Possible attribute problems when login
srivasg_21 at hotmail.com
Sun Aug 19 21:16:45 EDT 2012
Forget my last e-mail, I looked for AttrChecker on my shibbolet2.xml file
(Service Provider config file) and I discovered that there was a
prerequisite for logins:
<!-- Checks for required attribute(s) before login completes. -->
<Handler type="AttributeChecker" Location="/AttrChecker"
template="attrChecker.html" attributes="eppn" flushSession="true"/>
Scott was right, I was not releasing "eppn" and that's why the session
always have failed. If someone is interested, I've solved it by removing
those lines and the "sessionHook" on top
Also, Scott, why is this needed? Do I need to always use it or it's just for
beign sure that some attributes are correctly received?
Again, thank you a lot, I've been with this for 3 days and you guys solved
it in a couple of minutes (really, thank you Peter and Scott).
From: Cantor, Scott
Sent: Sunday, August 19, 2012 10:52 PM
To: Shib Users
Subject: Re: Possible attribute problems when login
On 8/19/12 9:07 AM, "Sergio Rivas" <srivasg_21 at hotmail.com> wrote:
>I'm using a User / Password authentication with an LDAP connector, and it
>seems to work as I can enter bad credentials and I'm not authorizated to
>access the service (i.e., the login form is showing). The problem is that
>always get this message when my user is correctly authenticated through
>Shibboleth login form:
>"We're sorry, but you cannot access this service at this time.
That¹s a result of substantial "extra" configuration on your part. That's
the example template for failing a check for required attributes, which
means you had to have added the sessionHook feature and the AttrChecker
handler and told it to look for some set of attributes.
If you did all that, and you're not releasing those attributes from the
IdP, then that's the result.
To unsubscribe from this list send an email to
users-unsubscribe at shibboleth.net
More information about the users