Shibboleth Developers

[Brent Putman <>]

On 7/22/10 12:58 AM, Halm Reusser wrote:
> > It would be helpful to see a log output on level TRACE for package 
> > edu.internet2.middleware.shibboleth.idp.ext.delegation, for at least 
> > the Liberty part of the flow.  That would at least help confirm what 
> > is or is not happening.
>
> http://codeviewer.org/view/code:10b8 It seems there's no TRACE output, 
> but DEBUG is there.


Ok, it's definitely not running the security policy, at least, there's 
no log output for the delegation-specific rules for client cert auth and 
assertion token validation.  So it's almost certainly the case that the 
relying-party.xml config is incorrect in some way, or possibly hasn't 
been reloaed since changes were made, or something like that.  Basically 
it's not picking up the ProfileConfiguration.  Things that come to mind 
are: a mismatch between the entityID in the custom RelyingParty element 
and the entityID being claimed (thought we checked that already, but 
can't hurt to triple check for typos) or possibly you don't have the 
right metadata effectively loaded on the IdP for the SP.  Or possibly 
there's some syntactic typo that's the XML to not be what it should be.

It you can't spot anything, perhaps you should post on codeviewer (or 
send offline or whatever) your entire relying-party.xml as well as a log 
trace on DEBUG level for all the components, not just the delegation 
ones, so packages edu.internet2.middleware.shibboleth and org.opensaml.  
That should get everything, but of course will be a lot of output.  :-)

--Brent