I had been using the ids for both Jorum:
./bin/resolvertest -d --user="pcampbell" \
  --responder=https://idp.carnegiecollege.ac.uk/shibboleth-idp/ \
  --idpXml=file:///usr/local/site-shibboleth/etc/idp.xml \
  --requester=urn:mace:ac.uk:sdss.ac.uk:provider:service:edina.ac.uk:jorum
and target.iay.org.uk:
./bin/resolvertest -d --user="pcampbell" \
  --responder=https://idp.carnegiecollege.ac.uk/shibboleth-idp/ \
  --idpXml=file:///usr/local/site-shibboleth/etc/idp.xml \
  --requester=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk
Both return ePTargetedId attributes correctly, but not when the sites
are visited in the browser. When I visit in the browser I get the
errors as before.
--
Paul
Jon Warbrick wrote:
> On Mon, 22 Sep 2008, Paul Campbell wrote:
>
>> However I'm getting the following error in the server log. I had been
>> getting the same error from resolvertest when I didn't provide the
>> --requester parameter.
>>
>> - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonTargetedID)
>> - Could not create ID for unauthenticated requester.
>>
>> This is in the log *before* loading the ARP files.
>
> eduPersonTargetedID is (in effect) a hash of (at least) the user's
> identity and the identity of the SP it is being supplied to. So the IdP
> can only securely generate an ePTID if it's able to authenticate the SP
> requesting it (because otherwise an SP could ask for the ePTID
> corresponding to another SP and that wouldn't be good for privacy).
> Typically this means that the SP must appear in the metadata and must be
> using the host names, URLs and keys that the metadata supplies.
>
> I'm fairly sure that "Could not create ID for unauthenticated requester"
> simply means that this isn't the case and that therefore ePTID
> generation has been suppressed.
>
> Tracking down _why_ authentication is failing is another whole
> ballgame. Try using resolvertest and a --requester parameter that
> identifies an SP that is in the metadata you have loaded.
>
> Jon.
>
--
Paul Campbell <[log in to unmask]>
Carnegie College
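To make Jon's explanation concrete, the following is an added Python illustration (not part of the thread, and not the Shibboleth IdP's own code) of why the resolver logs "Could not create ID for unauthenticated requester": the targeted ID is derived from both the user and the requesting SP's entityID, so the resolver refuses to mint one unless the requester is an SP it knows from metadata. The hashing scheme (an HMAC keyed with an IdP-side salt over "requester!user") and the trusted-SP set are assumptions constructed for the example; the two entityIDs are the ones from the resolvertest commands above.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for the SP entityIDs present in the IdP's loaded metadata.
# A real IdP derives this from its metadata provider; listed here for the example.
TRUSTED_SPS = {
    "urn:mace:ac.uk:sdss.ac.uk:provider:service:edina.ac.uk:jorum",
    "urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk",
}

# Constructed IdP-side secret salt (assumption: a real IdP keeps this in its config).
SALT = b"constructed-example-salt-do-not-reuse"

UNAUTHENTICATED_MSG = "Could not create ID for unauthenticated requester."


def compute_targeted_id(user: str, requester: str, salt: bytes = SALT) -> str:
    """Derive an opaque, per-SP identifier from the user and the requester entityID.

    Illustrative scheme (an assumption, not the IdP's exact algorithm): HMAC-SHA256
    keyed with the IdP salt over "requester!user", base64-encoded. Because the
    requester is an input, the value one SP receives is useless for correlating
    the same user at another SP.
    """
    msg = f"{requester}!{user}".encode("utf-8")
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def resolve_eptid(
    user: str, requester: Optional[str], trusted_sps=TRUSTED_SPS
) -> Tuple[Optional[str], str]:
    """Mimic the resolver's gate: mint an ePTID only for an authenticated requester.

    "Authenticated" is modelled here as "requester is a known entityID from
    metadata"; the real IdP additionally checks the SP's keys and endpoints.
    Returns (eptid_or_None, log_line).
    """
    if not requester or requester not in trusted_sps:
        # Missing --requester, or an SP the metadata does not describe: suppress.
        return None, UNAUTHENTICATED_MSG
    return compute_targeted_id(user, requester), f"Resolved eduPersonTargetedID for {requester}"


def ids_differ_per_sp(user: str, sp_a: str, sp_b: str) -> bool:
    """True when the same user gets distinct IDs at two different SPs."""
    id_a, _ = resolve_eptid(user, sp_a)
    id_b, _ = resolve_eptid(user, sp_b)
    return id_a is not None and id_b is not None and id_a != id_b


if __name__ == "__main__":
    jorum = "urn:mace:ac.uk:sdss.ac.uk:provider:service:edina.ac.uk:jorum"
    iay = "urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk"
    for req in (jorum, iay, None, "https://unknown-sp.example/shibboleth"):
        value, log_line = resolve_eptid("pcampbell", req)
        print(f"- {log_line}" + (f" -> {value}" if value else ""))
    print("distinct per SP:", ids_differ_per_sp("pcampbell", jorum, iay))
```

Running it shows a stable value for each of the two known SPs, a different value for each, and the same suppression message as the server log for a missing or unknown requester. In the browser case from the thread, the requester the IdP sees is whatever the SP asserts about itself together with the keys and endpoints it presents; if those do not match what the metadata says, it falls into the same "unauthenticated" branch even though resolvertest with an explicit --requester succeeds.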