
List:       shibboleth-users
Subject:    Re: Problem releasing more than one scoped value
From:       Chad La Joie <lajoie () itumi ! biz>
Date:       2011-07-28 16:03:41
Message-ID: 4E31885D.7030102 () itumi ! biz

Okay, the fix for this problem has been checked in.  If you need it
immediately you can pull the latest shib-common from SVN.

I'll be doing the build for IdP 2.3.3 this weekend and it will contain
the fix for this and one or two small bugs that were also reported.

On 7/26/11 9:26 AM, Jon Warbrick wrote:
> Unless I'm missing something (which is quite possible), versions of the
> Shib IdP from 2.3.0 onward seem to have a problem releasing more than
> one scoped value with the same 'value' part.
> 
> I would expect the simplified attribute-resolver.xml and
> attribute-filter.xml definitions below to define and release
> 'member@domain1.invalid' and 'member@domain2.invalid', and they do up to
> release 2.2.1. But in releases from 2.3.0 onward I only get
> member@domain1.invalid:
> 
> # aacli.sh --configDir=/opt/stand-alone-shibboleth-idp/conf/
> --principal=jw35
> 
> <?xml version="1.0" encoding="UTF-8"?><saml2:AttributeStatement
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
> <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">member@domain1.invalid</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> 
> There's a copy of the idp-process.log set to DEBUG below.
> 
> Changing one of the 'member's to 'nonmember' causes two values to be
> released:
> 
> <?xml version="1.0" encoding="UTF-8"?><saml2:AttributeStatement
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
> <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
> Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">member@domain1.invalid</saml2:AttributeValue>
> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">nonmember@domain2.invalid</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> 
> Am I going mad, or is this a bug? If so I'll log it, but it's a
> significant problem because it's going to prevent me from deploying
> 2.3.2 which I need to avoid the recent security vulnerability.
> 
> 
> 
> attribute-resolver.xml:
> --cut--
> <?xml version="1.0" encoding="UTF-8"?>
> 
> <resolver:AttributeResolver
> xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
> xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
> xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
> xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
> xmlns:sec="urn:mace:shibboleth:2.0:security"
> xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver
> classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
> 
> urn:mace:shibboleth:2.0:resolver:pc
> classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
> 
> urn:mace:shibboleth:2.0:resolver:ad
> classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
> 
> urn:mace:shibboleth:2.0:resolver:dc
> classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
> 
> urn:mace:shibboleth:2.0:attribute:encoder
> classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
> urn:mace:shibboleth:2.0:security
> classpath:/schema/shibboleth-2.0-security.xsd">
> 
> <resolver:AttributeDefinition xsi:type="ad:Prescoped"
> id="eduPersonScopedAffiliation" sourceAttributeID="testAffiliation">
> <resolver:Dependency ref="test" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
> name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
> name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> friendlyName="eduPersonScopedAffiliation" />
> </resolver:AttributeDefinition>
> 
> <resolver:DataConnector xsi:type="dc:Static"
> xmlns="urn:mace:shibboleth:2.0:resolver:dc"
> id="test">
> <Attribute id="testAffiliation">
> <Value>member@domain1.invalid</Value>
> <Value>member@domain2.invalid</Value>
> </Attribute>
> </resolver:DataConnector>
> 
> </resolver:AttributeResolver>
> --cut--
> 
> 
> 
> attribute-filter.xml
> --cut--
> <?xml version="1.0" encoding="UTF-8"?>
> 
> <afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
> xmlns:afp="urn:mace:shibboleth:2.0:afp"
> 
> xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
> 
> xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
> 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> 
> xsi:schemaLocation="urn:mace:shibboleth:2.0:afp
> classpath:/schema/shibboleth-2.0-afp.xsd
> 
> urn:mace:shibboleth:2.0:afp:mf:basic
> classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
> 
> urn:mace:shibboleth:2.0:afp:mf:saml
> classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
> 
> <afp:AttributeFilterPolicy id="releaseToAnyone">
> 
> <afp:PolicyRequirementRule xsi:type="basic:ANY" />
> 
> <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> 
> </afp:AttributeFilterPolicy>
> 
> </afp:AttributeFilterPolicyGroup>
> --cut--
> 
> 
> 
> idp-process.log:
> --cut--
> 14:19:42.759 - INFO
> [edu.internet2.middleware.shibboleth.common.config.attribute.filtering.ShibbolethAttributeFilteringEngineBeanDefinitionParser:54]
>                 
> - Parsing configuration for attribute filtering engine
> shibboleth.AttributeFilterEngine
> 14:19:44.029 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.OpensamlConfigBean:80] -
> Loading OpenSAML configuration file:
> jar:file:/opt/stand-alone-shibboleth-idp/lib/shibboleth-common-1.3.2.jar!/shibboleth-saml-ext-config.xml
>  
> 14:19:44.085 - WARN
> [edu.internet2.middleware.shibboleth.common.config.service.ServletContextAttributeExporter:74]
>                 
> - This service may only be used when services are loaded within a web
> application context.
> 14:19:44.092 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.BaseReloadableService:136]
> - Initializing shibboleth.AttributeResolver service with resources:
> [/opt/stand-alone-shibboleth-idp/conf/attribute-resolver.xml]
> 14:19:44.092 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:158] -
> Loading new configuration for service shibboleth.AttributeResolver
> 14:19:44.135 - INFO
> [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55]
>                 
> - Parsing configuration for DataConnector plugin with ID: test
> 14:19:44.135 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:65]
>                 
> - Dependencies for plugin test: none
> 14:19:44.143 - INFO
> [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55]
>                 
> - Parsing configuration for AttributeDefinition plugin with ID:
> eduPersonScopedAffiliation
> 14:19:44.143 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:62]
>                 
> - Dependencies for plugin eduPersonScopedAffiliation: [test]
> 14:19:44.143 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.BaseAttributeDefinitionBeanDefinitionParser:58]
>                 
> - Setting source attribute ID for attribute definition
> eduPersonScopedAffiliation to: testAffiliation
> 14:19:44.143 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.BaseAttributeDefinitionBeanDefinitionParser:82]
>                 
> - Attribute definition eduPersonScopedAffiliation produces attributes
> that are only dependencies: false
> 14:19:44.150 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.PrescopedAttributeDefinitionBeanDefinitionParser:54]
>                 
> - Setting scope delimiter of attribute definition
> eduPersonScopedAffiliation to: @
> 14:19:44.175 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:503]
>                 
> - Loading 1 data connectors
> 14:19:44.175 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:513]
>                 
> - Loading 1 attribute definitions
> 14:19:44.175 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:523]
>                 
> - Loading 0 principal connectors
> 14:19:44.176 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:180] -
> shibboleth.AttributeResolver service loaded new configuration
> 14:19:44.181 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.BaseReloadableService:136]
> - Initializing shibboleth.AttributeFilterEngine service with resources:
> [/opt/stand-alone-shibboleth-idp/conf/attribute-filter.xml]
> 14:19:44.181 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:158] -
> Loading new configuration for service shibboleth.AttributeFilterEngine
> 14:19:44.198 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyGroupBeanDefinitionParser:64]
>                 
> - Parsing attribute filter policy group ShibbolethFilterPolicy
> 14:19:44.198 - INFO
> [edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyBeanDefinitionParser:72]
>                 
> - Parsing configuration for attribute filter policy releaseToAnyone
> 14:19:44.262 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:180] -
> shibboleth.AttributeFilterEngine service loaded new configuration
> 14:19:44.265 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:158] -
> Loading new configuration for service shibboleth.SAML1AttributeAuthority
> 14:19:44.271 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:158] -
> Loading new configuration for service shibboleth.SAML2AttributeAuthority
> 14:19:44.276 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.BaseReloadableService:136]
> - Initializing shibboleth.RelyingPartyConfigurationManager service with
> resources: [/opt/stand-alone-shibboleth-idp/conf/relying-party.xml]
> 14:19:44.277 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:158] -
> Loading new configuration for service
> shibboleth.RelyingPartyConfigurationManager
> 14:19:44.344 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.BaseMetadataProviderBeanDefinitionParser:42]
>                 
> - Parsing configuration for 'ChainingMetadataProvider' metadata provider
> with ID: ShibbolethMetadata
> 14:19:44.344 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.BaseMetadataProviderBeanDefinitionParser:46]
>                 
> - Metadata provider requires valid metadata: true
> 14:19:44.346 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.BaseMetadataProviderBeanDefinitionParser:42]
>                 
> - Parsing configuration for 'ResourceBackedMetadataProvider' metadata
> provider with ID: IdPMD
> 14:19:44.346 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.BaseMetadataProviderBeanDefinitionParser:46]
>                 
> - Metadata provider requires valid metadata: true
> 14:19:44.346 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractMetadataProviderBeanDefinitionParser:41]
>                 
> - Metadata provider using parser pool: shibboleth.ParserPool
> 14:19:44.347 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractMetadataProviderBeanDefinitionParser:45]
>                 
> - Metadata provider fail fast initialization enabled: true
> 14:19:44.347 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser:44]
>                 
> - Metadata provider using task timer: shibboleth.TaskTimer
> 14:19:44.347 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser:48]
>                 
> - Metadata provider refresh delay factor: 0.75
> 14:19:44.347 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser:52]
>                 
> - Metadata provider min refresh delay: 300000ms
> 14:19:44.348 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser:56]
>                 
> - Metadata provider max refresh delay: 14400000ms
> 14:19:44.348 - INFO
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:73]
>                 
> - Parsing configuration for relying party with id: anonymous
> 14:19:44.349 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:77]
>                 
> - Relying party configuration - provider ID:
> https://idp.example.org/idp/shibboleth
> 14:19:44.349 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:82]
>                 
> - Relying party configuration - default authentication method: null
> 14:19:44.349 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:88]
>                 
> - Relying party configuration - default signing credential: IdPCredential
> 14:19:44.349 - INFO
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:73]
>                 
> - Parsing configuration for relying party with id: default
> 14:19:44.349 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:77]
>                 
> - Relying party configuration - provider ID:
> https://idp.example.org/idp/shibboleth
> 14:19:44.350 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:82]
>                 
> - Relying party configuration - default authentication method: null
> 14:19:44.350 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:88]
>                 
> - Relying party configuration - default signing credential: IdPCredential
> 14:19:44.350 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:102]
>                 
> - Relying party configuration - 7 profile configurations
> 14:19:44.377 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.AbstractX509CredentialBeanDefinitionParser:63]
>                 
> - Parsing configuration for X509Filesystem credential with id:
> IdPCredential
> 14:19:44.377 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.AbstractCredentialBeanDefinitionParser:91]
>                 
> - Parsing credential key names
> 14:19:44.377 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.AbstractCredentialBeanDefinitionParser:121]
>                 
> - Parsing credential private key
> 14:19:44.657 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.AbstractX509CredentialBeanDefinitionParser:89]
>                 
> - Parsing x509 credential certificates
> 14:19:44.685 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ChainingSignatureTrustEngineBeanDefinitionParser:59]
>                 
> - Parsing configuration for SignatureChaining trust engine with id:
> shibboleth.SignatureTrustEngine
> 14:19:44.685 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ChainingSignatureTrustEngineBeanDefinitionParser:68]
>                 
> - Parsing chain trust engine member shibboleth.SignatureTrustEngine
> 14:19:44.686 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.MetadataExplicitKeySignatureTrustEngineBeanDefinitionParser:50]
>                 
> - Parsing configuration for MetadataExplicitKeySignature trust engine
> with id: shibboleth.SignatureMetadataExplicitKeyTrustEngine
> 14:19:44.686 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ChainingSignatureTrustEngineBeanDefinitionParser:68]
>                 
> - Parsing chain trust engine member shibboleth.SignatureTrustEngine
> 14:19:44.686 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.MetadataPKIXSignatureTrustEngineBeanDefinitionParser:52]
>                 
> - Parsing configuration for MetadataPKIXSignature trust engine with id:
> shibboleth.SignatureMetadataPKIXTrustEngine
> 14:19:44.688 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ChainingTrustEngineBeanDefinitionParser:59]
>                 
> - Parsing configuration for Chaining trust engine with id:
> shibboleth.CredentialTrustEngine
> 14:19:44.688 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ChainingTrustEngineBeanDefinitionParser:68]
>                 
> - Parsing chain trust engine member shibboleth.CredentialTrustEngine
> 14:19:44.688 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.MetadataExplicitKeyTrustEngineBeanDefinitionParser:48]
>                 
> - Parsing configuration for MetadataExplicitKey trust engine with id:
> shibboleth.CredentialMetadataExplictKeyTrustEngine
> 14:19:44.689 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ChainingTrustEngineBeanDefinitionParser:68]
>                 
> - Parsing chain trust engine member shibboleth.CredentialTrustEngine
> 14:19:44.689 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.MetadataPKIXX509CredentialTrustEngineBeanDefinitionParser:52]
>                 
> - Parsing configuration for MetadataPKIXX509Credential trust engine with
> id: shibboleth.CredentialMetadataPKIXTrustEngine
> 14:19:44.690 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59]
>                 
> - Parsing configuration for SecurityPolicyType security policy with id:
> shibboleth.ShibbolethSSOSecurityPolicy
> 14:19:44.690 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:63]
>                 
> - Configuring security policy: shibboleth.ShibbolethSSOSecurityPolicy
> 14:19:44.695 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59]
>                 
> - Parsing configuration for SecurityPolicyType security policy with id:
> shibboleth.SAML1AttributeQuerySecurityPolicy
> 14:19:44.695 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:63]
>                 
> - Configuring security policy: shibboleth.SAML1AttributeQuerySecurityPolicy
> 14:19:44.698 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59]
>                 
> - Parsing configuration for SecurityPolicyType security policy with id:
> shibboleth.SAML1ArtifactResolutionSecurityPolicy
> 14:19:44.699 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:63]
>                 
> - Configuring security policy:
> shibboleth.SAML1ArtifactResolutionSecurityPolicy
> 14:19:44.700 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59]
>                 
> - Parsing configuration for SecurityPolicyType security policy with id:
> shibboleth.SAML2SSOSecurityPolicy
> 14:19:44.700 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:63]
>                 
> - Configuring security policy: shibboleth.SAML2SSOSecurityPolicy
> 14:19:44.702 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59]
>                 
> - Parsing configuration for SecurityPolicyType security policy with id:
> shibboleth.SAML2AttributeQuerySecurityPolicy
> 14:19:44.702 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:63]
>                 
> - Configuring security policy: shibboleth.SAML2AttributeQuerySecurityPolicy
> 14:19:44.704 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59]
>                 
> - Parsing configuration for SecurityPolicyType security policy with id:
> shibboleth.SAML2ArtifactResolutionSecurityPolicy
> 14:19:44.704 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:63]
>                 
> - Configuring security policy:
> shibboleth.SAML2ArtifactResolutionSecurityPolicy
> 14:19:44.705 - INFO
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59]
>                 
> - Parsing configuration for SecurityPolicyType security policy with id:
> shibboleth.SAML2SLOSecurityPolicy
> 14:19:44.705 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:63]
>                 
> - Configuring security policy: shibboleth.SAML2SLOSecurityPolicy
> 14:19:45.013 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:180] -
> shibboleth.RelyingPartyConfigurationManager service loaded new
> configuration
> 14:19:45.018 - DEBUG
> [edu.internet2.middleware.shibboleth.common.config.BaseReloadableService:136]
> - Initializing shibboleth.HandlerManager service with resources:
> [/opt/stand-alone-shibboleth-idp/conf/handler.xml]
> 14:19:45.018 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:158] -
> Loading new configuration for service shibboleth.HandlerManager
> 14:19:45.033 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.ProfileHandlerGroupBeanDefinitionParser:50]
>                 
> - 1 error handler definitions found
> 14:19:45.034 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.JSPErrorHandlerBeanDefinitionParser:46]
>                 
> - Parsing configuration for JSP error handler.
> 14:19:45.034 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.ProfileHandlerGroupBeanDefinitionParser:54]
>                 
> - 12 profile handler definitions found
> 14:19:45.035 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: Status
> 14:19:45.035 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAMLMetadata
> 14:19:45.039 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: ShibbolethSSO
> 14:19:45.039 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML1AttributeQuery
> 14:19:45.040 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML1ArtifactResolution
> 14:19:45.043 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML2SSO
> 14:19:45.043 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML2SSO
> 14:19:45.043 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML2SSO
> 14:19:45.043 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML2SSO
> 14:19:45.044 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML2ECP
> 14:19:45.045 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML2AttributeQuery
> 14:19:45.046 - INFO
> [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43]
>                 
> - Parsing configuration for profile handler: SAML2ArtifactResolution
> 14:19:45.046 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.ProfileHandlerGroupBeanDefinitionParser:58]
>                 
> - 2 login handler definitions found
> 14:19:45.047 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.authn.AbstractLoginHandlerBeanDefinitionParser:44]
>                 
> - Parsing configuration for RemoteUser authentication handler.
> 14:19:45.047 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.authn.AbstractLoginHandlerBeanDefinitionParser:51]
>                 
> - Authentication duration: 1800000ms
> 14:19:45.047 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.authn.AbstractLoginHandlerBeanDefinitionParser:60]
>                 
> - Authentication handler declared support for authentication method
> urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
> 14:19:45.048 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.authn.AbstractLoginHandlerBeanDefinitionParser:44]
>                 
> - Parsing configuration for PreviousSession authentication handler.
> 14:19:45.048 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.authn.AbstractLoginHandlerBeanDefinitionParser:51]
>                 
> - Authentication duration: 1800000ms
> 14:19:45.048 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.config.profile.authn.AbstractLoginHandlerBeanDefinitionParser:60]
>                 
> - Authentication handler declared support for authentication method
> urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
> 14:19:45.147 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:125]
> - shibboleth.HandlerManager: Loading new configuration into service
> 14:19:45.147 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:149]
> - shibboleth.HandlerManager: Loading 1 new error handler.
> 14:19:45.148 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:152]
> - shibboleth.HandlerManager: Loaded new error handler of type:
> edu.internet2.middleware.shibboleth.common.profile.provider.JSPErrorHandler
> 14:19:45.148 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:162]
> - shibboleth.HandlerManager: Loading 12 new profile handlers.
> 14:19:45.148 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /Status
> 14:19:45.148 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /Metadata/SAML
> 14:19:45.148 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /Shibboleth/SSO
> 14:19:45.148 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML1/SOAP/AttributeQuery
> 14:19:45.148 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML1/SOAP/ArtifactResolution
> 14:19:45.149 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML2/POST/SSO
> 14:19:45.149 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML2/POST-SimpleSign/SSO
> 14:19:45.149 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML2/Redirect/SSO
> 14:19:45.149 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML2/Unsolicited/SSO
> 14:19:45.149 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML2/SOAP/ECP
> 14:19:45.149 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML2/SOAP/AttributeQuery
> 14:19:45.149 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:170]
> - shibboleth.HandlerManager: Loaded profile handler for handling
> requests to request path /SAML2/SOAP/ArtifactResolution
> 14:19:45.149 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:183]
> - shibboleth.HandlerManager: Loading 2 new authentication handlers.
> 14:19:45.150 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:189]
> - shibboleth.HandlerManager: Loading authentication handler of type
> supporting authentication methods:
> [urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified]
> 14:19:45.150 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:189]
> - shibboleth.HandlerManager: Loading authentication handler of type
> supporting authentication methods:
> [urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession]
> 14:19:45.150 - INFO
> [edu.internet2.middleware.shibboleth.common.config.BaseService:180] -
> shibboleth.HandlerManager service loaded new configuration
> 14:19:45.150 - WARN
> [edu.internet2.middleware.shibboleth.common.config.service.ServletContextAttributeExporter:74]
>                 
> - This service may only be used when services are loaded within a web
> application context.
> 14:19:45.152 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119]
>                 
> - shibboleth.AttributeResolver resolving attributes for principal jw35
> 14:19:45.152 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275]
>                 
> - Specific attributes for principal jw35 were not requested, resolving
> all attributes.
> 14:19:45.153 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314]
>                 
> - Resolving attribute eduPersonScopedAffiliation for principal jw35
> 14:19:45.153 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354]
>                 
> - Resolving data connector test for principal jw35
> 14:19:45.154 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336]
>                 
> - Resolved attribute eduPersonScopedAffiliation containing 2 values
> 14:19:45.154 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137]
>                 
> - shibboleth.AttributeResolver resolved, for principal jw35, the
> attributes: [eduPersonScopedAffiliation]
> 14:19:45.155 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71]
>                 
> - shibboleth.AttributeFilterEngine filtering 1 attributes for principal
> jw35
> 14:19:45.155 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:129]
>                 
> - Evaluating if filter policy releaseToAnyone is active for principal jw35
> 14:19:45.156 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:138]
>                 
> - Filter policy releaseToAnyone is active for principal jw35
> 14:19:45.156 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
>                 
> - Processing permit value rule for attribute eduPersonScopedAffiliation
> for principal jw35
> 14:19:45.156 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:113]
>                 
> - Filtered attributes for principal jw35.  The following attributes
> remain: [eduPersonScopedAffiliation]
> 14:19:45.157 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:215]
>                 
> - Encoded attribute eduPersonScopedAffiliation with encoder of type
> edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2ScopedStringAttributeEncoder
>  
> --cut--
> 
> Jon.
> 

-- 
Chad La Joie
http://itumi.biz
trusted identities, delivered
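
As an added example (not part of the original messages or of the Shibboleth code base): a Python check an operator could run after upgrading, comparing the values configured in a dc:Static connector with the AttributeStatement that aacli.sh prints, so that a silently dropped scoped value is caught before relying parties see it. The function names and the trimmed sample documents are constructed for illustration from the configuration and output quoted in the report.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DC_NS = "urn:mace:shibboleth:2.0:resolver:dc"

# Constructed sample: the static connector from the report, trimmed.
RESOLVER_XML = """
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc">
  <resolver:DataConnector xsi:type="dc:Static"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc" id="test">
    <Attribute id="testAffiliation">
      <Value>member@domain1.invalid</Value>
      <Value>member@domain2.invalid</Value>
    </Attribute>
  </resolver:DataConnector>
</resolver:AttributeResolver>
"""

# Constructed sample: the aacli.sh output reported for 2.3.0 onward, trimmed.
AACLI_OUTPUT = """
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml2:AttributeValue>member@domain1.invalid</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""


def _parse(text):
    # Inputs are the operator's own config and tool output, not untrusted XML.
    return ET.fromstring(text.strip().encode("utf-8"))


def static_values(resolver_xml, attribute_id):
    """Values configured for attribute_id in the dc:Static connector(s)."""
    values = []
    for attr in _parse(resolver_xml).iter(f"{{{DC_NS}}}Attribute"):
        if attr.get("id") == attribute_id:
            for value in attr.findall(f"{{{DC_NS}}}Value"):
                if value.text and value.text.strip():
                    values.append(value.text.strip())
    return values


def released_values(statement_xml, friendly_name):
    """AttributeValue strings released for the named SAML 2 attribute."""
    values = []
    for attr in _parse(statement_xml).iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("FriendlyName") == friendly_name:
            for value in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values


def dropped_values(expected, released):
    """Expected values with no counterpart in the released list (multiset diff)."""
    remaining = Counter(released)
    missing = []
    for value in expected:
        if remaining[value] > 0:
            remaining[value] -= 1
        else:
            missing.append(value)
    return missing


def shared_value_parts(values, delimiter="@"):
    """Value parts that occur under more than one scope: the reported trigger.

    Assumption: the scope is whatever follows the last delimiter.
    """
    scopes = {}
    for value in values:
        part, sep, scope = value.rpartition(delimiter)
        if sep and scope not in scopes.setdefault(part, []):
            scopes[part].append(scope)
    return {part: found for part, found in scopes.items() if len(found) > 1}


if __name__ == "__main__":
    expected = static_values(RESOLVER_XML, "testAffiliation")
    released = released_values(AACLI_OUTPUT, "eduPersonScopedAffiliation")
    print("value parts with several scopes:", shared_value_parts(expected))
    print("configured but not released:", dropped_values(expected, released))
```

In practice the second document would be the captured output of aacli.sh for a test principal, checked again once the fixed build is installed.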
