Fiona/Ian,
Thanks for your message. Please see my comments/reply below Ian's response.
-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Ian Young
Sent: 27 June 2008 15:21
To: [log in to unmask]
Subject: Re: UK federation VO
Thierry Delaitre wrote:
> However, one site (uclan.ac.uk) which is using the Athens EduServ entry
> from the WAYF list got an authorization denied from my Shib SP. I checked
> the various shibd/transaction log files but could not find anything for
> this site :-( uclan is using the EduServ Athens gateway. Are the affiliation
> values meant to be set when those sites which are using 3rd party shib
> providers such as the Eduserv Athens gw?
Yes, whether an institution is using the "classic" gateway or one of the
new OpenAthens virtual IdPs (which gives the institution its own entry
in the WAYF list) you should see an appropriate value of
eduPersonScopedAffiliation, issued by an IdP with that scope in its
permitted list.
In this particular case, note that uclan.ac.uk (University of Central
Lancashire) got their own virtual IdP literally today. It's possible
that your SP doesn't have the appropriate metadata for it yet, if you
haven't picked it up since this morning. I'm sure I don't have to tell
anyone here that the recommendation is that people refresh their
metadata at least once a day, but in this case you might still have
stale metadata even if you've done that.
It's also possible that there's an inconsistency in the setup for that
institution; this virtual IdP configuration is very new and relies on
several different things all being completely consistent. So, if this
still seems to be a problem once you've refreshed metadata, it's
potentially something you need to report through the support channels.
Note that a user might select Eduserv Athens from the WAYF, and you
might get a response "from" the virtual IdP instead of the "classic"
gateway. This is intended in part to reduce confusion in end users.
---
Last Friday, the metadata file on our SP was probably out of date. However,
it is now in sync and the user from uclan still experiences authorization
denied. The user seems to authenticate fine but the
eduPersonScopedAffiliation does not seem to be populated, I believe. It can
be seen in the transaction log below for uclan that there are no log entries
for the eduPersonScopedAffiliation attribute, whereas a user from a standard
shib IdP has got entries added for the eduPersonScopedAffiliation query. Is
this an issue with EduServ Athens? Would it make a difference if the user
selects the uclan entry instead of the EduServ Athens one?
Thanks
Thierry.
<Host name="isls-shib2.wmin.ac.uk">
  <Path name="artsonfilm" authType="shibboleth" requireSession="true">
    <!-- access decisions for this path are delegated to the XML ACL file below -->
    <AccessControlProvider
      uri="/srv/www/artsonfilm/.shibacl.xml"
      type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl"/>
  </Path>
</Host>
Content of /srv/www/artsonfilm/.shibacl.xml:
--------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<AccessControl xmlns="urn:mace:shibboleth:target:config:1.0">
  <!-- any one matching affiliation value grants access; no value at all means deny -->
  <OR>
    <!-- HE -->
    <Rule require="affiliation">[log in to unmask]</Rule>
    <Rule require="affiliation">[log in to unmask]</Rule>
    ....
    <Rule require="affiliation">[log in to unmask]</Rule>
    <Rule require="affiliation">[log in to unmask]</Rule>
    <Rule require="affiliation">[log in to unmask]</Rule>
    <Rule require="affiliation">[log in to unmask]</Rule>
    <Rule require="affiliation">[log in to unmask]</Rule>
    <Rule require="affiliation">[log in to unmask]</Rule>
    ....
  </OR>
</AccessControl>
Athens eduserv entry selected (transaction.log)
-----------------------------
2008-07-01 11:34:01 INFO Shibboleth-TRANSACTION : New session (ID:
_47cf42e4a65c0ca2be996195a261921f) with (applicationId: default) for
principal
from (IdP: urn:mace:eduserv.org.uk:athens:federation:uk) at (ClientAddress:
193.61.255.86) with (NameIdentifier:
tZ1iw9X1wDUyNtiKlQb13tY9G6+zHsu29ymFkai+rJM2+P1q5bpwxQ5I3Dpo6coUrzmziNefubpl
3XWnnAKWkw==)
2008-07-01 11:34:01 INFO Shibboleth-TRANSACTION : Making attribute query for
session (ID: _47cf42e4a65c0ca2be996195a261921f) on (applicationId: default)
for principal from (IdP: urn:mace:eduserv.org.uk:athens:federation:uk)
From Coventry by selecting their local Shibboleth IDP (transaction.log)
-----------------------------------------------------
2008-07-02 07:49:49 INFO Shibboleth-TRANSACTION : New session (ID:
_bb815374d3a5ab1e66c7abc753e6544c) with (applicationId: default) for
principal from (IdP: https://idp.wmin.ac.uk/entity) at (ClientAddress:
217.42.80.1) with (NameIdentifier: _b0a1f567e3245216984c7c18a8d23cd8)
2008-07-02 07:49:49 INFO Shibboleth-TRANSACTION : Making attribute query for
session (ID: _bb815374d3a5ab1e66c7abc753e6544c) on (applicationId: default)
for principal from (IdP: https://idp.wmin.ac.uk/entity)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION : Caching the following
attributes after AAP applied for session (ID:
_bb815374d3a5ab1e66c7abc753e6544c) on (applicationId: default) for principal
from (IdP: https://idp.wmin.ac.uk/entity) {
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION :
urn:mace:dir:attribute-def:eduPersonScopedAffiliation (2 values)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION :
urn:mace:dir:attribute-def:givenName (1 values)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION :
urn:mace:dir:attribute-def:mail (1 values)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION :
urn:mace:dir:attribute-def:cn (1 values)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION :
urn:mace:dir:attribute-def:sn (1 values)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION :
urn:mace:dir:attribute-def:eduPersonPrincipalName (1 values)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION : }
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION : Successful attribute query
for session (ID: _bb815374d3a5ab1e66c7abc753e6544c)
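The comparison Thierry makes by eye above (one session gets eduPersonScopedAffiliation cached, the other never does, so an affiliation-only ACL denies it) can be scripted. This is an added example, not code from the thread or from Shibboleth; it assumes each transaction.log record is on a single line (the mail client wrapped them above) and uses a constructed sample modelled on the quoted entries.

```python
"""Triage a Shibboleth SP 1.x transaction.log: per session, which IdP issued it
and whether the attribute the ACL relies on was ever cached."""
import re

# Constructed sample, modelled on the lines quoted in the thread (NameIdentifier shortened).
SAMPLE_LOG = """\
2008-07-01 11:34:01 INFO Shibboleth-TRANSACTION : New session (ID: _47cf42e4a65c0ca2be996195a261921f) with (applicationId: default) for principal from (IdP: urn:mace:eduserv.org.uk:athens:federation:uk) at (ClientAddress: 193.61.255.86) with (NameIdentifier: tZ1iw9X1...)
2008-07-01 11:34:01 INFO Shibboleth-TRANSACTION : Making attribute query for session (ID: _47cf42e4a65c0ca2be996195a261921f) on (applicationId: default) for principal from (IdP: urn:mace:eduserv.org.uk:athens:federation:uk)
2008-07-02 07:49:49 INFO Shibboleth-TRANSACTION : New session (ID: _bb815374d3a5ab1e66c7abc753e6544c) with (applicationId: default) for principal from (IdP: https://idp.wmin.ac.uk/entity) at (ClientAddress: 217.42.80.1) with (NameIdentifier: _b0a1f567e3245216984c7c18a8d23cd8)
2008-07-02 07:49:49 INFO Shibboleth-TRANSACTION : Making attribute query for session (ID: _bb815374d3a5ab1e66c7abc753e6544c) on (applicationId: default) for principal from (IdP: https://idp.wmin.ac.uk/entity)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION : Caching the following attributes after AAP applied for session (ID: _bb815374d3a5ab1e66c7abc753e6544c) on (applicationId: default) for principal from (IdP: https://idp.wmin.ac.uk/entity) {
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION : urn:mace:dir:attribute-def:eduPersonScopedAffiliation (2 values)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION : urn:mace:dir:attribute-def:mail (1 values)
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION : }
2008-07-02 07:49:50 INFO Shibboleth-TRANSACTION : Successful attribute query for session (ID: _bb815374d3a5ab1e66c7abc753e6544c)
"""

AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
SESSION_RE = re.compile(r"New session \(ID: (\S+)\).*?\(IdP: (\S+)\)")
ID_RE = re.compile(r"\(ID: (\S+)\)")
CACHE_RE = re.compile(r"Caching the following attributes .*?\(ID: (\S+)\)")
ATTR_RE = re.compile(r"TRANSACTION : (urn:mace:dir:attribute-def:\S+) \((\d+) values\)")


def triage(log_text):
    """Return {session_id: {"idp": str, "queried": bool, "attrs": {name: count}}}."""
    sessions, current = {}, None  # current = session whose attribute block is open
    for line in log_text.splitlines():
        if m := SESSION_RE.search(line):
            sessions[m.group(1)] = {"idp": m.group(2), "queried": False, "attrs": {}}
        elif "Making attribute query" in line and (m := ID_RE.search(line)):
            sessions.setdefault(m.group(1), {"idp": "?", "queried": False, "attrs": {}})["queried"] = True
        elif m := CACHE_RE.search(line):
            current = m.group(1)  # the "{ ... }" block that follows belongs to this session
        elif current and (m := ATTR_RE.search(line)):
            sessions[current]["attrs"][m.group(1)] = int(m.group(2))
        elif line.rstrip().endswith("TRANSACTION : }"):
            current = None
    return sessions


def missing_affiliation(sessions, attr=AFFILIATION):
    """Sessions that were queried but never cached the attribute the ACL requires.
    An OR of affiliation Rules with no affiliation value present denies: fail closed."""
    return {sid: s["idp"] for sid, s in sessions.items() if s["queried"] and attr not in s["attrs"]}


if __name__ == "__main__":
    for sid, idp in missing_affiliation(triage(SAMPLE_LOG)).items():
        print(f"{sid}: no {AFFILIATION} released by {idp}")
```

Run it over the real file with `triage(open("transaction.log").read())`; sessions listed by `missing_affiliation` are the ones where the IdP side (or its attribute release policy) needs chasing, not the SP's ACL.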