Thierry Delaitre wrote:
> However, one site (uclan.ac.uk) which is using the Athens EduServ entry
> from the WAYF list got an authorization denied from my Shib SP. I checked
> the various shibd/transaction log files but could not find anything for this
> site:-( uclan is using the EduServ Athens gateway. Are the affiliation
> values meant to be set when those sites which are using 3rd party shib
> providers such as the Eduserv Athens gw?

Yes, whether an institution is using the "classic" gateway or one of the
new OpenAthens virtual IdPs (which gives the institution its own entry
in the WAYF list) you should see an appropriate value of
eduPersonScopedAffiliation, issued by an IdP with that scope in its
permitted list.

In this particular case, note that uclan.ac.uk (University of Central
Lancashire) got their own virtual IdP literally today. It's possible
that your SP doesn't have the appropriate metadata for it yet, if you
haven't picked it up since this morning. I'm sure I don't have to tell
anyone here that the recommendation is that people refresh their
metadata at least once a day, but in this case you might still have
stale metadata even if you've done that.

It's also possible that there's an inconsistency in the setup for that
institution; this virtual IdP configuration is very new and relies on
several different things all being completely consistent. So, if this
still seems to be a problem once you've refreshed metadata, it's
potentially something you need to report through the support channels.

Note that a user might select Eduserv Athens from the WAYF, and you
might get a response "from" the virtual IdP instead of the "classic"
gateway. This is intended in part to reduce confusion in end users.
-- Ian
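
Added example (not part of the message above, and not Shibboleth's own code): a sketch of the check the reply describes, where a scoped affiliation value is accepted only if the issuing IdP's metadata lists that scope, and a metadata copy fetched before a new IdP was published cannot vouch for it. The entityIDs, scopes, trimmed metadata and function names are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SHIBMD = "{urn:mace:shibboleth:metadata:1.0}"

def _entity(entity_id, scopes):
    # Trimmed-down entity: only the entityID and its shibmd:Scope extensions.
    tags = "".join(f'<shibmd:Scope regexp="false">{s}</shibmd:Scope>' for s in scopes)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
            f'{tags}</md:Extensions></md:EntityDescriptor>')

def _federation(*entities):
    return ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">'
            + "".join(entities) + '</md:EntitiesDescriptor>')

# Constructed sample data; every entityID and scope below is a placeholder.
GATEWAY = _entity("https://gateway.example.org/classic", ["inst-a.example.ac.uk"])
VIRTUAL = _entity("https://virtual.example.org/inst-b", ["inst-b.example.ac.uk"])
STALE_METADATA = _federation(GATEWAY)           # fetched before the virtual IdP existed
FRESH_METADATA = _federation(GATEWAY, VIRTUAL)  # fetched after it was published

def permitted_scopes(metadata_xml):
    """Map each entityID to the (scope, is_regexp) pairs its metadata declares."""
    table = {}
    for ent in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        table[ent.get("entityID")] = [
            ((s.text or "").strip(), s.get("regexp", "false") in ("true", "1"))
            for s in ent.iter(SHIBMD + "Scope")]
    return table

def check_scoped_affiliation(metadata_xml, issuer, value):
    """Decide whether `issuer` may assert the scoped attribute value `value`."""
    scopes = permitted_scopes(metadata_xml).get(issuer)
    if scopes is None:
        return "unknown-issuer"        # no metadata for this IdP, e.g. a stale copy
    affiliation, sep, scope = value.rpartition("@")
    if not sep or not affiliation or not scope:
        return "malformed"
    for pattern, is_regexp in scopes:
        matched = re.fullmatch(pattern, scope) if is_regexp else (pattern == scope)
        if matched:
            return "accept"
    return "scope-not-permitted"       # scope is not in this issuer's permitted list
```

Running it against the stale and fresh copies shows why the same assertion can fail in the morning and succeed after a metadata refresh, and why a response "from" the virtual IdP is judged against that IdP's own scope list rather than the gateway's.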