Salesforce error when authing against Shibboleth

Ben Branch BBranch at uco.edu
Fri Aug 8 18:04:53 EDT 2014


So, then how do I get attributes to release then? Understand, this is my first time ever setting this up. I've been poring over the wiki to try and find something to help me but I have been very unsuccessful in that endeavor.

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA

100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch at uco.edu | www.uco.edu

"I am wiser than this man, for neither of us appears to know anything great and good; but he fancies he knows something, although he knows nothing; whereas I, as I do not know anything, so I do not fancy I do. In this trifling particular, then, I appear to be wiser than he, because I do not fancy I know what I do not know."  - Socrates


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Friday, August 08, 2014 4:51 PM
To: Shib Users
Subject: Re: Salesforce error when authing against Shibboleth

On 8/8/14, 5:42 PM, "Ben Branch" <BBranch at uco.edu> wrote:
>
>So...then do I just comment out these 2 lines in my idp-metadata.xml?
>Or is there something more that I need to do?

Metadata advertises what you support and is something you change after having changed something that it reflects.

Disabling profiles for specific requesters is done with relying-party.xml (each profile has an element inside the RelyingParty elements that represents support for the profile and what options are used with it).

Disabling a particular profile outright, full stop, is done in handler.xml by removing the profile mapping that associates a path in the IdP to that profile.

SOAP is used for attribute queries and for the artifact profile/binding.
Disabling SAML 1 queries while supporting SAML 1 SPs with default options that don't include attributes during SSO will flat break them. However, you obviously don't have queries working now given that the wrong certificate is there, so it's pretty likely you don't need it.

>  I have an LDAP Data Connector configured and what I believe to be
>properly configured attribute-filter and resolver.

I guess that's not true, since you're not releasing any data even to testshib.

-- Scott
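
On the attribute-release question in this thread, an added example (not code from the thread or from the Shibboleth project): it reads an IdP 2.x-style attribute-filter.xml and lists the attribute IDs its policies permit for one requester. The sample policy file, the entity IDs and the function names are constructed for illustration, and only the basic:ANY and basic:AttributeRequesterString policy rules are handled.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample in IdP 2.x attribute-filter.xml syntax.
# Entity IDs and attribute IDs are placeholders, not values from the thread.
SAMPLE_FILTER = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="transientId">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseToExampleSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""


def _local_type(elem):
    """Return an element's xsi:type without its prefix, e.g. 'ANY'."""
    return elem.get(f"{{{XSI}}}type", "").split(":")[-1]


def released_attributes(filter_xml, requester):
    """List attribute IDs the filter policies permit for one requester entityID."""
    # Simplification: other matcher types (regex, AND/OR, ...) and deny rules
    # are ignored, so treat the result as a first check, not a full evaluation.
    root = ET.fromstring(filter_xml)
    released = set()
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        rule = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        kind = _local_type(rule) if rule is not None else ""
        applies = kind == "ANY" or (
            kind == "AttributeRequesterString" and rule.get("value") == requester)
        if applies:
            for attr in policy.findall(f"{{{AFP}}}AttributeRule"):
                if attr.find(f"{{{AFP}}}PermitValueRule") is not None:
                    released.add(attr.get("attributeID"))
    return sorted(released)
```

An attribute ID listed by the filter is only released if attribute-resolver.xml also defines an attribute with that ID, so a requester that shows nothing beyond the defaults here points at the filter, while a listed but missing attribute points at the resolver.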
