persistentID nameID for specific SPs, transient for default
Jehan PROCACCIA
jehan.procaccia at tem-tsp.eu
Wed Dec 13 11:40:40 EST 2017
I removed the logs because of a problem sending my mail with all of them included; I'll try to send the essential parts here. I guess you're looking for log lines prefixed with ERROR?
More below:
From idp-process.log: first, it doesn't seem to match the candidate condition!?
2017-12-13 17:22:00,188 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334] - Metadata backing store does not contain any EntityDescriptors with the ID: https://services.renater.fr/shibboleth
although that SP really is there!
root at idp3 conf]# grep services.renater.fr/shibboleth ../metadata/main-sps-renater-metadata.xml
</md:EntityDescriptor><md:EntityDescriptor entityID="https://services.renater.fr/shibboleth">
Later in the logs:
2017-12-13 17:22:00,207 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:259] - Resolving credentials from supplied RoleDescriptor using usage: ENCRYPTION. Effective entityID was: https://services.renater.fr/shibboleth
2017-12-13 17:22:00,217 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing
2017-12-13 17:22:00,218 - DEBUG [org.opensaml.saml.common.profile.impl.VerifyChannelBindings:154] - Profile Action VerifyChannelBindings: No channel bindings found to verify, nothing to do
...
2017-12-13 17:22:11,278 - DEBUG [org.opensaml.saml.common.profile.logic.AbstractNameIDPolicyPredicate:218] - Policy checking disabled for NameIDPolicy with Format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
2017-12-13 17:22:11,278 - DEBUG [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:82] - Metadata specifies the following formats: []
2017-12-13 17:22:11,278 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:100] - Configuration specifies the following formats: []
2017-12-13 17:22:11,278 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:110] - No formats specified in configuration or in metadata, returning default
2017-12-13 17:22:11,279 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:323] - Profile Action AddNameIDToSubjects: Candidate NameID formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
2017-12-13 17:22:11,279 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:396] - Profile Action AddNameIDToSubjects: Trying to generate NameID with Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
2017-12-13 17:22:11,280 - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - Profile Action AddNameIDToSubjects: Error while generating NameID
org.opensaml.saml.common.SAMLException: Invalid NameIdentifierGenerationService configuration
at net.shibboleth.idp.saml.nameid.impl.ProxySAML2NameIDGenerator.generate(ProxySAML2NameIDGenerator.java:62)
2017-12-13 17:22:11,280 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:341] - Profile Action AddNameIDToSubjects: Unable to generate a NameID, leaving empty
2017-12-13 17:22:11,281 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddSubjectConfirmationToSubjects:267] - Profile Action AddSubjectConfirmationToSubjects: Attempting to add SubjectConfirmation to assertions in outgoing Response
And finally the SAML assertion:
2017-12-13 17:22:11,290 - DEBUG [org.opensaml.saml.saml2.profile.impl.EncryptAssertions:132] - Profile Action EncryptAssertions: Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_c4d76b71f6a31d3f8dcd8c7a6a729a50"
IssueInstant="2017-12-13T16:22:11.269Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://idpr3.tem-tsp.eu/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="191.160.129.124"
InResponseTo="_1b36afb4833c7cafa8e35f4da86889dc"
NotOnOrAfter="2017-12-13T16:27:11.282Z" Recipient="https://services.renater.fr/Shibboleth.sso/SAML2/POST"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2017-12-13T16:22:11.269Z" NotOnOrAfter="2017-12-13T16:27:11.269Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://services.renater.fr/shibboleth</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2017-12-13T16:22:07.224Z" SessionIndex="_3bf26d03f5020709f5cac65cf2826eb1">
<saml2:SubjectLocality Address="191.160.129.124"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="uid"
Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">procacci</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="mail"
Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">jehan.procaccia at tem-tsp.eu</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonPrincipalName"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">procacci at tem-tsp.eu</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
thanks.
----- Original Message -----
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: "users" <users at shibboleth.net>
Sent: Wednesday, 13 December 2017 16:42:19
Subject: Re: persistentID nameID for specific SPs, transient for default
On 12/13/17, 10:06 AM, "users on behalf of Jehan PROCACCIA" <users-bounces at shibboleth.net on behalf of jehan.procaccia at tem-tsp.eu> wrote:
> Where did I go wrong?
You ignored the giant slog of errors in the log far above anything you're looking at that will tell you what the syntax error is preventing the config from loading.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
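As an added diagnostic example (not part of the post and not Shibboleth project code): the thread turns on reading the right lines of idp-process.log, namely the ERROR entry and the exception text beneath it, the metadata miss for the SP's entityID, the candidate NameID formats the IdP settled on, and whether the emitted assertion ended up with a NameID at all. The script below does that triage over constructed sample data copied from the excerpt above. It assumes the log line shape seen in the post (`<date> <time> - <LEVEL> [<logger>:<line>] - <message>`, with exception and stack-frame lines as untimestamped continuations) and a plain SAML 2.0 assertion as logged by `EncryptAssertions` before encryption.

```python
"""Triage a Shibboleth IdP idp-process.log excerpt and the assertion it produced.

Added example, not Shibboleth project code. Assumes the log line shape seen in
the post and a SAML 2.0 assertion; SAMPLE_LOG and SAMPLE_ASSERTION are
constructed from the excerpt in the post.
"""
import re
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]:]+):\d+\] - (?P<msg>.*)$"
)
META_MISS = re.compile(r"does not contain any EntityDescriptors with the ID: (\S+)")
CANDIDATES = re.compile(r"Candidate NameID formats: \[(.*)\]")

# Constructed sample: the relevant lines from the post's idp-process.log excerpt.
SAMPLE_LOG = """\
2017-12-13 17:22:00,188 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334] - Metadata backing store does not contain any EntityDescriptors with the ID: https://services.renater.fr/shibboleth
2017-12-13 17:22:11,278 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:110] - No formats specified in configuration or in metadata, returning default
2017-12-13 17:22:11,279 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:323] - Profile Action AddNameIDToSubjects: Candidate NameID formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
2017-12-13 17:22:11,280 - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - Profile Action AddNameIDToSubjects: Error while generating NameID
org.opensaml.saml.common.SAMLException: Invalid NameIdentifierGenerationService configuration
at net.shibboleth.idp.saml.nameid.impl.ProxySAML2NameIDGenerator.generate(ProxySAML2NameIDGenerator.java:62)
2017-12-13 17:22:11,280 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:341] - Profile Action AddNameIDToSubjects: Unable to generate a NameID, leaving empty
"""

# Constructed sample: a trimmed copy of the assertion logged in the post (no NameID).
SAMPLE_ASSERTION = """<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_c4d76b71f6a31d3f8dcd8c7a6a729a50" IssueInstant="2017-12-13T16:22:11.269Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://idpr3.tem-tsp.eu/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2017-12-13T16:22:11.269Z" NotOnOrAfter="2017-12-13T16:27:11.269Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://services.renater.fr/shibboleth</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>
"""


def parse_log(text):
    """Group lines into entries; untimestamped lines (exception message, stack
    frames) are attached to the preceding entry as 'detail'."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append({**m.groupdict(), "detail": []})
        elif entries and line.strip():
            entries[-1]["detail"].append(line.strip())
    return entries


def error_entries(entries):
    """The ERROR entries, which is what the reply tells the poster to look for."""
    return [e for e in entries if e["level"] == "ERROR"]


def metadata_misses(entries):
    """entityIDs the metadata resolver reported as absent from its backing store."""
    return [m.group(1) for e in entries for m in [META_MISS.search(e["msg"])] if m]


def candidate_formats(entries):
    """NameID formats AddNameIDToSubjects decided to try, or None if not logged."""
    for e in entries:
        m = CANDIDATES.search(e["msg"])
        if m:
            inner = m.group(1).strip()
            return [f.strip() for f in inner.split(",")] if inner else []
    return None


def assertion_subject(xml_text):
    """Report the assertion's NameID (if any) and its Audience."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    name_id = root.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    audience = root.find(f".//{{{SAML2}}}Audience")
    return {
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "name_id_value": name_id.text if name_id is not None else None,
        "audience": audience.text if audience is not None else None,
    }


def triage(log_text, assertion_xml):
    """One summary dict: errors with their first detail line, metadata misses,
    candidate formats, and whether the assertion left the Subject without a NameID."""
    entries = parse_log(log_text)
    subject = assertion_subject(assertion_xml)
    return {
        "errors": [(e["logger"], e["msg"], e["detail"][:1]) for e in error_entries(entries)],
        "metadata_misses": metadata_misses(entries),
        "candidate_formats": candidate_formats(entries),
        "assertion": subject,
        "nameid_missing": subject["name_id_value"] is None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, SAMPLE_ASSERTION), indent=2))
```

Run against a real idp-process.log, `error_entries` surfaces the configuration-load failures Scott points at, which appear earlier in the file than the NameID generation messages; `metadata_misses` makes the entityID lookup failure explicit so it can be compared against the metadata file with grep as the poster did; and `nameid_missing` confirms from the assertion itself that the Subject went out without a NameID.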