Possible attribute problems when login

[Sergio Rivas]

Forget my last e-mail, I looked for AttrChecker on my shibbolet2.xml file 
(Service Provider config file) and I discovered that there was a 
prerequisite for logins:


<!-- Checks for required attribute(s) before login completes. -->
<Handler type="AttributeChecker" Location="/AttrChecker" 
template="attrChecker.html" attributes="eppn" flushSession="true"/>


Scott was right, I was not releasing "eppn" and that's why the session 
always have failed. If someone is interested, I've solved it by removing 
those lines and the "sessionHook" on top 
(sessionHook="/Shibboleth.sso/AttrChecker").

Also, Scott, why is this needed? Do I need to always use it or it's just for 
beign sure that some attributes are correctly received?

Again, thank you a lot, I've been with this for 3 days and you guys solved 
it in a couple of minutes (really, thank you Peter and Scott).

Kind Regards,
Sergio.



-----Mensaje original----- 
From: Cantor, Scott
Sent: Sunday, August 19, 2012 10:52 PM
To: Shib Users
Subject: Re: Possible attribute problems when login

On 8/19/12 9:07 AM, "Sergio Rivas" <srivasg_21 at hotmail.com> wrote:
>
>I'm using a User / Password authentication with an LDAP connector, and it
>seems to work as I can enter bad credentials and I'm not authorizated to
>access the service (i.e., the login form is showing). The problem is that
>I
>always get this message when my user is correctly authenticated through
>Shibboleth login form:
>
>"We're sorry, but you cannot access this service at this time.

That¹s a result of substantial "extra" configuration on your part. That's
the example template for failing a check for required attributes, which
means you had to have added the sessionHook feature and the AttrChecker
handler and told it to look for some set of attributes.

If you did all that, and you're not releasing those attributes from the
IdP, then that's the result.

-- Scott

--
To unsubscribe from this list send an email to 
users-unsubscribe at shibboleth.net