On Wed, 26 Jan 2011, Andy Swiffin wrote:
>>>> On 26/01/2011 at 11:11, in message
> <[log in to unmask]>, Jon Warbrick
> <[log in to unmask]> wrote:
>
>> Could you possibly post your attribute-resolver and attribute-filter
>> entries for eduPersonTargetID? [...]
>
> I'm a great fan of this approach (I think I remember that half of my
> Shib 1 configuration came from Cambridge :-) I don't think you'll find a
> whole lot of surprise in what's below though, most of it I cut and pasted
> (great fan of that too) off the UK federation site
> (http://www.ukfederation.org.uk/content/Documents/Setup2IdP)
>
> The only thing you'll find different is that I choose to create an
> attribute in eduPersonTargetedID.old for SAML2 called
> "eduPersonTargetedID", this was primarily to keep a local SP happy.
So, it looks to me as if you are generating and releasing both the old and
new forms of "eduPersonTargetedID" over SAML1 and SAML2 to everyone. As
you say, this differs from the fragment in Setup2IdP which doesn't
generate the old form for SAML2.
What effect this had on transition may have depended on what your old
Shib1.3 IdP was doing. If it also generated and released the old and new
forms (necessarily over SAML1 since that's all it spoke) then in effect
nothing changed so it's not entirely surprising that nothing broke, at
least for the majority of SPs that will have continued to talk to you over
SAML1.
My Shib 1.3 IdP (yes, I know...) only releases the old form (in line with
what's in Setup1p3IdP) at least to the federation. I think my plan will be
to continue to only release the old form for SAML1 but to release both for
SAML2. With luck that will minimise the chance of the upgrade causing
problems even in the face of SPs that may not be processing the derived
values as carefully as they should.
There's still the danger that SPs that (on transition or later) start
talking to me over SAML2 might simply grab a string representation of the
new form and then fail to match it to the equivalent-if-they-but-knew-it
string representation of the old form and so break personalisation. I'm
going to hope that all the IdPs who have transitioned before me will have
already found and have caused to be fixed any important SPs that have
this problem.
[A minor problem is that I currently generate and release the new form
over SAML1 to local SPs. Just at the moment I don't know if I can craft a
filter rule that will let me continue to do that. Back to the Shib2
wiki...]
Jon.
--
Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge
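The failure mode Jon describes above (an SP taking a string rendering of the new SAML2 NameID form of eduPersonTargetedID and then failing to match it against the old bare-string form) can be illustrated on the SP side. The following is an added example, not code from the thread or from the Shibboleth project; it assumes the UK federation's computedID-based setup, in which the old SAML1 form is the bare computed value and the new form is a SAML2 persistent NameID whose text content is that same value, with the IdP and SP entity IDs carried as NameQualifier and SPNameQualifier. The entity IDs and the ID value are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: the old (SAML1 string) form is the bare computed ID,
# and the new (SAML2 NameID) form wraps the same value with qualifiers.
# Entity IDs and the value are made up for this example (assumption).
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.ac.uk/shibboleth"
OLD_FORM = "zG5F7kQ2pLxZ1rQv9XtT8Hs4bqM="
NEW_FORM_XML = (
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'NameQualifier="' + IDP_ENTITY_ID + '" '
    'SPNameQualifier="' + SP_ENTITY_ID + '">'
    + OLD_FORM + '</saml:NameID>'
)


def parse_new_form(xml_text):
    """Return (NameQualifier, SPNameQualifier, value) from a persistent NameID."""
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}NameID" % SAML2_NS:
        raise ValueError("not a SAML2 NameID element")
    if el.get("Format") != PERSISTENT:
        raise ValueError("NameID is not in persistent format")
    value = (el.text or "").strip()
    if not value:
        raise ValueError("empty NameID value")
    return el.get("NameQualifier"), el.get("SPNameQualifier"), value


def naive_string_form(xml_text):
    """The 'just grab a string' behaviour: qualifiers and value glued
    together. This never equals the old bare-string form, so an SP that
    keys its personalisation records on it breaks on transition."""
    idp, sp, value = parse_new_form(xml_text)
    return "%s!%s!%s" % (idp, sp, value)


def canonical_key(old_form=None, new_form_xml=None,
                  expected_idp=None, expected_sp=None):
    """Reduce either form to the bare value so records keyed on the old
    form still match. For the new form, check the qualifiers first: a
    value scoped to another IdP or another SP must not be accepted as ours."""
    if old_form is not None:
        key = old_form.strip()
    else:
        idp, sp, key = parse_new_form(new_form_xml)
        if expected_idp is not None and idp != expected_idp:
            raise ValueError("NameQualifier does not match the asserting IdP")
        if expected_sp is not None and sp != expected_sp:
            raise ValueError("SPNameQualifier does not match this SP")
    if not key:
        raise ValueError("empty targeted ID")
    return key


if __name__ == "__main__":
    print("naive string form :", naive_string_form(NEW_FORM_XML))
    print("old form          :", OLD_FORM)
    print("canonical (old)   :", canonical_key(old_form=OLD_FORM))
    print("canonical (new)   :", canonical_key(new_form_xml=NEW_FORM_XML,
                                               expected_idp=IDP_ENTITY_ID,
                                               expected_sp=SP_ENTITY_ID))
```

The point of `canonical_key` is that the two forms only agree once the SP strips the NameID down to its value, and that it should only do so after confirming the qualifiers name the expected IdP and itself; accepting a qualifier-less match would let an identifier scoped to a different SP be confused with a local one.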