Morning all,

I'm trying to get our new Shib2.1 IdP working properly on the Live
Federation.

We have registered a Test IdP with a view to, (very) soon, swapping the
endpoints to the new service in the Federation Metadata while keeping
the old EntityID [option (b) in
http://www.ukfederation.org.uk/content/Documents/RollingIdPUpgrade].

It worked fine on testshib (released attributes which were correctly
consumed).

We've rebuilt from scratch and got the thing on the Federation but, when
doing testing using target.iay.org.uk it doesn't appear to release any
attributes (none come up in the output).

However, using "Rod's Discovery Service" on sh2testsp1.iay.org.uk
appears to be the only way I can get it to negotiate correctly and
attributes to be passed... even then, I can't see the TargetedID :(

Any ideas?

We're running IdP 2.1.5 inside Apache2.2+Tomcat6.0.26 with 443 and 8443
both running through mod_jk from Apache. Both ports are accessible to
the internet at large.

Active bits of attribute-filter.xml:

  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="transientId">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>

IdP logs of failed login using "Default UK Federation (full)" on
sh2testsp1.iay.org.uk:

	http://pastebin.com/N2ZZvkLp


Logs of mostly working (no TargetedID) login using "Rod's Discovery
Service" on same place:

	http://pastebin.com/HQSAddwx

Do yell if more information is required! Any pointers gratefully received.

-- 
Matthew Slowe <[log in to unmask]>     | Tel: +44 (0)1227 824265
Development Team, Information Services | Fax: +44 (0)1227 824078
University of Kent, Canterbury, Kent   | Web: http://www.kent.ac.uk/
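
An added example, not part of the original post and not Shibboleth project code: a small Python audit of an attribute-filter.xml like the one quoted in the message. It lists each policy's id, requirement rule and released attributes, and flags policy ids that occur more than once and attributes released under basic:ANY. The root element's id and namespace declarations are assumed, since the post shows only the active policies.

```python
import xml.etree.ElementTree as ET
from collections import Counter

AFP = "{urn:mace:shibboleth:2.0:afp}"  # Shibboleth 2.x attribute filter policy namespace
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the two policies from the post, wrapped in a root element
# whose id and namespace declarations are assumed (not shown in the post).
SAMPLE = """<AttributeFilterPolicyGroup id="ExamplePolicyGroup"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="transientId">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def audit(xml_text):
    # Returns (policies, duplicate policy ids, attributes released to any requester).
    root = ET.fromstring(xml_text)
    policies = []
    for pol in root.iter(AFP + "AttributeFilterPolicy"):
        req = pol.find(AFP + "PolicyRequirementRule")
        rules = pol.findall(AFP + "AttributeRule")
        policies.append({"id": pol.get("id"),
                         "requirement": req.get(XSI_TYPE) if req is not None else None,
                         "attributes": [r.get("attributeID") for r in rules]})
    counts = Counter(p["id"] for p in policies)
    duplicate_ids = sorted(i for i, n in counts.items() if n > 1)
    # Literal QName comparison; assumes the "basic" prefix is bound as in the post.
    any_pols = [p for p in policies if p["requirement"] == "basic:ANY"]
    to_any = sorted({a for p in any_pols for a in p["attributes"]})
    return policies, duplicate_ids, to_any

if __name__ == "__main__":
    print(audit(SAMPLE)[1:])
```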