Adobe SSO

Brady, Jason W jbrady at sbccd.cc.ca.us
Thu Aug 2 18:49:42 EDT 2018


I don’t know if this was your issue, but we literally did this yesterday, and for us it was that you must release the attributes used to calculate the Name ID. The log pretty much said that, but I don’t remember if it required debug to say it (I leave some debug on to help with troubleshooting helpdesk issues, and they haven’t caused an issue). Adobe told us the attribute names were case sensitive, and releasing “Email” did not allow the email Name ID to be calculated because our configuration used “email” to calculate it. I released both and it worked.

Also the initial setup on Adobe’s side using our SHA1 certificate did not provide an encryption key in the Adobe metadata and I had to disable encrypted assertions (and encrypted Name ID, though maybe that wasn’t required) on our side for it to work. Once they loaded our SHA256 certificate, their metadata included an encryption key.

Jason Brady * Web Developer * San Bernardino Community College District *
1289 Bryn Mawr Ave, Suite B, Redlands, CA 92374 *
Tel 909-384-8691 * Mobile 951-295-9515 * Fax 909-796-6579 * jbrady at sbccd.cc.ca.us

From: users <users-bounces at shibboleth.net> On Behalf Of Jann Malenkoff
Sent: Thursday, August 2, 2018 11:19 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Adobe SSO

As always -- this mailing list has the direction and/or answers -- thank you :)

There were a number of events (on NameID generation, attribute resolution unsupported by Adobe - per suggestion by Peter and Todd) -- culminating with Scott's suggestion -- w.r.t attribute release.

Thank you all.

We were on a wild-goose chase for many weeks with the vendor -- I have learned my lesson to come here earlier in future.

On Thu, Aug 2, 2018 at 8:23 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
(And I'd add that once the logging is clear, I'd suggest filing a RFE because it shouldn't be necessary to run on DEBUG to diagnose this. Any generators that aren't able to run when they're asked to should probably log themselves on INFO. They may already.)

-- Scott

> -----Original Message-----
> From: Cantor, Scott
> Sent: Thursday, August 2, 2018 11:21 AM
> To: Shib Users <users at shibboleth.net>
> Subject: RE: Adobe SSO
>
> > Any ideas where else to investigate?
>
> The log. It tells you exactly what it does at every step of the generation
> process and I can mostly guarantee it's telling you that your requested
> format was impossible to satisfy with anything you have configured or that
> no data was available to populate it from the sourced IdPAttribute.
>
> -- Scott

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
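
A check for the mismatch described in the first message above, as an added example that is not part of the thread: it compares the attribute IDs a NameID generator reads from with the IDs an attribute filter releases, using exact, case-sensitive matching. The two XML fragments are constructed in the style of the Shibboleth IdP's saml-nameid.xml and attribute-filter.xml; the policy id, requester value and function names are assumptions, and the check ignores which requester each policy applies to.

```python
import re
import xml.etree.ElementTree as ET

P_NS = "http://www.springframework.org/schema/p"

# Constructed fragment in the style of conf/saml-nameid.xml (not from the thread).
NAMEID_XML = """
<list xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'email'} }" />
</list>
"""

# Constructed fragment in the style of conf/attribute-filter.xml (placeholder values).
FILTER_XML = """
<AttributeFilterPolicyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="adobe-placeholder">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/placeholder" />
    <AttributeRule attributeID="Email"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

def nameid_sources(xml_text):
    """Map each NameID format to the attribute IDs its generator reads."""
    out = {}
    for bean in ET.fromstring(xml_text).iter("bean"):
        fmt = bean.get(f"{{{P_NS}}}format")
        spel = bean.get(f"{{{P_NS}}}attributeSourceIds", "")
        out[fmt] = re.findall(r"'([^']+)'", spel)  # IDs inside the SpEL list literal
    return out

def released_ids(xml_text):
    """Attribute IDs that have an AttributeRule in any policy (simplification)."""
    return {r.get("attributeID") for r in ET.fromstring(xml_text).iter("AttributeRule")}

def unsatisfiable_formats(nameid_xml, filter_xml):
    """Formats with no released source attribute, with case-only near misses."""
    released = released_ids(filter_xml)
    by_lower = {r.lower(): r for r in released}
    problems = {}
    for fmt, sources in nameid_sources(nameid_xml).items():
        if not any(s in released for s in sources):  # exact, case-sensitive match
            problems[fmt] = [(s, by_lower.get(s.lower())) for s in sources]
    return problems

if __name__ == "__main__":
    for fmt, misses in unsatisfiable_formats(NAMEID_XML, FILTER_XML).items():
        print(fmt, "has no released source; (wanted, released-as):", misses)
```

Each reported pair is the ID the generator wants and, where one exists, the differently cased ID that the filter actually releases.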
