Access Denied

Tabitha O. Locklear tabithao.locklear at
Wed Aug 1 11:17:31 EDT 2018

Thank you for your time and your response.
I had so much time into building the V3 and I had all but two SPs working; I felt that it would be a simple fix, but not understanding the syntax has made it far too difficult.

-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Tuesday, July 31, 2018 9:19 PM
To: Shib Users <users at>
Subject: Re: Access Denied

On 7/31/18, 9:15 AM, "Cantor, Scott" <cantor.2 at> wrote:

> You move the system over by hand, and then upgrade over top of it. All that has to be there are the files.

To clarify since I was a bit overly brief this morning due to busy-ness, what I'm saying is: if you want to get back to a working system, you can upgrade, and the NameID behavior is going to be identical because all of the components that go into it are left in place by design (whatever you already did for authentication can just be copied over into the upgraded system, that's all different in V3 of course).

The documented upgrade procedure has nothing to do with moving servers or not moving servers, it's simply how it is meant to be done no matter what. It is how *I* did mine, and trust me, I know more about running both V2 and V3 than anybody. When I deviated from the upgrade mid-stream to "clean stuff up", I broke it. It's just unavoidable doing it that way, too many different cases to test or fully reproduce from scratch.

All that said, if you're stuck with a fresh install, then you have no choice but to understand *how* NameID generation works, full stop, and you need to debug the active behavior, which is heavily logged. It is very well documented and if I understood why people seemed to have such trouble with it, I would fix it, but I simply don't.

1. A Format is selected in a precisely documented and rigid sequence of steps that are documented.
2. The generators in the configuration are tried in sequence to satisfy that Format.
3. Failing that, give up and stick in a default (transient).

That's it. The only variable part is that step 2 will also fall back into legacy use of the attribute resolver via the old NameID-based AttributeEncoders attached to AttributeDefinitions to generate the NameIDs, which is what an upgraded system does at first until it's changed. I didn't change mine away from that until months after I had a production V3 system. It is not urgent to do that, short of moving to V4, which is certainly not coming any time soon.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at
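The three steps Scott describes (a Format is chosen, the configured generators are tried in order for that Format, transient is the fallback) map onto the generator list in the IdP V3 `conf/saml-nameid.xml`. The fragment below is an added illustration for this archive page, not configuration from the thread or from the Shibboleth project; the attribute ID `uid`, the choice of a persistent generator, and the presence of the legacy generator bean are assumptions.

```xml
<!-- Excerpt of conf/saml-nameid.xml (Shibboleth IdP V3).
     Added example, not the thread's or the project's configuration;
     the attribute ID "uid" and the legacy bean reference are assumptions. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Step 2: generators are consulted in list order, but each one only
         applies when the Format selected in step 1 equals its p:format.
         This one builds a persistent NameID from the resolved "uid" attribute. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          p:attributeSourceIds="#{ {'uid'} }" />

    <!-- Step 3: the transient generator is the default; keep it in the list
         so a request that no other generator can satisfy still gets a NameID. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Legacy fallback mentioned in the thread: on an upgraded system the
         old NameID AttributeEncoders from the resolver are consulted here.
         On a fresh install there are no such encoders, so this contributes
         nothing and the generators above must cover every Format an SP
         will ask for. (Bean ID assumed from the V3 system configuration.) -->
    <ref bean="shibboleth.LegacySAML2NameIDGenerator" />

</util:list>
```

When an SP still ends up with a transient or no NameID, the practical check is to confirm which Format step 1 actually chose (from the request's NameIDPolicy or the SP's metadata) and whether any generator in this list carries exactly that `p:format` string and can resolve its source attribute for that user; the IdP's NameID generation logging, raised to DEBUG, reports each generator it tries and why it was skipped.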
