idpv3.2.1 issues with

Rich Graves rgraves at
Mon Dec 21 22:26:13 EST 2015

Have other idpv3 sites found workarounds necessary for aka

My test idp3.2.1 seems to be working with every SP except this one. The SP works with idpv2. The response that v3 gets is:


Things I've tried:

- Force SHA1 instead of SHA256 digests with shibboleth.SigningConfiguration.SHA1 scoped to specific SPs
  - I followed the directions at /confluence/display/IDP30/SecurityConfiguration and it "works" in that I see <ds :DigestMethod Algorithm="" /> and if I force other SPs to use SHA1 instead of SHA256, I can log on to them
- Fiddle with attribute release and NameIDs
  - They "should" be fine with transientId and I am sending the same attributes

Observation: idpv3 transientIds are much longer, AAdzZWNyZXQx3A/wlRuqn8bbFDLYcUniAlGBSfrAkhqqCmB8fXImNo6r+2hwVemgErP92TNT83kpb+aWztJ3cGbZdGSSmmFGzMKORHCPPmj9VGxj6NHDkcj1a3IUS7nB5dJTzamyT9R9UIzTMvImntLvE2Xjyg/XhWifaL18d3/ZGkm4yz5CbbG36D3SGDrjaNJ73P+JOQ== versus _c764d8341964b9b3cea5045b4b50e2e8.

More information about the users mailing list