
shibboleth-dev - RE: [Shib-Dev] IdP attribute release

Subject: Shibboleth Developers

  • From: "Alistair Young" <>
  • To:
  • Subject: RE: [Shib-Dev] IdP attribute release
  • Date: Tue, 18 Nov 2008 17:07:03 -0000 (GMT)
  • Importance: Normal

Righto - saw that in the logs but it didn't seem to tie into any decision
making process. By authenticated, do you mean the SP has to sign the
attribute query? Or does the IdP authenticate based on the X.509 from the
SSL connection? I'm presuming the IdP only consumes UK fed metadata so I
can think of at least one route to investigate.

Yes Ian, correct on that one. I suspect perhaps the SP's metadata isn't in
the fed metadata but I'll pursue that elsewhere.

cheers,

Alistair


--
mov eax,1
mov ebx,0
int 80h

>> A Shibboleth IdP won't (can't) release ePTI to an SP that hasn't been
>> authenticated, for example because it hasn't provided a credential on
>> the attribute callback.
>
> Yes, that's true. It's acceptable (though unlikely to be a good idea) to put
> it in the default ARP, but that's one case where having it there won't work
> if the request is anonymous. That falls into the "not successfully resolved"
> bucket I mentioned in the last email.
>
> If the logs aren't clearly indicating that, I'd file a bug.
>
> -- Scott