>
</Attribute>
<!-- We will *NOT*
release ePTID, ePPN or ePE
<Attribute
name="urn:mace:dir:attribute-def:eduPersonTargetedID">
<AnyValue release="permit"/>
</Attribute>
<Attribute
name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
<AnyValue release="permit"/>
</Attribute>
<Attribute
name="urn:mace:dir:attribute-def:eduPersonEntitlement">
<AnyValue release="permit"/>
</Attribute>
-->
</Rule>
</AttributeReleasePolicy>
Also I have been searching the web on how to configure the metadatatool but have had no joy. Does anyone have any good resources on how to configure it? I have checked the Internet2 wiki etc. with no joy.
Sorry to be a pain again.
Paul Cheyne
Support Consultant
RM
(Aberdeen College)
Tel: 01224 (61)2550