Which handler LDAP SSO

Morris, Andi amorris at cardiffmet.ac.uk
Wed Nov 12 10:05:52 EST 2014

Aha, yes I can see that now, thanks. I hadn't configured the attribute resolver with all the examples given. I think I couldn't see the wood for the trees.


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 12 November 2014 14:34
To: users at shibboleth.net
Subject: Re: Which handler LDAP SSO


I have not done such an integration myself so far so can't comment on further details.

* Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-12 15:08]:
> 13:56:17.790 - ERROR
> [edu.internet2.middleware.shibboleth.common.config.BaseService:188]
> - Configuration was not loaded for shibboleth.AttributeResolver 
> service, error creating components.  The root cause of this error
> was: org.xml.sax.SAXParseException: Key 
> 'DataConnectorAttributeDefinitionDependencyRef' with value 
> 'HTTP/servername.cardiffmet.ac.uk' not found for identity constraint 
> of element 'AttributeResolver'.
>       <resolver:Dependency ref="HTTP/servername.cardiffmet.ac.uk" />
>       <resolver:Dependency ref="INTERNAL.DOMAIN.AC.UK" />

The resolver:Dependency elements reference the internal ids of data connectors defined in the attribute resolver, they know nothing about kerberos. The root cause for this seems to be a confusion about this part in the Kerberos Login Handler docs:
  <resolver:Dependency ref="krb_principalname" />
  <resolver:Dependency ref="krb_domain" /> Those strings are meant to be used literally, they reference by name data connectors defined elsewhere on that page.
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list