Shibboleth problems

[Keith Jones]

Hi,

I've recently set up shibboleth on my institutional repository to do
authentication. Previously authentication was done via CAS. I'm
running into the following problem, I am getting some accounts that
authenticate without problem but also have other existing accounts
that fail and I'm not able to get new accounts to be created.

Have others run into the same issue?

Keith

[Mark H. Wood]

We also moved from CAS to Shibboleth recently, and have so far found
one user who could not login after the change. I don't recall the
precise issue, but I would start by comparing the database rows for a
succeeding and a failing user. I had to manually fix the failing
user's EPerson row.

[time passes]

Aha, I found some emails about it.

The problem here was that we had an EPerson with a null 'password'
field (suggesting that it was registered from a CAS login) and also a
null 'netid'. Apparently (a) we didn't capture the netid properly
during registration, and (b) our CAS login provider is able to match
on the email field instead. (I haven't looked into that code yet.)

Shibboleth is sending us email addresses for *some* users, but not
all. I haven't yet found out why. So the Shib provider couldn't
match on email and couldn't match on netid.

What I did was to set the 'netid' for this EPerson to the appropriate
value -- that is: the username portion of the email address. So
email "jqu...@example.com" => netid "jquser".

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu