Help with name ID

Mike Osterman ostermmg at whitman.edu
Fri Nov 16 11:45:55 EST 2018 

OK - very helpful!

So I've determined that there is a valid attribute:
2018-11-15 17:01:48,179 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:411] -
Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies
for 'mail'
2018-11-15 17:01:48,180 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:427] -
Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving
dependencies for 'mail'
2018-11-15 17:01:48,180 - DEBUG
[net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] -
Attribute Definition 'mail': produced an attribute with the following
values [StringAttributeValue{value=ostermmg at whitman.edu}]
2018-11-15 17:01:48,181 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:308] -
Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition
'mail' produced an attribute with 1 values

It turned out to be a problem with the Requester URL in the Attribute
Filter policy:

2018-11-15 17:01:51,439 - DEBUG
[net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:128] - Attribute
Filter Policy 'foo'  Checking if attribute filter policy is active
2018-11-15 17:01:51,440 - DEBUG
[net.shibboleth.idp.attribute.filter.policyrule.filtercontext.impl.AttributeRequesterPolicyRule:54]
- Attribute Filter
'/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PolicyRequirementRule:_0c5a003c80627339e8c5675d08fe514c':
Found attribute requester: [REDACTED]
2018-11-15 17:01:51,440 - DEBUG
[net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:137] - Attribute
Filter Policy 'foo'  Policy is not active for this request

I compared that with the URL that I got, and found the root cause: wrong
URL for the filter. We had received two URLs, and I picked the one I
thought matched up with the requester. Obviously, got that wrong. :/

Thanks for the DEBUG guidance. It's working now!

-Mike

On Thu, Nov 15, 2018 at 4:33 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> > Thanks, Scott. Which variable [1] do you recommend I set to debug to get
> at
> > this info? It's not clear (to me, at least) which one of these is going
> to provide
> > the debugging info you're thinking of.
>
> General IdP logging categories on DEBUG log attribute resolution
> thoroughly.
>
> -- Scott
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20181116/a99d09f4/attachment.html>

More information about the users mailing list