Skip to Content.
Sympa Menu

shibboleth-dev - Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation


Chronological Thread 
  • From: Brent Putman <>
  • To:
  • Subject: Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation
  • Date: Thu, 22 Jul 2010 10:31:26 -0700



On 7/22/10 12:58 AM, Halm Reusser wrote:


It would be helpful to see a log output on level TRACE for package edu.internet2.middleware.shibboleth.idp.ext.delegation, for at least the Liberty part of the flow. That would at least help confirm what is or is not happening.

http://codeviewer.org/view/code:10b8 It seems there's no TRACE output, but DEBUG is there.


Ok, it's definitely not running the security policy, at least, there's no log output for the delegation-specific rules for client cert auth and assertion token validation. So it's almost certainly the case that the relying-party.xml config is incorrect in some way, or possibly hasn't been reloaed since changes were made, or something like that. Basically it's not picking up the ProfileConfiguration. Things that come to mind are: a mismatch between the entityID in the custom RelyingParty element and the entityID being claimed (thought we checked that already, but can't hurt to triple check for typos) or possibly you don't have the right metadata effectively loaded on the IdP for the SP. Or possibly there's some syntactic typo that's the XML to not be what it should be.

It you can't spot anything, perhaps you should post on codeviewer (or send offline or whatever) your entire relying-party.xml as well as a log trace on DEBUG level for all the components, not just the delegation ones, so packages edu.internet2.middleware.shibboleth and org.opensaml. That should get everything, but of course will be a lot of output. :-)

--Brent





Archive powered by MHonArc 2.6.16.

Top of Page