We also moved from CAS to Shibboleth recently, and have so far found
one user who could not login after the change. I don't recall the
precise issue, but I would start by comparing the database rows for a
succeeding and a failing user. I had to manually fix the failing
user's EPerson row.
[time passes]
Aha, I found some emails about it.
The problem here was that we had an EPerson with a null 'password'
field (suggesting that it was registered from a CAS login) and also a
null 'netid'. Apparently (a) we didn't capture the netid properly
during registration, and (b) our CAS login provider is able to match
on the email field instead. (I haven't looked into that code yet.)
Shibboleth is sending us email addresses for *some* users, but not
all. I haven't yet found out why. So the Shib provider couldn't
match on email and couldn't match on netid.
What I did was to set the 'netid' for this EPerson to the appropriate
value -- that is: the username portion of the email address. So
email "
jqu...@example.com" => netid "jquser".
--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu