Morning all,

I'm trying to get our new Shib2.1 IdP working properly on the Live Federation. We have registered a Test IdP with a view to, (very) soon, swapping the endpoints to the new service in the Federation Metadata while keeping the old EntityID [option (b) in http://www.ukfederation.org.uk/content/Documents/RollingIdPUpgrade].

It worked fine on testshib (released attributes which were correctly consumed). We've rebuilt from scratch and got the thing on the Federation but, when doing testing using target.iay.org.uk, it doesn't appear to release any attributes (none come up in the output).

However, using "Rod's Discovery Service" on sh2testsp1.iay.org.uk appears to be the only way I can get it to negotiate correctly and attributes to be passed... even then, I can't see the TargetedID :(

Any ideas?

We're running IdP 2.1.5 inside Apache2.2+Tomcat6.0.26 with 443 and 8443 both running through mod_jk from Apache. Both ports are accessible to the internet at large.

Active bits of attribute-filter.xml:

    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY"/>
        <AttributeRule attributeID="transientId">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY"/>
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>
    </AttributeFilterPolicyGroup>

IdP logs of failed login using "Default UK Federation (full)" on sh2testsp1.iay.org.uk:
http://pastebin.com/N2ZZvkLp

Logs of mostly working (no TargetedID) login using "Rod's Discovery Service" on same place:
http://pastebin.com/HQSAddwx

Do yell if more information is required! Any pointers gratefully received.

-- 
Matthew Slowe                          | Tel: +44 (0)1227 824265
Development Team, Information Services | Fax: +44 (0)1227 824078
University of Kent, Canterbury, Kent   | Web: http://www.kent.ac.uk/