Issue with upgrade 3.3 to 4.1 no attributes released
Powell, Keith A
PowellKeithA at uams.edu
Wed Nov 10 20:31:10 UTC 2021
Thanks for your response. I will say we did upgrade 3.3 -> 3.4.8 and that seemed to go ok and tested out. It's when we make the jump to 4.0 that things start to go wrong and it stops working. I went ahead and upgraded that to 4.1 since the warnings I see on the IDP side were nothing to worry about.
I will say the issue is not with CAS specifically. Basically we cannot finish the authentication to any endpoint. Each tested endpoint says the IDP is not sending attributes after the move from 3.4.8 to 4.0.
My intention is to start with a fresh IDP against the warnings in the upgrade documentation because my configuration is not that complex. But something in the IDP is certainly not working right after the upgrade; I can't place it or find relevant documentation or internet searches based on behavior and logs.
On 11/10/21, 2:17 PM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:
If you saw the IdP log that it released attributes (i.e. the audit log), then an SP saying they weren't there is not convincing evidence of anything. So I don't know that that's accurate at least for SAML. CAS has other complications and if it's as broken as you claim then you have some borked stuff and probably need to revert to vanilla CAS state to compare settings.
And furthermore, no SP is going to just generate invalid messages or direct them to the wrong place unless you fundamentally change the internet presence of the system and break/change the metadata they're given. Wrong endpoint, that kind of thing. Whatever is happening with Elsevier has nothing directly to do with an upgrade, it's whatever accompanied the upgrade or is a red herring.
If you can't debug the system or have access to skilled help, then you're probably better off doing the thing we warn against and starting somewhat fresh, at least in testing. At least attempting to get to a working state for some of the same use cases might allow one to compare the logs and config between the two to better understand what was broken and perhaps repair it on the upgraded system.
Another possibility is to take the extra time to hop through 3.4 since that's much closer to 3.3 and has the warnings about things that need to be changed for 4.0 included.
That's not "normal" as an approach but routine issues are out of scope for me on list for non-members. This is just my general advice in lieu of simply not even responding as I have been (not) doing more frequently, and hopefully does not offend as it seems to for so many.
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw