shibboleth-dev - Re: Shib 2, collection of glitches
- From: Chad La Joie <>
- Subject: Re: Shib 2, collection of glitches
- Date: Thu, 06 Dec 2007 06:09:29 -0800
- Organization: SWITCH
Addressing some of these now.
wrote:
2) SSO transaction starts at line 4317; question relates to line 4581. (Note -- at this point, I was using the default filter policies, so only transientId is being released.)
The IdP is encoding attributes at this point; this msg appears:
Attribute transientId was not encoded because no SAML2AttributeEncoder was attached to it.
shouldn't the distributed config files contain the appropriate element, so this succeeds?
As I told you before, this message is fine. All it means is that IdP isn't encoding that particular value as a SAML attribute. In many, probably most, cases you aren't going to want to send a transient ID as an attribute, you'll just want it as a name ID.
4) the previous 2 points referenced an SSO processing; all attributes were filtered out, so an Attribute Query begins on line 4713.
The IdP seems to be trying to identify who is referenced by the query. On line 4873, I see this msg:
Using principal connector saml1Transient to resolve principal name.
the only thing that concerns me is the saml1Transient word -- since, based on the previous contents of the log, I'm pretty sure that the IdP sent a saml2format identifier... ?
saml1Transient is just the name of the principal connector itself; the name itself is meaningless except as a way to map from these logging messages back to the exact connector the IdP is using. The name itself is confusing though, I agree, it was just a typo. I've changed the name to saml2Transient. I'll say again, though, the name itself is meaningless.
6) line 4981, 3 contains:
Supported NameID formats: [urn:mace:shibboleth:1.0:nameIdentifier]
No principal attribute supported encoding into a supported name ID format.
which seems odd, since it did find an appropriate format during the SSO stage....
Remember, the IdP has two roles, each with their own set of supported name formats. The last time you were dealing with this you added the SAML 2 transient format to the SSO role, did you add it to the attribute authority role?
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
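The two-role point above (SSO role vs. attribute authority role, each with its own name ID formats) is the kind of mismatch that is easy to check mechanically. The script below is an added example, not part of the thread or of the Shibboleth project; it assumes that the IdP's per-role "Supported NameID formats" come from the NameIDFormat elements in its own metadata, and the metadata document it parses is constructed for illustration.

```python
# Added example, not from the thread: compare the NameIDFormat elements declared
# on an IdP's two metadata roles. Assumes (as the thread suggests) that the IdP
# derives its per-role "Supported NameID formats" from these elements.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor")

# Constructed sample: the SSO role was given the SAML 2 transient format,
# the attribute authority role was not, mirroring the situation in the thread.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def name_id_formats(metadata_xml):
    """Return {role name: set of NameIDFormat URIs} for each role present in the metadata."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for role in ROLES:
        for desc in root.findall(f"md:{role}", NS):
            fmts = {e.text.strip() for e in desc.findall("md:NameIDFormat", NS) if e.text}
            result[role] = result.get(role, set()) | fmts
    return result


def missing_formats(metadata_xml):
    """Formats declared on some role but absent from another, keyed by the role lacking them."""
    per_role = name_id_formats(metadata_xml)
    everything = set().union(*per_role.values()) if per_role else set()
    return {role: sorted(everything - fmts)
            for role, fmts in per_role.items() if everything - fmts}


if __name__ == "__main__":
    # On the sample this reports that the attribute authority role lacks the
    # SAML 2 transient format, which is what makes the attribute query fail.
    for role, gaps in missing_formats(SAMPLE_METADATA).items():
        for uri in gaps:
            print(f"{role} lacks NameIDFormat {uri}")
```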