
shibboleth-dev - Re: signed assertions

Subject: Shibboleth Developers

  • From: Ian Young <>
  • To:
  • Subject: Re: signed assertions
  • Date: Tue, 21 Feb 2006 19:34:15 +0000

Scott Cantor wrote:

> You should be able to capture the outgoing envelope in the IdP log.

I was able to log into the wiki from that IdP, and my ePPN got through as evidenced by it knowing that I am IanYoung. I can indeed see from the IdP logs that the outgoing attribute assertion was signed.

So my IdP is generating signatures that your SP likes, but that my SP dislikes. How irritating.

The SP in question is running your latest FC4 RPMs, and I have checked the RPM versions of shibb and the other things (xml-security-c, xerces-c etc.) against the download site; they are all up-to-date.

> One unrelated note...exportAssertion blows Apache up immediately here, so if
> that's on, it will work until Apache errors out in the request.

Because the signed assertion is too large? OK. I have turned the pass-through of that off on my test SP for now.

If you wanted to try the your-IdP/my-SP combination, an IdP in InQueue could be tweaked to issue signed assertions to my SP:

urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk

Then, you could go here:

https://target.iay.org.uk:8446/index.html

Click on the link for an InQueue WAYF or the SDSS multi-WAYF, and when you get back from your IdP, click the link that says "a more interesting test" to see if any attributes got through.

This is assuming that your IdP has appropriate metadata, which I think everything in InQueue does.

-- Ian


