Odd authentication issue with EzProxy
mhouser at uwm.edu
Fri Sep 9 18:25:36 BST 2011
We've been getting some reports of users failing to authenticate to
EzProxy via our IdP. The reports unfortunately do not include such
useful information as error message text or even at which point in the
authentication process the error was presented, but via uids and
timeframes I was able to get something out of idp-process that looked
suspicious and googling has thus far not given me much to go on.
Before the unsuccessful logins occur there is the following line:
WARN [org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder:134] - Relay state exceeds 80 bytes, some application may not support this.
This does not however occur for all EzProxy users but is only occurring
for EzProxy sessions. There does not appear to be anything weird or
special about the accounts that are failing, and the only attributes
that are being returned to EzProxy are surname, eduPersonScopedAffiliation,
transientId, email, eduPersonPrincipalName, givenName, eduPersonEntitlement
and eduPersonTargetedID. The only things I've been able to find relating
to the warning are specific to Google Docs and suggest that in that case
it can just be ignored. I'm suspicious however that EzProxy may be one
of the applications that doesn't support this condition and I'm unsure
of where to begin looking in order to resolve this issue.
IdP is 2.3.2 and EzProxy is 5.3.0 GA.
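The warning quoted in the message above fires on the size of the RelayState value, so one way to test whether the failing sessions line up with it is to measure RelayState in captured SSO request URLs. The following is an added example, not part of the original post and not Shibboleth or EZproxy code; the hostname, the sample values and the choice to measure the decoded value as UTF-8 bytes are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

RELAY_STATE_LIMIT = 80  # bytes; the threshold named in the warning


def relay_state_bytes(url):
    """Return the UTF-8 byte length of the decoded RelayState, or None if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("RelayState")
    if not values:
        return None
    return len(values[0].encode("utf-8"))


def over_limit(urls, limit=RELAY_STATE_LIMIT):
    """Return (url, length) pairs for requests whose RelayState exceeds the limit."""
    flagged = []
    for url in urls:
        size = relay_state_bytes(url)
        if size is not None and size > limit:
            flagged.append((url, size))
    return flagged


def build_request(relay_state):
    """Build a constructed SSO request URL (hypothetical host, dummy SAMLRequest)."""
    params = {"SAMLRequest": "CONSTRUCTED"}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO?" + urlencode(params)


# Constructed sample values; they do not reproduce EZproxy's real RelayState format.
LONG_TARGET = ("https://proxy.example.edu/login?url="
               "https://journals.example.org/article/2011/09/a-long-title-of-a-paper")
SAMPLE_URLS = [
    build_request("ezp.token123"),   # short value, under the limit
    build_request(LONG_TARGET),      # a full target URL carried as RelayState
    build_request("\u00e9" * 50),    # 50 characters but 100 bytes in UTF-8
    build_request("x" * 80),         # exactly at the limit, not flagged
    build_request(None),             # request without RelayState
]

if __name__ == "__main__":
    for url, size in over_limit(SAMPLE_URLS):
        print(f"{size} bytes: {url}")
```

Running the same check over the requests of affected and unaffected users shows whether only the failing logins carry an oversized RelayState.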