Mike,
 
Nothing seems odd in all that.  My best suggestion is that you check the logs of AACLI and a successful login line by line.  Could it be that the principal is being capitalised or some such?
 
> what is actually bothering me, which is that I’m not getting “old style” eduPersonTargetedID
> values generated when using the StoredID data connector
 
I don't know whether it helps, but what I do is generate two attributes and give them different SAML1 encodings:
 
    <!-- EpTID (old) -->

    <resolver:AttributeDefinition id="eduPersonTargetedID.old" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        scope="$IDP_SCOPE$" sourceAttributeID="computedID">
        <resolver:Dependency ref="computedID" />

        <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
    </resolver:AttributeDefinition>

    <!-- EpTid (new) -->

    <resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        sourceAttributeID="computedID">
        <resolver:Dependency ref="computedID" />

        <resolver:AttributeEncoder xsi:type="SAML1XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />

        <resolver:AttributeEncoder xsi:type="SAML2XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
    </resolver:AttributeDefinition>
 
That gives you forward compatibility to when the world catches up with the current recommendations.
 
Rod
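
A small added example (mine, not Rod's configuration or the Shibboleth project's code) that models what the two encodings above carry, so the AACLI output and a web login can be compared value by value. It assumes the ComputedId construction I understand the computedID connector to use (Base64 of SHA-1 over requester + "!" + source attribute + "!" + salt); the salt and the scope are constructed placeholders, while the entityIDs and the principal are the ones quoted in the thread.

```python
import base64
import hashlib

# Values taken from the thread; the salt and scope are constructed placeholders
# standing in for the connector's configured salt and the IdP's real $IDP_SCOPE$.
IDP_ENTITY_ID = "https://shibdev2.stir.ac.uk/idp/shibboleth"
SP_ENTITY_ID = "urn:mace:ac.uk:sdss.ac.uk:provider:service:target.sdss.ac.uk"
OTHER_SP_ENTITY_ID = "urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk"
SALT = b"constructed-example-salt-replace-with-your-own"
IDP_SCOPE = "example.ac.uk"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_id(requester_entity_id: str, source_value: str, salt: bytes) -> str:
    """Assumed ComputedId construction: Base64(SHA-1(requester + '!' + source + '!' + salt)).

    Every byte of the requester entityID and of the source attribute value
    feeds the hash, so a mistyped --requester or a principal whose case
    differs between AACLI and the web login yields an unrelated identifier.
    """
    h = hashlib.sha1()
    h.update(requester_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def old_style_eptid(requester_entity_id: str, source_value: str, salt: bytes, scope: str) -> str:
    """Old-style value as the SAML1ScopedString encoder carries it: <computedID>@<scope>."""
    return f"{computed_id(requester_entity_id, source_value, salt)}@{scope}"


def persistent_name_id(requester_entity_id: str, source_value: str, salt: bytes, issuer: str) -> dict:
    """New-style value: the fields of the SAML 2 persistent NameID built from the same hash."""
    return {
        "Format": PERSISTENT,
        "NameQualifier": issuer,
        "SPNameQualifier": requester_entity_id,
        "value": computed_id(requester_entity_id, source_value, salt),
    }


if __name__ == "__main__":
    # The line-by-line comparison: same SP, principal written two ways.
    for principal in ("mw6", "MW6"):
        print(principal, old_style_eptid(SP_ENTITY_ID, principal, SALT, IDP_SCOPE))
    # Same principal, different target SP: also a different identifier.
    print(persistent_name_id(OTHER_SP_ENTITY_ID, "mw6", SALT, IDP_ENTITY_ID))
```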
 
----- Original Message -----
From: Michael White [log in to unmask]
To: [log in to unmask]
Sent: Monday, November 09, 2009 11:52 AM
Subject: Re: IdP v2, aacli.sh and UK Fed Metadata

Thanks Rod,

> In my experience AACLI is extremely useful but it can be a bit perjink in how you call it.

Yes, I agree – it is very useful, especially at the early stages of development when you want to see what attributes a development system will produce for a live service provider (that you can’t just arbitrarily connect to from a development IdP) – but I’m currently seeing different values for StoredID when using aacli.sh versus a normal, web based, authentication cycle when testing against Test Shib and so it would be useful to get this working properly for UK Federation sites so that I can verify what I appear to be seeing!

> You might want to turn logging up a bit and see what it says

I’ve been running on DEBUG – this produces a lot (and I mean a lot!) of output when using aacli.sh – I’ve been through this with as fine a tooth comb as I can lay my hands on, but I’m not seeing anything jumping out at me that suggests the metadata isn’t loading – the only thing that I can find that indicates a problem is (after the attributes have been successfully generated):

10:49:27.528 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:122] - Evaluating if filter policy ukFederationPolicy is active for principal mw6
10:49:27.528 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:70] - No entity metadata available, unable to check if entity is in group http://ukfederation.org.uk
10:49:27.528 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:126] - Filter policy ukFederationPolicy is not active for principal mw6

- further up the log files, it suggests that there aren’t any problems with the metadata:

10:49:20.669 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:228] - Refreshing cache of metadata from URL http://metadata.ukfederation.org.uk/ukfederation-metadata.xml, max cache duration set to 2880 seconds
10:49:20.669 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:271] - Fetching metadata document from remote server
10:49:22.381 - DEBUG [org.opensaml.xml.signature.impl.SignatureUnmarshaller:55] - Starting to unmarshall Apache XML-Security-based SignatureImpl element
10:49:22.382 - DEBUG [org.opensaml.xml.signature.impl.SignatureUnmarshaller:61] - Constructing Apache XMLSignature object
10:49:22.387 - DEBUG [org.opensaml.xml.signature.impl.SignatureUnmarshaller:67] - Adding canonicalization and signing algorithms, and HMAC output length to Signature
10:49:22.388 - DEBUG [org.opensaml.xml.signature.impl.SignatureUnmarshaller:74] - Adding KeyInfo to Signature
10:49:24.926 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:284] - Unmarshalled metadata from remote server
10:49:24.926 - DEBUG [org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider:106] - Writting retrieved metadata to backup file /opt/shibboleth-idp/metadata/ukfederation-metadata.xml

- and all the metadata signature stuff that follows seems fine as well . . .

> It might also be that you are trying to generate a persistent Id (aka EpTID) and have mis-specified the entityID of the target.

Yes, I am trying to generate ePTIDs. This is the basic command I’ve been using - I’ve tried a couple of target EntityIDs:

./aacli.sh --principal=mw6 --configDir=../conf --requester=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.sdss.ac.uk --issuer=https://shibdev2.stir.ac.uk/idp/shibboleth

./aacli.sh --principal=mw6 --configDir=../conf --requester=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk --issuer=https://shibdev2.stir.ac.uk/idp/shibboleth

- both those EntityIDs seem OK to me (they certainly both appear in the UK Federation Metadata) . . .

I am also able to connect to both of these (test) SPs via the web, and I get the expected attributes displayed at the other end . . .

> Or there may be other reasons..

I’m certainly open to any and all suggestions – I would love to be able to get this working so that I could move forward and test what is actually bothering me, which is that I’m not getting “old style” eduPersonTargetedID values generated when using the StoredID data connector . . . . :-)

Cheers,

Mike

Michael White
eLearning Developer
Centre for eLearning Development (CeLD)
3V3a, Cottrell
University of Stirling
Stirling SCOTLAND
FK9 4LA

Email: [log in to unmask]
Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880

http://www.is.stir.ac.uk/celd/

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Rod Widdowson
Sent: 07 November 2009 09:30
To: [log in to unmask]
Subject: Re: IdP v2, aacli.sh and UK Fed Metadata

Michael,

In my experience AACLI is extremely useful but it can be a bit perjink in how you call it.

You might want to turn logging up a bit and see what it says.  It could be that the metadata fetch has failed, but if it had I would have expected more information earlier in the log. It might also be that you are trying to generate a persistent Id (aka EpTID) and have mis-specified the entityID of the target.  Or there may be other reasons..

Rod

----- Original Message -----
From: Michael White [log in to unmask]
To: [log in to unmask]
Sent: Friday, November 06, 2009 5:06 PM
Subject: IdP v2, aacli.sh and UK Fed Metadata

Hi there,

I’ve recently registered a development v2 Shib IdP with the UK Federation – in order to get this IdP to interoperate with UK Fed SPs I had to set the Java Heap Space in Tomcat to an appropriate level – this appears to be working fine and I can connect to the UK Fed test SPs and see the attributes that were supplied.

However, I’m having issues trying to run tests from the command line using the aacli.sh script (this is a linux box). I’m guessing that I need to ensure that Java has enough heap space to do its stuff, but my attempts to do this have so far failed - I get “No attribute statement.” returned and checking the logs I can see that attributes are generated but then discarded because “No entity metadata available” (which I’m guessing is because of the heap space issue?).

I’ve tried adding a parameter to the last line of the aacli.sh script thus:

"$JAVACMD" '-Xmx512m' '-classpath' "$LOCALCLASSPATH" '-Djava.endorsed.dirs='"$LIBDIR/endorsed" 'edu.internet2.middleware.shibboleth.common.attribute.AttributeAuthorityCLI' "$@"

- and I’ve tried simply setting it in JAVA_OPTS:

export JAVA_OPTS=-Xmx512M

. . .but neither of these approaches appears to have fixed the issue.

I’m not a Java/Unix whizz (I know just enough to be dangerous ;-) ), so have run out of ideas now – just wondered if anyone had any suggestions how I might get this sorted?

Cheers,

Mike

Michael White
eLearning Developer
Centre for eLearning Development (CeLD)
3V3a, Cottrell
University of Stirling
Stirling SCOTLAND
FK9 4LA

Email: [log in to unmask]
Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880

http://www.is.stir.ac.uk/celd/

The Sunday Times Scottish University of the Year 2009/2010

The University of Stirling is a charity registered in Scotland, number SC 011159.

