Problems extracting attributes

Rayene Ben Rayana rayene.benrayana at gmail.com
Fri Feb 1 07:17:58 EST 2013


Dear all,

We have a problem extracting user attributes from our client's IDP. The
authentication succeeds but no attributes are pushed/resolved.

The SP is actually working with many other IDPs from the same federation.
The IDP has also been tested with other resources from the federation with
success.
Additionally, the aacli.sh command executed by the client returns the
attributes.

The syslog below shows that:
1 / no attributes are pushed during SSO (do you confirm?)
2 / the attribute resolution fails... This is because there's no
"AttributeAuthorityDescriptor" in the IDP's metadata (see
discussion <https://lists.internet2.edu/sympa/arc/shibboleth-users/2009-06/msg00040.html>).

Any idea on how to solve this issue? Is it a certificate issue?

Please advise,

Thanks


Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG
XMLTooling.KeyInfoResolver.Inline [12]: *resolved 0 certificate(s)*
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG
XMLTooling.CredentialCriteria [12]: *key algorithm didn't match ('AES' !=
'RSA')*
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG
XMLTooling.KeyInfoResolver.Inline [12]: resolving ds:X509Certificate
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG
XMLTooling.KeyInfoResolver.Inline [12]: resolved 1 certificate(s)
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG Shibboleth.SSO.SAML2
[12]: decrypted Assertion: <saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_1d175dede02b33fdda56b541aa1044db"
IssueInstant="2013-01-30T15:22:44.630Z" Version="2.0"><saml:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://shibbo.ec-nantes.fr/idp/shibboleth</saml:Issuer><saml:Subject><saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
Address="195.68.4.238" InResponseTo="_f811fc94ba2bdf931a8b7c604f198928"
NotOnOrAfter="2013-01-30T15:27:44.630Z" Recipient="
https://controller.mobile.lan/Shibboleth.sso/SAML2/POST"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions
NotBefore="2013-01-30T15:22:44.630Z"
NotOnOrAfter="2013-01-30T15:27:44.630Z"><saml:AudienceRestriction><saml:Audience>
https://www.ucopia.com/shib</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
AuthnInstant="2013-01-30T15:22:44.405Z"
SessionIndex="f9b1016452c9fb52fc85c1e0f7487bea7db08f2e8ecfd1aff8150de5574cb856"><saml:SubjectLocality
Address="195.68.4.238"/><saml:AuthnContext><saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextDeclRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG Shibboleth.SSO.SAML2
[12]: extracting issuer from SAML 2.0 assertion
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG
OpenSAML.SecurityPolicyRule.MessageFlow [12]: evaluating message flow
policy (replay checking on, expiration 60)
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG
XMLTooling.StorageService [12]: inserted record
(_1d175dede02b33fdda56b541aa1044db) in context (MessageFlow)
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG
OpenSAML.SecurityPolicyRule.BearerConfirmation [12]: assertion satisfied
bearer confirmation requirements
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG Shibboleth.SSO.SAML2
[12]: SSO profile processing completed successfully
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG Shibboleth.SSO.SAML2
[12]: *extracting pushed attributes...*
Jan 30 16:22:44 localhost shibboleth: 1359559364 DEBUG Shibboleth.SSO.SAML2
[12]: *resolving attributes...*
Jan 30 16:22:44 localhost shibboleth: 1359559364 WARN
Shibboleth.AttributeResolver.Query [12]: *can't attempt attribute query,
either no NameID or no metadata to use*
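
A way to check points 1 and 2 against a decrypted assertion like the one in the log, as an added example that is not part of the original post: it reports whether the assertion carries any attributes and whether its Subject has an identifier an attribute query could use. Both sample assertions are constructed (the first is the logged assertion trimmed to Issuer and Subject), and `inspect_assertion` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample: the logged assertion, trimmed to Issuer and Subject.
LOGGED = (
    f'<saml:Assertion xmlns:saml="{SAML}" ID="_1d175dede02b33fdda56b541aa1044db" Version="2.0">'
    "<saml:Issuer>https://shibbo.ec-nantes.fr/idp/shibboleth</saml:Issuer>"
    '<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
    "</saml:Subject></saml:Assertion>"
)
# Constructed contrast case (not from the log): an assertion that releases a NameID and one attribute.
RELEASING = (
    f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">'
    "<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>"
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    "_constructed-handle</saml:NameID></saml:Subject>"
    '<saml:AttributeStatement><saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">'
    "<saml:AttributeValue>user@example.org</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>"
    "</saml:Assertion>"
)

def inspect_assertion(xml_text):
    """Report what an SP could extract from, or query with, one decrypted assertion."""
    root = ET.fromstring(xml_text)
    subject = root.find("saml:Subject", NS)
    # A subject identifier is a NameID, EncryptedID or BaseID child of Subject.
    name_id = subject is not None and any(
        subject.find(f"saml:{tag}", NS) is not None for tag in ("NameID", "EncryptedID", "BaseID"))
    attributes = [a.get("FriendlyName") or a.get("Name")
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)]
    encrypted = len(root.findall("saml:AttributeStatement/saml:EncryptedAttribute", NS))
    findings = []
    if not attributes and not encrypted:
        findings.append("no attributes in the assertion: nothing was pushed during SSO")
    if not name_id:
        findings.append("no subject identifier: an attribute query has no NameID to ask about")
    return {"issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
            "name_id": name_id, "attributes": attributes, "findings": findings}

if __name__ == "__main__":
    for label, doc in (("logged", LOGGED), ("releasing", RELEASING)):
        report = inspect_assertion(doc)
        print(label, report["issuer"], report["attributes"], report["findings"] or "ok")
```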