> Please, please turn off that XMLObject logging category. That's serious
> noise. The default logging files turn off DEBUG for selected categories
> that aren't relevant. Could be the console one doesn't, you might look
> at shibd.logger for examples.
That's fine. I switch all debug logging on when things go south since that tends to help people out...
Removing all that stuff leaves me with this:
pamtest.c:141 Starting with [log in to unmask] service=login
pamtest.c:144 pam_start: Success[0](null)
pamtest.c:71 pamtestConv num_msg=1
Password: ***
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property clockSkew (180)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property id (default)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property validate (false)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property id (entity-attributes)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property REMOTE_USER (eppn persistent-id targeted-id)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property entityID (https://centos6_x64vm.diamond.ac.uk/shibboleth)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property id (default)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property checkAddress (false)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property cookieProps (http)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property handlerSSL (false)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property lifetime (28800)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property relayState (ss:mem)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property timeout (3600)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added nested property set: {urn:mace:shibboleth:2.0:native:sp:config}Sessions
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property helpLocation (/about.html)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property styleSheet (/shibboleth-sp/main.css)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added property supportContact (root@localhost)
2013-06-18 14:15:06 DEBUG Shibboleth.PropertySet : added nested property set: {urn:mace:shibboleth:2.0:native:sp:config}Errors
2013-06-18 14:15:06 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2013-06-18 14:15:06 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2013-06-18 14:15:06 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
2013-06-18 14:15:06 WARN Shibboleth.AttributeExtractor.GSSAPI : unable to extract attributes, GSS name import failed (131072:2109382973)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
pamtest.c:147 pam_authenticate: Error in service module[3](null)
pamtest.c:150 pam_acct_mgmt: Authentication service cannot retrieve authentication info[9](null)
Segmentation fault (core dumped)
> That would be a bug, obviously.
But not relevant... what about the GSSAPI attribute extraction failing further up?
> I don't think that second one would make sense. You may be confused
> here, you don't put SAML attributes in that configuration, that stays
> where it always is. The GSS extractor runs against naming attribute
> extensions present in the initiator name, and those are spec'd to have
> those two part names, I think, with the space in the middle.
No, not confused! Trying ANYTHING to try and get whatever attribute it is that makes the GSSAPI attribute extraction fail (unless that warning is just... extraneous). Considering that it was looking for the "eppn" mapping and was specifically mentioning GSSAPI extraction failing, I mapped the SAML attribute as a GSSAPI one instead.
So again, which attribute from the standard Moonshot SAML assertion should be mapped/extracted, and why is there an "unable to extract attributes" warning?
Regards
Stefan