collaboration@CANARIE

IDP Installer


IDP Installer 2.0.0-CAFbeta2 release

Release Information

This is an incremental update to the IDP-Installer beta release refreshed to ensure proper installation.

The release is managed via GitHub and can also be viewed and retrieved from GitHub here:

https://github.com/canariecaf/idp-installer-CAF/archive/2.0.0-CAFbeta2.zip

Installation documentation: IDP-Installer-InstallationGuide.pdf

Commit Summary

  •  Updated settings to pull Mysql Connection of v5.1.29 instead of 5.1.27 due to broken link to download

Comments

  • Chris Phillips 1823 days ago

    Regarding Empty Attributes for valid signed in users issue.

    For those using the Shibboleth portion of the IdP installer we've identified a case where attribute resolution is not working as expected post install/configuration for this build.

    What happens

    The improper behaviour is not being able to populate attributes for an identity once it has been authenticated.  This is a silent fail scenario due to attribute mappings not matching up correctly.

    There are no errors to either the end user or in the logs, just empty attributes even though the user has successfully signed in.

    How to resolve it

    This problem has been narrowed down to the mapping convention for 'sAMAccountName' and the configuration file /opt/shibboleth-idp/conf/attribute-resolver.xml

    The following changes are being worked into the next update but for those already using this version, the following changes will help attribute resolution to operate as expected.

    To perform the changes, please back up the existing attribute-resolver.xml file and then make the following edits:

    *** Note *** The lines below have 'caftest.canarie.ca' as the scope but you will have your own. The edits are to substitute the sAMAccountName element for uid in the called out lines. This has been bolded to illustrate the difference.

    Line 27 post installation for mapping the account to uid is:

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="samAccountName">

    And should be (note capitalization):

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="sAMAccountName">

    Line 227 post installation for mapping the account to eduPersonPrincipalName is:

    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="caftest.canarie.ca" sourceAttributeID="uid">

    And should be:

    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="caftest.canarie.ca" sourceAttributeID="sAMAccountName">

    Line 391 post installation for looking up the attributes of a user is:

    (uid=$requestContext.principalName)

    And should be:

    (sAMAccountName=$requestContext.principalName)

    Line 430 post installation for generating a persistentID based on an account name is:

    sourceAttributeID="uid"

    And should be:

    sourceAttributeID="sAMAccountName"

    ---------

    Once these changes are done, restart the IdP with:

    service tomcat6 restart

    To test attribute resolution we recommend using the aacli.sh command in the /opt/shibboleth-idp/bin/ directory which is a test harness which does not require you to sign in but exercises the entire attribute mapping and filtering engine.

    For details about aacli.sh see: https://wiki.shibboleth.net/confluence/display/SHIB2/AACLI
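As an added example (not code from the comment above or from the IDP Installer project), a small Python checker that scans an attribute-resolver.xml for the four edits the comment describes and produces the corrected text. The configuration excerpt it runs on is constructed here, its line numbers do not match the installed file, and it assumes (as the comment does) that every sourceAttributeID="uid" is one of the called-out lines.

```python
import re

CANONICAL = "sAMAccountName"

# Patterns for the attributes the post's four edits touch: the
# sourceAttributeID attribute and the LDAP search filter line.
SOURCE_ATTR_RE = re.compile(r'sourceAttributeID="([^"]*)"')
LDAP_FILTER_RE = re.compile(r'\(uid=\$requestContext\.principalName\)')

# Constructed excerpt of a post-install attribute-resolver.xml (not a real
# file; line numbers differ from the installed one). The "mail" definition
# is a control that the checker must leave alone.
SAMPLE_RESOLVER_XML = """\
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="samAccountName">
<resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="caftest.canarie.ca" sourceAttributeID="uid">
        (uid=$requestContext.principalName)
sourceAttributeID="uid"
"""


def check_resolver(text):
    """Return (line_number, message) for every line needing one of the post's
    edits. Lines already using sAMAccountName are not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for value in SOURCE_ATTR_RE.findall(line):
            if value.lower() == CANONICAL.lower() and value != CANONICAL:
                # Silent failure case: right attribute, wrong capitalization.
                findings.append((lineno, f'sourceAttributeID="{value}" has wrong capitalization; use "{CANONICAL}"'))
            elif value == "uid":
                # Assumed (per the post) to be a called-out line sourcing from uid.
                findings.append((lineno, f'sourceAttributeID="uid" should be "{CANONICAL}"'))
        if LDAP_FILTER_RE.search(line):
            findings.append((lineno, f'LDAP filter looks up uid; use ({CANONICAL}=$requestContext.principalName)'))
    return findings


def fix_resolver(text):
    """Apply the post's edits and return the corrected text; id="uid" and
    unrelated sourceAttributeID values are left untouched."""
    def fix_source(m):
        value = m.group(1)
        if value.lower() == CANONICAL.lower() or value == "uid":
            return f'sourceAttributeID="{CANONICAL}"'
        return m.group(0)
    text = SOURCE_ATTR_RE.sub(fix_source, text)
    return LDAP_FILTER_RE.sub(f"({CANONICAL}=$requestContext.principalName)", text)
```

Run check_resolver on the real file before editing and again after fix_resolver, then exercise the result with aacli.sh as the comment recommends.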