[Shib-Users] Facing problem with StoredId Principal Connector and REMOTE_USER variable


Shriram

Oct 7, 2008, 9:16:38 AM10/7/08
to shibbole...@internet2.edu

Hello Friends,

I have deployed Shibboleth 2: IDP and SP.

I have configured attribute-resolver.xml file as follows:

    <resolver:AttributeDefinition id="persistentId" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:Dependency ref="PIDConnector" />
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
    </resolver:AttributeDefinition>

    <resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                            id="PIDConnector"
                            sourceAttributeID="uid" generatedAttributeID="persistentId"
                            salt="adfgdhjtyurhkldvcvbnterfdhklfofefdjfkcmxcgdbfksdacergfthvbcndkolhjyurecsvcnvjdopegfbxvsddg">
        <resolver:Dependency ref="uid" />
        <ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver" jdbcURL="jdbc:mysql://server:3306/userdb" jdbcUserName="user" jdbcPassword="password" />
    </resolver:DataConnector>

    <resolver:PrincipalConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:pc" id="saml2Persistent" storedIdDataConnectorRef="PIDConnector"
                                 nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />


When I mention the above Principal Connector, I get the following error. The IDP doesn't start properly. I checked the syntax and it obeys the schema. Is this type of Principal Connector supported in Shibboleth 2.0?

17:46:33.734 ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.  The root cause of this error was: Cannot locate BeanDefinitionParser for element: {urn:mace:shibboleth:2.0:resolver}PrincipalConnector
17:46:33.734 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[pf-idp.prodomain.com].[/idp]:3768] - Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.AttributeResolver': Invocation of init method failed; nested exception is edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:353)
            Caused by: edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.

2. Also, even though the SP receives all requested attributes, still REMOTE_USER variable remains empty, at the application side. I have configured this property in Shibboleth.xml:

    REMOTE_USER="uid". Using headers to pass attributes to application.

    I receive this attribute from IDP but REMOTE_USER remains empty. How to resolve this?

 

3. Are the attribute-resolver.xml and attribute-filter.xml files, on IDP side, dynamically re-loadable? I have to keep restarting the IDP container to make the changes effective. Hence asking.

 

 

Please help.

Looking forward to your reply.

 

Regards,

Shriram.

 


Scott Cantor

Oct 7, 2008, 9:28:29 AM10/7/08
to shibbole...@internet2.edu
> 2. Also, even though the SP receives all requested attributes, still
> REMOTE_USER variable remains empty, at the application side. I have
> configured this property in Shibboleth.xml .
>
> REMOTE_USER="uid". Using headers to pass attributes to application.
>
> I receive this attribute from IDP but REMOTE_USER remains empty. How to
> resolve this?

Either you're wrong about that, or you're using something like Tomcat on the
SP side and not allowing Apache to pass in REMOTE_USER to it.

Check the transaction log and see if you actually have a cached uid
attribute for the session.

-- Scott
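Scott's check above, as an added example that is not part of the thread: a small Python routine over constructed transaction.log lines (the line shape is assumed from the SP 2.x transaction log; session IDs, entityID and timestamps are made up) that lists which attributes were cached per session and flags sessions where none of the attribute IDs named in the SP's REMOTE_USER setting was cached, which is the case where no header setup can make REMOTE_USER non-empty.

```python
import re

# Constructed sample lines in the style of a Shibboleth SP 2.x transaction.log.
# Session IDs, IdP entityID, client address and timestamps are made up.
SAMPLE_LOG = (
    "2008-10-07 15:16:38 INFO Shibboleth-TRANSACTION [3]: New session (ID: _a1b2c3) with (applicationId: default) "
    "for principal from (IdP: https://idp.example.org/idp/shibboleth) at (ClientAddress: 192.0.2.10) "
    "with (NameIdentifier: none) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _e5f6)\n"
    "2008-10-07 15:16:38 INFO Shibboleth-TRANSACTION [3]: Cached the following attributes with session (ID: _a1b2c3) for (applicationId: default) {\n"
    "2008-10-07 15:16:38 INFO Shibboleth-TRANSACTION [3]: \teppn (1 values)\n"
    "2008-10-07 15:16:38 INFO Shibboleth-TRANSACTION [3]: \taffiliation (2 values)\n"
    "2008-10-07 15:16:38 INFO Shibboleth-TRANSACTION [3]: }\n"
    "2008-10-07 15:20:01 INFO Shibboleth-TRANSACTION [4]: Cached the following attributes with session (ID: _d4e5f6) for (applicationId: default) {\n"
    "2008-10-07 15:20:01 INFO Shibboleth-TRANSACTION [4]: \tuid (1 values)\n"
    "2008-10-07 15:20:01 INFO Shibboleth-TRANSACTION [4]: }\n"
)

_CACHE_START = re.compile(r"Cached the following attributes with session \(ID: (?P<sid>\S+)\)")
_ATTR_LINE = re.compile(r"Shibboleth-TRANSACTION \[\d+\]:\s+(?P<name>[\w.-]+) \((?P<n>\d+) values\)")
_CACHE_END = re.compile(r"Shibboleth-TRANSACTION \[\d+\]:\s+\}")


def cached_attributes(log_text):
    """Return {session ID: {attribute ID: value count}} for every
    'Cached the following attributes' block found in the log text."""
    sessions = {}
    current = None
    for line in log_text.splitlines():
        start = _CACHE_START.search(line)
        if start:
            current = start.group("sid")
            sessions[current] = {}
            continue
        if current is None:
            continue  # not inside a cached-attributes block
        if _CACHE_END.search(line):
            current = None
            continue
        attr = _ATTR_LINE.search(line)
        if attr:
            sessions[current][attr.group("name")] = int(attr.group("n"))
    return sessions


def sessions_missing_remote_user(sessions, remote_user_ids=("uid",)):
    """Session IDs where no attribute listed in the SP's REMOTE_USER setting
    (space-separated IDs in shibboleth2.xml; here the poster's "uid") was cached."""
    return sorted(sid for sid, attrs in sessions.items()
                  if not any(attrs.get(a, 0) > 0 for a in remote_user_ids))
```

If a session shows up here, the attribute never reached the SP's cache, so the fix is on the IdP release/filter side; if it does not, look at the Apache-to-container hand-off Scott mentions.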


Peter Schober

Oct 10, 2008, 7:52:41 AM10/10/08
to shibbole...@internet2.edu
* Shriram <shriram_...@persistent.co.in> [2008-10-07 15:16]:

> 3. Are the attribute-resolver.xml and attribute-filter.xml files ,on
> IDP side, dynamically re-loadable ? I have to keep restarting the
> IDP container to make the changes effective. Hence asking.

Not by default. See the docs for enabling this:
https://spaces.internet2.edu/display/SHIB2/IdPConfigConfig
or just reload the app (via tomcat manager) until you run out of
permgen space and then restart tomcat ;)

cheers
-peter

--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
