List:       shibboleth-users
Subject:    Re: Error When Using University's Idp
From:       Antelmo Aguilar <Antelmo.Aguilar.17 () nd ! edu>
Date:       2015-06-29 19:35:00
Message-ID: CAKOQVm2y+yeVcm=tFqp1FQbwHLwa=bZV6Mja-Pcf8bzixaXSwg () mail ! gmail ! com

Hi Guys,

Just wanted to let you guys know that I was able to figure out that the
location of the SAML response from the Idp was in the shibd.log.  Looking at
the response, I was able to see that the Idp indeed was not releasing the
attributes to me.  After sending that to the staff that manages the Idp,
they were able to fix the issue and now everything works as expected.

Thank you all for your insight.  It was very helpful and I was able to
learn a lot!

-Antelmo

On Sat, Jun 27, 2015 at 6:26 AM, Nate Klingenstein <ndk@internet2.edu>
wrote:

>  Try turning up shibd.logger's main category to DEBUG and then check file
> e.g. /var/log/shibboleth/shibd.log.
>
>  You might find something useful in the transaction log or others at the
> root category, but I think this is the main way to see the raw content on
> the wire.
>
> Semt frim mt iPone
>
> On Jun 27, 2015, at 0:32, "Antelmo Aguilar" <Antelmo.Aguilar.17@nd.edu>
> wrote:
>
>   Hi all,
>
>  @David - Scott mentioned that there is a query only because the SP does
> not seem to get the attributes during the assertion (which is the
> recommended way of getting them).
>
>  @Scott - Can you tell me where I can modify the logger on the SP side so
> that I can see the assertion after it has been decrypted?  I tried googling
> first and the most relevant thing I could find was a post from another user
> where you were also part of the conversation.  Unfortunately, it seems the
> user was more interested in seeing the values in the Session page so you
> did not provide details on how to change the logger to provide that
> information.
>
>  I have also requested the logs of the Idp from the staff to see if I can
> verify anything on their end.
>
>  Thanks,
> Antelmo
>
>
> On Fri, Jun 26, 2015 at 9:30 PM, Cantor, Scott <cantor.2@osu.edu> wrote:
>
>> > The staff member that manages the Idp tells me that the attributes are
>> > released during the assertion.
>>
>> If that were true, there would be no query.
>>
>> You can dump the assertion after it's been decrypted in the logs with the
>> appropriate adjustments to the logging and make a definitive determination
>> as to what's in it.
>>
>> The IdP also has logs that definitively document what attributes it
>> included.
>>
>> If there's an attribute query attempted, I'm telling you that the IdP did
>> not release any attributes to you. You can believe me, or not, but I wrote
>> the code.
>>
>> -- Scott
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe@shibboleth.net
>>
>

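Added example, not part of the original thread or of the Shibboleth code: once the decrypted SAML message has been copied out of shibd.log at DEBUG, a short script can list exactly which attributes each assertion carries, which is the check that settled this thread. The function names and both XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def released_attributes(xml_text):
    """Map each plaintext assertion ID to the {attribute name: [values]} it carries."""
    root = ET.fromstring(xml_text)
    found = {}
    # iter() also yields the root, so a bare Assertion and a full Response both work.
    for assertion in root.iter("{%s}Assertion" % NS["saml"]):
        attrs = {}
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            name = attr.get("FriendlyName") or attr.get("Name")
            values = [(v.text or "").strip()
                      for v in attr.findall("saml:AttributeValue", NS)]
            attrs.setdefault(name, []).extend(values)
        found[assertion.get("ID")] = attrs
    return found

def diagnose(xml_text):
    """Classify a dump: 'no-plaintext-assertion', 'no-attributes' or 'attributes'."""
    per_assertion = released_attributes(xml_text)
    if not per_assertion:
        return "no-plaintext-assertion"  # e.g. only an EncryptedAssertion was logged
    return "attributes" if any(per_assertion.values()) else "no-attributes"

# Constructed sample: a response whose assertion has no AttributeStatement.
NO_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>_opaque123</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2015-06-26T20:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a bare assertion that does carry an attribute.
WITH_ATTRS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>user@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("NO_ATTRS", NO_ATTRS), ("WITH_ATTRS", WITH_ATTRS)):
        print(label, diagnose(doc), released_attributes(doc))
```

A result of "no-plaintext-assertion" means the logged message is still the encrypted form, so nothing can be concluded about attribute release from it.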