Matthew,
It is almost canonical that if you cannot get attributes in SAML1 but can
using a DS, then you have a firewall or external access problem. It turns
out that a WAYF forces you into SAML1 and a DS will usually choose SAML2.
Unless you tested the explicit SAML1 endpoint at testshib
(https://sp.testshib.org/Shibboleth.sso/OneThree?entityID= ) you will also
have been testing SAML2.
Looking at your first log, you are certainly never seeing the attribute
request. Further, if I look at https://jordan.kent.ac.uk:8443 I get
redirected to https://id.kent.ac.uk/opensso/cdcservlet?[Stuff]
.... However, I have access to the logs on that machine (as do the nice folks
at federation support, FWIW), and I see this:
2010-06-23 11:09:02 WARN Shibboleth.AttributeResolver.Query [61]: can't attempt attribute query, either no NameID or no metadata to use
At the same time, in your log I see:
11:09:00.538 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:407] - No attributes for principal 'my_username' supports encoding into a supported NameIdentifier format for relying party 'https://sh2testsp1.iay.org.uk/shibboleth'
Ahah! Now we are on to something. So in fact it has nothing to do with the
firewall (yet). We haven't even got that far.
Looking further up:
11:09:00.521 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:101] - Removing attribute from return set, no more values: transientId
And above again:
11:09:00.512 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307] - Resolved attribute transientId containing 1 values
I'd be looking closely at my attribute filtering. I'd probably start by
putting in a "release everything to everyone" rule and if that worked start
adding the old rules back in.
transientId is related to the targeted IDs, so I'd maybe expect that with the
transient fixed the others might follow.
Rod
PS Do make sure that you strip testshib out of your relying party when you
are done with it...
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of Matthew Slowe
> Sent: 23 June 2010 11:24
> To: [log in to unmask]
> Subject: Configuration error on Shib2.1 IdP?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Morning all,
>
> I'm trying to get our new Shib2.1 IdP working properly on the Live
> Federation.
>
> We have registered a Test IdP with a view to (very) soon swapping the
> endpoints to the new service in the Federation Metadata while keeping
> the old EntityID [option (b) in
> http://www.ukfederation.org.uk/content/Documents/RollingIdPUpgrade].
>
> It worked fine on testshib (released attributes which were correctly
> consumed).
>
> We've rebuilt from scratch and got the thing on the Federation but, when
> doing testing using target.iay.org.uk it doesn't appear to release any
> attributes (none come up in the output).
>
> However, using "Rod's Discovery Service" on sh2testsp1.iay.org.uk
> appears to be the only way I can get it to negotiate correctly and
> attributes to be passed... even then, I can't see the TargetedID :(
>
> Any ideas?
>
> We're running IdP 2.1.5 inside Apache2.2+Tomcat6.0.26 with 443 and 8443
> both running through mod_jk from Apache. Both ports are accessible to
> the internet at large.
>
> Active bits of attribute-filter.xml:
>
> <AttributeFilterPolicy id="releaseTransientIdToAnyone">
>     <PolicyRequirementRule xsi:type="basic:ANY"/>
>     <AttributeRule attributeID="transientId">
>         <PermitValueRule xsi:type="basic:ANY"/>
>     </AttributeRule>
> </AttributeFilterPolicy>
>
> <AttributeFilterPolicy id="releaseTransientIdToAnyone">
>     <PolicyRequirementRule xsi:type="basic:ANY"/>
>     <AttributeRule attributeID="eduPersonEntitlement">
>         <PermitValueRule xsi:type="basic:ANY"/>
>     </AttributeRule>
>     <AttributeRule attributeID="eduPersonScopedAffiliation">
>         <PermitValueRule xsi:type="basic:ANY"/>
>     </AttributeRule>
>     <AttributeRule attributeID="eduPersonTargetedID">
>         <PermitValueRule xsi:type="basic:ANY"/>
>     </AttributeRule>
> </AttributeFilterPolicy>
> </AttributeFilterPolicyGroup>
>
> IdP logs of a failed login using "Default UK Federation (full)" on
> sh2testsp1.iay.org.uk:
>
> http://pastebin.com/N2ZZvkLp
>
>
> Logs of a mostly working (no TargetedID) login using "Rod's Discovery
> Service" on the same place:
>
> http://pastebin.com/HQSAddwx
>
> Do yell if more information is required! Any pointers gratefully
> received.
>
> - --
> Matthew Slowe <[log in to unmask]> | Tel: +44 (0)1227 824265
> Development Team, Information Services | Fax: +44 (0)1227 824078
> University of Kent, Canterbury, Kent | Web: http://www.kent.ac.uk/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkwh4KUACgkQ/V1qDCaTXgdxLgCgk+ItDaRULLBU6xfT0B2HaqcK
> bQUAoJP8UQJKSitaMdnXqktoz3P4zCW8
> =smB4
> -----END PGP SIGNATURE-----
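Added example, not part of either message in this thread: a small Python script that applies the reasoning Rod walks through above to an IdP 2.x process log. It looks for the three events quoted in the thread (the resolver reporting an attribute with values, the filtering engine removing it from the return set, and the SAML1 profile handler failing to find anything it can encode as a NameIdentifier) and reports which stage lost the attributes, so that a firewall or attribute-query problem is only suspected once resolution and filtering are known to be clean. The log lines embedded below are constructed to match the quoted message formats; the timestamps, the principal 'jbloggs' and the relying party https://sp.example.org/shibboleth are made up.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample log, modelled on the IdP 2.1 DEBUG lines quoted in the
# thread. Timestamps, principal and relying party are made up; the logger
# names and message texts follow the quoted lines.
SAMPLE_LOG = """\
11:09:00.512 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307] - Resolved attribute transientId containing 1 values
11:09:00.513 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307] - Resolved attribute eduPersonScopedAffiliation containing 2 values
11:09:00.521 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:101] - Removing attribute from return set, no more values: transientId
11:09:00.522 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:101] - Removing attribute from return set, no more values: eduPersonScopedAffiliation
11:09:00.538 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:407] - No attributes for principal 'jbloggs' supports encoding into a supported NameIdentifier format for relying party 'https://sp.example.org/shibboleth'
"""

RESOLVED_RE = re.compile(r"Resolved attribute (\S+) containing (\d+) values")
FILTERED_RE = re.compile(r"Removing attribute from return set, no more values: (\S+)")
NAMEID_RE = re.compile(
    r"No attributes for principal '([^']*)' supports encoding into a supported "
    r"NameIdentifier format for relying party '([^']*)'"
)


def parse_idp_log(text: str) -> Dict[str, Any]:
    """Extract the three events from an IdP 2.x process log: attributes the
    resolver produced (with value counts), attributes the filter engine
    dropped, and the SAML1 NameIdentifier failure (principal, relying party)."""
    resolved: Dict[str, int] = {}
    filtered_out: List[str] = []
    principal: Optional[str] = None
    relying_party: Optional[str] = None
    for line in text.splitlines():
        m = RESOLVED_RE.search(line)
        if m:
            resolved[m.group(1)] = int(m.group(2))
            continue
        m = FILTERED_RE.search(line)
        if m:
            filtered_out.append(m.group(1))
            continue
        m = NAMEID_RE.search(line)
        if m:
            principal, relying_party = m.group(1), m.group(2)
    return {"resolved": resolved, "filtered_out": filtered_out,
            "principal": principal, "relying_party": relying_party}


def diagnose(parsed: Dict[str, Any]) -> Dict[str, Any]:
    """Decide which stage lost the attributes, in the order the thread reasons
    about it: resolver -> filter -> NameIdentifier encoding -> only then the
    SP's attribute query over the network (the firewall hypothesis)."""
    resolved: Dict[str, int] = parsed["resolved"]
    relying_party: Optional[str] = parsed["relying_party"]
    # Attributes that left the resolver with values but were then stripped by
    # attribute-filter.xml: the signature Rod spotted in the quoted log.
    dropped = sorted(a for a in parsed["filtered_out"] if resolved.get(a, 0) > 0)
    if not resolved:
        stage, advice = "resolver", (
            "Nothing was resolved; check attribute-resolver.xml and its data connectors.")
    elif dropped:
        stage, advice = "filter", (
            "Resolved attributes were removed by the filter policy; release them "
            "unconditionally first, then re-add rules until the offender shows up.")
    elif relying_party:
        stage, advice = "nameid", (
            "No resolved attribute can be encoded as a SAML1 NameIdentifier; "
            "check the transientId definition and its NameID encoder.")
    else:
        stage, advice = "ok", (
            "Resolution and filtering look fine; now look at the SP's attribute "
            "query endpoint and any firewall in front of it.")
    return {"stage": stage, "dropped_by_filter": dropped,
            "relying_party": relying_party, "advice": advice}


if __name__ == "__main__":
    result = diagnose(parse_idp_log(SAMPLE_LOG))
    print(result["stage"], result["dropped_by_filter"])
    print(result["advice"])
```

Run it against the pasted logs (idp-process.log) from a single login attempt; the ordering of the checks matters, since a filter that strips transientId will always also produce the NameIdentifier warning downstream, and the SP will then log that it cannot attempt the attribute query, exactly the chain quoted in the reply.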