Really strange authorization issue.

mat houser mhouser at
Fri Aug 14 14:18:06 EDT 2015

Thanks to Mr Koranda this seems sorted out.

The clock on the failing node was just a little under a minute in the
future, which most SPs didn't seem to care about, but exlibris evidently


mhouser at

On Fri, 14 Aug 2015, Cantor, Scott wrote:

On 8/14/15, 1:35 PM, "users on behalf of mat houser" <users-bounces at on behalf of mhouser at> wrote:
>IdP V3.1.2. Three servers configured identically with two behind an F5
>ADC and the third a stand-alone test VM. IdP01 works perfectly well with
>all SPs with the exception of Test and IdP02
>both work fine, and 01 appears to be sending all the same attributes
>including the patron ID that the SP is supposed to primary key from.

I guess I would diff a Response from them and see if you spot any important differences.

>Users authenticated by idp01 just get the error "The user is not
>authorized in Alma", even though the assertion definitely contains the
>authorization attribute in the attribute statement.

Well, we can't debug a message from an application. You're going to need them to debug what it actually thinks is wrong.

-- Scott
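
A way to check a captured Response for the clock problem described at the top of this thread, as an added example that is not code from the posters or from the Shibboleth project. It assumes the receiving SP compares `IssueInstant`, `NotBefore` and `NotOnOrAfter` with its own clock within some tolerance; the sample Response, the `time_problems` helper and the skew values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned Response stamped 55s ahead of the receiver.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2015-08-14T17:00:55Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-08-14T17:00:55Z">
    <saml:Conditions NotBefore="2015-08-14T17:00:55Z"
                     NotOnOrAfter="2015-08-14T17:05:55Z"/>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values, optionally with fractional seconds.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def time_problems(response_xml, sp_now, skew_seconds):
    """List the timing checks that fail at the receiver's clock sp_now
    when the receiver tolerates skew_seconds of clock difference."""
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(response_xml)  # run only on Responses you captured yourself
    problems = []
    for el in [root] + root.findall("saml:Assertion", NS):
        name = el.tag.rsplit("}", 1)[-1]
        ahead = (_ts(el.get("IssueInstant")) - sp_now).total_seconds()
        if ahead > skew_seconds:
            problems.append(f"{name} IssueInstant is {ahead:.0f}s in the future")
    for cond in root.findall("saml:Assertion/saml:Conditions", NS):
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and _ts(nb) > sp_now + skew:
            problems.append("Conditions NotBefore not yet reached")
        if noa and _ts(noa) <= sp_now - skew:
            problems.append("Conditions NotOnOrAfter has passed")
    return problems

if __name__ == "__main__":
    sp_now = datetime(2015, 8, 14, 17, 0, 0, tzinfo=timezone.utc)  # receiver's clock
    for skew in (180, 30):  # a lenient and a strict receiver (constructed values)
        print(skew, time_problems(SAMPLE, sp_now, skew))
```

Running the same check over a Response from each IdP node shows whether only one node's timestamps fall outside a strict receiver's tolerance.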
