Internet2
Displaying 369 issues at 11/Feb/13 2:01 AM.
          Project           Key                  Summary            Issue Type    Status   Priority     Resolution
Shibboleth IdP 2 - Java SIDP-493 can not create /profile/Status   Bug            Open      Minor    Unresolved




                                                                                                                     1 of 748
Shibboleth IdP 2 - Java   SIDP-492 bin/version causes exception                 Bug           Open     Trivial   Unresolved




Shibboleth IdP 2 - Java   SIDP-491 Stylesheet link in login.jsp is not inside   Bug           Open     Trivial   Unresolved
                                   the head tag


Shibboleth IdP 2 - Java   SIDP-489 Typos in the idpui.tld                       Improvement   Resolved Minor     Fixed



Shibboleth IdP 2 - Java   SIDP-488 PeerEntityId property not set on SAML        Bug           Closed   Major     Fixed
                                   queries




                                                                                                                              2 of 748
Shibboleth IdP 2 - Java   SIDP-487 More login.jsp changes                     Improvement   Closed    Minor    Fixed




Shibboleth IdP 2 - Java   SIDP-486 login.jsp page contains this helper text   Bug           Resolved Trivial   Fixed
                                   "This login page is an example and
                                   should be customized. Refer to the
                                   documentation." The link on the word
                                   documentation takes the user to the
                                   spaces wiki.
Shibboleth IdP 2 - Java   SIDP-485 idpui tags for images do not create the    Bug           Closed    Minor    Fixed
                                   "alt" attribute.




                                                                                                                       3 of 748
Shibboleth IdP 2 - Java   SIDP-484 Login stops at AuthnEngine with an   Bug   Closed   Major   Fixed
                                   empty page




                                                                                                       4 of 748
Shibboleth IdP 2 - Java   SIDP-483 Log Completed, Unencrypted SAML           New Feature   Closed   Minor   Fixed
                                   Assertion




Shibboleth IdP 2 - Java   SIDP-482 JSP pages should HTML-encode any          Improvement   Closed   Minor   Fixed
                                   strings they handle




Shibboleth IdP 2 - Java   SIDP-480 Update POM to add plugin versions, use Task             Closed   Major   Fixed
                                   / publish to Shib.net Repo, and attach
                                   generated source and Javadocs

Shibboleth IdP 2 - Java   SIDP-478 ECP profile support                       New Feature   Closed   Major   Fixed




Shibboleth IdP 2 - Java   SIDP-477 Need to move references to the i2          Bug          Closed   Major   Fixed
                                   spaces wiki to be to the shibbolet.net one




                                                                                                                    5 of 748
Shibboleth IdP 2 - Java   SIDP-476 NullPointerException when mapping null Bug   Closed   Minor   Duplicate
                                   values returned from RDBMS query




Shibboleth IdP 2 - Java   SIDP-475 Better login page for IdP             Task   Closed   Minor   Fixed




                                                                                                             6 of 748
Shibboleth IdP 2 - Java   SIDP-474 NPE in taglib processing               Bug    Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-473 Sample login page should exploit the   Task   Closed   Minor   Fixed
                                   MDUI tags




Shibboleth IdP 2 - Java   SIDP-471 Taglibs appear to be caching SP        Bug    Resolved Blocker Fixed
                                   information...




                                                                                                          7 of 748
Shibboleth IdP 2 - Java   SIDP-470 Uptime in ms is demoralizing   Improvement   Closed   Trivial   Won't Fix




Shibboleth IdP 2 - Java   SIDP-469 eduPersonTargetedID Could Be   Improvement   Closed   Trivial   Fixed
                                   Separately Commented




                                                                                                               8 of 748
Shibboleth IdP 2 - Java   SIDP-468 Supply taglibs with IdP 2.3 to allow    New Feature   Closed   Minor   Fixed
                                   easier access to display informatiomn
                                   gleaned from the metadata




Shibboleth IdP 2 - Java   SIDP-466 IdP22Upgrade documentation in unclear Documentation   Closed   Minor   Fixed
                                   regarding "Changes in Principal Name
                                   Returned from Authentication"




                                                                                                                  9 of 748
Shibboleth IdP 2 - Java   SIDP-465 A FailoverDataConnector for the Stored   Improvement     Closed   Minor   Invalid
                                   ID Data Connector




Shibboleth IdP 2 - Java   SIDP-464 An SPNameQualifier in NameIDPolicy       Bug             Closed   Minor   Fixed
                                   always treated as an affiliation




Shibboleth IdP 2 - Java   SIDP-463 Adjustments to the default format for idp- Improvement   Closed   Minor   Won't Fix
                                   process.log entries




                                                                                                                         10 of 748
Shibboleth IdP 2 - Java   SIDP-462 Add a separate (non install) "Keygen"   New Feature   Closed   Minor   Duplicate
                                   capability to IdP




                                                                                                                      11 of 748
Shibboleth IdP 2 - Java   SIDP-461 Add legacy Shib SSO protocol as          New Feature   Closed   Major   Fixed
                                   binding for IdP-initiated SSO for SAML
                                   2.0




Shibboleth IdP 2 - Java   SIDP-460 Add AuthenticatingAuthority support to   Improvement   Closed   Minor   Won't Fix
                                   login context API




                                                                                                                       12 of 748
Shibboleth IdP 2 - Java   SIDP-457 would be nice to include displayName in Improvement        Closed   Minor   Fixed
                                   default attribute resolver




Shibboleth IdP 2 - Java   SIDP-456 Specifying the metadata refresh interval   Documentation   Closed   Minor   Invalid




                                                                                                                         13 of 748
Shibboleth IdP 2 - Java   SIDP-455 Better error message in case of ACS    Improvement   Closed   Minor   Invalid
                                   mismatch (metadata vs shire parameter)




Shibboleth IdP 2 - Java   SIDP-453 Session inactivity timeout being treated   Bug       Closed   Minor   Fixed
                                   as a hard expiration time




                                                                                                                   14 of 748
Shibboleth IdP 2 - Java   SIDP-452 Facilitate replay detection to Shibboleth   Improvement   Closed   Minor   Completed
                                   SSO




                                                                                                                          15 of 748
Shibboleth IdP 2 - Java   SIDP-450 NPE with AttributeQueryProfile when     Bug   Closed   Minor   Fixed
                                   there are errors resolving attributes




                                                                                                          16 of 748
Shibboleth IdP 2 - Java   SIDP-449 AttributeFilterPolicy AttributeRule for   Bug   Closed   Major   Duplicate
                                   scoped Attribute not working




                                                                                                                17 of 748
Shibboleth IdP 2 - Java   SIDP-448 Create a login handler that provides   Improvement   Closed   Minor   Fixed
                                   authn "state" data to an external
                                   authentication system and has that
                                   system authenticate the user.




Shibboleth IdP 2 - Java   SIDP-447 Fix for SIDP-417 missed                Bug           Closed   Minor   Fixed
                                   RemoteUserLoginHandler




                                                                                                                 18 of 748
Shibboleth IdP 2 - Java   SIDP-446 cuncurrent multi tab login   Improvement   Closed   Minor   Won't Fix




                                                                                                           19 of 748
Shibboleth IdP 2 - Java   SIDP-444 default attribute definitions for some   Bug   Closed   Trivial   Duplicate
                                   attributes are missing the namespace
                                   qualifier in their xsi:type




Shibboleth IdP 2 - Java   SIDP-443 Profile handlers override encoder        Bug   Closed   Minor     Fixed
                                   nameQualifier setting




                                                                                                                 20 of 748
Shibboleth IdP 2 - Java   SIDP-442 IdPSession expiration during requests   Bug           Closed   Major     Won't Fix




Shibboleth IdP 2 - Java   SIDP-441 Add JSESSIONID and ClientIP to MDC      Improvement   Closed   Trivial   Fixed




                                                                                                                        21 of 748
Shibboleth IdP 2 - Java   SIDP-440 servlet-api-2.4.jar not installed when       Bug   Closed   Minor   Duplicate
                                   upgrading to 2.2.0 / aacli testing errors.




                                                                                                                   22 of 748
Shibboleth IdP 2 - Java   SIDP-438 Improve user experience when switching Improvement   Closed   Minor   Fixed
                                   versions of SAML




                                                                                                                 23 of 748
Shibboleth IdP 2 - Java   SIDP-437 NPE when loading metadata via HTTPS Bug   Closed   Minor   Duplicate




                                                                                                          24 of 748
Shibboleth IdP 2 - Java   SIDP-436 Null AuthnContextClassRef causes NPE Bug   Closed   Minor   Fixed




                                                                                                       25 of 748
Shibboleth IdP 2 - Java   SIDP-435 Different principal used for index into   Bug   Closed   Minor   Fixed
                                   session storage and transient ID




                                                                                                            26 of 748
Shibboleth IdP 2 - Java   SIDP-434 More Typos in Default attribute-   Bug    Closed   Minor   Fixed
                                   resolver.xml




Shibboleth IdP 2 - Java   SIDP-433 Update libs for 2.2.1              Task   Closed   Minor   Completed




                                                                                                          27 of 748
Shibboleth IdP 2 - Java   SIDP-432 Set explicit caching headers on redirects Improvement   Closed   Minor   Completed




Shibboleth IdP 2 - Java   SIDP-431 Typo in default attribute-resolver.xml   Bug            Closed   Major   Fixed




                                                                                                                        28 of 748
Shibboleth IdP 2 - Java   SIDP-429 Limit metadata SP credential resolution   Bug   Closed   Minor   Completed
                                   for encryption to RSA keys only




Shibboleth IdP 2 - Java   SIDP-428 Address lifecycle issues around use of    Bug   Closed   Minor   Fixed
                                   MetadataCredentialResolverFactory




                                                                                                                29 of 748
Shibboleth IdP 2 - Java   SIDP-427 Incorrect handling of returned authn    Bug    Closed   Major   Fixed
                                   error in SSO profile handlers




Shibboleth IdP 2 - Java   SIDP-426 Forced authentication does not reset the Bug   Closed   Minor   Fixed
                                   AuthnInstant




                                                                                                           30 of 748
Shibboleth IdP 2 - Java   SIDP-425 TCNonPortableObjectError when   Bug   Closed   Major   Invalid
                                   artifacts are used




Shibboleth IdP 2 - Java   SIDP-424 Artifact clustering is broken   Bug   Closed   Major   Completed




                                                                                                      31 of 748
Shibboleth IdP 2 - Java   SIDP-422 aacli.sh Exception in thread "main"   Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-421 Error logging SOAP queries            Bug   Closed   Minor   Fixed




                                                                                                        32 of 748
Shibboleth IdP 2 - Java   SIDP-420 Status servlet should monitor for           Improvement   Closed   Major   Won't Fix
                                   Terracotta availablility via SessionStore
                                   object




                                                                                                                          33 of 748
Shibboleth IdP 2 - Java   SIDP-419 Metadata parsing fails when version   Bug   Closed   Major   Duplicate
                                   2.1.5 succeeds for the same ones




                                                                                                            34 of 748
Shibboleth IdP 2 - Java   SIDP-417 Shib deployed to root web context,   Bug   Closed   Minor   Fixed
                                   SSOProfileHandler forwards to
                                   "/null/AuthnEngine"




                                                                                                       35 of 748
Shibboleth IdP 2 - Java   SIDP-416 MetadataProviderObserver leak, new      Bug           Closed   Minor     Fixed
                                   one added on every login




Shibboleth IdP 2 - Java   SIDP-415 SAML name identifier value not logged   Bug           Closed   Minor     Fixed
                                   in audit log



Shibboleth IdP 2 - Java   SIDP-414 report number of active sessions in     New Feature   Closed   Trivial   Won't Fix
                                   status




                                                                                                                        36 of 748
Shibboleth IdP 2 - Java   SIDP-413 Change link on example login page       Improvement   Closed   Minor   Completed




Shibboleth IdP 2 - Java   SIDP-412 Create new login context, discard old   Bug           Closed   Minor   Won't Fix
                                   one(s)




                                                                                                                      37 of 748
Shibboleth IdP 2 - Java   SIDP-411 Check for loginContext != null at login.jsp Improvement   Closed   Trivial   Fixed




                                                                                                                        38 of 748
Shibboleth IdP 2 - Java   SIDP-410 Subject Principal NullPointerException   Bug   Closed   Critical   Invalid
                                   on restart (or change of nodes) of
                                   Terracotta-instrumented tomcat nodes




                                                                                                                39 of 748
Shibboleth IdP 2 - Java   SIDP-408 NullPointerException when unable to     Bug   Closed   Critical   Invalid
                                   construct NameID




Shibboleth IdP 2 - Java   SIDP-407 Shibboleth SSO profile handler sets     Bug   Closed   Minor      Fixed
                                   incorrect protocol string in outbound
                                   message context




                                                                                                               40 of 748
Shibboleth IdP 2 - Java   SIDP-404 Add an install-time setting for the path to Improvement   Closed   Minor   Fixed
                                   web.xml




Shibboleth IdP 2 - Java   SIDP-403 Use text/xml as the media type for        Improvement     Closed   Minor   Fixed
                                   returned metadata unless user agent
                                   request metadata media type




Shibboleth IdP 2 - Java   SIDP-402 Update 3rd party libraries for 2.2 release Task           Closed   Minor   Fixed




                                                                                                                      41 of 748
Shibboleth IdP 2 - Java   SIDP-401 Quick Installer doesn't set up the Admin   Bug   Closed   Minor   Fixed
                                   access rights correctly for Tomcat




Shibboleth IdP 2 - Java   SIDP-399 SessionManagerImpl fails to destroy        Bug   Closed   Minor   Duplicate
                                   indexed sessions




                                                                                                                 42 of 748
Shibboleth IdP 2 - Java   SIDP-398 Add X-Frame-Options http header as a    New Feature   Closed   Minor   Completed
                                   prevention for XSRF (Clickjacking)
                                   attacks on IdP login page




Shibboleth IdP 2 - Java   SIDP-397 Remove any unit test that won't be fixed Task         Closed   Minor   Completed
                                   in the 2.X branch, fix the rest




                                                                                                                      43 of 748
Shibboleth IdP 2 - Java   SIDP-396 Previous session LoginHandler used   Bug   Closed   Minor   Fixed
                                   even if authentication method has
                                   expired




                                                                                                       44 of 748
Shibboleth IdP 2 - Java   SIDP-395 Slow Memory Leak   Bug   Closed   Minor   Cannot Reproduce




                                                                                                45 of 748
Shibboleth IdP 2 - Java   SIDP-393 WAYF/shire url in IDP 2.1.5 losing       Bug   Closed   Major   Invalid
                                   atrributes before sending response to SP




                                                                                                             46 of 748
Shibboleth IdP 2 - Java   SIDP-390 Add ability to over ride relay state    New Feature   Closed   Minor   Invalid




Shibboleth IdP 2 - Java   SIDP-388 Add eduPersonAssurance attribute to     Improvement   Closed   Minor   Fixed
                                   attribute-resolver.xml config example




Shibboleth IdP 2 - Java   SIDP-386 Session indexes not cleared when        Improvement   Closed   Minor   Fixed
                                   session is destroyed




                                                                                                                    47 of 748
Shibboleth IdP 2 - Java   SIDP-384 Incorrect error message set for expired   Bug   Closed   Minor   Fixed
                                   request in Shibboleth SSO Profile
                                   Handler




                                                                                                            48 of 748
Shibboleth IdP 2 - Java   SIDP-383 servlet is not loaded when remote arp is   Bug   Closed   Major   Won't Fix
                                   not reachable




                                                                                                                 49 of 748
Shibboleth IdP 2 - Java   SIDP-382 Less verbose logging for failed attribute   Improvement   Closed   Minor   Fixed
                                   queries due to missing name-id




                                                                                                                      50 of 748
Shibboleth IdP 2 - Java   SIDP-381 Use duration notation for assertion   Improvement   Closed   Trivial   Fixed
                                   lifetime in example config files




Shibboleth IdP 2 - Java   SIDP-380 Use of forwards between profile       Bug           Closed   Major     Fixed
                                   handlers and authentication engine
                                   causes problems for uApprove




                                                                                                                  51 of 748
Shibboleth IdP 2 - Java   SIDP-379 Usage of general                         Bug   Closed   Minor   Fixed
                                   AuthenticationException in
                                   UsernamePasswordLoginHandler




Shibboleth IdP 2 - Java   SIDP-377 SPName Qualifier missing in NameID       Bug   Closed   Minor   Fixed
                                   when persistentID is used in
                                   combination with AffiliationDescriptor




                                                                                                           52 of 748
Shibboleth IdP 2 - Java   SIDP-376 Attribute Query with RDBM connector   Bug   Closed   Minor   Invalid
                                   resolving issue




                                                                                                          53 of 748
Shibboleth IdP 2 - Java   SIDP-375 Documentation indicates we populate an Bug          Closed   Minor   Fixed
                                   SLF4J MDC variable 'principalName',
                                   but code doesn't reflect this




Shibboleth IdP 2 - Java   SIDP-374 Switch to use StaticBasicParserPool   Improvement   Closed   Minor   Fixed
                                   instead of BasicParserPool




                                                                                                                54 of 748
Shibboleth IdP 2 - Java   SIDP-373 The SLF4J MDC state is not being       Bug           Closed   Minor   Fixed
                                   properly cleared when request
                                   processing is done.




Shibboleth IdP 2 - Java   SIDP-369 Allow to have cookie Domain set for    Improvement   Closed   Minor   Fixed
                                   login context cookie




Shibboleth IdP 2 - Java   SIDP-368 Provide more acurate login error to    New Feature   Closed   Minor   Fixed
                                   servlet when Username/Password login
                                   authentication has failed.




                                                                                                                 55 of 748
Shibboleth IdP 2 - Java   SIDP-365 Expose uptime of IdP web application    New Feature   Closed   Minor     Fixed
                                   with status handler



Shibboleth IdP 2 - Java   SIDP-362 Only log exception message without      Bug           Closed   Trivial   Fixed
                                   stack trace for expired SAML messages




                                                                                                                    56 of 748
Shibboleth IdP 2 - Java   SIDP-360 Session isn't being set within the     Bug    Closed   Minor   Fixed
                                   attribute request context during a
                                   SAML1 attribute query




Shibboleth IdP 2 - Java   SIDP-359 HttpServletHelper.getRelyingPartyConfir Bug   Closed   Minor   Fixed
                                   mationManager misnamed




                                                                                                          57 of 748
Shibboleth IdP 2 - Java   SIDP-357 Upgrade from 2.0 to 2.1.5. causing not   Bug   Closed   Major   Invalid
                                   able to be deployed the idp war file




                                                                                                             58 of 748
Shibboleth IdP 2 - Java   SIDP-356 AACLI does not work with               Bug   Closed   Minor   Duplicate
                                   AttributeRequesterInEntityGroup type
                                   filter




Shibboleth IdP 2 - Java   SIDP-353 Default login.jsp crashes on anonymous Bug   Closed   Minor   Fixed
                                   RPs




                                                                                                             59 of 748
Shibboleth IdP 2 - Java   SIDP-351 Attribute resolution errors shouldn't      Improvement   Closed   Minor     Completed
                                   prevent valid authn statement being
                                   returned




Shibboleth IdP 2 - Java   SIDP-350 Installer does not remember installation   Bug           Closed   Trivial   Fixed
                                   directory when upgrading




Shibboleth IdP 2 - Java   SIDP-349 LoginContext is not removed from           Bug           Closed   Trivial   Fixed
                                   StorageService after Authentication
                                   Completes




                                                                                                                           60 of 748
Shibboleth IdP 2 - Java   SIDP-348 Remove Terracotta Configuration from       Task          Closed   Minor   Completed
                                   IdP Install




Shibboleth IdP 2 - Java   SIDP-347 Authentication fails for users with LDAP   New Feature   Closed   Minor   Fixed
                                   aliases.




                                                                                                                         61 of 748
Shibboleth IdP 2 - Java   SIDP-345 strange behaviour with two SP sessions   Bug   Closed   Minor   Won't Fix
                                   on same IdP and browser back button




                                                                                                               62 of 748
Shibboleth IdP 2 - Java   SIDP-343 AuthnInstant is updated even when   Bug   Closed   Minor   Fixed
                                   authentication doesn't happen




                                                                                                      63 of 748
Shibboleth IdP 2 - Java   SIDP-342 NameIdentifier encoder mix-up when the Bug   Closed   Minor   Fixed
                                   SP doesn't support the first
                                   NameIdentifier format




                                                                                                         64 of 748
Shibboleth IdP 2 - Java   SIDP-340 Default tc-config.xml causes   Bug   Closed   Minor   Fixed
                                   TCNonPortableObjectError




                                                                                                 65 of 748
Shibboleth IdP 2 - Java   SIDP-335 NPE when testing SAML2 artifact   Bug   Closed   Minor   Invalid




                                                                                                      66 of 748
Shibboleth IdP 2 - Java   SIDP-329 Support for Bookmarked Login Pages   New Feature   Closed   Major   Won't Fix




                                                                                                                   67 of 748
Shibboleth IdP 2 - Java   SIDP-328 Direct link to IdP login page resuls in no Bug   Closed   Minor   Duplicate
                                   loginContext being created. User sees a
                                   404 instead.




                                                                                                                 68 of 748
Shibboleth IdP 2 - Java   SIDP-324 Add additional information to Status   Improvement   Closed   Minor   Fixed
                                   handler




                                                                                                                 69 of 748
Shibboleth IdP 2 - Java   SIDP-322 Exception thrown when SP requests a        Bug   Closed   Minor   Fixed
                                   particular authentication method that is
                                   not configured




                                                                                                             70 of 748
Shibboleth IdP 2 - Java   SIDP-321 IdP metadata generator appear to be    Bug   Closed   Major   Fixed
                                   adding extraneous name spaces to the
                                   metadata
Shibboleth IdP 2 - Java   SIDP-318   IdP erroneously logs many normal events as errors.   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-317   Multiple HEAD requests when downloading attribute-filter.xml   Bug   Closed   Minor   Won't Fix
Shibboleth IdP 2 - Java   SIDP-316   The IdP configuration should be able to apply the clock skew to the NotBefore value in the <Condition>   New Feature   Closed   Minor   Invalid
Shibboleth IdP 2 - Java   SIDP-315   Credential provided by UsernamePasswordLogin handler as attribute   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-312   LoginEvents with Null Subject from SessionManagerImpl   Bug   Closed   Minor   Won't Fix
Shibboleth IdP 2 - Java   SIDP-310   Change default relying-party.xml settings for SAML 2 profiles' encryptNameIds parameter from "conditional" to "never"   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-306   Remove ClientCertAuth rule from SAML 2 SSO SecurityPolicy in relying-party.xml   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-305   Dependencies in pom.xml of java-jce have the wrong scope   Bug   Closed   Minor   Invalid
Shibboleth IdP 2 - Java   SIDP-301   Remove use of events in SessionManager so that different StorageService implementations may be more easily used   New Feature   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-300   Unable to unmarshall metadata   Bug   Closed   Major   Invalid
Shibboleth IdP 2 - Java   SIDP-296   Make LoginContext / IdP Session available through the public API   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-295   If no cookies are supported/enabled in user agent (browser), display better error message   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-294   Loglevel of AbstractSAML1ProfileHandler   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-293   Ant installer target for renewing idp certificate   Improvement   Closed   Minor   Duplicate
Shibboleth IdP 2 - Java   SIDP-292   login.jsp: wrong use of the attribute rawspan within the tag <td>   Bug   Closed   Trivial   Fixed
Shibboleth IdP 2 - Java   SIDP-291   Update libs for 2.1.3 release   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-289   allow disabling of previous session handler during IdP login   New Feature   Closed   Minor   Won't Fix
Shibboleth IdP 2 - Java   SIDP-288   Improve consistency of XML configuration defaults/examples   Improvement   Closed   Trivial   Completed
Shibboleth IdP 2 - Java   SIDP-287   Specify validity of self-signed certificate for installation   New Feature   Closed   Minor   Duplicate
Shibboleth IdP 2 - Java   SIDP-286   Configurable validity period for self-signed certificate   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-285   Use $IDP_SCOPE$ to populate IdP scope in conf-tmpl\attribute-resolver.xml   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-282   Make AuthenticationEngine part of the public API   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-281   Customize login.jsp appearance based on relying party   New Feature   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-279   IdP should log NameID for auditing   Bug   Closed   Major   Fixed
Shibboleth IdP 2 - Java   SIDP-278   Log authentication success/failure at higher level than debug   Improvement   Closed   Trivial   Won't Fix
Shibboleth IdP 2 - Java   SIDP-277   Incorrect null check for request context in UsernamePasswordServlet   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-276   Example RDB Connector, quote principal   Bug   Closed   Trivial   Fixed
Shibboleth IdP 2 - Java   SIDP-275   Using standard JAAS LoginException in UP LoginHandler servlet   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-274   Log Exception in UP LoginHandler Servlet   Bug   Closed   Trivial   Fixed
Shibboleth IdP 2 - Java   SIDP-273   Update local IdP metadata file with installer task   New Feature   Closed   Major   Won't Fix
Shibboleth IdP 2 - Java   SIDP-272   Regenerate self-signed certificate with installer task   New Feature   Closed   Major   Fixed
Shibboleth IdP 2 - Java   SIDP-271   AuthenticationEngine doesn't correctly handle passive return from login servlet   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-269   Expose the user's IP address in the resolver   New Feature   Closed   Minor   Invalid
Shibboleth IdP 2 - Java   SIDP-268   Expose Metadata on entityID URL   New Feature   Closed   Minor   Completed
Shibboleth IdP 2 - Java   SIDP-267   check if cookies are set on error.jsp   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-266   General errors trigger error-404.jsp instead of error.jsp   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-265   Distinguish requested AuthMethod and default AuthMethod   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-263   Suggest adding defaultSigningCredentialRef to the AnonymousRelyingParty element in the default config   Improvement   Closed   Trivial   Fixed
Shibboleth IdP 2 - Java   SIDP-262   MIME type on metadata profile handler is incorrect   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-260   NPE in login-err.jsp   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-259   Installer does not remove old library versions from IDP_HOME/lib   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-258   Authentication Engine does not check to ensure returned authentication mechanism from Login Handler is acceptable to the SP   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-257   Previous session is used if the user has an existing session but the SP requests an authentication method that is not currently active.   Bug   Closed   Major   Fixed
Shibboleth IdP 2 - Java   SIDP-255   Login Handler sets AuthMethod, but is not in Assertion   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-253   NullPointerException in AbstractSAML1ProfileHandler.buildErrorResponse   Bug   Closed   Minor   Duplicate
Shibboleth IdP 2 - Java   SIDP-252   IdPSessionFilter throws ArrayIndexOutOfBoundsException on validation of unexpected cookie   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-251   NPE when SAML1 Attribute Query Handler hit with GET request   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-250   AuthenticationEngine::returnToAuthenticationEngine() static method called before servlet init() when clustered.   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-249   PreviousSession INFO message printed as ERROR message   Bug   Closed   Trivial   Fixed
Shibboleth IdP 2 - Java   SIDP-248   Signing code in profile handlers and encoders should not just check that a signing credential is supplied, but that a signing key is available in that credential.   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-245   Installer fails if credentials directory doesn't exist   Bug   Closed   Trivial   Invalid
Shibboleth IdP 2 - Java   SIDP-244   Error message on invalid ACS could be improved   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-243   IDP_HOME check in aacli.bat cannot handle directories with spaces.   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-242   Cleanup StorageService entry classes   Improvement   Closed   Minor   Completed
Shibboleth IdP 2 - Java   SIDP-241   Destination URL not unescaped?   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-238   Inconsistencies on bean names in LoginHandler   Bug   Closed   Minor   Invalid
Shibboleth IdP 2 - Java   SIDP-237   Re-run of install.sh does not create war again   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-236   handling the X500Principal object, getName() or toString()   Improvement   Closed   Minor   Completed
Shibboleth IdP 2 - Java   SIDP-235   IdPSessionFilter lacks Source IP verification and cookie signature checking   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-233   Typo on operation name - public void setAuthenticationDurection(long duration)   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-230   sanity check provided credentials   New Feature   Closed   Minor   Completed
Shibboleth IdP 2 - Java   SIDP-228   Improve error reporting in SAML 2 profile handlers when no encryption key is resolvable for the peer entity ID   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-227   Default relying-party.xml has SAML2-specific security policy rules included in SAML 1 security policies   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-224   Add version information in library JAR manifest and provide command line tool to view it   New Feature   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-223   Provide a profile handler that returns metadata for the IdP   New Feature   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-222   Template engine used by LDAP and database connectors throws an NPE on startup   Bug   Closed   Blocker   Fixed
Shibboleth IdP 2 - Java   SIDP-220   creation of mapped attribute in attribute-resolver doesn't seem correct   Bug   Closed   Major   Fixed
Shibboleth IdP 2 - Java   SIDP-219   sourceAttributeID in attribute-resolver.xml is case sensitive even for ldap   Bug   Closed   Minor   Won't Fix
Shibboleth IdP 2 - Java   SIDP-216   Second of two signed sources of metadata fails after cache expiration   Bug   Closed   Critical   Fixed
Shibboleth IdP 2 - Java   SIDP-215   SHIB-JCE.jar missing from 2.1.0 kit   Bug   Closed   Critical   Fixed
Shibboleth IdP 2 - Java   SIDP-214   Installer needs to put (at least) bcprov onto the classpath before it runs ant   Bug   Closed   Critical   Fixed
Shibboleth IdP 2 - Java   SIDP-213   aacli.sh computedid Exception in thread "main" java.lang.NullPointerException   Bug   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-212   Wrong confirmation method used with SAML 1.x artifact profile   Bug   Closed   Major   Fixed
Shibboleth IdP 2 - Java   SIDP-209   Enforce SAML 2 metadata SPSSODescriptor/@AuthnRequestsSigned   Bug   Closed   Major   Fixed
Shibboleth IdP 2 - Java   SIDP-208   BasicSAMLArtifactMapEntry contains reference to parser pool from parent BasicSAMLArtifactMap   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-207   Changes to attribute-resolver.xml choke loaded IdP   Bug   Closed   Major   Cannot Reproduce
Shibboleth IdP 2 - Java   SIDP-206   SessionManagerEntry's back reference to the SessionManager object interferes with clustering   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-205   Provide internationalization facilities   New Feature   Closed   Minor   Invalid
Shibboleth IdP 2 - Java   SIDP-204   Remove defaults from configuration schema files and move into code   Improvement   Closed   Minor   Fixed
Shibboleth IdP 2 - Java   SIDP-203   Insufficient information logged to track down errant users   Bug   Closed   Minor   Fixed
                                                                                                                     113 of 748
Shibboleth IdP 2 - Java   SIDP-202 Saml2LoginContext unable to           Bug   Closed   Minor   Fixed
                                   deserialize serialized AuthnRequest




                                                                                                        114 of 748
Shibboleth IdP 2 - Java   SIDP-201 IdP sends SAML 1 authentication         Bug   Closed   Major   Fixed
                                   responses without audience conditions




                                                                                                          115 of 748
Shibboleth IdP 2 - Java   SIDP-200 attribute-filter.xml AtributeRule   Bug   Closed   Minor   Fixed
                                   ignoreCase logic is backwards




                                                                                                      116 of 748
Shibboleth IdP 2 - Java   SIDP-199 loss of login context when deploying the   Bug   Closed   Minor   Fixed
                                   IdP to tomcat's ROOT context




                                                                                                             117 of 748
Shibboleth IdP 2 - Java   SIDP-197 Misleading error message for         Bug   Closed   Trivial   Won't Fix
                                   ValidationInfo element in relying-
                                   party.xml




                                                                                                             118 of 748
Shibboleth IdP 2 - Java   SIDP-195 Exception with SAML1 Artifact     Bug   Closed   Major   Fixed
                                   Resolution serving simultaneous
                                   requests




                                                                                                    119 of 748
Shibboleth IdP 2 - Java   SIDP-194 Installer can remember the wrong thing   Bug   Closed   Minor   Fixed




                                                                                                           120 of 748
Shibboleth IdP 2 - Java   SIDP-193 Wrong error message, if no cert found   Bug   Closed   Trivial   Duplicate
                                   for encrypt assertion




Shibboleth IdP 2 - Java   SIDP-192 Wrong error message, if no cert found   Bug   Closed   Trivial   Duplicate
                                   for encrypt assertion




                                                                                                                121 of 748
Shibboleth IdP 2 - Java   SIDP-191 Wrong error message, if no cert found   Bug   Closed   Trivial   Duplicate
                                   for encrypt assertion




Shibboleth IdP 2 - Java   SIDP-190 Wrong error message, if no cert found   Bug   Closed   Trivial   Fixed
                                   for encrypt assertion




                                                                                                                122 of 748
Shibboleth IdP 2 - Java   SIDP-189 NPE in AbstractSAML2ProfileHandler    Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-187 SAML 2 AuthnContext classes used as   Bug   Closed   Minor   Fixed
                                   1.1 auth methods and 2.0 decl refs




                                                                                                        123 of 748
Shibboleth IdP 2 - Java   SIDP-185 NullPointerException after                Bug           Closed   Minor   Fixed
                                   AttributeQuery when Security Rule fails




Shibboleth IdP 2 - Java   SIDP-183 make idp session available to logging     Improvement   Closed   Minor   Fixed
                                   system




                                                                                                                    124 of 748
Shibboleth IdP 2 - Java   SIDP-182 Allow configuration files to include other   New Feature   Closed   Minor   Completed
                                   files




Shibboleth IdP 2 - Java   SIDP-181 Released Attributes not logged when          Bug           Closed   Minor   Fixed
                                   using SAML2




                                                                                                                           125 of 748
Shibboleth IdP 2 - Java   SIDP-180 Double comment entry in relying-      Task   Closed   Trivial   Invalid
                                   party.xml




Shibboleth IdP 2 - Java   SIDP-179 Duplicate dependencies cause failed   Bug    Closed   Minor     Cannot Reproduce
                                   resolution




                                                                                                                      126 of 748
Shibboleth IdP 2 - Java   SIDP-178 Addition of an example PrincipalName   Improvement   Closed   Trivial   Won't Fix
                                   AttributeDefinition




Shibboleth IdP 2 - Java   SIDP-176 useKeyTab should be set to true        Improvement   Closed   Minor     Fixed




                                                                                                                       127 of 748
Shibboleth IdP 2 - Java   SIDP-175 Security role name missing in web.xml   Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-174 Jira Misconfigured                      Bug   Closed   Major   Invalid




                                                                                                            128 of 748
Shibboleth IdP 2 - Java   SIDP-173 IllegalStateException while parsing   Bug   Closed   Major     Invalid
                                   hostname




Shibboleth IdP 2 - Java   SIDP-172 AACLI.BAT should check whether        Bug   Closed   Trivial   Fixed
                                   IDP_HOME is defined before testing
                                   whether it exists.




                                                                                                            129 of 748
Shibboleth IdP 2 - Java   SIDP-171 Cannot deploy to directories in spaces in Improvement   Closed   Minor   Fixed
                                   the names




                                                                                                                    130 of 748
Shibboleth IdP 2 - Java   SIDP-170 Attribute Filter refresh won't work with   Bug   Closed   Minor     Fixed
                                   "resource:FileBackedHttpResource"




Shibboleth IdP 2 - Java   SIDP-169 relying-party.xml has duplicated           Bug   Closed   Trivial   Fixed
                                   comment, typo




                                                                                                               131 of 748
Shibboleth IdP 2 - Java   SIDP-168 eduPersonTargetedID.old default scope Bug     Closed   Trivial   Fixed
                                   is Ian instead of example.org




Shibboleth IdP 2 - Java   SIDP-167 Missing tags and incomplete login.jsp   Bug   Closed   Minor     Fixed




                                                                                                            132 of 748
Shibboleth IdP 2 - Java   SIDP-166 AuthnRequest with forceAuthn="1"   Bug           Closed   Minor   Fixed
                                   attribute has no effect




Shibboleth IdP 2 - Java   SIDP-165 Support for SessionNotOnOrAfter    New Feature   Closed   Minor   Fixed




                                                                                                             133 of 748
Shibboleth IdP 2 - Java   SIDP-164 Option to make session cookie secure.   Improvement   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-162 2.0 AA response issues                  Bug           Closed   Minor   Fixed




                                                                                                                  134 of 748
Shibboleth IdP 2 - Java   SIDP-161 PersistentID cannot be set/read from   Bug   Closed   Major   Fixed
                                   postgres/MySQL DB




                                                                                                         135 of 748
Shibboleth IdP 2 - Java   SIDP-157 Attributes of type PrincipalName cannot   Bug   Closed   Minor   Fixed
                                   feed into other attributes




                                                                                                            136 of 748
Shibboleth IdP 2 - Java   SIDP-156 (possible AACLI only) NPE when     Bug   Closed   Minor   Fixed
                                   resolving SAML1 scoped Attribute




                                                                                                     137 of 748
Shibboleth IdP 2 - Java   SIDP-155 AACLI no longer works in RC2           Bug             Closed   Major     Fixed




Shibboleth IdP 2 - Java   SIDP-154 aacli.bat requires idp_home, but doesn't New Feature   Closed   Trivial   Fixed
                                   complain if its not set
Shibboleth IdP 2 - Java   SIDP-153 SAML Request logged as 'null' for        Bug           Closed   Trivial   Invalid
                                   Shibboleth 1.3 requests




                                                                                                                       138 of 748
Shibboleth IdP 2 - Java   SIDP-152 Loop in Metadata SignatureValidation     Bug           Closed   Critical   Fixed




Shibboleth IdP 2 - Java   SIDP-151 Load /Metadata Directory Automatically   Improvement   Closed   Minor      Won't Fix




                                                                                                                          139 of 748
Shibboleth IdP 2 - Java   SIDP-145 Adding a Location to the LoginHandler   Improvement   Closed   Minor   Invalid




                                                                                                                    140 of 748
Shibboleth IdP 2 - Java   SIDP-144 "Invalid identity provider profile URL."   Improvement   Closed   Minor     Fixed
                                   catch-all error message could be
                                   rephrased




Shibboleth IdP 2 - Java   SIDP-142 build.xml assumes hostname has .'s         Bug           Closed   Trivial   Invalid




Shibboleth IdP 2 - Java   SIDP-141 ant.sh is not executable                   Bug           Closed   Minor     Won't Fix




                                                                                                                           141 of 748
Shibboleth IdP 2 - Java   SIDP-140 Absolute paths in shibboleth-idp-2.0-rc1- Bug   Closed   Minor   Fixed
                                   bin.zip




                                                                                                            142 of 748
Shibboleth IdP 2 - Java   SIDP-139 Documented URI does not exist   Bug   Closed   Minor   Fixed




                                                                                                  143 of 748
Shibboleth IdP 2 - Java   SIDP-138 IdP encrypts assertions with own public   Bug   Closed   Major   Invalid
                                   key, not SP's




                                                                                                              144 of 748
Shibboleth IdP 2 - Java   SIDP-136 Automatic keypair/self-signed certificate Improvement   Closed   Major     Completed
                                   generation as part of installation process




Shibboleth IdP 2 - Java   SIDP-135 Move element in logging.xml             Improvement     Closed   Trivial   Fixed




                                                                                                                          145 of 748
Shibboleth IdP 2 - Java   SIDP-134 Unify FileBackedHTTPMetadataProvider Improvement   Closed   Minor   Won't Fix
                                   and FilesystemMetadataProvider




                                                                                                                   146 of 748
Shibboleth IdP 2 - Java   SIDP-132 Endpoint selection for AuthnResponse   Bug   Closed   Minor   Fixed
                                   throws NPE




                                                                                                         147 of 748
Shibboleth IdP 2 - Java   SIDP-131 profile/SAML2/Redirect/SSO?SAMLResp Bug   Closed   Trivial   Fixed
                                   onse=Hi! -> NPE




                                                                                                        148 of 748
Shibboleth IdP 2 - Java   SIDP-130 Missing DefaultRelyingParty schema-   Bug   Closed   Minor   Fixed
                                   valid but causes NPE




                                                                                                        149 of 748
Shibboleth IdP 2 - Java   SIDP-128 Null <NameID> in AttributeQuery causes Bug   Closed   Trivial   Fixed
                                   NPE




                                                                                                           150 of 748
Shibboleth IdP 2 - Java   SIDP-127 Unspecified principals in AttributeQuery   Bug   Closed   Minor   Invalid
                                   treated as transient principals




                                                                                                               151 of 748
Shibboleth IdP 2 - Java   SIDP-126 java.io.EOFException: Unexpected end of ZLIB input stream thrown under load   Bug   Closed   Minor   Cannot Reproduce




Shibboleth IdP 2 - Java   SIDP-125 install.properties corrupts itself   Bug   Closed   Trivial   Invalid




Shibboleth IdP 2 - Java   SIDP-124 Default configuration results in edu.internet2.middleware.shibboleth.common.attribute.provider.ScopedAttributeValue cannot be cast to java.lang.Comparable   Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-123 Other failure in relying-party.xml   Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-122 Typos cause example config to fail to load   Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-121 Simultaneous requests can cause error forwarding SAML 2 AuthnRequest to AuthenticationManager   Bug   Closed   Minor   Cannot Reproduce




Shibboleth IdP 2 - Java   SIDP-120 SSOProfileHandler.buildRequestContext NPE under moderate load   Bug   Closed   Minor   Cannot Reproduce




Shibboleth IdP 2 - Java   SIDP-119 Missing urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign outboundBindingEnumeration in /SAML2/POST/SSO   Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-118 Typos in shibboleth-2.0-security-policy-saml   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-117 Typos in shibboleth-2.0-security.xsd    Bug    Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-116 Typos in shibboleth-2.0-afp-mf-basic.xsd Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-115 Typos in shibboleth-2.0-afp-mf-saml.xsd Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-114 Typos in shibboleth-2.0-afp.xsd        Bug    Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-113 Typos in shibboleth-2.0-attribute-encoder.xsd   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-112 Typos in shibboleth-2.0-attribute-resolver-ad   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-111 Typos in shibboleth-2.0-attribute-resolver-dc.xsd   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-110 Typos in shibboleth-2.0-attribute-resolver-pc.xsd   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-109 Typos in shibboleth-2.0-attribute-resolver.xsd   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-108 Typos in shibboleth-2.0-metadata.xsd   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-107 Typos in shibboleth-2.0-relying-party-saml.xsd   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-106 Need Servlet Context Session Listener hook for Session Manager   Bug   Closed   Major   Fixed




Shibboleth IdP 2 - Java   SIDP-105 Valid AttributeQuery considered of type "org.opensaml.ws.soap.soap11.impl.EnvelopeImpl", errors out   Bug   Closed   Major   Fixed




Shibboleth IdP 2 - Java   SIDP-104 Query for Subject in protocol XMLNS -> NPE   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-103 DateTimes that aren't UTC are accepted Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-102 AttributeQuery with null ID still receives assertion   Bug   Closed   Major   Fixed




Shibboleth IdP 2 - Java   SIDP-101 Null IssueInstant throws IllegalArgumentException   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-100 AttributeQuery in SAML:2.0:assertion namespace causes ClassCastException   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-99   SOAP schema not enforced   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-98   AttributeQuery for Transient ID results in Response with New Transient ID   Bug   Closed   Major   Fixed




Shibboleth IdP 2 - Java   SIDP-96   SOAP mustUnderstand not understood   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-95   ClassCastException in SAML2/SOAP/AttributeQuery Handler   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-94   NPE when handling default/anonymous Shibboleth 1.x requests   Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-93   Typos in Logs                          Bug           Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-92   Authentication session persists when session cookies are cleared   Bug           Closed   Minor     Invalid
Shibboleth IdP 2 - Java   SIDP-91   Flag to force Authentication over TLS/SSL protected transport      Improvement   Closed   Minor     Won't Fix




Shibboleth IdP 2 - Java   SIDP-90   Decoder binding not logged properly    Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-89   /SAML2/Redirect/SSO java.lang.IndexOutOfBoundsException: Index: 0, Size: 0   Bug   Closed   Major   Fixed




Shibboleth IdP 2 - Java   SIDP-88   Empty SOAP message to /SAML2/SOAP/AttributeQuery causes NPE   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-87   SOAP Content-Type Ignored   Bug   Closed   Trivial   Invalid




Shibboleth IdP 2 - Java   SIDP-86   Null/no SAML AttributeQuery ID non-fatal, can be replayed infinitely   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-85   Malformatted timestamp in AttributeQuery results in NPE   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-84   Completely unauthenticated AttributeQuery processed with default SecurityPolicy   Bug   Closed   Major   Fixed




Shibboleth IdP 2 - Java   SIDP-83   Unresolvable Transient ID Throws NPE   Bug   Closed   Trivial   Fixed




Shibboleth IdP 2 - Java   SIDP-82   <saml:Subject> in AuthnRequest ignored Bug   Closed   Minor   Fixed




Shibboleth IdP 2 - Java   SIDP-81   ForceAuthn in AuthnRequest ignored entirely   Bug   Closed   Major   Fixed




Shibboleth IdP 2 - Java   SIDP-80   ProtocolBinding in AuthnRequest ignored entirely   Bug   Closed   Major   Fixed




   Assignee           Reporter    Created          Updated         Resolved   Affects Version/s
Tom Barton    xing chun yan      9/19/2011 3:18   9/19/2011 9:16




Chad La Joie   Peter Schober    5/22/2011 7:52    5/22/2011 7:52                    2.3.0




Chad La Joie   Daniel J. Lauk   5/20/2011 4:41    5/20/2011 4:42



Chad La Joie   Rod Widdowson     5/7/2011 7:30    5/12/2011 3:48   5/12/2011 3:48



Scott Cantor   Scott Cantor     5/6/2011 16:29   5/17/2011 17:21   5/6/2011 17:03 2.2.0, 2.2.1




Chad La Joie    Rod Widdowson    5/5/2011 10:07   5/17/2011 17:21   5/12/2011 3:48 2.3.0




Scott Cantor    Steven Carmody   5/4/2011 10:59    5/4/2011 12:01   5/4/2011 12:01 2.3.0




Rod Widdowson   Rod Widdowson     5/4/2011 3:40   5/17/2011 17:21    5/5/2011 9:09 2.3.0




Chad La Joie   Thomas Lenggenhager   4/28/2011 3:31   5/12/2011 13:24   5/11/2011 18:16 2.2.1




Brent Putman    Nate Klingenstein   4/13/2011 14:07   4/14/2011 20:51   4/14/2011 20:51 2.2.1




Chad La Joie    Scott Cantor        4/12/2011 15:04   5/17/2011 17:21   4/12/2011 15:52




Chad La Joie    Chad La Joie         4/6/2011 20:07    4/7/2011 20:11    4/7/2011 20:11



Chad La Joie    Scott Cantor         4/5/2011 22:28   4/26/2011 14:23   4/26/2011 14:23




Rod Widdowson   Rod Widdowson        4/5/2011 11:09   5/17/2011 17:22    4/6/2011 11:13




Chad La Joie   Russell Beall   3/30/2011 13:04   4/11/2011 17:24   4/11/2011 17:24 2.1.5




Chad La Joie   Rod Widdowson    3/29/2011 4:37   5/17/2011 17:22    3/29/2011 4:40




Rod Widdowson   Rod Widdowson    3/29/2011 3:49   5/17/2011 17:22    3/29/2011 4:34 2.3.0




Chad La Joie    Rod Widdowson   3/24/2011 12:53   5/17/2011 17:22    4/12/2011 8:37




Rod Widdowson   Rod Widdowson   3/18/2011 12:08   3/18/2011 13:32   3/18/2011 13:32




Chad La Joie   Nate Klingenstein   3/14/2011 16:22   3/14/2011 16:28   3/14/2011 16:25 2.2.1




Chad La Joie   Nate Klingenstein   3/14/2011 16:18    3/15/2011 9:02    3/15/2011 9:02 2.2.1




Rod Widdowson   Rod Widdowson    2/28/2011 10:45   5/17/2011 17:22    4/14/2011 9:16




Chad La Joie    Olivier Salaün   2/21/2011 11:32   3/20/2011 18:31   3/20/2011 18:31




Chad La Joie   naveed          2/15/2011 9:55   2/15/2011 10:15    2/15/2011 9:59 2.1.5




Scott Cantor   Scott Cantor   2/11/2011 12:58    3/14/2011 9:16   2/11/2011 13:18 2.2.0, 2.2.1




Chad La Joie   Kaspar Brand    2/8/2011 10:40    2/14/2011 4:03   2/10/2011 17:32 2.2.1




Chad La Joie   Rod Widdowson   2/4/2011 4:25   2/4/2011 6:11   2/4/2011 6:11 2.2.1




Scott Cantor   Scott Cantor    2/2/2011 20:42    3/14/2011 9:16    2/9/2011 18:06




Scott Cantor   Scott Cantor   1/31/2011 12:48   2/10/2011 17:09   2/10/2011 17:09




Chad La Joie   Ian Young   1/4/2011 8:23   1/4/2011 8:59   1/4/2011 8:59 2.2.0




Chad La Joie   Tom Scavo   1/3/2011 9:18   1/3/2011 9:30   1/3/2011 9:30 2.1.5




Chad La Joie   Olivier Salaün      1/3/2011 7:31     1/5/2011 10:33      1/3/2011 7:38 2.1.5




Chad La Joie   Chad La Joie     12/21/2010 11:50   12/21/2010 11:58   12/21/2010 11:58 2.2.0




Chad La Joie   Scott Cantor   12/20/2010 12:54   1/11/2011 5:31   1/11/2011 5:31 2.2.0




Chad La Joie   Bradley Schwoerer   12/16/2010 0:16   12/21/2010 11:01   12/21/2010 11:01 2.2.0




Chad La Joie   Robert Schlacher   12/15/2010 10:37   1/31/2011 13:05   12/15/2010 10:45 2.2.0




Chad La Joie   Bradley Schwoerer   12/14/2010 23:04    5/1/2011 15:49    5/1/2011 15:49 2.2.1




Chad La Joie   Bradley Schwoerer   12/14/2010 22:33   12/21/2010 9:28   12/21/2010 9:28 2.2.0




Chad La Joie   Petra Berg   12/13/2010 2:23   2/10/2011 17:28   2/10/2011 17:28 2.2.0




Chad La Joie   Vladimir Mencl   12/6/2010 18:28   12/21/2010 10:56   12/21/2010 10:56 2.2.0




Scott Cantor   Scott Cantor     12/6/2010 12:59    1/31/2011 13:05   12/22/2010 14:37 2.2.0




Chad La Joie   Bradley Schwoerer   12/6/2010 1:06   12/21/2010 11:42   12/21/2010 11:42 2.2.0




Chad La Joie   Bradley Schwoerer   12/6/2010 0:43    3/14/2011 10:41    3/14/2011 10:41 2.2.0




Chad La Joie   Benji Wakely   11/28/2010 23:39   11/29/2010 6:51   11/29/2010 6:51 2.2.0




Chad La Joie   Karsten Huneycutt   11/23/2010 14:57   1/11/2011 5:38   1/11/2011 5:38 2.2.0




Chad La Joie   Paul Engle   11/19/2010 14:10   11/19/2010 14:14   11/19/2010 14:14 2.2.0




Chad La Joie   James Bardin   11/17/2010 15:46   12/21/2010 10:52   12/21/2010 10:52 2.2.0




Chad La Joie   Karsten Huneycutt   11/16/2010 10:57   1/8/2011 13:47   1/8/2011 13:47 2.2.0




Chad La Joie   Nate Klingenstein   11/9/2010 16:23   11/10/2010 13:56   11/10/2010 13:56 2.2.0




Chad La Joie   Chad La Joie        11/9/2010 16:22     1/8/2011 14:29     1/8/2011 14:29 2.2.0




Chad La Joie   Christopher Bongaarts   11/9/2010 15:26   12/21/2010 9:55   12/21/2010 9:55 2.1.3




Chad La Joie   Nate Klingenstein       11/9/2010 14:06   11/9/2010 14:56   11/9/2010 14:56 2.2.0




Brent Putman   Brent Putman    11/2/2010 10:32    5/17/2011 17:22    4/14/2011 20:24 2.2.0




Brent Putman   Brent Putman   10/21/2010 19:01   10/25/2010 18:43   10/25/2010 18:43 2.2.0




Chad La Joie   Scott Cantor   10/19/2010 14:03   11/10/2010 14:56   11/10/2010 14:56 2.2.0




Scott Cantor   Scott Cantor    10/9/2010 13:05    1/31/2011 13:05   12/22/2010 14:30 2.2.0




Chad La Joie   Adam Lantos   10/8/2010 5:53    1/8/2011 14:01    1/8/2011 14:01




Chad La Joie   Adam Lantos   10/8/2010 7:20   1/10/2011 17:08   1/10/2011 17:08




Chad La Joie   kevin foote    10/5/2010 15:14   12/21/2010 10:31   12/21/2010 10:31 2.2.0




Brent Putman   Scott Cantor   10/4/2010 14:24    10/4/2010 17:49    10/4/2010 17:03 2.2.0




Chad La Joie   Russell Beall   9/27/2010 19:31   3/2/2011 13:32   2/10/2011 17:25 2.1.5, 2.2.0




Chad La Joie   Hached Mehdi   9/24/2010 11:22   9/24/2010 11:56   9/24/2010 11:35 2.2.0




Chad La Joie   Robert Egglestone   9/23/2010 20:50   11/10/2010 18:07   11/10/2010 18:07 2.2.0




Chad La Joie   Robert Egglestone   9/22/2010 21:59    9/23/2010 7:12    9/23/2010 7:12 2.1.5




Chad La Joie   Chad La Joie        9/20/2010 10:09   9/20/2010 10:12   9/20/2010 10:12 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5




Chad La Joie   Etienne Dysli       9/16/2010 10:59    9/23/2010 7:54   9/20/2010 10:25 2.2.0




Chad La Joie   Patrik Schnellmann   9/16/2010 4:29   9/20/2010 10:24   9/20/2010 10:24




Chad La Joie   Halm Reusser         9/16/2010 2:09    9/23/2010 7:54   9/20/2010 10:22 2.2.0




Chad La Joie   Halm Reusser   8/31/2010 3:38   9/23/2010 7:54   9/13/2010 10:43 2.2.0




Chad La Joie   Russell Beall   8/27/2010 12:48   9/23/2010 7:54   8/27/2010 13:47 2.2.0




Chad La Joie   Russell Beall   8/26/2010 14:38    9/23/2010 7:54   8/27/2010 13:47 2.2.0




Scott Cantor   Scott Cantor    8/25/2010 16:21   9/26/2010 11:12   8/25/2010 16:26 2.1.5




Rod Widdowson   Scott Cantor   8/24/2010 16:31     3/14/2011 9:16     2/8/2011 9:35 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5




Chad La Joie    Chad La Joie    8/24/2010 8:20   10/22/2010 11:33   9/13/2010 13:30 2.1.5




Chad La Joie    Chad La Joie    8/23/2010 8:36     8/23/2010 8:37    8/23/2010 8:37




Rod Widdowson   Rod Widdowson   8/23/2010 5:54   5/17/2011 17:22   3/19/2011 10:35 2.1.5




Chad La Joie    Adam Lantos     7/21/2009 9:17   9/26/2010 11:12     8/6/2010 7:35




Chad La Joie   Patrik Schnellmann    8/3/2010 7:55   9/13/2010 15:59   9/13/2010 15:59




Chad La Joie   Chad La Joie         8/2/2010 21:33   1/31/2011 13:05     8/3/2010 4:07




Chad La Joie   David Langenberg   7/28/2010 18:02   8/16/2010 20:33   8/16/2010 20:33 2.1.5




Chad La Joie   Russell Beall   7/23/2010 13:39   1/31/2011 13:05   8/2/2010 17:11 2.1.5




Chad La Joie   martin kelly   7/2/2010 5:44   1/31/2011 13:05   7/26/2010 7:24 2.1.5




Chad La Joie   Paul Hethmon         5/7/2010 15:39    5/7/2010 15:55    5/7/2010 15:55 2.1.5




Chad La Joie   Patrik Schnellmann    5/4/2010 4:49   5/19/2010 20:29   5/19/2010 20:29 2.1.5




Chad La Joie   Halm Reusser         4/30/2010 8:35    9/23/2010 7:54     8/3/2010 6:06 2.2.0




Chad La Joie   Robert Basch   3/29/2010 17:40   5/19/2010 20:19   5/19/2010 20:19 2.1.5




Chad La Joie   Janusz Ulanowski   3/23/2010 8:10   5/20/2010 19:24   5/20/2010 19:24 2.1.5




Chad La Joie   Patrik Schnellmann   3/19/2010 3:12   5/19/2010 20:35   5/19/2010 20:35 2.2.0




Chad La Joie   Halm Reusser    3/17/2010 5:41   9/23/2010 7:54   5/19/2010 20:41 2.2.0




Chad La Joie   Halm Reusser   3/15/2010 10:00   8/16/2010 9:35    8/16/2010 9:35 2.1.5




Chad La Joie   Halm Reusser     3/15/2010 9:55   3/16/2010 3:15   3/16/2010 3:15 2.2.0




Chad La Joie   Lukas Hämmerle   3/2/2010 10:55   9/23/2010 7:54   3/2/2010 11:32 2.2.0




Chad La Joie   Lukas Hämmerle   2/24/2010 9:10   9/23/2010 7:54   2/26/2010 3:27 2.2.0




Chad La Joie   Brent Putman   2/18/2010 20:27   9/26/2010 11:11     8/3/2010 4:35 2.1.5




Chad La Joie   Brent Putman   2/18/2010 16:29   5/19/2010 20:38   5/19/2010 20:38




Chad La Joie   Brent Putman         2/18/2010 16:14   3/16/2010 3:06    3/16/2010 3:06




Chad La Joie   Patrik Schnellmann    1/29/2010 8:58   3/16/2010 3:32    3/16/2010 3:32 2.1.5




Chad La Joie   kevin foote          1/21/2010 10:57   9/23/2010 7:54   2/18/2010 20:03




Chad La Joie   Patrik Schnellmann   12/16/2009 6:56   9/23/2010 7:54    2/11/2010 9:38




Chad La Joie   Patrik Schnellmann    12/2/2009 3:28   9/23/2010 7:54   12/16/2009 2:59




Chad La Joie   Simon Shi   11/20/2009 16:28   9/23/2010 7:54   12/16/2009 3:02 2.1.5




Chad La Joie   Jim Fox     11/20/2009 14:23   9/23/2010 7:54   12/16/2009 3:07 2.1.5




Chad La Joie   Simon Shi   11/13/2009 12:09   11/13/2009 12:38   11/13/2009 12:38 2.1.5




Chad La Joie   Rod Widdowson    11/11/2009 9:38   12/16/2009 3:04   12/16/2009 3:04 2.1.4, 2.1.5




Chad La Joie   Scott Cantor    10/26/2009 13:59   10/27/2009 2:00   10/27/2009 2:00 2.1.4




Chad La Joie   Chad La Joie   9/24/2009 7:57   9/24/2009 7:58   9/24/2009 7:58 2.1.0, 2.1.1, 2.1.2, 2.1.3




Chad La Joie   Chad La Joie   9/24/2009 3:50   9/25/2009 3:01   9/25/2009 3:01 2.1.3




Chad La Joie   Chad La Joie   9/24/2009 3:32   9/24/2009 5:12   9/24/2009 5:12 2.1.3




Chad La Joie   Chad La Joie      9/24/2009 2:12    9/24/2009 3:02     9/24/2009 3:02 2.1.0, 2.1.1, 2.1.2, 2.1.3




Chad La Joie   Dan McLaughlin   9/11/2009 21:58   1/31/2011 13:05   10/30/2009 10:01 2.1.3




Chad La Joie   Ina Müller   9/8/2009 3:32   2/10/2011 17:27   2/10/2011 17:27 2.1.3




Chad La Joie   Martin Smith   9/3/2009 12:49   9/28/2009 3:03   9/28/2009 3:03 2.1.2, 2.1.3




Chad La Joie   Adam Lantos   9/3/2009 12:13   9/25/2009 2:27   9/25/2009 2:27 2.1.3




Chad La Joie   Adam Lantos   8/27/2009 10:06   9/24/2009 3:00   9/24/2009 3:00 2.1.2, 2.1.3




Chad La Joie   Rod Widdowson   7/30/2009 6:52   10/27/2009 5:07   10/27/2009 5:07 2.1.2




Chad La Joie   Nate Klingenstein   7/9/2009 1:02   7/16/2009 6:33   7/16/2009 6:33 2.0.0, 2.1.0, 2.1.1, 2.1.2




Chad La Joie   Paul Hethmon   7/8/2009 16:23   7/16/2009 6:37   7/16/2009 6:37




Chad La Joie   Chad La Joie   6/30/2009 12:29   7/2/2009 14:33   7/2/2009 14:33 2.0.0, 2.1.0, 2.1.1, 2.1.2




Chad La Joie   Chad La Joie   6/25/2009 6:18   6/30/2009 7:09   6/30/2009 7:09 2.0.0, 2.1.0, 2.1.1, 2.1.2




Chad La Joie   Rod Widdowson   6/24/2009 6:21   8/19/2009 8:36   8/19/2009 8:36 2.1.2




Chad La Joie   Jim Fox   6/19/2009 12:27   6/30/2009 5:17   6/30/2009 5:17




Chad La Joie   Lukas Hämmerle   6/10/2009 10:51   7/1/2009 4:28   7/1/2009 4:28 2.1.2




Chad La Joie   Rod Widdowson   6/8/2009 6:13   7/29/2009 12:44   7/29/2009 12:44 2.1.2




Chad La Joie   Lukas Hämmerle   6/4/2009 4:29   7/1/2009 2:53   7/1/2009 2:53




Chad La Joie   Henri Mikkonen   5/22/2009 11:21    8/17/2009 4:32    8/17/2009 4:32 2.1.2




Brent Putman   Brent Putman     5/14/2009 16:39   5/14/2009 16:41   5/14/2009 16:41 2.1.2




Brent Putman   Brent Putman     4/30/2009 18:33   4/30/2009 18:50   4/30/2009 18:50 2.1.2




Chad La Joie   André Cruz   4/28/2009 12:37    6/30/2009 7:19   6/30/2009 7:19 2.1.2




Chad La Joie   André Cruz    4/13/2009 7:38   9/26/2010 11:11   8/3/2010 15:17 2.1.2




Chad La Joie   Olivier Salaün   4/9/2009 10:14   6/30/2009 8:03   6/30/2009 8:03 2.1.2




Chad La Joie   Halm Reusser     3/11/2009 8:13    7/3/2009 5:29    7/3/2009 5:29 2.1.2




                                                                                         265 of 748
Chad La Joie   Halm Reusser   3/11/2009 8:07   7/16/2009 6:40   7/16/2009 6:40 2.1.2




                                                                                       266 of 748
Chad La Joie   Halm Reusser   3/10/2009 11:33   7/1/2009 4:39   7/1/2009 4:39 2.1.2




                                                                                      267 of 748
Rod Widdowson   Halm Reusser   3/10/2009 11:24   3/14/2011 9:16   2/7/2011 13:04 2.1.2




                                                                                         268 of 748
Chad La Joie   Franck Borel      3/6/2009 5:18     7/1/2009 2:54     7/1/2009 2:54 2.1.2




Chad La Joie   Chad La Joie      3/3/2009 1:45     3/3/2009 3:27     3/3/2009 3:27
Chad La Joie   Peter Schober   2/26/2009 12:35   2/10/2011 17:26   2/10/2011 17:26




                                                                                           269 of 748
Chad La Joie   Scott Cantor         2/26/2009 11:30   1/31/2011 13:05   8/3/2010 19:17 2.1.2




Chad La Joie   Patrik Schnellmann   2/25/2009 10:57    2/26/2009 2:19   2/26/2009 2:19 2.1.2




                                                                                               270 of 748
Chad La Joie   Daniel J. Lauk   2/25/2009 5:16   1/11/2011 6:39   1/11/2011 6:39 2.1.2




Chad La Joie   Rod Widdowson    2/18/2009 6:50    3/3/2009 1:20    3/3/2009 1:20 2.1.2




Chad La Joie   Chad La Joie      2/6/2009 2:42   2/11/2010 9:55   2/11/2010 9:55




                                                                                         271 of 748
Chad La Joie   Nate Klingenstein    1/30/2009 0:28    7/2/2009 14:39   7/2/2009 14:39 2.0.0, 2.1.0, 2.1.1, 2.1.2




Chad La Joie   Kristof Bajnok      1/23/2009 11:09   9/20/2010 10:12    3/3/2009 3:36 2.1.2




Chad La Joie   Etienne Dysli        1/22/2009 4:39    3/2/2009 13:42   3/2/2009 13:42 2.1.2




                                                                                                                   272 of 748
Chad La Joie   Jon Stockdill   1/15/2009 10:25   3/3/2009 1:11   3/3/2009 1:11 2.1.2




                                                                                       273 of 748
Chad La Joie   Halm Reusser    1/14/2009 3:19   3/2/2009 13:22    3/2/2009 13:22 2.1.2




Chad La Joie   Halm Reusser   1/13/2009 10:25   9/23/2010 7:54   2/18/2010 20:04 2.1.2


Chad La Joie   Halm Reusser    1/13/2009 8:01   1/13/2009 8:57    1/13/2009 8:57 2.1.2




                                                                                         274 of 748
Chad La Joie    Patrik Schnellmann      1/8/2009 8:04   2/10/2011 17:16   2/10/2011 17:14 2.2.1




Rod Widdowson   Patrik Schnellmann      1/8/2009 7:59    3/14/2011 9:16    2/7/2011 13:03 2.1.2




Chad La Joie    Jim Fox              12/29/2008 15:40     7/1/2009 5:25     7/1/2009 5:25 2.1.2




Chad La Joie    Bernd Oberknapp       12/17/2008 2:55    5/19/2011 6:01    3/21/2011 9:48 2.1.1




                                                                                                  275 of 748
Chad La Joie   Patrik Schnellmann   12/17/2008 2:14   12/19/2008 7:41   12/19/2008 7:41 2.1.1




Chad La Joie   Halm Reusser         12/16/2008 7:53   12/19/2008 7:46   12/19/2008 7:46 2.1.2




Chad La Joie   Halm Reusser         12/16/2008 7:31    7/16/2009 6:41    7/16/2009 6:41 2.1.2




Chad La Joie   Halm Reusser          12/4/2008 3:06     7/1/2009 4:58     7/1/2009 4:58 2.1.1




                                                                                                276 of 748
Chad La Joie   Scott Cantor   12/3/2008 14:17     3/3/2009 1:16     3/3/2009 1:16 2.0.0, 2.1.0, 2.1.1




Chad La Joie   Scott Cantor   12/3/2008 13:53   12/19/2008 7:51   12/19/2008 7:51 2.1.0, 2.1.1




                                                                                                        277 of 748
Chad La Joie   Bob Allison    12/2/2008 12:10   12/15/2008 8:01   12/15/2008 8:01 2.1.1




Chad La Joie   Chad La Joie    12/2/2008 6:55    12/2/2008 7:07    12/2/2008 7:07 2.0.0, 2.1.0




                                                                                                 278 of 748
Chad La Joie   Chad La Joie   11/30/2008 13:39      7/3/2009 1:37      7/3/2009 1:37 2.0.0, 2.1.0




Chad La Joie   Chad La Joie    11/27/2008 9:18   11/27/2008 11:24   11/27/2008 11:24 2.0.0, 2.1.0




                                                                                                    279 of 748
Chad La Joie   Halm Reusser   11/27/2008 4:15   11/28/2008 4:59   11/28/2008 4:59 2.1.0




                                                                                          280 of 748
Chad La Joie   Russell Beall   11/17/2008 18:32   11/26/2008 2:20   11/26/2008 2:20 2.1.0




                                                                                            281 of 748
Chad La Joie   Russell Beall   11/17/2008 13:51   11/26/2008 2:16   11/26/2008 2:16 2.1.0




                                                                                            282 of 748
Chad La Joie   Patrik Schnellmann   11/14/2008 1:55   11/26/2008 9:06   11/26/2008 9:06 2.1.0




                                                                                                283 of 748
Chad La Joie   Bill Kuker   11/13/2008 14:29   11/26/2008 2:27   11/26/2008 2:27 2.1.0




                                                                                         284 of 748
Chad La Joie   Russell Beall   11/13/2008 14:17   11/26/2008 2:29   11/26/2008 2:29 2.1.0




Brent Putman   Brent Putman    11/11/2008 14:52   11/26/2008 2:35   11/26/2008 2:35 2.0.0, 2.1.0




                                                                                                   285 of 748
Chad La Joie   Russell Beall   11/3/2008 17:06   3/3/2009 3:43   3/3/2009 3:43 2.1.0




Chad La Joie   Scott Cantor    11/3/2008 16:27   7/1/2009 7:51   7/1/2009 7:51 2.1.0




                                                                                       286 of 748
Chad La Joie   Rod Widdowson   10/29/2008 6:29   10/30/2008 5:31   10/29/2008 6:41 2.1.0




Chad La Joie   Chad La Joie    10/29/2008 3:05   10/29/2008 5:00   10/29/2008 5:00 2.0.0




                                                                                           287 of 748
Chad La Joie   André Cruz     10/21/2008 13:18    12/9/2008 12:40    12/9/2008 12:40 2.0.0




Chad La Joie   André Cruz     10/15/2008 12:00   10/15/2008 15:24   10/15/2008 15:24 2.0.0




Chad La Joie   Halm Reusser   10/15/2008 11:08   10/15/2008 15:40   10/15/2008 15:40 2.1.0


                                                                                             288 of 748
Chad La Joie   Halm Reusser   10/15/2008 7:24   10/15/2008 15:52   10/15/2008 15:52 2.1.0



Chad La Joie   Halm Reusser   10/15/2008 6:58    10/29/2008 3:23    10/29/2008 3:23 2.1.0




Chad La Joie   André Cruz     10/9/2008 10:30   10/15/2008 15:44   10/15/2008 15:44 2.0.0




                                                                                            289 of 748
Brent Putman   Ian Young   9/30/2008 10:05   10/7/2008 17:50   10/5/2008 0:36 2.0.0




                                                                                      290 of 748
Brent Putman   Brent Putman     9/26/2008 15:48   9/26/2008 15:52   9/26/2008 15:52 2.0.0




Brent Putman   Brent Putman     9/26/2008 15:24   9/26/2008 15:27   9/26/2008 15:27 2.0.0


Chad La Joie   Chad La Joie      9/16/2008 5:34    9/16/2008 5:40    9/16/2008 5:40 2.0.0




Chad La Joie   Chad La Joie      8/28/2008 5:32    8/28/2008 5:36    8/28/2008 5:36

Chad La Joie   Steven Carmody    8/26/2008 7:42    8/31/2008 5:03    8/31/2008 5:03 2.1.0




                                                                                            291 of 748
Chad La Joie   Joy Veronneau   8/14/2008 15:54   9/3/2008 4:28   9/3/2008 4:28 2.0.0




                                                                                       292 of 748
Chad La Joie   Joy Veronneau   8/14/2008 11:54   8/16/2008 1:44   8/16/2008 1:44 2.0.0




                                                                                         293 of 748
Brent Putman   Karsten Huneycutt   7/29/2008 15:26   1/31/2011 13:05   9/29/2008 20:39 2.0.0




Chad La Joie   Rod Widdowson        7/23/2008 5:39    9/19/2008 8:26    9/19/2008 8:26 2.1.0




                                                                                               294 of 748
Chad La Joie   Rod Widdowson   7/23/2008 5:36   7/23/2008 12:49   7/23/2008 12:49 2.1.0




                                                                                          295 of 748
Chad La Joie   John Williams   7/18/2008 4:52   7/19/2008 2:42   7/19/2008 2:42 2.0.0




                                                                                        296 of 748
Chad La Joie   Scott Cantor        7/16/2008 11:36    10/1/2008 2:22    10/1/2008 2:22 2.0.0




Brent Putman   Brent Putman        7/12/2008 14:56   7/18/2008 18:11   7/18/2008 18:11 2.0.0


Chad La Joie   Karsten Huneycutt   7/10/2008 15:16     9/1/2008 2:31     9/1/2008 2:31 2.0.0




                                                                                               297 of 748
Chad La Joie   Russell Beall   7/10/2008 14:07   1/31/2011 13:05   8/3/2010 18:49 2.0.0




                                                                                          298 of 748
Chad La Joie   Karsten Huneycutt   7/10/2008 12:13    9/2/2008 7:13    9/2/2008 7:13 2.0.0




Chad La Joie   Etienne Dysli        7/10/2008 3:30   7/10/2008 3:34   7/10/2008 3:34 2.0.0




                                                                                             299 of 748
Chad La Joie   Chad La Joie    7/8/2008 3:11   7/24/2008 4:26   7/24/2008 4:26 2.0.0




Chad La Joie   Simon McLeish   7/4/2008 7:56   7/10/2008 6:44   7/10/2008 6:44 2.0.0




                                                                                       300 of 748
Chad La Joie   Karsten Huneycutt   6/30/2008 17:14   10/29/2008 6:20   10/29/2008 6:20 2.0.0




                                                                                               301 of 748
Chad La Joie   Ian Young   6/17/2008 12:45   6/19/2008 2:03   6/19/2008 2:03 2.0.0




                                                                                     302 of 748
Chad La Joie   Jeffrey Crawford   6/16/2008 14:59   6/19/2008 1:03   6/19/2008 1:03




                                                                                      303 of 748
Chad La Joie   Peter Schober   6/12/2008 18:15   6/15/2008 4:15   6/15/2008 4:15 2.0.0




                                                                                         304 of 748
Chad La Joie   Patrik Schnellmann   6/4/2008 4:14   6/6/2008 6:38   6/6/2008 6:38 2.0.0




                                                                                          305 of 748
Chad La Joie   André Cruz   5/29/2008 11:47   3/2/2009 13:29   3/2/2009 13:29 2.0.0




                                                                                      306 of 748
Chad La Joie   Rod Widdowson   5/27/2008 5:19   7/23/2008 12:50   7/23/2008 12:50 2.0.0




                                                                                          307 of 748
Chad La Joie   Halm Reusser   5/22/2008 9:09   5/22/2008 9:13   5/22/2008 9:13 2.0.0




Chad La Joie   Halm Reusser   5/22/2008 9:04   5/22/2008 9:12   5/22/2008 9:12 2.0.0




                                                                                       308 of 748
Chad La Joie   Halm Reusser   5/22/2008 9:04   5/22/2008 9:12   5/22/2008 9:12




Chad La Joie   Halm Reusser   5/22/2008 9:03   6/15/2008 4:10   6/15/2008 4:10




                                                                                 309 of 748
Chad La Joie   Dr. Y          5/20/2008 11:53     5/23/2008 4:59   5/22/2008 9:22 2.0.0




Chad La Joie   Scott Cantor   5/12/2008 19:41   10/18/2009 20:27    3/3/2009 3:47 2.0.0




                                                                                          310 of 748
Chad La Joie   Patrik Schnellmann    4/25/2008 5:17   5/28/2008 4:00   5/28/2008 4:00 2.0.0




Chad La Joie   Will Norris          4/21/2008 14:55   4/24/2008 3:50   4/24/2008 3:50 2.1.0




                                                                                              311 of 748
Chad La Joie   Christopher Bongaarts   4/18/2008 16:46   4/25/2008 13:44   4/25/2008 12:09 2.0.0




Chad La Joie   Ina Müller               4/17/2008 8:44   4/17/2008 11:05   4/17/2008 11:05 2.0.0




                                                                                                   312 of 748
Chad La Joie   Franck Borel        4/14/2008 7:42   4/17/2008 11:07   4/17/2008 11:07 2.0.0




Will Norris    Nate Klingenstein   4/8/2008 12:00   4/17/2008 14:33   4/17/2008 14:33 2.0.0




                                                                                              313 of 748
Chad La Joie   Nate Klingenstein   4/8/2008 11:58    5/28/2008 3:49    5/28/2008 3:49 2.0.0




Chad La Joie   Markus Grandpre      4/4/2008 6:32   4/17/2008 11:20   4/17/2008 11:20 2.0.0




                                                                                              314 of 748
Chad La Joie   Markus Grandpre       4/3/2008 9:31   5/28/2008 3:47   5/28/2008 3:47 2.0.0




Chad La Joie   Hendrik Brummermann   4/3/2008 9:07   4/3/2008 10:00   4/3/2008 10:00 2.0.0




                                                                                             315 of 748
Chad La Joie   Hendrik Brummermann    4/3/2008 9:05    5/28/2008 3:51   5/28/2008 3:51 2.0.0




Chad La Joie   Rod Widdowson         4/2/2008 11:32   7/14/2008 11:00   7/14/2008 7:52 2.0.0




                                                                                               316 of 748
Rod Widdowson   Rod Widdowson   4/1/2008 10:13   7/23/2008 6:30   7/15/2008 9:16 2.0.0




                                                                                         317 of 748
Chad La Joie   Lukas Hämmerle    3/31/2008 4:52    5/30/2008 3:01    5/30/2008 3:01 2.0.0




Chad La Joie   Ian Young        3/28/2008 10:40   4/17/2008 11:26   4/17/2008 11:26 2.0.0




                                                                                            318 of 748
Chad La Joie   Nate Klingenstein    3/24/2008 2:59    5/23/2008 4:59    3/25/2008 3:06




Chad La Joie   Franck Borel        3/20/2008 11:11   4/17/2008 11:29   4/17/2008 11:29 2.0.0




                                                                                               319 of 748
Chad La Joie   Ivan Novakov   3/19/2008 11:07   5/23/2008 4:59   3/20/2008 7:22 2.0.0




Chad La Joie   Scott Cantor   3/11/2008 12:24   4/18/2008 3:48   4/18/2008 3:48 2.0.0




                                                                                        320 of 748
Chad La Joie   Scott Cantor   3/10/2008 12:02   6/15/2008 4:21   6/15/2008 4:21




Chad La Joie   Scott Cantor    3/9/2008 15:01   5/23/2008 4:59   3/11/2008 9:00 2.0.0




                                                                                        321 of 748
Will Norris   Lukas Hämmerle   3/4/2008 9:45   3/17/2008 12:10   3/17/2008 12:10 2.0.0




                                                                                         322 of 748
Chad La Joie   Rod Widdowson   2/21/2008 8:12   2/21/2008 9:27   2/21/2008 9:27 2.0.0




                                                                                        323 of 748
Chad La Joie   Rod Widdowson   2/21/2008 8:03   3/2/2008 3:54   3/2/2008 3:54 2.0.0




                                                                                      324 of 748
Chad La Joie   Rod Widdowson       2/20/2008 13:37   5/23/2008 4:59   2/21/2008 3:30 2.0.0




Chad La Joie   Rod Widdowson       2/20/2008 12:45   5/23/2008 4:59   2/21/2008 4:18 2.0.0

Chad La Joie   Nate Klingenstein   2/19/2008 19:48   5/28/2008 3:44   5/28/2008 3:44 2.0.0




                                                                                             325 of 748
Brent Putman   Lukas Hämmerle      2/19/2008 8:27   5/23/2008 4:59   2/19/2008 19:22 2.0.0




Chad La Joie   Nate Klingenstein   2/5/2008 21:47   2/26/2010 3:32    2/26/2010 3:32 2.0.0




                                                                                             326 of 748
Chad La Joie   Nate Klingenstein   1/31/2008 17:13   2/1/2008 2:49   2/1/2008 2:49 2.0.0




                                                                                           327 of 748
Chad La Joie   Nate Klingenstein   1/28/2008 13:38    1/29/2008 1:55    1/29/2008 1:55 2.0.0




Chad La Joie   Nate Klingenstein   1/25/2008 20:12    1/26/2008 2:04    1/26/2008 2:04 2.0.0




Chad La Joie   Franck Borel         1/25/2008 8:28   2/25/2008 14:48   2/25/2008 14:48




                                                                                               328 of 748
Chad La Joie   Franck Borel   1/25/2008 8:25   1/29/2008 1:56   1/29/2008 1:56




                                                                                 329 of 748
Brent Putman   Tom Scavo   1/24/2008 8:09   5/22/2011 14:07   5/19/2011 18:23




                                                                                330 of 748
Chad La Joie   Nate Klingenstein   1/24/2008 1:04   1/24/2008 2:29   1/24/2008 2:29 2.0.0




                                                                                            331 of 748
Chad La Joie   Nate Klingenstein    1/16/2008 2:52   1/17/2008 4:19   1/17/2008 4:19 2.0.0




Chad La Joie   Nate Klingenstein   1/15/2008 16:44   1/16/2008 3:21   1/16/2008 3:21 2.0.0




                                                                                             332 of 748
Chad La Joie   Nate Klingenstein   1/15/2008 16:35   1/16/2008 14:40   1/16/2008 14:40 2.0.0




                                                                                               333 of 748
Chad La Joie   Nate Klingenstein   1/11/2008 11:58   1/11/2008 15:55   1/11/2008 15:55 2.0.0




                                                                                               334 of 748
Chad La Joie   Nate Klingenstein   1/11/2008 11:34   1/12/2008 5:52   1/12/2008 5:52 2.0.0




                                                                                             335 of 748
Chad La Joie   Nate Klingenstein   1/11/2008 11:29   5/23/2008 4:59   1/11/2008 13:14 2.0.0




                                                                                              336 of 748
Chad La Joie   Nate Klingenstein   1/10/2008 20:15   1/11/2008 12:39   1/11/2008 1:33 2.0.0




                                                                                              337 of 748
Chad La Joie   Nate Klingenstein   1/10/2008 19:20   1/11/2008 1:14   1/11/2008 1:14 2.0.0




                                                                                             338 of 748
Chad La Joie   Nate Klingenstein   1/10/2008 19:05   5/28/2010 16:40   3/22/2008 14:14 2.0.0




                                                                                               339 of 748
Chad La Joie   Nate Klingenstein   1/10/2008 18:35   1/11/2008 1:13   1/11/2008 1:13 2.0.0




                                                                                             340 of 748
Chad La Joie   Nate Klingenstein   1/7/2008 19:34   1/8/2008 4:51   1/8/2008 4:51 2.0.0




                                                                                          341 of 748
Chad La Joie   Nate Klingenstein   1/6/2008 13:07   2/1/2008 13:28   1/7/2008 1:53 2.0.0




                                                                                           342 of 748
Chad La Joie   Nate Klingenstein   1/6/2008 12:46   1/11/2008 12:42   1/9/2008 8:54 2.0.0




                                                                                            343 of 748
Chad La Joie   Nate Klingenstein   1/4/2008 22:15   3/22/2008 14:14   3/22/2008 14:14 2.0.0




                                                                                              344 of 748
Chad La Joie   Nate Klingenstein   1/4/2008 21:44   3/22/2008 14:14   3/22/2008 14:14 2.0.0




                                                                                              345 of 748
Chad La Joie   Nate Klingenstein   1/4/2008 13:28   1/11/2008 12:41   1/5/2008 5:16 2.0.0




                                                                                            346 of 748
Chad La Joie   Nate Klingenstein   1/3/2008 18:35   1/5/2008 5:08   1/5/2008 5:08 2.0.0




                                                                                          347 of 748
Chad La Joie   Nate Klingenstein   1/3/2008 18:30   1/5/2008 5:06   1/5/2008 5:06 2.0.0




Chad La Joie   Nate Klingenstein   1/3/2008 18:25   1/5/2008 5:04   1/5/2008 5:04 2.0.0




                                                                                          348 of 748
Chad La Joie   Nate Klingenstein   1/3/2008 18:21   1/5/2008 5:03   1/5/2008 5:03 2.0.0




Chad La Joie   Nate Klingenstein   1/3/2008 18:20   1/5/2008 5:02   1/5/2008 5:02 2.0.0




                                                                                          349 of 748
Chad La Joie   Nate Klingenstein   1/3/2008 18:16   1/5/2008 5:01   1/5/2008 5:01 2.0.0




Chad La Joie   Nate Klingenstein   1/3/2008 18:11   1/5/2008 4:59   1/5/2008 4:59 2.0.0




                                                                                          350 of 748
Chad La Joie   Nate Klingenstein   1/3/2008 18:06   1/5/2008 4:58   1/5/2008 4:58 2.0.0




Chad La Joie   Nate Klingenstein   1/3/2008 17:56   1/5/2008 4:52   1/5/2008 4:52 2.0.0




                                                                                          351 of 748
Chad La Joie   Nate Klingenstein   1/3/2008 17:55   1/5/2008 4:52   1/5/2008 4:52




Chad La Joie   Nate Klingenstein   1/3/2008 17:48   1/5/2008 4:50   1/5/2008 4:50 2.1.0




                                                                                          352 of 748
Chad La Joie   Nate Klingenstein    1/3/2008 17:36    1/5/2008 4:44     1/5/2008 4:44 2.0.0




Chad La Joie   Chad La Joie        12/24/2007 5:38   5/23/2008 4:59   12/31/2007 4:29




                                                                                              353 of 748
Chad La Joie   Nate Klingenstein   12/17/2007 15:09   1/11/2008 12:43   12/18/2007 5:27 2.0.0




                                                                                                354 of 748
Chad La Joie   Nate Klingenstein   12/17/2007 14:10   1/11/2008 12:43   12/18/2007 6:53 2.0.0




                                                                                                355 of 748
Chad La Joie   Nate Klingenstein   12/17/2007 14:03   5/23/2008 4:59   12/18/2007 6:56 2.0.0




                                                                                               356 of 748
Chad La Joie   Nate Klingenstein   12/17/2007 13:54   5/23/2008 4:59   12/27/2007 4:19




                                                                                         357 of 748
Chad La Joie   Nate Klingenstein   12/17/2007 13:51   5/23/2008 4:59   12/18/2007 9:56 2.0.0




                                                                                               358 of 748
Chad La Joie   Nate Klingenstein   12/17/2007 13:50   5/23/2008 4:59   12/27/2007 2:40




                                                                                         359 of 748
Chad La Joie   Nate Klingenstein   12/17/2007 13:43   5/23/2008 4:59   12/18/2007 9:57 2.0.0




                                                                                               360 of 748
Chad La Joie   Nate Klingenstein   12/17/2007 13:35   5/23/2008 4:59   1/6/2008 7:35 2.0.0




                                                                                             361 of 748
Chad La Joie   Nate Klingenstein   12/15/2007 20:59   5/23/2008 4:59   12/27/2007 4:14 2.0.0




                                                                                               362 of 748
Chad La Joie   Nate Klingenstein   12/15/2007 15:55   5/23/2008 4:59   12/17/2007 6:45 2.0.0




                                                                                               363 of 748
Chad La Joie   Nate Klingenstein   12/15/2007 14:57   2/25/2008 14:35   2/25/2008 14:35 2.0.0




                                                                                                364 of 748
Chad La Joie   Nate Klingenstein   12/15/2007 14:57      1/9/2008 8:54      1/9/2008 8:54 2.0.0




Chad La Joie   Nate Klingenstein   12/15/2007 14:46   12/15/2007 15:48   12/15/2007 14:47 2.0.0

Chad La Joie   Nate Klingenstein   12/15/2007 14:21     5/23/2008 4:59    12/27/2007 2:18 2.0.0




                                                                                                  365 of 748
Chad La Joie   Nate Klingenstein   12/15/2007 13:20    5/23/2008 4:59   12/15/2007 13:38 2.0.0




Chad La Joie   Nate Klingenstein   12/15/2007 13:07   1/11/2008 12:47   12/15/2007 13:33 2.0.0




                                                                                                 366 of 748
Chad La Joie   Nate Klingenstein   12/14/2007 17:01   1/11/2008 12:47   12/15/2007 8:52




                                                                                          367 of 748
Chad La Joie   Nate Klingenstein   12/14/2007 16:40   12/15/2007 15:54   12/15/2007 8:50




                                                                                           368 of 748
Chad La Joie   Nate Klingenstein   12/14/2007 16:19   1/11/2008 12:44   12/27/2007 4:26 2.0.0




                                                                                                369 of 748
Chad La Joie   Nate Klingenstein   12/14/2007 16:12   1/11/2008 12:44   12/15/2007 8:39




                                                                                          370 of 748
Chad La Joie   Nate Klingenstein   12/14/2007 15:59   5/23/2008 4:59   1/21/2008 6:55




                                                                                        371 of 748
Chad La Joie   Nate Klingenstein   12/14/2007 15:46   12/16/2007 3:07   12/15/2007 8:33




                                                                                          372 of 748
Chad La Joie   Nate Klingenstein   12/13/2007 17:48   12/15/2007 4:05   12/15/2007 3:49 2.0.0




                                                                                                373 of 748
Chad La Joie   Nate Klingenstein   12/13/2007 17:29   1/12/2008 4:58    1/12/2008 4:58 2.0.0




Chad La Joie   Nate Klingenstein   12/13/2007 17:24   5/23/2008 4:59   12/14/2007 5:28 2.0.0




                                                                                               374 of 748
Fix Version/s   Component/s                             Votes   Watchers   Images   Work Ratio   Sub-Tasks   Linked Issues
                                                        0       0
                                                        0       1
                                                        0       0
                                                        0       0
2.3.0           SAML 1, SAML 2                          0       0
2.3.0                                                   0       0
                                                        0       0
2.3.0                                                   0       0
2.3.0           Authentication                          0       1
2.3.0           SAML 2                                  0       0
2.3.0                                                   0       0   SC-150
2.3.0           Build                                   0       0
2.3.0           SAML 2                                  0       0
2.3.0                                                   0       0
                Attribute Resolution                    0       1
2.3.0                                                   0       0
2.3.0                                                   0       0
2.3.0                                                   0       0
                                                        0       0
                SAML 2                                  0       0
2.3.0           Attribute Resolution                    0       0
2.3.0                                                   0       0
                                                        0       0
                Attribute Resolution                    0       0
2.3.0           SAML 2                                  0       0
                                                        0       0
                Build                                   0       0
2.3.0           SAML 2                                  0       0
                Authentication                          0       0
2.2.1           Attribute Resolution                    0       0
                                                        0       0
                                                        0       0
2.2.1           Authentication                          0       0
2.2.1           SAML 1                                  0       0
2.2.1           Attribute Resolution                    0       0
2.2.1                                                   0       0
2.3.0           Authentication                          0       0
2.2.1                                                   0       0
                Authentication                          0       0
                Attribute Resolution                    0       1
2.2.1           SAML 1, SAML 2                          0       0
                                                        0       0
2.3.0                                                   0       1
                Build                                   0       0
2.2.1           SAML 1, SAML 2                          0       0
                                                        0       0
2.2.1           SAML 2                                  0       0
2.2.1           Attribute Resolution, Authentication    0       0
2.2.1           Attribute Resolution                    0       0
2.2.1           Build                                   0       0
2.2.1           Authentication                          0       0
2.2.1           Attribute Resolution                    0       0
2.3.0           SAML 2                                  0       0
2.2.1           SAML 1, SAML 2                          0       0
2.2.1           SAML 1, SAML 2                          0       0
2.2.1           Authentication                          0       0
                                                        0       2
                                                        0       2
2.2.0                                                   0       1
2.2.1           SAML 2                                  0       0
                Attribute Resolution                    0       2
                                                        0       0
2.2.1                                                   0       1
2.2.0           Authentication, SAML 2                  0       1
2.2.0           SAML 1, SAML 2                          0       0
                                                        0       1
2.2.0                                                   0       0
                Authentication                          0       0
2.2.0           Authentication                          1       2
                Authentication                          0       0
                Attribute Resolution                    0       0
2.2.0           SAML 1                                  0       0
2.3.0           Build                                   0       1
2.2.0                                                   0       0
2.2.0                                                   0       0
2.3.0           Build                                   0       0
2.2.0                                                   0       0
2.2.0                                                   0       1
                Build                                   0       0
2.2.0           Authentication                          0       1
                                                        0       1
                                                        0       2
                SAML 2                                  0       1
2.2.0                                                   0       0
2.2.0                                                   0       0
2.2.0           SAML 1                                  0       0
                                                        0       0
2.2.0           SAML 2                                  0       0
2.2.0                                                   0       0
2.2.0           Authentication                          0       0
2.2.0           Authentication                          0       0
2.2.0                                                   0       0
                                                        0       0
2.2.0                                                   0       0
2.2.0                                                   0       0
2.2.0                                                   0       0
2.2.0           Authentication                          0       0
2.2.0           Authentication                          0       3   SIDP-275
2.2.0                                                   0       0
2.2.0                                                   0       0
2.2.0                                                   0       0
2.2.0                                                   0       0
                                                        0       0
                                                        0       0
2.1.5           Authentication                          0       0
2.1.4           Attribute Resolution, Authentication    0       0
2.1.4           Build                                   0       0
2.1.4           Authentication                          0       0
2.1.4                                                   0       0
                Authentication                          0       2   SC-73
                Authentication                          0       1
2.1.4           Authentication                          0       1
2.1.4                                                   0       0
                                                        0       0
                SAML 2                                  0       0
                Authentication                          0       0
                Authentication                          0       2
2.1.3                                                   0       0
2.1.3           Authentication                          0       0
2.1.3                                                   0       0
2.1.3                                                   0       0
                                                        0       0
SAML 2   0   0




                 448 of 748
0   0




        449 of 748
        Authentication           0   1




2.1.3   SAML 2                   0   0




2.1.3   Authentication, SAML 2   0   0




                                         450 of 748
        Build   0   0




2.2.0           0   1




                        451 of 748
                         0   1




2.1.3   Authentication   0   0




                                 452 of 748
2.1.3   Authentication   0   0




                                 453 of 748
2.1.3   SAML 1   0   0




                         454 of 748
2.3.0   Build   0   0




                        455 of 748
2.1.3   Authentication   0   0




2.1.3                    0   0
        Authentication   0   1




                                 456 of 748
0   0




0   0




        457 of 748
2.2.1   Build            0   0




2.1.3   Build            0   0




2.1.3   Authentication   0   1




                                 458 of 748
2.1.3   Authentication   1   2




2.1.3                    0   2




        Authentication   0   0




                                 459 of 748
2.1.3   Authentication   1   1




                                 460 of 748
2.1.3   Attribute Resolution   0   0




2.2.0   Authentication         0   1   SIDP-368


2.1.3   Authentication         0   0




                                                  461 of 748
        Build            0   0




2.3.0                    0   0




2.1.3   Authentication   0   2




2.3.0                    0   0




                                 462 of 748
2.1.2                            0   0




2.1.2                            0   0




2.1.3                            0   0




2.1.3   Authentication, SAML 2   0   2




                                         463 of 748
2.1.3   0   0




2.1.2   0   0




                464 of 748
2.1.2   Authentication   0   0




2.1.1                    0   0




                                 465 of 748
2.1.3   Authentication   0   2




2.1.1   Authentication   0   0




                                 466 of 748
2.1.1   SAML 2   0   0




                         467 of 748
SAML 1   0   1




                 468 of 748
2.1.1   Authentication   0   1




                                 469 of 748
2.1.1   0   0




                470 of 748
2.1.1   Authentication   0   1




                                 471 of 748
2.1.1   Authentication   0   1




2.1.1   SAML 1, SAML 2   0   0




                                 472 of 748
        Build            0   0




2.1.3   SAML 1, SAML 2   0   0




                                 473 of 748
2.1.0   Build   0   0




2.1.0           0   0




                        474 of 748
2.1.0   SAML 1   0   0




                 0   0




2.1.0   Build    0   0


                         475 of 748
        Authentication   0   0



2.1.0   Authentication   0   1




2.1.0   Build            0   0




                                 476 of 748
2.1.0   0   0   CPPXT-29




                           477 of 748
2.1.0   SAML 2   0   0




2.1.0   SAML 1   0   0


2.1.0            0   0




                 0   0

2.1.0            0   0




                         478 of 748
2.1.0   0   0




                479 of 748
0   0




        480 of 748
2.1.0           1   0




2.1.0   Build   0   0




                        481 of 748
2.1.0   Build   0   0




                        482 of 748
2.1.0   0   0




                483 of 748
2.1.0   SAML 1                   1   1




2.1.0   Authentication, SAML 2   0   0   JOST-50


2.1.0                            0   0




                                                   484 of 748
0   2




        485 of 748
2.1.0   0   0




        0   0




                486 of 748
2.1.0   0   0




2.1.0   0   0   SSPCPP-118




                             487 of 748
SAML 2   0   0




                 488 of 748
2.1.0   SAML 1   0   2




                         489 of 748
2.1.0   0   0




                490 of 748
2.1.0   Authentication   0   0




                                 491 of 748
0   0




        492 of 748
2.1.3   SAML 1   0   0




                         493 of 748
2.1.0   0   0




                494 of 748
SAML 2   0   0




SAML 2   0   0




                 495 of 748
        SAML 2   0   0




2.1.0   SAML 2   0   0




                         496 of 748
2.1.0   SAML 2           0   0




2.1.3   SAML 1, SAML 2   0   0




                                 497 of 748
2.1.0   0   0




        0   0




                498 of 748
        0   0   JOWS-8




2.1.0   0   0




                         499 of 748
0   0




0   0




        500 of 748
                 0   0




Authentication   0   0




                         501 of 748
2.1.0   Authentication   0   0




                         0   0




                                 502 of 748
2.1.0   Build   0   0




2.1.0           0   0




                        503 of 748
2.1.0   0   0




                504 of 748
2.1.0   0   0




2.1.0   0   0




                505 of 748
                         0   0




2.1.0   Authentication   0   0




                                 506 of 748
Authentication   0   1




SAML 2           0   0




                         507 of 748
2.1.0            0   0




        SAML 2   0   0




                         508 of 748
2.0.0   0   1




                509 of 748
SAML 1, SAML 2   0   0




                         510 of 748
SAML 1   0   0




                 511 of 748
         0   0




         0   0

SAML 1   0   0




                 512 of 748
0   0




0   0




        513 of 748
Authentication   0   0




                         514 of 748
SAML 2   0   0




Build    0   0




Build    1   1




                 515 of 748
Build   0   0




                516 of 748
2.3.1   SAML 2   0   0




                         517 of 748
2.0.0   SAML 2   0   0




                         518 of 748
Build    0   0




SAML 2   0   0




                 519 of 748
SAML 2   0   0




                 520 of 748
SAML 2   0   0




                 521 of 748
SAML 2   0   0




                 522 of 748
0   0




        523 of 748
SAML 2   0   0




                 524 of 748
SAML 2   0   0




                 525 of 748
SAML 2   0   0




                 526 of 748
0   0




        527 of 748
SAML 2   0   0




                 528 of 748
0   0




        529 of 748
0   0




        530 of 748
Authentication   0   0




                         531 of 748
SAML 2   0   0




                 532 of 748
SAML 2   0   0




                 533 of 748
0   0




        534 of 748
0   0




0   0




        535 of 748
0   0




0   0




        536 of 748
0   0




0   0




        537 of 748
0   0




0   0




        538 of 748
0   0




0   0




        539 of 748
0   0




0   0




        540 of 748
SAML 2   0   0




                 541 of 748
SAML 2   0   0




                 542 of 748
SAML 2   0   0




                 543 of 748
SAML 2   0   0




                 544 of 748
SAML 2   0   0




                 545 of 748
0   0




        546 of 748
SAML 2   0   0




                 547 of 748
SAML 2   0   0




                 548 of 748
0   0




        549 of 748
SAML 2   0   0




                 550 of 748
SAML 1   0   0




                 551 of 748
                         0   0




2.0.0   Authentication   0   0

        Authentication   0   0




                                 552 of 748
SAML 2   0   0




         0   0




                 553 of 748
SAML 2   0   0




                 554 of 748
SAML 2   0   0




                 555 of 748
0   0




        556 of 748
SAML 2   0   0




                 557 of 748
SAML 2   0   0




                 558 of 748
SAML 2   0   0




                 559 of 748
SAML 2   0   0




                 560 of 748
SAML 2   0   0




SAML 2   0   0




                 561 of 748
Description   Servlet Container   Java Version
idp-process.log (Servlet Container: Jetty 7, Java Version: Sun 1.6)
16:24:37.850 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.JSPErrorHandlerBeanDefinitionParser:45] - Parsing configuration for JSP error handler.
16:24:37.852 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler: Status
16:24:37.853 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler: SAMLMetadata
16:24:37.859 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:42] - Parsing configuration for profile handler: ShibbolethSSO
16:24:37.878 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:42] - Parsing configuration for profile

(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)
{noformat}
[shibboleth-idp]# bin/version.sh
Exception in thread "main" java.lang.ExceptionInInitializerError
Caused by: java.lang.ArrayIndexOutOfBoundsException: 0
	at edu.internet2.middleware.shibboleth.idp.Version.<clinit>(Version.java:101)
Could not find the main class: edu.internet2.middleware.shibboleth.idp.Version. Program will exit.
{noformat}
(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)
The HTML element '<link rel="stylesheet" ... />' belongs inside the '<head>' section of an (X)HTML document.

This file appears to have had a bad case of "search and replace gone bad". I fixed one in idp-485, but there are some more.

(Servlet Container: Jetty 7, Java Version: Sun 1.6)
For SAML attribute queries, the requestContext object is missing a value for getPeerEntityId. It does have a value for getInboundMessageIssuer, which is why the filtering engine works.
From Ian:
> A couple of quick observations about the example user/password login page, which I had to customise from scratch:
>
> 1) It seems to have DOS line endings now; I don't think that used to be the case.
>
> 2) It has a documentation link to a page on spaces.internet2.edu which no longer exists.
>
> 3) The sentence starting "The web site described to the right" should end with a '.'

(2) is SIDP-486
(1) also applies to login.css

(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)




(Servlet Container: Jetty 7, Java Version: Sun 1.6)
Three options to fix:
1) add a required alt text parameter
2) or supply it from the same code that creates the entityName.
3) or supply it, but have it overridable.

Do we need this for 2.3?
(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)
We observed repeatedly that a login at our IdP stops at AuthnEngine with an empty page in the browser; the redirect to the Login Handler does not take place. The first retry is mostly successful. However, yesterday it happened to me three times in a row when trying to access wiki.shibboleth.net.

Up to now, we can not reproduce it yet, but by chance we captured such an incident yesterday evening while DEBUG was turned on for another reason.

Here are the relevant logfile entries. The user confirmed that he made this access with no old session cookies, since he restarted the browser just before it happened and no cookies were blocked. A retry thereafter using the same browser config was successful.

2011-04-27 19:23:22,564 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:198] - Creating login context and transferring control to authentication engine
Currently, if a deployer wants to see the complete SAML assertion that is being sent to an SP, it is difficult to do so. The PROTOCOL_MESSAGE logger will log only an encrypted assertion (assuming encryption for transport), and the fully serialized assertion is not AFAIK logged at any point prior to encryption.

This would be useful for debugging transactions, especially with non-Shibboleth SPs.

The error templates currently assume the IdP has made any strings they get safe for insertion, but we want to ensure that gets done directly by the templates.

Update POM to add plugin versions, use / publish to Shib.net Repo, and attach generated source and Javadocs.

Merge in a modified version of Jim Fox's ECP profile support. This version will rely on new handler-aware SOAP binding classes in OpenSAML, and inherit more effectively from the SAML 2 SSO handler.

Authentication via REMOTE_USER is implemented using a decoder handler rather than inside the profile handler.

(Servlet Container: Apache Tomcat 7.0, Java Version: Sun 1.6)
A quick grep shows that login.jsp (which I was aware of) and login.config and README.TXT need to be changed.
(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)
Multiple rows returned by RDBMS query on non-normalized database. Some values are returned as null. When mapping these values, the null values are considered to be actual values for the column by the mapper and it tries to run a regex match on the null value. This error is printed in the logs:

17:21:57.358 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:98] - Performing regular expression based comparison
17:21:57.384 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88] - Error occured while processing request
java.lang.NullPointerException: null
	at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition.doResolve(MappedAttributeDefinition.java:68)
	at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.BaseAttributeDefinition.resolve(

Despite lots of help, people still deploy the default login page.

Now that we have taglib assists we can make this look more like the standard page we are aiming for (login left, SP right).
(Servlet Container: Jetty 7, Java Version: Sun 1.6)
Caused by: java.lang.NullPointerException: null
	at edu.internet2.middleware.shibboleth.idp.ui.ServiceTagSupport.getSPEntityDescriptor(ServiceTagSupport.java:133)

What it says.

We will probably go for the "two box" approach, with login on the LHS and SP details (if any) on the RHS.

This does present a few issues for layout since I don't see a way to have two same sized boxes without ending up with absolute sizes. Fortunately you can cascade the taglibs which means you can say "If there is a (logo > size) then use that but clip it, otherwise just use the logo" which means that big logos get scaled down but small ones do not get bloated.

(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)
(I view this as a blocker to 2.3 delivery - we can fix it by removing the atg support but I'd rather not).

As part of final test of this code I deployed this into a live IdP. It appears that I only ever see one SP's logo - no matter which SP I approach this from.

More diagnosis needed, but I wanted to get this in ASAP.
The uptime on https://server.name/idp/status is displayed in ms. This may cause demoralization and trepidation in new deployers.

A lot of early deployers like to uncomment large piles of attributes. In the process, they often uncomment eduPersonTargetedID, which is dependent on the computedID data connector, which isn't generally uncommented. Installfests would be marginally smoother if these were commented independently.

<!--
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonTargetedID.old" scope="$IDP_SCOPE$" sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
This can all be found by traversing the metadata, but it seems best to keep this complexity from the GUI.

The kinds of information we want to supply are:
- ServiceName (taken from <mdui:UIInfo> or <AssertionConsumerService> of the host name from the entityID)
- ServiceDescription
- ServiceLogo (with some sort of size "parameterization")
- ServiceContact
- ServicePrivacyURL
- ServiceInformationURL
- IdPContact

The Upgrade instructions from https://spaces.internet2.edu/display/SHIB2/IdP22Upgrade#IdP22Upgrade-ChangesinPrincipalNameReturnedfromAuthentication state that "If you were properly pulling in the value from the principal name set by class name then you should see no change in behavior."

I'm afraid I don't understand what "pulling in the value from the principal name set by class name" means.

Could you please complete this (very useful documentation) with more precise instructions?

Thanks.
Unlike the Relational Database Data Connector, there is no FailoverDataConnector for the Stored ID Data Connector. I'm sure this could prove a useful feature.

(Servlet Container: Jetty 7, Java Version: Sun 1.6)
If you set SPNameQualifier to the SP's entityID, it should be a no-op/default result, but instead the code treats it as an affiliation and checks the metadata, resulting in an Invalid SPNameQualifier error.

I'd like to suggest the changes appended below to the default format for the idp-process.log:

1) add the full date to each message - while it's true that the YYYY-MM-DD is also "encoded" in the file name (after rotation), this information can sometimes get lost (when extracts are copied etc). Having it "inline" as well seems preferable to me.

2) only output exceptions in the short format, by default. (%ex{short} "prints the first line of the stack trace", otherwise the Logback default applies - the "PatternLayout will automatically add it as the last conversion word" if it's not explicitly specified - http://logback.qos.ch/manual/layouts.html)

Thanks for considering these for 2.3.

Index: REL_2/src/installer/resources/conf-tmpl/logging.xml
===============================
I got a strong steer from the UK Fed support guys that it would be nice to be able to generate the self-signed .key/.cert/.jks which the IdP installation does as a separate beast from the installation. I'm not sure why it is important to them. I suspect that it's (a) to allow easier documentation (since the SP and (b) because in the UK more IdPs have to have non self signed certs because of legacy software considerations.

Either way, it feels like a good idea to align the IdP's capabilities with the SP and I can see good reasons to want to be able to do this easily.

I just took a look at build.xml and it looks as though this might be possible with very little effort. If it's less than a day (and it's hard to see how it could be more) I'll happily do the work for this as part of 2.3, otherwise can we move this to 3.x?
After much gnashing of teeth, we've agreed to support IdP-initiated SSO by using the legacy Shibboleth protocol (a simple query string) to signal this on the SAML 2.0 SSO endpoint.

We need to reuse or adapt the MessageDecoder from the original protocol support for SAML 1 and bind it to the SAML 2.0 endpoint. We may even be able to reuse the binding URN, because there's no reason to add this to metadata (it's intended to be internal to the IdP deployment, not public).

We will not try and support both SAML versions on one endpoint, so if the shire parameter matches a SAML 1 ACS, it will be treated as an error when the SAML 2 endpoint is used.

Finally, the whole point of this exercise is to signal that the IdP should omit InResponseTo. We can't do this by the absence of a messageID, because the replay support we added to 2.2.1 mocks up a messageID for legacy protocol requests. Chad suggested using a profile handler option, but I would rather

Some people are building IdP proxies that populate the AuthenticatingAuthority element. We should add support for setting that via custom login handlers and honor that in the SAML 2 SSO profile handler.
The default attribute-resolver.xml does not include the displayName attribute from inetOrgPerson (RFC 2798 section 2.3) although this attribute is in use in some popular SP deployments including the shibboleth.net wiki.

Something like this could be added to the default file:

<resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
</resolver:AttributeDefinition>

In versions prior to v2.2, how do you explicitly configure the IdP to refresh metadata, say, every 8 hrs?
That's a very common mistake and it always takes me some time to fix it, mainly because of the error messages. Therefore I thought it was worth submitting a suggestion.

This happens whenever an SP admin publishes an ACS URL that differs from the one configured in his shibboleth2.xml.

The end user gets an error message that makes him think it's a web client configuration issue because the error message refers to cookies: "An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance. This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again. Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again." Since it's not a web client configuration issue, this error message should be changed.

(Servlet Container: Jetty 7, Java Version: Sun 1.5)
The IdP SessionManager and sweeper thread are improperly identifying when a session is expired. Currently the expiration time is being determined via the formula creationDate + inactivityTimeout when it should be lastActivity + inactivityTimeout.
I have an improved ShibbolethSSODecoder that supports replay detection by "mocking" up a message ID by combining the time parameter with the Java container session ID (if any). If there's no session ID, it just behaves as before. The session isn't actually used as a session, but it's usually (always?) there, and it's a simple way to make the timestamp tracking unique by client without adding cookies. That would probably work, but this is simpler and avoids cookie hassles.

In conjunction with this, you also add:
<security:Rule xsi:type="samlsec:Replay" required="false"/>
to the ShibbolethSSOSecurityPolicy rule set in relying-party.xml
(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)
When doing a /profile/SAMLX/SOAP/AttributeQuery for a user which results in an attributeresolver error it causes an NPE. It is an easy fix using the same logic flow as the SSOProfileHandler.

22:14:50.905 - [144.92.104.210|51ABCF58EC84F6684103D3E7FA6668DD] - ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:350] - Received the following error from data connector udsLDAPfailover, no failover data connector available
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: No LDAP entry found for buckybadger
	at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.resolve(LdapDataConnector.java:319) ~[shibboleth-common-1.2.1-WISC.jar:na]
	at edu.internet2.middleware.shibboleth.com
(Servlet Container: Apache Tomcat 6.0, Java Version: IBM 1.6)
After upgrading my test environment from IdP version 2.1.5 to 2.2.0, the following filter rule isn't working anymore. No value for eduPersonScopedAffiliation is included in the assertion. The rule which is working in my production environment (2.1.5) and not in 2.2.0 is:

<AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true"/>
    </PermitValueRule>
</AttributeRule>
The use case is to be able to support two additional things with RemoteUser authentication. The first is to allow for Relying Party specific extensions and the second is to support force authentication. IMHO, both can be supported by appending information onto the end of the request string. To support force authentication it would be to append something like /ForceAuthN at the end of the url, to look like https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN. Likewise for Relying Party specific support it would be to append the Base64 url encoded string to the end like https://login.wisc.edu/idp/Authn/RemoteUser/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo. In the situation that the relying party asked for force re-auth in the SAML token it would then result in https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo.

(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)
The fix for SIDP-417 (rev 2966) missed the RemoteUserLoginHandler.
Logging in from multiple browser tabs at the same time fails.

Since the passing from one IdP module to the other is done by HTTP redirect and the loginContextKey is stored in a cookie, for all requests in the same session the cookie will be overwritten. One solution for this problem could be passing the loginContextKey as a parameter through the modules including the login jsp page. If done this way every login page, displayed in its own browser tab, has its own loginContextKey.

The next thing is refreshing a login page where the authentication finished already in another browser tab. In this case the loginContext needs to be reset and the 'PreviousSession' handler needs to be used instead.
(Servlet Container: Apache Tomcat 5.5, Java Version: Sun 1.6)
Hi,

This is just a trivial thing - I started installing a Shibboleth 2.2.0 IdP and as I was uncommenting the attribute definitions in attribute-resolver.xml, I got some XML parse errors for attributes that have not yet been converted to the new naming syntax: eduPersonScopedAffiliation, eduPersonAssurance and eduPersonTargetedId (plus the encoders for eduPersonAssurance). Looks like someone overlooked a block of text when manually converting the attribute definitions.

The following patch fixes the issue in the attribute resolver configuration file template:
{noformat}
--- ./shibboleth-identityprovider-2.2.0/src/installer/resources/conf-tmpl/attribute-resolver.xml.orig 2010-12-07 12:24:00.000000000 +1300
+++ ./shibboleth-identityprovider-2.2.0/src/installer/resources/conf-tmpl/attribute-resolver.xml 2010-12-07 12:25:54.000000000 +1300

(Servlet Container: Jetty 7, Java Version: Sun 1.6)
The string-based NameID encoders have a nameQualifier setting to override/control the NameQualifier attribute, but the abstract profile handler bases explicitly set that to the IdP name regardless of whether it's set by the encoder already. We could check for null in the profile handler bases to fix it.
(Servlet Container: Apache Tomcat 6.0, Java Version: Sun 1.6)
We are getting errors for users when their IdP sessions expire in the middle of processing requests. Our IdP session timeout is set to 60 seconds. When they start an incoming request before the expiration and don't finish before the expiration we are getting errors in the attribute resolution or other places, mainly in the attribute resolution. It reports the principal as 'null'. Attached you will find an example of this where the session was created around 22:07:02.221, and they returned for a new request at 22:08:01.540. At 22:08:02.533 when they are redirected to the profile handler their IdP session is expired and they no longer have a principal associated with this session.

Please add JSESSIONID and ClientIP to MDC to make it easier to correlate log lines.
Apache Tomcat 6.0 / Sun 1.5
I have run across a bug, the same as detailed at: http://comments.gmane.org/gmane.comp.web.shibboleth.user/14878

...There didn't seem to be a bug filed yet, so I've filed this.

I had an installed version of the shibboleth IdP, version 2.1.5. Upgraded to 2.2.0 using the source at http://shibboleth.internet2.edu/downloads/shibboleth/idp/2.2.0/shibboleth-identityprovider-2.2.0-bin.zip

Testing retrieval of attributes using aacli.sh failed with error:
Exception in thread "main" org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.HandlerManager': Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: javax/servlet/ServletRequest

As per Chad La Joie's suggestion, the workaround to this is to simply place servlet-api.2.4.jar into the

When a user begins an authentication transaction but abandons it without completing it and starts another authentication transaction using the same version of SAML, the second authentication transaction can be completed successfully. However, when the second transaction is using a different version of SAML, the user gets an error page and is not allowed to log in. The logs show a ClassCastException, because the profile handlers are assuming that the LoginContext returned will always be of the type appropriate for that version of SAML and are not checking before casting. This is a regression in user experience from previous versions of the IdP (at least from version 2.1.2).

We have users who set Shibboleth-protected sites (the actual end site) as their browser's homepage, and they experience this when they attempt to start a new window/tab and log into a site that uses a different version of SAML.

I've attached a patch to revert the

Apache Tomcat 6.0 / Sun 1.6
I have the following metadata provider defined in relying-party.xml

<metadata:MetadataProvider id="LearnFedMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
    metadataURL="https://eco.tx-learn.net/downloads/LEARNfed-metadata.xml"
    backingFile="/usr/site/shibboleth_idp/metadata/LEARNfed-metadata.xml" />

As is, the configuration generates a null pointer exception. I'll attach the full, trace-level idp-process.log. I have a relatively easy workaround by just putting disregardSslCertificate="true" in the definition, but I thought you'd want a report of the NPE nonetheless. The certificate provided is perfectly kosher, and the same definition caused no problems under 2.1.5 using the same container & JRE.

Apache Tomcat 5.0 / Sun 1.5
A NullPointerException is thrown after receiving a message with a RequestedAuthnContext containing an empty AuthnContextClassRef (from a misconfigured SAML2 SP).

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://example.com/navpage.do"
    ForceAuthn="false"
    ID="5B428E390A0A3CAA013029B7E66B58D4"
    IsPassive="false"
    IssueInstant="2010-11-17T19:14:37.263Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="undefined"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"/>
  <saml2p:RequestedAuthnContext Comparison="exact">

JBoss 5.0 Tomcat / Sun 1.6
At authentication time, the IdP AuthnEngine inserts a second pointer from the user's principal name to the user's session object. It does this based on: authnMethodInfo.getAuthenticationPrincipal().getName(). Everywhere else in the IdP, however, the Session's getPrincipalName() (or RequestContext's, which is set from the Session) method is used, which can return a different name (and does in our environment).

This will cause any AttributeQuery profiles to fail.

A simple fix is to index using the Session getPrincipalName() method:

---
src/main/java/edu/internet2/middleware/s
hibboleth/idp/authn/AuthenticationEngine
.java (revision 2966)
+++
src/main/java/edu/internet2/middleware/s
hibboleth/idp/authn/AuthenticationEngine
.java (working copy)

Apache Tomcat 6.0 / Sun 1.6
More errors in default java-idp/tags/2.2.0/src/installer/resources/conf-tmpl/attribute-resolver.xml:

eduPersonScopeAffiliation, eduPersonAssurance, and eduPersonTargetedID.old's xsi:type have no namespace declared; should be ad:.
eduPersonAssurance's AttributeEncoders' xsi:type have no namespace defined; should be enc:.

<resolver:AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="$IDP_SCOPE$" sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />

shib-common 1.2.0 -> 1.2.1

We have had a user complain that he got "Shibboleth Error - An error has occurred while processing your request. - Please login through the original link if you are attempting to use a bookmark." when using Opera 10.

IdP logs showed this error:
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:148] - No login context available, unable to return to authentication engine

We are using the RemoteUser LoginHandler. My suspicion is that this is running afoul of Opera 10's aggressive redirect caching (see http://stevesouders.com/tests/redirects/results.php for a table) causing the user's login session to get dropped (perhaps by not getting the _idp_authn_lc_key cookie set during the redirect from the SSO endpoint).

If my understanding of the problem is correct, the IdP could work around the problem by setting Expires: or Cache-Control: headers on the HTTP response containing the redirect to

Apache Tomcat 6.0 / Sun 1.6
http://svn.middleware.georgetown.edu/view/java-idp/tags/2.2.0/src/installer/resources/conf-tmpl/attribute-resolver.xml?view=markup

<resolver:AttributeEncoder xsi:type="enc:SAML2String"name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" />

Jetty 7 / Sun 1.6
An SP's entity descriptor may for example have an EC key or (erroneously) a DSA key flagged for effective use = "encryption". Currently the IdP picks the "first" encryption key and doesn't filter these out. Should add an additional credential criteria to require only RSA keys to be resolved, since that is realistically the only algorithm supported. (This will be replaced by the more general algorithm whitelist/blacklist mechanism in 3.x).

Jetty 7 / Sun 1.5
There are issues to consider around use of the factory and the lifecycle of the output instances of the factory (MetadataCredentialResolver). These are related to the use of WeakReferences in the factory impl to avoid memory leaks. These issues are documented in the superclass of the factory:

http://svn.middleware.georgetown.edu/view/java-xmltooling/branches/REL_1/src/main/java/org/opensaml/xml/util/AbstractWrappedSingletonFactory.java?revision=564&view=markup

We should probably either:
1) cache a long-lived reference to the obtained resolver instance (i.e. a strong reference) inside the profile handler (easiest)
2) implement the explicit release mechanism, perhaps by using a finalize() method in the profile handlers

Jetty 7 / Sun 1.6
I think there's a bug in the conditionals that run in the processRequest method in the SAML 1 and 2 SSO profile handlers. They use the LoginContext.isPrincipalAuthenticated() method to determine whether to treat the request as the "first" or "second" leg, but this breaks if the LoginHandler returns to the profile handler with an error rather than authenticating the user.

The code in both the protocol versions looks like this:

{code}
if (loginContext == null) {
    log.debug("Incoming request does not contain a login context, processing as first leg of request");
    performAuthentication(inTransport, outTransport);
} else if (!loginContext.isPrincipalAuthenticated()) {
    log.debug("Incoming request contained a login context but principal was not authenticated, processing as first leg of request");
    performAuthentication(inTransport, outTransport);
{code}

Jetty 7 / Sun 1.6
The time of authentication is tracked by an Info structure that's only created when an existing Info structure for a given method isn't already present in a user's session. So if forceAuthn is used before the previous authentication has expired, the time won't get reset.

Jetty 7 / Sun 1.6
Latest released version causes TCNonPortableObjectError when artifacts are used. This issue also affects the 2.2 IdP release.

Referring class : org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry
Referring field : org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry.log
Non-portable field name: org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry.log
Thread : TP-Processor9
JVM ID : VM(9)
Non-included class : ch.qos.logback.classic.Logger

Terracotta tries to cluster the non-transient instance field "log", which is not included in the bootstrap jar.

Jetty 7 / Sun 1.6
With the changes introduced in the 2.4.0 version, BasicArtifactMapEntry no longer works in a clustered environment.

When put() and get() happens on separate nodes, the transient message field is dropped by the clustering code, so the getMessage() method will eventually end up returning null (since Terracotta doesn't call the writeObject/readObject pair).

Apache Tomcat 6.0 / Sun 1.6
running aacli to test filters etc.. results in

Exception in thread "main" org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.HandlerManager': Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: javax/servlet/ServletRequest....


Jetty 7 / Sun 1.5
The SAML2 attribute query handler logs the reference to the SOAP envelope instead of the actual message:

14:20:58.359 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler:174] - Decoded request from relying party 'org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@1be87a0'

May affect other profile handlers as well.

Here is a patch to edu/internet2/middleware/shibboleth/idp/StatusServlet.java which enables session store monitoring. The page shows a line indicating that the store is accessible, but hangs if Terracotta is disconnected. If terracotta is not implemented, the line always shows true.

$ diff StatusServlet.java.dist StatusServlet.java
47a48
> import
org.opensaml.util.storage.StorageServic
e;
69a71,73
> /** Storage service used by the IdP. */
> private StorageService<?,?> store;
>
89a94
> store =
HttpServletHelper.getStorageService(con
fig.getServletContext());
173a179,183
> try {
> out.println("storage_accessible: " +
((store.getPartitions() != null) ?
Boolean.TRUE : Boolean.FALSE));
> } catch (Exception e) {
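Review bot: the storage_accessible probe in the 173a179,183 hunk reports only whether store.getPartitions() returns non-null, which, as the description itself says, hangs rather than fails when Terracotta is disconnected, so the printed value cannot distinguish a healthy store from a stalled one; a bounded check (a call guarded by a timeout, or a store-level health method if the StorageService offers one) would make the status page safe to poll. Also, `store` is assigned unconditionally in the 89a94 hunk, so a missing storage service surfaces here as a NullPointerException swallowed by the `catch (Exception e)` whose body is cut off in this listing; a null check at init time that prints an explicit "storage_accessible: unavailable" line would be clearer than a generic catch.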

JBoss 6.0 Tomcat / Sun 1.6
The IdP 2.2.0 fails at parsing French federation metadata when version 2.1.5 succeeds. It can be a problem linked to that particular federation's metadata format.
These metadata are available here: https://services-federation.renater.fr/metadata/renater-metadata.xml
signing certificate here: https://services-federation.renater.fr/metadata/metadata-federation-renater.crt

The IdP 2.2.0 stops with the following messages (in debug level the stack trace is not any clearer):

16:47:04.717 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:179] - shibboleth.HandlerManager service loaded new configuration
16:49:37.263 - INFO [org.apache.velocity.app.VelocityEngine:49] - LogSystem has been deprecated. Please use a LogChute implementation.
16:49:37.450 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:157] -

Jetty 6 / Sun 1.5
I have Shibboleth deployed at the root of a site.

With Shibboleth 2.2.0, attempts to login redirect the user to "https://iam.dev.auckland.ac.nz:443/null/AuthnEngine".

Previously this was being handled by dispatching internally, however the changes in SIDP-380 mean that there is now an extra redirect.

The redirect path is being built using org.opensaml.util.URLBuilder, but the problem is in SSOProfileHandler, which is taking the existing path (which has been converted from "" to null by URLBuilder), and concatenating authenticationManagerPath to it.

{code}
URLBuilder urlBuilder = HttpServletHelper.getServletContextUrl(httpRequest);
urlBuilder.setPath(urlBuilder.getPath() + authenticationManagerPath);
{code}

Jetty 6 / Sun 1.6
After running Shibboleth for a period of time, we've found thousands of metadata provider observer instances are registered on the metadata provider. These are getting added every time a user logs in.

MetadataCredentialResolverFactory ensures that only one instance of MetadataCredentialResolver is created for each MetadataProvider.

Shibboleth is not using this factory, but instead directly creating instances of MetadataCredentialResolver. Each resolver then registers its own observer, which causes the observers to build up over time. This also means the caching done in MetadataCredentialResolver is not effective as the cache is being recreated for each instance.

Please can Shibboleth use the factory instead of directly creating instances of MetadataCredentialResolver?

The request trace for these observers being created is...

Jetty 7 / Sun 1.5
The SAML name identifier was not being properly logged in the audit log per https://spaces.internet2.edu/display/SHIB2/IdPLogging

It'd be nice if the status page would report the number of active IdP sessions. This should give deployers an idea of the usage level of their IdP.

The link for the documentation in login.jsp should point to https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPassLoginPage instead of IdPAuthUserPass

Jetty 7 / Sun 1.6
Let me explain the issue:

1. User accesses SP A
2. LoginContext is created, User authenticates
3. User might be redirected to an extension (e.g., uApprove), the LoginContext is persisted (cookie, storage service)
4. The user does not complete authentication (e.g., within uApprove he clicks on some bookmark to another SP B)
--> LoginContext is still persisted and valid (refers to RP A), because it does not get unbound by the IdP.
5. When the user accesses the IdP again (session initiation from SP B) the login context from A is retrieved from the storage.

The behavior, which in my opinion will be the "right" one:
When a new SSO session is initiated, a new login context will be created and old ones are discarded.

Some users will bookmark the IdP login form. If they access it later again, they get an error after authentication, because of a missing login context.

A suggestion would be to check for loginContext != null at the login.jsp and print a warning message. This would be a good example for the shipped login.jsp, deployers might adjust it accordingly.

Apache Tomcat 6.0 / Sun 1.6
1. Existing session in browser
2. Restart tomcat node using TC or switch to a different node where the session is not present
3. Use browser to navigate to new SP
4. NullPointerException in resolving principal

It seems we still do not have the complete set of classes requiring instrumentation for TC.

Not sure why, but the browser ends up on this link: https://shibboleth.usc.edu:443/idp/AuthnEngine

This is the error message; it bypasses the idp-process.log and is printed to catalina.out:
SEVERE: Servlet.service() for servlet AuthenticationEngine threw exception
java.lang.NullPointerException
    at javax.security.auth.Subject$ClassSet.<init>(Subject.java:1311)
    at javax.security.auth.Subject.getPrincipals(Subject.java:592)

Apache Tomcat 6.0 / Sun 1.6
At USC we don't release any attributes about a person where the person does not have an entitlement to the application. This includes all identifiers including the usual transient-nameid field which is constructed for all relying parties if the person is entitled. Here is the stack trace from the exception:

11:34:34.794 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:825] - Attemping to build NameID for principal 'beall' in response to request from relying party 'https://grs.usc.edu/shibboleth-sp
11:34:34.794 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:434] - No attributes for principal 'beall', no name identifier will be created for relying party 'https://grs.usc.edu/shibboleth-sp'
11:34:34.798 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88] - Error occured while processing request
java.lang.NullPointerException: null
    at

Jetty 7 / Sun 1.5
The ShibbolethSSOProfileHandler buildRequestContext method is setting the outbound protocol as SAML 2.0. Looks like it should be the SAML 1.1 constant? Assuming there's no SAML 1.0 support...

If web.xml has to be customized (e.g. to add a container managed data source) it would be convenient when tracking snapshots or upgrading to override the path to the web.xml to pull into the war. I think this is fairly straightforward in the ant task that builds the war.

Currently, when a user agent requests an IdP's metadata from the metadata profile handler it responds with the SAML metadata media type. If you point a browser at this URL, since it doesn't understand the SAML metadata media type, it will simply prompt to save the file instead of displaying it.

In order to avoid this, check the incoming requests for supported media types. If SAML metadata media type is not listed use text/xml or text as supported. If nothing is supported return an error.

Update 3rd party libs:
xerces 2.9.1 -> 2.10.0
ant 1.7.0 -> 1.7.1

Apache Tomcat 6.0 / Sun 1.6
The QS installer (should have) enough smarts to use the Shibboleth JAAS connector to allow the "administrator" user (by name) to get access to the tomcat manager capability.

This seemed like a good idea at the time, particularly since I naively expected people to wire in something more permanent if they had a need. However, it has proven to be constantly problematic and I just don't like hardwiring this to an account name. Further it is not widely used (people just don't have a need) and adds marginal value, somewhere quite far from our core needs.

It has now rusted - (https://lists.internet2.edu/sympa/arc/shibboleth-users/2010-08/msg00190.html), I'll troubleshoot this, but unless there is a wail of complaint, I am going to remove this function from future versions - probably 2.2, failing that 3.0 definitely.

Apache Tomcat 5.5 / Sun 1.5
SessionManagerImpl.destroySession() only removes the given sessionID from the session store and keeps indexed references in place. This causes several code-paths to access the session depending on the index they use.

The latest browser versions (IE8, Opera 10.50, Safari 4+ i.e. WebKit, forthcoming Firefox 3.6.9 or current FF with NoScript Add-On) support the header and for older browsers, the header won't do any harm.

References:
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
http://www.owasp.org/index.php/Clickjacking

Fix any failing unit test that can be fixed with minimal effort. Remove all the rest.

Apache Tomcat 6.0 / Sun 1.6
From: handler.xml

<LoginHandler xsi:type="UsernamePassword" authenticationDuration="1" jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>

From: internal.xml

<bean id="shibboleth.SessionManager" class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl" depends-on="shibboleth.LogbackLogging">
    <constructor-arg ref="shibboleth.StorageService" />
    <constructor-arg value="28800000" type="long" />
</bean>

1) Visit SP
2) Login to IdP
3) Wait 2 minutes

Apache Tomcat 6.0 / Sun 1.6
It appears that not quite all memory leaks were plugged from last year's work on the memory issues.

Instead of filling up the JVM in two weeks of heavy use, it takes two months of heavy use to fill up a 2G JVM. The following is a heap trace showing the objects which were hanging around. This is with Terracotta in use.

Object Histogram:

num #instances #bytes Class description
--------------------------------------------------------------------------
1: 3740573 364185984 char[]
2: 7121427 341828496 java.util.HashMap$Entry
3: 3498305 195905080 java.lang.ref.SoftReference
4: 61004 177727376 java.util.HashMap$Entry[]
5: 3756237 150249480 java.lang.String
6: 3517010 84408240 java.lang.Integer
7: 25603 32320384 byte[]
8: 108632 14826176 * ConstMethodKlass
9: 108632 13045840 * MethodKlass

Apache Tomcat 5.5 / Sun 1.5
Original SP WAYF/Shire url is correctly obtained by the IDP as:

https://coleg.intralibrary.com/?command=open-athens-auth%26federation=ukfed

After 'Invoking velocity template to create POST body' and 'Encoding action url' the WAYF url to respond to becomes:

https://coleg.intralibrary.com/?command=open-athens-auth%26federation

Only happens with Shibboleth IDP 2.1.5; other IDPs such as 2.1.4 are successfully working. Upgrading to 2.1.5 has been proven to cause the issue and reverting back is currently our only solution.

IDP Log below:

09:38:53.673 - INFO [Shibboleth-Access:73] - 20100701T093853Z|10.1.21.151|cardshibidp.cardonald.ac.uk:443|/profile/Shibbol

I have an SP partner that insists I add data to their Relay State during the authentication process. I've added a Saml2LoginContext.setRelayState() to a custom build of Shibboleth, but would like to not have to modify the main code body.

I realize that having the IdP do anything but send back the given Relay State is not spec, but I still have a relying party that makes me do it.

The attribute eduPersonAssurance defined in eduPerson 200806 is not in the attribute-resolver.xml file delivered with the IdP.

Please add the attribute to the example config file.

In edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl#destroySession(String) session indexes are not cleared when the session is destroyed.

Apache Tomcat 6.0 / Sun 1.6
When an expired request (or other SecurityException) is detected by the Shibboleth SSO profile handler, the error message is being set to the literal string "msg"; this string may be retrieved and displayed to the user via error.jsp. The problem seems to be due to an obvious bug in ShibbolethSSOProfileHandler's decodeRequest() method, which would be corrected with the following patch:

Index:
src/main/java/edu/internet2/middleware/s
hibboleth/idp/profile/saml1/ShibbolethSS
OProfileHandler.java
===============================
===============================
=====
---
src/main/java/edu/internet2/middleware/s
hibboleth/idp/profile/saml1/ShibbolethSS
OProfileHandler.java (revision 2924)
+++
src/main/java/edu/internet2/middleware/s
hibboleth/idp/profile/saml1/ShibbolethSS
OProfileHandler.java (working copy)
@@ -214,7 +214,7 @@
} catch (SecurityException e) {

Apache Tomcat 6.0 / Sun 1.6
During tomcat restart the idp servlet has not been loaded if the remote arp is not available.
Example of config:
<Service id="shibboleth.AttributeFilterEngine" xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine"
    configurationResourcePollingFrequency="120000"
    configurationResourcePollingRetryAttempts="3">
    <ConfigurationResource file="/opt/shibboleth-idp/conf/attribute-filter.xml" xsi:type="resource:FilesystemResource" />
    <ConfigurationResource xsi:type="resource:FileBackedHttpResource" url="https://remote.example.com/path" file="/opt/shibboleth-idp/conf/attribute-filter-remote.xml" />
</Service>

The error message blows up the log file when logged with the full stack trace:

14:50:36.450 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:539] - Error resolving principal name for SAML request '_8cb93320f745386444dcfa4f7cd50651' from relying party 'https://aai-demo.switch.ch/shibboleth'
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: No information associated with transient identifier: 26387e54-8a6d-4cdd-8e19-154992977116
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector.TransientPrincipalConnector.resolve(TransientPrincipalConnector.java:79) [shibboleth-common-1.2.0.jar:na]
    at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector.TransientPrincipalConnector.resolve(TransientPrincipalConnector.java:32) [shibboleth-common-1.2.0.jar:na]
    at

Shipped configuration files should not throw those warnings:

11:38:33.650 - WARN [edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils:271] - Numerical duration form is deprecated. The property 'assertionLifetime' on profile configuration of type {urn:mace:shibboleth:2.0:relying-party:saml}ShibbolethSSOProfile should use the duration notation: PT5M0.000S
11:38:33.659 - WARN [edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils:271] - Numerical duration form is deprecated. The property 'assertionLifetime' on profile configuration of type {urn:mace:shibboleth:2.0:relying-party:saml}SAML1AttributeQueryProfile should use the duration notation: PT5M0.000S
11:38:33.661 - WARN [edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils:271] - Numerical duration form is deprecated. The property

Apache Tomcat 6.0 / Sun 1.5
Currently, requests are sent to the authentication engine, and returned to the profile handler, by means of request forwards. This means that cookies, in particular the cookie that contains the LoginContext key, are not available to filters, like uApprove, intercepting these transitions.

Apache Tomcat 6.0 / Sun 1.5
In the UsernameLoginHandler Servlet it gets checked if a JAAS LoginException is thrown. Instead of putting that directly to the request as AUTHENTICATION_EXCEPTION_KEY, bundle it in an AuthenticationException.


Jetty 7 / Sun 1.5
The IdP sends the following SAML subject:

<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">g4489WICx4m/zeiOD0nCwxGPYeU=</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="130.59.6.143" InResponseTo="_ccb44b0734183e5d2190bc73cedddc24" NotOnOrAfter="2010-02-25T13:20:06.596Z" Recipient="https://kelimutu.switch.ch/Shibboleth.sso/SAML2/POST" />
    </saml2:SubjectConfirmation>
</saml2:Subject>

The SP then provides as persistentID value in the web server environment "!!g4489WICx4m/zeiOD0nCwxGPYeU=", presumably because the SPNameQualifier is missing.

Jetty 7 / Sun 1.5
After upgrading a 2.1 IdP to 2.2 preview, the mySQL connector seems not to work anymore.

During startup everything is fine:
[...]
INFO - Parsing configuration for DataConnector plugin with ID: myDB
DEBUG - Setting the following attribute definition dependencies for plugin myDB: null
DEBUG - Created application managed data source for data connector myDB
DEBUG - Data connector myDB query template:

SELECT CONCAT_WS(":", "vo-attribute", `group`, `role` )
AS eduPersonEntitlement
FROM GroupMembers
WHERE uniqueID = '$requestContext.principalName'

DEBUG - Data connector myDB database query template: SELECT CONCAT_WS(":", "vo-attribute", `group`, `role` )
AS eduPersonEntitlement
FROM GroupMembers

Apache Tomcat 5.5 / Sun 1.5
Section at bottom of logging docs wiki says we populate both principalName and idpSessionId keys, but a search of the code indicates we actually only populate idpSessionId.

https://spaces.internet2.edu/display/SHIB2/IdPLogging

Did we populate principalName at some point and it just got removed, perhaps accidentally? If docs are just wrong, can just fix those. But seems desirable to populate principalName if it's feasible.

The StaticBasicParserPool has much less synchronization going on and is therefore more efficient. We don't change the pool properties after initialization anyway, so nothing lost.

I think we pretty much agreed to do this sometime last year, but the change just never made it into the project.

In internal.xml, make sure to also add an init-method="initialize" onto the bean definition, this impl doesn't init itself like the old one did.

MDC support is implemented by per-            Apache Tomcat 6.0   Sun 1.5
thread state stored via a TheadLocal. If
the MDC state is not reset at the end of
request processing, then the state will
persist in the thread, leading to
stale/incorrect logging data if the thread
is later reused and logging output
includes MDC variables prior to being
updated in the new request. We should
clear the MDC state at the end of the
processing of a request, as documented
in the slf4j user's guide. The most
obvious way to do is via a very simple
servlet filter, attached.

http://logback.qos.ch/manual/mdc.html




To enable certain scenarios with authentication, a possibility to explicitly set the cookie Domain for the login context cookie would be useful.

It would be advantageous to report a more accurate message than "Authentication Failed" to the end user when the user's password is expired or the account is otherwise locked or the like.

I'm thinking LDAP and better reporting than the obvious error 49. If there is more information in the message that LDAP returns then can we make use of it to give them a better "reason" than that their request has failed.

I would like to see the uptime of the IdP web app on the status URL of the IdP. I don't care whether it's a duration or the (UTC) time the web app was started.

Environment: Apache Tomcat 6.0, Sun 1.6
As a result of an expired SAML message, the IdP logs this:

WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:216] - Shibboleth SSO request does not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Message was rejected due to issue instant expiration
at org.opensaml.common.binding.security.IssueInstantRule.evaluate(IssueInstantRule.java:109) [opensaml-2.3.1.jar:na]
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50) [openws-1.3.0.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:110) [openws-1.3.0.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) [openws-1.3.0.jar:na]
at

Environment: Apache Tomcat 6.0, Sun 1.6
I've tried to implement the feature that the IdP releases the password as an attribute, but the script seems unable to retrieve the user session. Chad suggested this is a bug: the session isn't being set within the attribute request context during a SAML1 attribute query. I will test this with a SAML2 SP and report the results a little bit later.

Script:
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
importPackage(Packages.edu.internet2.middleware.shibboleth.idp.authn.provider);
password = new BasicAttribute("password");
userSubject = requestContext.getUserSession().getSubject();
i = userSubject.getPrivateCredentials().iterator();
if( i.hasNext() )
{
password.getValues().add(i.next().getPassword());

Environment: Apache Tomcat 6.0, Sun 1.6
The two methods in HttpServletHelper named getRelyingPartyConfirmationManager should be named getRelyingPartyConfigurationManager.

Environment: Apache Tomcat 6.0, Sun 1.6
After the upgrade from IdP 2.0 to IdP 2.1.5, I wasn't able to deploy the new idp war file. But somehow, it works fine if I copy back the 2.0 idp war file. I wonder if there are any new improvements/bug fixes in the 2.1.5 idp war file that I should be using instead of the 2.0 war file. How can I get it to work with the 2.1.5 war file? Thanks for the help.

Tomcat error:
INFO: Deploying web application archive idp.war
Nov 13, 2009 10:55:40 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Nov 13, 2009 10:55:40 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/idp] startup failed due to previous errors
Nov 13, 2009 10:55:40 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-80

Thanks,

Environment: Apache Tomcat 6.0, Sun 1.6
I found this while looking at another bug (case to come once I have it sorted).

The bottom line is that in the AACLI case an AttributeRequesterInEntityGroup cannot get hold of the metadata and so always fails. This means that any attributes protected by such a filter fail. If I look at the attribute filter in the real IdP case then all is fine.

I'll append the resolver file but the rub is this statement:

<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:OR">
<basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:shibboleth:testshib:two" />
<basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://ukfederation.org.uk" />
<basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup"

Environment: Apache Tomcat 6.0, Sun 1.6
The default login.jsp script has various debugging and informational content now based on the RP metadata, and crashes internally with no output when an Anonymous RP is used.

During an SSO request attributes are resolved in order to get the information necessary to create the name identifier and attributes; however, neither piece of data is required within the authentication statement. Currently, when an attribute resolution error occurs it causes an error to be sent back to the SP. Instead, a valid authentication statement, without name identifier, should be returned since authentication was, in fact, successful.




Environment: Apache Tomcat 5.5, Sun 1.5
When the installer runs the first time it saves the IDP_HOME directory that is entered for subsequent invocations. When a new version of the IdP is installed the installer will ask for the IDP_HOME and detect that a version is already installed there. If the default option of not overwriting the existing configuration files is then chosen, the installer does not remember the IDP_HOME entered and it must be re-entered on each subsequent invocation.

Environment: Apache Tomcat 5.5, Sun 1.5
Before transferring control to a LoginHandler the IdP stores the LoginContext within the StorageService; however, once authentication completes the LoginContext is not properly removed. It will eventually be removed by the StorageService sweeper thread but it's better to clean it up properly.

The terracotta configuration file is not necessary unless clustering support is enabled and it changes with almost every TC release. So, instead of bundling it with the IdP we'll just keep it on the wiki where it's easier to maintain.

Every time a user authenticates, the initial query performed against LDAP doesn't include a filter. We need the filter to be applied b/c our LDAP includes hundreds of users with LDAP Aliases (objectclass=alias); the net result is that anytime a user with an alias tries to log in it fails. We see "javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]" in the idp-process.log b/c two results were returned for the LDAP query lacking the filter (cn=testuser1): the first is the alias and the second is the person.

So far I've found two workarounds that have allowed me to get around the problem, *but* my preference would still be to configure a filter in the login.config so I could avoid ever finding the LDAP aliases in the first place.

The first workaround was to set maxResultSize > the max number of aliases any user in the organization

Environment: Apache Tomcat 6.0, Sun 1.6
I am not sure if this is an IdP or a browser topic, but I wanted to document it here for further testing.

If we have two SP sessions in one browser with the same IdP, we encounter strange behaviour with the browser back button:
step 1: log in to SP1 in browser tab 1
step 2: log in to SP2 in browser tab 2

Firefox 3.5.2 and IE 8:
-----------------------------
step 3: browser back button in SP2 (tab 2) results in org.opensaml.ws.security.SecurityPolicyException: Rejecting replayed message ID '_e2a3c20efa9ec3018f45a2d67cb0237b' from issuer <entityId SP2>

step 4: browser back button in SP1 (tab 1) ends in start page of SP2 (originally tab 2)

Opera 10.0
---------------
shows the previous screens without any new communication with IdP or SP,

Environment: Apache Tomcat 5.5, Sun 1.5
We're having some SPs report that they are seeing HTTP_SHIB_AUTHENTICATION_INSTANT get an updated value for users that are getting redirected from an SP to our IdP and back, even when the user didn't have to re-authenticate (seamless redirects from a user perspective).

I assumed that HTTP_SHIB_AUTHENTICATION_INSTANT / AuthnInstant was only updated when the user entered credentials and those credentials were checked, not simply when the SP establishes a new session from an existing IdP session. After reading the SAML2 spec, I still think my assumption is correct.

Environment: Apache Tomcat 5.5, Sun 1.6
Configuration snippets which trigger the issue:

attribute-resolver.xml:

<!-- Name Identifier related attributes -->
<resolver:AttributeDefinition id="transientId" xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="persistentId" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:Dependency ref="persistentIdConnector" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"

Environment: Apache Tomcat 5.5, Sun 1.5
The default tc-config.xml template does not contain

<instrumented-classes>
<include>
<class-expression>org.opensaml.xml.util.LazyList</class-expression>
</include>
</instrumented-classes>

which causes a runtime com.tc.exception.TCNonPortableObjectError.

Environment: Apache Tomcat 6.0, Sun 1.6
The root cause might be PEBKAC in the installation (although I tried two installs). But the NPE shouldn't happen.

I tried SAML2 artifact between two Shib2 entities via a DS [starting at Sp\Shibboleth.sso\DS?acsIndex=3 where 3 is the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact ACS].

This was the request:

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://sh2testsp1.iay.org.uk/Shibboleth.sso/SAML2/Artifact" Destination="https://dlib-adidp.ucs.ed.ac.uk/shibboleth-idp/profile/SAML2/Redirect/SSO" ID="_3bb01d863f48e137626572229d1d7d32" IssueInstant="2009-07-30T10:43:14Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0">
<saml:Issuer

Many users like to bookmark their login page. Because all the session state is currently stored in the IdP rather than the client, if they bookmark the login page to return to it later, their intended SP and other information is lost.

Particularly because the information in 99% of AuthnRequests is unsigned and thus advisory, it should be possible to add enough information to the query string to allow for sufficient persistence/replay of the AuthnRequest to allow users to bookmark login pages successfully. That information would probably look a lot like the old Shibboleth SSO authentication request query string (?SHIRE=a&providerId=b&target=c).

A potential problem is the use of cookie-based relay state and targets by the SP. Deployments that wanted to support this feature could make appropriate configuration changes, and there is little impact on those that do not.

This would be a really nice feature to have.

Environment: Apache Tomcat 5.5, Sun 1.6
When a user bookmarks the IdP login page (the IdP is using a custom Username Password servlet which renders the login page much like the standard one for JAAS), no login context is evidently created. The user will enter their login credentials, submit them, and have them validated by the login handler successfully. The login handler then calls AuthenticationEngine.returnToAuthenticationEngine(request, response) which ends up in a 404 error to the browser since there is no target to send them to.

This might be caused in some way by my login servlet since I have a prior version where this behavior just resulted in the user being dumped back to the login.jsp page through the servlet. I will be investigating further and updating the issue.

Add the following information to the status handler:
OS info: jdk version, total CPUs, total memory used, max memory available, current time in UTC
IdP version, start time, # of current sessions
*entity info: entity ID, public key, configured profiles
*session info: session ID, principals, active authentication method, services to which authenticated

There would be two options:
- Basic/Full view (full view includes the '*' items)
- Relying party view which gives the entity info for the given relying party

The Status handler would also become IP protected in a similar fashion to the SP's Session view page.

Environment: Apache Tomcat 5.5, Sun 1.5
If an SP requests a specific mechanism and the IdP is not configured for that mechanism an exception is thrown. This is caused by AuthenticationEngine line 319 not checking to see if there are methods remaining after filtering. Attached is a trace.

----

8:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:352] - Configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@ef7d74, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@1157f77}
18:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:353] - Requested authentication methods: org.opensaml.xml.util.LazyList@1bca486
18:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.

Environment: Apache Tomcat 6.0, Sun 1.6
*NOTE* I want to do some more analysis of this case and so I will assign it to myself. However I am OOF for the next 3 days and I need to capture it now.

I have an IdP which comes from a QuickInstall. The installation process is pretty standard (the MSI grabs some properties and then falls into the ant script). However I am not 100% sure that the Quick installer isn't the core of the problems.

The QI starts with a slightly different template for the self metadata but the first few lines look like this:

<EntityDescriptor entityID="$IDP_ENTITY_ID$" xmlns="urn:mace:shibboleth:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<IDPSSODescriptor

Environment: Apache Tomcat 6.0, Sun 1.6
The IdP inappropriately logs many events -- expired requests, unknown nameidentifiers, etc. -- as ERRORs. An ERROR ought to mean the IdP itself has failed in some way, not just that some user has failed to get what she wants. I'd like to monitor the process log for errors, and maybe alert someone, but I can't do that if I get an ERROR log every time someone hits the back button on an old page.

In addition several of these put stack traces in the process log.

Environment: Apache Tomcat 5.5, Sun 1.5
For some reason the IdP always issues two HEAD requests when downloading the attribute-filter.xml (and potentially other files).

That's how the apache access log file looks in the case where the attribute-filter.xml has not changed (the etag stays the same as for the previously downloaded file; the last-modified time also stays the same):
193.5.54.127 - - [10/Jun/2009:15:55:35 +0200] "HEAD /switchaai/hsz-t.ch/attribute-filter.xml HTTP/1.1" 200 -
193.5.54.127 - - [10/Jun/2009:15:55:37 +0200] "HEAD /switchaai/hsz-t.ch/attribute-filter.xml HTTP/1.1" 200 -
130.92.13.155 - - [10/Jun/2009:16:34:54 +0200] "HEAD /switchaai/unibe.ch/attribute-filter.xml HTTP/1.1" 200 -
130.92.13.155 - - [10/Jun/2009:16:34:55 +0200] "HEAD /switchaai/unibe.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.127 - - [10/Jun/2009:16:35:33 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.127 - - [10/Jun/2009:16:35:34

This comes from an issue that an IdP has had interacting with GoogleApps.

Google is failing with "GoogleApps - This service cannot be accessed because your login credentials are not yet valid". A repost will work (so much for replay detection!). The IdP is otherwise correctly configured and interops fine with Shib SPs.

The discussion is still open, but either way it would be nice to put a negative dither into a condition validity period to deal with SPs which won't bring themselves up to date and are intolerant of others being ahead of them.

For the record Chad states that line 352 of edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler is the place to start.

I may need to start programming to debug this at Google. If so I'll keep this case posted.

Environment: Apache Tomcat 5.5, Sun 1.5
I gave your hints a try in order to make the UsernamePasswordHandler servlet place the credential as an attribute.

After some tweaking I got it to work with this scripted attribute:

<Script>
<![CDATA[
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
importPackage(Packages.java.util);
importPackage(Packages.javax.security.auth);
importPackage(Packages.edu.internet2.middleware.shibboleth.idp.authn.provider);
importPackage(Packages.edu.vt.middleware.ldap.jaas);

// Create new password attribute
password = new BasicAttribute("password");

// How to get subject?
userSubject = requestContext.getUserSession().getSub

Environment: Apache Tomcat 6.0, Sun 1.6
SessionManagerImpl class publishes a LoginEvent in two cases:

1) when createSession() method is called
2) when its ApplicationListener sees AddEntryEvent

First, it would be more logical for the listeners if the event was published only once.
Second, currently there is a race condition: depending on the timing, the ApplicationListeners may not be able to get the subject / principal information from the Session object, because they are set a little bit later by the AuthenticationEngine.

This is redundant with the default config of conditionally encrypting the Assertion, which contains the NameID. The extra crypto operation is unnecessary overhead.

For the standard cases, this security policy applies to a profile handler which is always a front-channel binding, therefore no SP client TLS cert will ever be present. This rule causes request failure when a user browser client cert is presented, for example when authN to the IdP with client cert is desired.

Environment: Apache Tomcat 5.5, Sun 1.6
I had to make these modifications in order to build the shibboleth-jce.jar:

diff --git a/pom.xml b/pom.xml
index 8dda457..23be64a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -34,13 +34,13 @@
<groupId>tomcat</groupId>
<artifactId>catalina</artifactId>
<version>5.5.23</version>
- <scope>runtime</scope>
+ <scope>compile</scope>
</dependency>
<dependency>
<groupId>tomcat</groupId>
<artifactId>tomcat-util</artifactId>
<version>5.5.23</version>
- <scope>runtime</scope>
+ <scope>compile</scope>
</dependency>

<!-- Test dependencies -->
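Review bot: both `<scope>` changes in this hunk move the catalina and tomcat-util artifacts from `runtime` to `compile`, which also makes them transitive compile dependencies for anything that depends on shibboleth-jce and can pull Tomcat jars into a deployed WAR; since the container supplies these classes at runtime, `<scope>provided</scope>` gives the compile-time visibility the build needs without that side effect, so consider it in place of `compile` for both dependencies.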

Terracotta is a big dependency to have for just sharing data between nodes. Most of the systems already have some sort of store for clustering other data that could be used for storing the IdP state.

If a StorageService API existed (as exists for the SP) people could use the store they wanted.

Environment: Apache Tomcat 6.0, Sun 1.6
Shibboleth IdP servlet fails to start when adding the following MetadataProvider:

<MetadataProvider id="lexis-nexis" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" metadataURL="https://cdc2-www.lexisnexis.com/start/shib/metadata" backingFile="/tmp/lexisnexis-test-metadata.xml">
</MetadataProvider>

The main error seems to be:

15:49:11.241 - ERROR [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:253] - Unable to unmarshall metadata
org.opensaml.xml.io.UnmarshallingException: org.opensaml.xml.parse.XMLParserException: Invalid XML

Attached is the content of the metadata and the full log sequence.


You told me that my access method to the LoginContext in uApprove is not reliable on clustered setups...

If the user agent (browser) does not send cookies, the following appears in the log file:

ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:211] - No login context available, unable to return to authentication engine
Improvement: Add information that no cookies are sent

On the error.jsp the following is printed (/idp/Authn/UserPassword):

Error Message: Invalid IdP URL (HTTP 404)
Improvement: Your Browser has not enabled cookies, or similar

When an SP queries the IdP for new attributes, using a handle which is unknown to the IdP, the following ERROR incl. Stacktrace is logged:

ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:558] - Error resolving attributes for SAML request from relying party https://www.switch.ch/shibboleth
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: No information associated with transient identifier: _70da14e771da5d275a1a8af6f2164c4f

This happens a lot. In my opinion, for 'unusual' operations which are not disturbing the service (the end user is not affected), messages of this kind should not be logged as ERROR. WARN would be appropriate. (Also for backbutton issues...)

Otherwise, monitoring idp-process.log makes no sense, because of the many false positives.

I added the following target to src/installer/resources/build.xml:

<target name="renew-cert" description="Installs the identity provider software.">
<input message="Are u sure?" addproperty="renew.cert.do" validargs="yes,no" defaultvalue="no" />
<if> <equals arg1="${renew.cert.do}" arg2="yes" /> <then>
<pathToAbsolutePath path="${idp.home}" addproperty="idp.home.path" />

<input message="What is the fully qualified hostname of the Shibboleth Identity Provider server?" addproperty="idp.hostname.input" defaultvalue="${idp.hostname}" />
<var name="idp.hostname" value="${idp.hostname.input}" />
<var name="idp.entity.id" value="https://${idp.hostname}/idp/shibboleth" />

<input message="A keystore is about to be generated for you. Please enter a password that will be used to protect it."

Environment: Apache Tomcat 5.5, Sun 1.5
Wrong use of the attribute rawspan within the tag <td> at the last line of the block table:

<td rawspan="2"><input type="submit" value="login" tabindex="3"/></td>

should be changed to

<td colspan="2"><input type="submit" value="login" tabindex="3"/></td>


shib-common from 1.1.2 to 1.1.3

A checkbox on the login.jsp to disable the previous session handler (or something along those lines) for this one session could help with kiosk PCs etc., where logout might not easily be possible.

One thing I noticed while working on the JA-SIG workshop material was that there's some inconsistency in how the various plugin examples in the config files are done with regard to the XML. Sometimes the xsi:types are prefixed and sometimes they're not, and sometimes the namespaces are redeclared in each element, and other times the prefix defined at the root of the file is used.

I think the best we can hope for is consistency and IMHO the least XML markup possible. My suggestion would be to declare all the namespaces we can at the root (which I think is generally being done), and use the prefixes whenever possible, rather than any default xmlns="" declarations.

Basically, I think this:

<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">

is generally better for people than this:

<MetadataProvider id="URLMD"

By default, the self-signed certificate generated by the installer is valid for 20 years. Our federation policies require a shorter validity of 3 years. Instead of the hardcoded 20 years, the number of years should be supplied as a parameter for the installer's ant task.

This is an improvement to SIDP-136.

Currently the self signed certificates generated by the installation process are valid for 20 years (hard coded). Some federations reject certificates valid for such a long period of time. Therefore I'd suggest that the validity period be configurable.

I am playing with the installation for the Windoze thing. I just spotted that the metadata has $IDP_SCOPE$ which is updated, but the attribute resolver just has "example.org" hardwired.

Is there any reason why we don't change the attribute resolver so that the selected scope goes in?

I'm in the area and I can make the change if you want, but I know that there are major changes proposed for 2.2....

R


Currently the AuthenticationEngine is not part of the public API (https://spaces.internet2.edu/display/SHIB2/IdPAPI) but LoginHandlers are and they are required to call the currently static methods of the Engine. So, at least part of the Engine API needs to be public.

Many sites would like to rebrand the login.jsp page according to the SP that has issued the AuthnRequest. In order to support that, it would be nice to provide an entityID variable to the JSP page that is persistent through a failed login attempt.

Documentation would have to point out to deployers the increased probability of phishing that may result, and the entityID might need to be sanitized for XSS attacks.

Environment: Apache Tomcat 6.0, Sun 1.6
Without the NameID logged, it's hard (or even impossible) to track back which user a certain SP session belonged to. Actually I haven't checked this with SAML1 NameIdentifiers.

Feel free to reject it if there's some other way to do this. Shib-users: http://marc.info/?t=123271285500002&r=1&w=2

For auditing purposes it would be better to log authentication successes and, especially, failures at a higher level than debug; for instance info.

Environment: Apache Tomcat 5.5, Sun 1.5
In the following code, should (request == null) be (requestContext == null)?

requestContext + request.getServletPath() seems to be being set to:
null/Authn/UserPassword

I also think the requestContext = "/" should be replaced w/ "". See the patch below.

I haven't used the trunk code, which has changed significantly, but it looks like it needs the same fix.

--jon


protected void redirectToLoginPage(HttpServletRequest request, HttpServletResponse response, List<Pair<String, String>> queryParams) {

String requestContext = DatatypeHelper.safeTrimOrNullString(re

Environment: Apache Tomcat 5.5, Sun 1.6
<!-- Example Relational Database Connector -->
<resolver:DataConnector id="mySIS" xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
....
<QueryTemplate>
<![CDATA[
SELECT * FROM student WHERE gzbtpid = $requestContext.principalName
]]>
</QueryTemplate>


--> SELECT * FROM student WHERE gzbtpid = '$requestContext.principalName'

Attached patches. Please verify. My auto build on eclipse doesn't work with maven :-( Sorry

Environment: Apache Tomcat 5.5, Sun 1.6
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet
protected boolean authenticateUser(HttpServletRequest request)
...
} catch (Throwable e) {
log.debug("User authentication for {} failed", new Object[] {username}, e);
...

--> log.debug("User authentication for " + username + " failed", e);

This is related to https://bugs.internet2.edu/jira/browse/SIDP-272

A possibility to (automatically) update the local IdP metadata file should be available, e.g. after the IdP credentials change.

Add the possibility to generate a new key-pair as IdP credentials. Specifying the validity is also required, e.g. in years. Our federation requires certificates to be included into metadata to have a maximum validity which is 3 years according to the current rules.

Environment: Apache Tomcat 6.0, Sun 1.6
The completeAuthentication method of AuthenticationEngine does not correctly handle a case where a login servlet has processed a passive login request and declined to handle it, due to no established session. The combination of passive login request and no remote user should throw a PassiveAuthenticationException, not an AuthenticationException.

The user's IP address is necessary for releasing the library-walk-in affiliation or the common-lib-terms entitlement for users at a library terminal. See http://groups.google.com/group/shibboleth-users/msg/8407f64a7c66c5bb .

Add a feature to get the IdP's metadata from the default entityID https://HOSTNAME/idp/shibboleth .

As an example, in web.xml put:
----
<servlet>
<servlet-name>shibboleth_jsp</servlet-name>
<jsp-file>/shibboleth.jsp</jsp-file>
</servlet>

<servlet-mapping>
<servlet-name>shibboleth_jsp</servlet-name>
<url-pattern>/shibboleth</url-pattern>
</servlet-mapping>
---
The shibboleth.jsp file is:
<jsp:forward page="/profile/Metadata/SAML" />


Adjustment of the error.jsp template to check if cookies are set/enabled. If not, print out some meaningful/helpful error message to the user.

Environment: Apache Tomcat 5.5, Sun 1.6
If some general error occurs, the wrong error page (404) is displayed.
Examples:
- Back Button
- No Login context/session found

It's easy to forget to add the defaultSigningCredentialRef to the Anonymous element if you try to enable SSO by adding a profile handler, since the entityID is already set, so I'd suggest we just add it in the default config.


Environment: Apache Tomcat 6.0, Sun 1.6
The /profiles/Metadata/SAML handler that returns metadata is using text/xml as a MIME type, but the SAML resolution profile requires application/samlmetadata+xml

The advantage is nobody can read the metadata in their browser because it prompts for an unknown MIME type, so it's a big win...;-(

Environment: Apache Tomcat 6.0, Sun 1.6

I am using the /Authn/RemoteUser process for sign-in.

If I log in and provide an incorrect password, I get the following exception:
org.apache.jasper.JasperException: An exception occurred processing JSP page /login-error.jsp at line 12
...
Caused by:
java.lang.NullPointerException
at org.apache.jsp.login_002derror_jsp._jspService(login_002derror_jsp.java:69)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
... 23 more

I can eliminate the exception by adding the following lines after line 4:
if (error == null) {

Environment: Apache Tomcat 5.5, Sun 1.5

The IdP copies updated libraries into the IDP_HOME/lib directory but it does not remove the old versions.




Environment: Apache Tomcat 5.5, Sun 1.5

The Authentication Engine chooses a Login Handler based on information from the SP, if it's provided. If the AuthN Engine can't meet the requirement an error is returned. However, Login Handlers can override their default authentication method and return a different one. The engine does not currently check, after the actual authentication method is determined, if that method is acceptable to the SP.

For example, a LoginHandler does username/password and OTP authentication and it's registered under username/password. The SP requests username/password (and only username/password). The engine selects the appropriate handler but the user does something to trigger and use OTP. The LoginHandler returns the OTP authentication method.

The correct behavior should be that the engine returns the same error message that would be returned if no LoginHandler was found to meet the SP's criteria.

Environment: Apache Tomcat 5.5, Sun 1.5

If a user has an existing session, established by authentication mechanism A, and the SP requests authentication mechanism B (which has not yet been used by the user) the IdP will use the previous session login handler.

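The two reports above describe the same gap from two sides: the engine checks the SP's requested method only when selecting a handler, not against what the handler actually did, and it reuses a previous session without checking its method either. The following is an added example written for this page, not code from the Shibboleth IdP; the handler registration model, the `password_or_otp` handler and the OTP URN are assumptions made to illustrate both checks in one engine.

```python
# Added example (not Shibboleth IdP code): an authentication engine that enforces
# the SP's requested methods before AND after the login handler runs, and that
# reuses an existing session only when its method satisfies the request.
# The handler registration model and the OTP URN below are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
OTP = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"   # assumed URN for OTP
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"


class NoAcceptableMethod(Exception):
    """No handler, or the handler's actual result, meets the SP's criteria."""


@dataclass
class LoginHandler:
    # Methods the handler is registered under (what it advertises).
    supported_methods: List[str]
    # authenticate(user) -> (principal, method actually used); may differ from
    # the registered method, which is exactly the case the engine must catch.
    authenticate: Callable[[str], Tuple[str, str]]


@dataclass
class Session:
    principal: str
    method: str


@dataclass
class AuthenticationEngine:
    handlers: List[LoginHandler]
    sessions: Dict[str, Session] = field(default_factory=dict)

    def select_handler(self, requested: List[str]) -> LoginHandler:
        """Pre-authentication check: pick a handler advertising a requested method."""
        for handler in self.handlers:
            if not requested or any(m in handler.supported_methods for m in requested):
                return handler
        raise NoAcceptableMethod("no login handler supports %r" % (requested,))

    def authenticate(self, session_id: str, user: str, requested: List[str]) -> Session:
        existing = self.sessions.get(session_id)
        # Reuse a previous session only if it was established with an acceptable
        # method; an SP asking for method B must not be served a session from A.
        if existing is not None and (not requested or existing.method in requested):
            return existing
        handler = self.select_handler(requested)
        principal, actual = handler.authenticate(user)
        # Post-authentication check: the handler may have used a different method
        # than the one it was selected for. Fail exactly as if no handler matched.
        if requested and actual not in requested:
            raise NoAcceptableMethod(
                "handler authenticated with %s but SP accepts only %r" % (actual, requested))
        session = Session(principal, actual)
        self.sessions[session_id] = session
        return session


def password_or_otp(user: str) -> Tuple[str, str]:
    """Constructed handler: users whose name ends in '+otp' trigger OTP."""
    if user.endswith("+otp"):
        return user[:-4], OTP
    return user, PASSWORD


def build_engine() -> AuthenticationEngine:
    # Registered under username/password only, like the report's example.
    return AuthenticationEngine(handlers=[LoginHandler([PASSWORD], password_or_otp)])


def attempt(engine: AuthenticationEngine, session_id: str, user: str,
            requested: List[str]) -> Optional[str]:
    """Return the method of the resulting session, or None when rejected."""
    try:
        return engine.authenticate(session_id, user, requested).method
    except NoAcceptableMethod:
        return None


if __name__ == "__main__":
    e = build_engine()
    print(attempt(e, "s1", "alice", [PASSWORD]))     # password session created
    print(attempt(e, "s2", "bob+otp", [PASSWORD]))    # None: OTP was not requested
    print(attempt(e, "s1", "alice", [X509]))          # None: existing session not reused
```

The rejection after authentication deliberately raises the same exception as the no-handler case, so the SP sees one error for both situations, which is the behaviour the first report asks for.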


Environment: Apache Tomcat 5.5, Sun 1.5

Login Handler sets AuthMethod to "...X509"

In Audit Log it appears right: INFO [Shibboleth-Audit:901]...|urn:oasis:names:tc:SAML:2.0:ac:classes:X509|...

But in the SAML2 Assertion, there is no AuthStatement found:

<saml:AuthnStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2008-11-26T15:18:25.621Z" SessionIndex="...">
  <saml:SubjectLocality xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Address="2001:620:0:4:21b:63ff:fe94:bae2"/>
  <saml:AuthnContext xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</saml:AuthnStatement>




Environment: Apache Tomcat 5.5, Sun 1.5

On a message replay rejection, the SAML1 profile handler tries to build an error response but has a failure. Here is a log snippet showing some detail:

14:37:08.140 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:175] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Rejecting replayed message ID '_5e8f71d7352a1cdc63fe2b4c513e4db0' from issuer https://blackboard.usc.edu/shibboleth-sp
at org.opensaml.common.binding.security.MessageReplayRule.evaluate(MessageReplayRule.java:93)
14:37:08.142 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.NullPointerException
at edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandl




Environment: Apache Tomcat 5.5, Sun 1.5

We have regular cookie validation errors reported in the logs. I can reproduce this error by deleting the value of the _idp_session cookie. This error causes a user to see an IdP error page.

I can fix my reproduced version by adding these lines to IdPSessionFilter (REL_2 branch) line 137:

if (valueComponents.length < 3) {
    return null;
}

I expect this will fix the errors showing in the logs, but I will have to try it in production.




Environment: Apache Tomcat 5.5, Sun 1.6

A simple GET request on /profile/SAML1/SOAP/AttributeQuery leads to the NullPointerException.

07:50:56.579 - INFO [Shibboleth-Access:72] - 20081114T065056Z|127.0.0.1|toba.switch.ch:8443|/profile/SAML1/SOAP/AttributeQuery|
07:50:56.583 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:171] - Error decoding attribute query message
org.opensaml.ws.message.decoder.MessageDecodingException: This message deocoder only supports the HTTP POST method
at org.opensaml.saml1.binding.decoding.HTTPSOAP11Decoder.doDecode(HTTPSOAP11Decoder.java:119) [opensaml-2.2.2.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:74) [openws-1.2.1.jar:na]
at org.opensaml.saml1.binding.decoding.B




Environment: Apache Tomcat 6.0, Sun 1.5

I have found an issue with Terracotta and IdP 2.1. I am using mod_jk load balancing to two Tomcat instances. Under some circumstances the RemoteUserAuthServlet calls static functions in AuthenticationEngine before Tomcat has called the AuthenticationEngine's init() function. In this case the storageService static variable is null and the attempt to look up the login context fails like so:

java.lang.NullPointerException
at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.retrieveLoginContext(AuthenticationEngine.java:186)
at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToAuthenticationEngine(AuthenticationEngine.java:208)
at edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet.service(RemoteUserAuthServlet.java:50)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)




Environment: Apache Tomcat 5.5, Sun 1.5

When returning to the IdP from a second SP after initial authentication, the PreviousSessionLoginHandler takes effect and logs me in to the next shibbolized service. There is an INFO message regarding this, however it is printed as an error:

11:11:49.738 ERROR [edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler:111] - Using existing IdP session for beall


Sanity check that signing credential has either a private key or a secret/symmetric key. One or the other is necessary for signing.

Some code currently throws NPE when actual signing key is null.

Note: We can't really do this in the config processing level because we don't differentiate Credential elements used for different purposes. Private or secret key is optional for the general case (peer credentials with only public keys).




Environment: Apache Tomcat 5.5, Sun 1.5

If the credentials/ directory in the installation location does not exist with a cert in it, the installer fails to run when "no" is selected as the option for whether or not to overwrite configuration.

We traditionally delete this directory upon installation since it is not needed, and when changes to the IdP war file are needed we re-run the installer.

It would be better for us not to have to confuse the install location with unused files just to be able to run the installer.

(When that directory exists, and "no" is selected, the install proceeds and did not overwrite configuration as indicated by the upgrade instructions).




The old IdP reports an "invalid ACS" error when the request asks for an endpoint that isn't allowed for an SP (not in metadata). The new IdP bundles this into the larger set of "no peer endpoint" errors, which is somewhat more confusing.




In aacli.bat we find these lines:

if not exist %IDP_HOME% (
    echo Error: IDP_HOME is not defined correctly.
    exit /b
)

(Indeed, I think I added them.) This doesn't handle IDP_HOME having spaces. It should be

if not exist "%IDP_HOME%" (
    echo Error: IDP_HOME is not defined correctly.
    exit /b
)

Tested using the 2.0 distro but with an aacli.bat from a 2.1 distro.

- Make classes serializable
- Use AbstractExpiringObject as a base class
- Move entry classes from inner classes to top-level classes




Environment: Apache Tomcat 5.5, Sun 1.5

Hello.

When I try to access a SP protected URL, after the Login finishes, I end up at the wrong location. It seems the url is not unescaped. Can this be a problem on my LoginHandler?

IDP - sso1.sso.bk.sapo.pt
SP - sso2.sso.bk.sapo.pt

17:36:34.164[26ms][total 26ms] Status: 302[Found]
GET http://sso2.sso.bk.sapo.pt/secure/headers.pl
Response Headers:
Date[Tue, 21 Oct 2008 16:36:36 GMT]
Server[Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8]
Set-Cookie[_shibsession_64656661756c7468747470733a2f2f7370312e73736f322e73736f2e626b2e7361706f2e70742f73686962626f6c657468=; path=/; expires=Mon, 01 Jan 2001 00:00:00 GMT]

Environment: Apache Tomcat 5.5, Sun 1.5

AbstractLoginHandlerBeanDefinitionParser assumes that AbstractLoginHandler has a property called "authenticationMethods". But the property is called "supportedAuthenticationMethods". Also, there's no setter for "supportedAuthenticationMethods".
Environment: Apache Tomcat 5.5, Sun 1.5


Check if toString() or getName() is the appropriate method to deal with the String form of an X500Principal object.

Environment: Apache Tomcat 5.5, Sun 1.5

ERROR with IPv6 enabled:
10:22:13.686 ERROR [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:139] - Client sent a cookie from addres 2001:620:0:4:21b:63ff:fe94:bae2 but the cookie was issued to address 2001

ERROR with IPv6 disabled, running IPv4:
0:30:51.132 ERROR [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:157] - Session cookie signature did not match, the session cookie has been tampered with

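The cookie-validation report (the `valueComponents.length < 3` fix) and the two IdPSessionFilter log lines above are both about the same filter: it must reject an empty or malformed _idp_session value, a bad signature, and an address mismatch without throwing. The following is an added example written for this page, not the IdP's IdPSessionFilter; the cookie layout (address, session ID, HMAC joined by `|`), the secret and the client addresses are assumptions. The `|` delimiter is chosen because it cannot occur in an IPv4 or IPv6 address; a stored address cut off at the first colon, as in the IPv6 log line, is the kind of symptom a delimiter that collides with the address produces.

```python
# Added example, not the IdP's IdPSessionFilter: a session-cookie check that
# fails closed (returns None) on an empty or malformed value, on a signature
# mismatch and on an address mismatch, rather than throwing. Cookie layout,
# delimiter and secret are assumptions made for this example.
import hmac
import hashlib
from typing import Optional

# Constructed secret; the IdP derives its own cookie-signing key.
COOKIE_SECRET = b"example-only-not-a-real-key"
DELIM = "|"   # cannot occur in an IPv4 or IPv6 address, unlike ':'


def _signature(address: str, session_id: str) -> str:
    return hmac.new(COOKIE_SECRET, (address + DELIM + session_id).encode(),
                    hashlib.sha256).hexdigest()


def build_cookie(address: str, session_id: str) -> str:
    """Issue a cookie value bound to the client address that obtained it."""
    return DELIM.join([address, session_id, _signature(address, session_id)])


def validate_cookie(value: Optional[str], client_address: str) -> Optional[str]:
    """Return the session ID, or None if the cookie must be ignored.

    Never raises: an empty value (the reporter's reproduction), a value with
    the wrong number of components, a bad signature or a cookie issued to a
    different address all just mean 'no session'.
    """
    if not value:
        return None
    parts = value.split(DELIM)
    if len(parts) != 3:            # the 'valueComponents.length < 3' case
        return None
    address, session_id, sig = parts
    if not session_id:
        return None
    # Check the signature before trusting any other field.
    if not hmac.compare_digest(sig, _signature(address, session_id)):
        return None                # "session cookie has been tampered with"
    if address != client_address:
        return None                # "issued to address ..." mismatch
    return session_id


if __name__ == "__main__":
    v6 = "2001:db8::1"            # constructed client address
    good = build_cookie(v6, "abc123")
    print(validate_cookie(good, v6))               # abc123
    print(validate_cookie("", v6))                 # None
    print(validate_cookie(good, "2001:db8::2"))    # None
```

`hmac.compare_digest` keeps the signature comparison constant-time; the address check runs only after the signature has been verified, so an attacker cannot learn anything from the order of failures.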

Environment: Apache Tomcat 5.5, Sun 1.5

Your head must have been somewhere else.. :)

edu.internet2.middleware.shibboleth.idp.authn.provider.AbstractLoginHandler:

public void setAuthenticationDurection(long duration) {
    authenticationDuration = duration;
}




In the IdP configuration, credentials are configured in two parts, thus:

<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
  <security:PrivateKey>.../idp.key</security:PrivateKey>
  <security:Certificate>.../idp.crt</security:Certificate>
</security:Credential>

If someone replaces only one of these files, the IdP doesn't notice and signs with a private key which then doesn't allow messages to be validated against the public key provided with the certificate. This is very hard to debug.

The IdP could verify that the public key in the certificate and in the key file were the same, and throw an error if not. This would make the error obvious in the IdP logs without needing the co-operation of an SP to debug the issue.

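The check proposed above can be run outside the IdP as well, for instance before restarting after a certificate rollover. The following is an added example for this page, not IdP code: it compares the SubjectPublicKeyInfo extracted from idp.crt with the one derived from idp.key using the openssl command-line tool, which makes it independent of the key algorithm. The `self_check` fixture generator and the file names it uses are constructed for the example; the script assumes an `openssl` binary on the PATH.

```python
# Added example, not part of the IdP: a startup sanity check that the public key
# in idp.crt is the one belonging to idp.key, done with the openssl CLI so it
# works for RSA and EC keys alike. File names follow the config above; the
# fixture generator is constructed for the example.
import os
import subprocess
import sys
import tempfile
from typing import Tuple


def _openssl(*args: str) -> bytes:
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def public_key_from_cert(cert_path: str) -> bytes:
    """SubjectPublicKeyInfo (PEM) extracted from the certificate."""
    return _openssl("x509", "-in", cert_path, "-noout", "-pubkey").strip()


def public_key_from_key(key_path: str) -> bytes:
    """SubjectPublicKeyInfo (PEM) derived from the private key."""
    return _openssl("pkey", "-in", key_path, "-pubout").strip()


def credential_matches(key_path: str, cert_path: str) -> bool:
    """True when key and certificate describe the same key pair."""
    return public_key_from_cert(cert_path) == public_key_from_key(key_path)


def make_test_credential(directory: str, name: str) -> Tuple[str, str]:
    """Constructed fixture: a fresh RSA key and a self-signed certificate for it."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    _openssl("genrsa", "-out", key, "2048")
    _openssl("req", "-new", "-x509", "-key", key, "-out", crt, "-days", "1",
             "-subj", "/CN=idp.example.org")
    return key, crt


def self_check() -> Tuple[bool, bool]:
    """(matching pair accepted, mismatched pair rejected) on generated fixtures."""
    with tempfile.TemporaryDirectory() as d:
        key_a, crt_a = make_test_credential(d, "idp")
        key_b, _ = make_test_credential(d, "replaced")   # someone swapped only idp.key
        return credential_matches(key_a, crt_a), credential_matches(key_b, crt_a)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        key_file, cert_file = sys.argv[1:3]
        if not credential_matches(key_file, cert_file):
            sys.exit("%s does not match %s: signatures made with this key would not verify"
                     % (key_file, cert_file))
        print("credential OK")
    else:
        print(self_check())
```

Run it as `python check_credential.py /path/to/idp.key /path/to/idp.crt`; a non-zero exit from a deployment script is the "obvious error" the report asks for, without involving any SP.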



Currently this case produces:

10:59:36.643 ERROR edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:282] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Key encryption credential may not be null
at org.opensaml.xml.security.SecurityHelper.buildKeyEncryptionParams(SecurityHelper.java:621)

Indicate more explicitly the actual error condition to the end-user.

Environment: Apache Tomcat 5.5, Sun 1.5


Add the implementation title, version, and vendor to the manifest files for the xmltooling jar. Provide a command line tool to then display this information.

Create a new profile handler that will return the metadata for the IdP.

Environment: Apache Tomcat 5.5, Sun 1.5

If you use current 2.1 HEAD, and enable either an LDAP or SQL Data connector in the resolver file, then you get an NPE on startup. Using a Static Dataconnector does NOT cause a problem.




Environment: Apache Tomcat 5.5, Sun 1.5

Hi, I am having a problem creating a mapped attribute. What I would like to do is for an edupersonprimaryaffiliation value of staff or student, return an edupersonentitlement value of urn:mace:dir:entitlement:common-lib-terms.

Consider this entry in attribute-resolver.xml which returns an edupersonentitlement value of "staff" and "urn:mace:dir:entitlement:common-lib-terms" vs the following example:
--------------------------------
Example 1:
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="MappedEduPE">
  <resolver:Dependency ref="MappedEduPE" />

  <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-




Environment: Apache Tomcat 5.5, Sun 1.5

It seems that this sourceAttributeID is case sensitive. i.e. if I use EduPersonPrimaryAffiliation I don't get any attribute returned, but if I use edupersonprimaryaffiliation, I get the attribute. My directory uses edupersonprimaryaffiliation as the attribute name. I think this might be a historic artifact.

I really am not sure if this is a bug or not. I can see that you would want to have it be case sensitive for some types of data connectors, but I think for ldap it should be case INsensitive.




Environment: JBoss 4.2 Tomcat, Sun 1.6

I have the following configuration for metadata:

<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">

  <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/local/shibboleth/metadata/miscellaneous.xml" maintainExpiredMetadata="true"/>

  <MetadataProvider id="ProviderA" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" metadataURL="http://urla/metadata.xml" cacheDuration="600" backingFile="/opt/local/shibboleth/metadata/a-metadata.xml">
    <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="FederationAMetadataTrustEngine" requireSignedMetadata="true"/>

Environment: Apache Tomcat 5.5, Sun 1.5

Just what it says




Environment: Apache Tomcat 6.0, Sun 1.5

In Install.bat I changed the adding of two jar files within the lib directory to this:

for %%i in (%ANT_HOME%\lib\*.jar) do (
    call %ANT_HOME%\cpappend.bat %%i
)

(added *before* the setting of elements from src\installer\lib)

and the install then ran. Without this change we fell over looking for something inside Bouncy Castle.




Environment: Apache Tomcat 5.5, Sun 1.6

root@shib02:/opt/shib2/conf# ../bin/aacli.sh --configDir=/opt/shib2/conf/ --principal=williamj
Exception in thread "main" java.lang.NullPointerException
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector.resolve(ComputedIDDataConnector.java:130)
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector.resolve(ComputedIDDataConnector.java:41)
etc

Brent supplied a workaround but said:
At a minimum, we should probably fail in this case more gracefully, with a better exception message. However, this brings up an interesting question, though, of what we should do if the SAML requester really is not known, i.e. the anonymous relying party case. Computed ID sort of doesn't make sense in that case, but perhaps there is some valid reason to support (all




Environment: Apache Tomcat 5.5, Sun 1.5

Based on report from list, and perusing the code, the IdP is using the "bearer" confirmation method regardless of which SAML 1 profile is used. Unfortunately that's not strictly correct, and the old SP is being strict about it. I think the new one isn't as strict, due to the fact that using the other method was so stupid to begin with.

Anyway, to be correct, the code has to generate a different confirmation method depending on the profile used.


Environment: Apache Tomcat 5.5, Sun 1.5

Add new java-opensaml2 security policy rule to the relevant profile handler(s).

The BasicSAMLArtifactMapEntry keeps a reference to a parser pool from the parent BasicSAMLArtifactMap. This becomes an issue in a clustered environment -- the parser pool is not replicated across the cluster, and so when the MapEntry is clustered, the code that relies on the MapEntry is unable to retrieve the parsed artifact.

I fixed this for our clustered environment by causing the MapEntry itself to create the XML parser, but that is less than ideal.




Environment: Apache Tomcat 5.5, Sun 1.5

This is a snippet of an e-mail which was submitted to shibboleth-users@internet2.edu with no response, so I am assuming nothing is known about this issue:

At USC we have been running the 2.0 IdP for a while now. We are able to update the metadata and attribute-filter.xml without problem so that we can successfully make configuration changes to add new SPs and tweak requirements.

Recently we needed to add some data definitions for releasing new data to an SP. I added these definitions to our hot backup server and tested it out. The test worked fine and the configuration was auto-loaded. When I made this same change into our running production IdP with a significant load, the server choked and stopped returning data to SPs. Access requests continued to pour in, and I could get to the login page, but the server hung on responses.

Tomcat required a restart to restore service responses.




The SessionManagerEntry object keeps a back reference to the SessionManager object for one purpose: to send logout notifications. This back reference wreaks havoc with clustering.

To eliminate the Session Manager's use of the explicit back reference, could the StorageService send Spring events on object add/remove that the SessionManager could then listen for and use to send the login/logout events? Since the StorageService is also a Spring bean, it can easily accept the ApplicationContext necessary to publish events. That would decouple the objects in the storage from the generator of those objects, make them independent of the environment in which they're generated, and move the responsibility for clustering the change events onto the storage service (which is where it belongs, I think). It would also allow other things that use the StorageService to be notified easily on removal of objects, if that ever becomes necessary.

I implemented this idea, and I can share the code, if that would be something

It would be nice to be able to support multiple languages for the login/error web pages. IIRC, the Spring Framework provides means to support internationalization (i.e. resource bundles to translate strings, locale selection based on browser request or user choice).


Currently default configuration options are only in the schema. This causes issues with the schema files shared by the SP and also means that beans created programmatically have different defaults than those created by configuration.

So, move the schema defaults into the bean classes.

Environment: Apache Tomcat 5.5, Sun 1.5

With default settings for logging on Shib 2.0 SP and Shib 2.0 IdP on RedHat, there is too little information to enable linking a session on the SP to a session on the IdP. There are no shared identifiers between the following log entries, other than the time stamp and that cannot be relied on. If a user misuses the resource, this means that the IdP cannot work out who this person was from information supplied by the SP.

This bug will be duplicated for the SP as it affects both systems.

Sample log entries:

SP

shid.log
2008-07-04 12:38:16 INFO Shibboleth.SessionCache [26]: new session created: ID (_b2c31b4ed82daa948745cbcc110b2258) IdP (https://far-project.lse.ac.uk/shibboleth-idp) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (158.143.8.41)


Environment: JBoss 4.2 Tomcat, Sun 1.6

In a clustered environment, when the Saml2LoginContext attempts to call deserializeRequest() to reconstruct the AuthnRequest object, it gets an IllegalArgumentException in XMLHelper.constructQName(String, String, String) called from XMLHelper.getNodeQName(Node) called from the OpenSAML UnmarshallerFactory.getUnmarshaller(Element) method in order to construct the QName from the Element -- "local part cannot be null".

The XML is parsed properly, but both the getLocalName() and the getNamespaceURI() methods on the Element return null. The parser isn't configured correctly. You only see this issue in a configuration where the HttpSession object is clustered, because the server that generated the Saml2LoginContext object is able to keep the de-serialized (transient) AuthnRequest object and doesn't have to re-parse the XML.

Whether that's because of an issue with the Xerces 2.7.1 that I have to use




Environment: Apache Tomcat 5.5, Sun 1.5

SAML 1 authentication responses generated by the Shibboleth 2.0 IdP do not contain an Audience condition containing the SP's entity ID, where the 1.3 and prior IdPs did do so.

Scott's comment:

It's a bug in the IdP to do this, we definitely shouldn't be issuing untargeted bearer assertions. I don't see any code in the profile handlers for audience, so it's missing.

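What makes an untargeted bearer assertion dangerous is the relying-party side: a bearer assertion with no AudienceRestrictionCondition can be presented to any SP that trusts the IdP's signature. The following is an added example for this page, not Shibboleth SP or IdP code: the acceptance check an SP applies to a SAML 1.1 bearer assertion after signature verification, rejecting assertions that are expired, lack an audience, or name a different entity. The sample assertion, the entity IDs and the validity window are constructed for the example.

```python
# Added example, not SP or IdP code: the relying-party check that a SAML 1.x
# bearer assertion must pass, which is what a missing Audience condition breaks.
# The sample assertion and entity IDs are constructed for the example.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
SP = "https://sp.example.org/shibboleth"          # constructed relying party


class AssertionRejected(Exception):
    pass


def _q(local: str) -> str:
    return "{%s}%s" % (SAML1, local)


def _parse_instant(text: str) -> datetime:
    text = text.rstrip("Z").split(".")[0]          # drop fractional seconds
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_bearer_assertion(xml_text: str, my_entity_id: str,
                           now: Optional[datetime] = None) -> str:
    """Return the subject NameIdentifier if the assertion is a bearer assertion
    that is valid now and explicitly targeted at my_entity_id; raise otherwise."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion"):
        raise AssertionRejected("not a SAML 1 Assertion")
    conditions = root.find(_q("Conditions"))
    if conditions is None:
        raise AssertionRejected("no Conditions")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_instant(not_before):
        raise AssertionRejected("not yet valid")
    if not_on_or_after and now >= _parse_instant(not_on_or_after):
        raise AssertionRejected("expired")
    audiences = [a.text.strip() for a in conditions.iter(_q("Audience")) if a.text]
    if not audiences:
        # An untargeted bearer assertion could be replayed to any SP.
        raise AssertionRejected("no AudienceRestrictionCondition")
    if my_entity_id not in audiences:
        raise AssertionRejected("assertion is addressed to %r" % audiences)
    methods = [m.text.strip() for m in root.iter(_q("ConfirmationMethod")) if m.text]
    if BEARER not in methods:
        raise AssertionRejected("no bearer confirmation")
    name_id = root.find(".//" + _q("NameIdentifier"))
    if name_id is None or not name_id.text:
        raise AssertionRejected("no NameIdentifier")
    return name_id.text.strip()


def accepts(xml_text: str, my_entity_id: str) -> bool:
    try:
        check_bearer_assertion(xml_text, my_entity_id)
        return True
    except AssertionRejected:
        return False


def sample_assertion(audience: Optional[str]) -> str:
    """Constructed SAML 1.1 assertion; audience=None omits the condition."""
    restriction = ""
    if audience is not None:
        restriction = ("<saml:AudienceRestrictionCondition><saml:Audience>%s"
                       "</saml:Audience></saml:AudienceRestrictionCondition>" % audience)
    return (
        '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" '
        'AssertionID="_example" Issuer="https://idp.example.org/shibboleth" '
        'IssueInstant="2000-01-01T00:00:00Z">'
        '<saml:Conditions NotBefore="2000-01-01T00:00:00Z" '
        'NotOnOrAfter="2099-01-01T00:00:00Z">%s</saml:Conditions>'
        '<saml:AuthenticationStatement '
        'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
        'AuthenticationInstant="2000-01-01T00:00:00Z">'
        '<saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier>'
        '<saml:SubjectConfirmation><saml:ConfirmationMethod>%s</saml:ConfirmationMethod>'
        '</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>'
        '</saml:Assertion>' % (SAML1, restriction, BEARER)
    )


if __name__ == "__main__":
    print(accepts(sample_assertion(SP), SP))                               # True
    print(accepts(sample_assertion(None), SP))                             # False: untargeted
    print(accepts(sample_assertion("https://other.example.org/sp"), SP))   # False: not for us
```

Signature verification is assumed to have happened before this check; the point of the example is that a correct signature is not sufficient when the assertion says nothing about who it was issued to.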



Environment: Apache Tomcat 6.0, Sun 1.5

In the following example, the filter policy "DOES NOT" ignore case:

<AttributeRule attributeID="eduPersonAffiliation">
  <PermitValueRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
    <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
    <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
    <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
    <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
    <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
    <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
    <basic:Rule xsi:type="basic:AttributeValueString"

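To make the expected behaviour of the policy above concrete, the following is an added example for this page, not the IdP's attribute filter engine: a small evaluator for a PermitValueRule of type basic:OR over AttributeValueString rules that honours ignoreCase. The policy document it builds has the same shape as the one quoted in the report; the namespace URIs, the surrounding AttributeFilterPolicyGroup wrapper and the candidate values are assumptions made for the example.

```python
# Added example, not the IdP's filter engine: an evaluator for a PermitValueRule
# like the one above that honours ignoreCase on AttributeValueString rules.
# Namespace URIs, the policy wrapper and the values are assumptions/constructed.
import xml.etree.ElementTree as ET
from typing import List

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"


def _rule_type(elem: ET.Element) -> str:
    # xsi:type="basic:AttributeValueString" -> "AttributeValueString"
    return elem.get("{%s}type" % XSI, "").split(":")[-1]


def evaluate(rule: ET.Element, value: str) -> bool:
    """Evaluate one match-function rule against a single attribute value."""
    kind = _rule_type(rule)
    if kind == "OR":
        return any(evaluate(child, value) for child in rule)
    if kind == "AND":
        return all(evaluate(child, value) for child in rule)
    if kind == "AttributeValueString":
        wanted = rule.get("value", "")
        if rule.get("ignoreCase", "false").lower() == "true":
            return value.casefold() == wanted.casefold()   # the missing behaviour
        return value == wanted
    raise ValueError("unsupported rule type %r" % kind)


def permitted_values(policy_xml: str, attribute_id: str, values: List[str]) -> List[str]:
    """Apply the first AttributeRule for attribute_id to each candidate value."""
    root = ET.fromstring(policy_xml)
    for rule in root.iter("{%s}AttributeRule" % AFP):
        if rule.get("attributeID") != attribute_id:
            continue
        permit = rule.find("{%s}PermitValueRule" % AFP)
        if permit is None:
            return []
        return [v for v in values if evaluate(permit, v)]
    return []


def policy(ignore_case: bool) -> str:
    """Constructed policy in the shape of the one quoted in the report."""
    flag = "true" if ignore_case else "false"
    rules = "".join(
        '<basic:Rule xsi:type="basic:AttributeValueString" value="%s" ignoreCase="%s" />'
        % (v, flag)
        for v in ("faculty", "student", "staff", "alum", "member", "affiliate", "employee"))
    return (
        '<AttributeFilterPolicyGroup xmlns="%s" xmlns:basic="%s" xmlns:xsi="%s">'
        '<AttributeFilterPolicy><PolicyRequirementRule xsi:type="basic:ANY"/>'
        '<AttributeRule attributeID="eduPersonAffiliation">'
        '<PermitValueRule xsi:type="basic:OR">%s</PermitValueRule>'
        '</AttributeRule></AttributeFilterPolicy></AttributeFilterPolicyGroup>'
        % (AFP, BASIC, XSI, rules))


if __name__ == "__main__":
    candidates = ["Faculty", "STUDENT", "guest"]
    print(permitted_values(policy(True), "eduPersonAffiliation", candidates))   # ['Faculty', 'STUDENT']
    print(permitted_values(policy(False), "eduPersonAffiliation", candidates))  # []
```

With ignoreCase="true" the mixed-case directory values are released; with it false (or ignored, which is the reported bug) the same values are silently dropped, which is what a deployer sees as "no attributes released".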



Environment: Apache Tomcat 6.0, Sun 1.6

This happens only when deploying the IdP to / (e.g. via a context deployment fragment conf/Catalina/localhost/ROOT.xml): When using the UsernamePassword LoginHandler for AuthN, during the POST of the credentials the _idp_session cookie is being set with an empty path (Path=""), which effectively sets the path to /Authn. So when subsequently accessing other SPs the RFC 2965-conforming UA does not present the _idp_session cookie to the SSO service (in this case using HTTP-Redirect, at /profile/SAML2/Redirect/SSO?SAMLRequest=....) because the path is not prefixed with "/Authn", hence no login context is being found, the PreviousSession login handler fails and the UsernamePassword handler is invoked.




Environment: Apache Tomcat 5.5, Sun 1.5

When omitting the attribute 'id' for 'ValidationInfo', the config parser complains about not having 'Id' specified.

14:11:43.953 ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error creating components. The root cause of this error was: Configuration problem: Configuration problem: Id is required for element 'ValidationInfo' when used as a top-level tag

The correct error message should be "[...] problem: id is required for element [...]", 'Id' is not accepted:

14:18:55.666 ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error creating components. The root cause of this error was: cvc-complex-type.3.2.2: Attribute 'Id' is not allowed to appear in




Environment: Apache Tomcat 5.5, Sun 1.5

During the tests I'm encountering more exceptions. These ones occur when there are multiple simultaneous requests for SAML1 Artifact Resolution (I manage to trigger this with 10 users).

16:58:20.870 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution
16:58:20.870 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution:139] - Decoding message with decoder binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
16:58:20.871 ERROR [org.opensaml.ws.message.decoder.BaseMessageDecoder:165] - Encountered error parsing message into its DOM representation
org.opensaml.xml.parse.XMLParserException: Invalid XML
at org.opensaml.xml.parse.BasicParserPool




Environment: Apache Tomcat 5.5, Sun 1.5

I am entering this as a tracking item. I spotted it happening 3 or 4 times at Installfest, although I have not had a chance to reproduce it.

The best symptom seemed to be if someone ran the installation to the wrong target directory (say /opt/shibboleth-V2.0/) and then re-ran the install with a different target (say /opt/shibboleth/) then the installer would have some memory of the old location. install.properties was correct, but the web.xml would still point to the old, bad target.

Because there was often a failed install unpacked into that directory things sometimes limped on further.

In one occurrence (and I trust the reporter) there was no previous attempt at an install....

The workaround I adopted is to copy install.properties somewhere safe, then nuke the unpacked tree, put install.properties back and then run ant. This causes everything to be re-built.




Environment: Apache Tomcat 5.5, Sun 1.5

If no cert for the specific SP (relying party) is found in the metadata, but the Assertion has to be encrypted by SAML2 default configuration, the following error message is sent from IdP to SP:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Message: Unable to construct NameID

This should be improved by a more exact error message.

Environment: Apache Tomcat 6.0, Sun 1.6

NullPointerException when optional NameIDPolicy tag does not exist in AuthnRequest. Example AuthnRequest:

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://omiitest12.omii.ac.uk:9443/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="_0x566e295de8567e3616d8bc6011374dd1" IsPassive="false" IssueInstant="2008-05-20T11:05:38.143Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://yewbie.omii.ac.uk:7002/weblogic</saml:Issuer></samlp:AuthnRequest>

Exception thrown is:

14:27:37.465 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:790] - Using attribute transientId

Environment: Apache Tomcat 5.5, Sun 1.5

Technically we shouldn't use the SAML 2 class strings as 1.1 auth methods. We definitely shouldn't use them as decl refs.

Better choice for now might be to just hardcode them as class refs and not support decls.

Longer term a more complex config may be needed.


Environment: Apache Tomcat 5.5, Sun 1.5

PKIX validation was not enabled, so the SP's client certificate of the AttributeQuery could not be verified. This results in an NPE.

22:13:25.752 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:175] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Client certificate authentication failed for context issuer entity ID
at org.opensaml.ws.security.provider.ClientCertAuthRule.doEvaluate(ClientCertAuthRule.java:143)
at org.opensaml.ws.security.provider.ClientCertAuthRule.evaluate(ClientCertAuthRule.java:109)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:84)

Use SLF4J Mapped Diagnostic Contexts to make either the idp session ID or tomcat session ID (or some other ID... thread maybe?) available for logging. This allows deployers to identify which request the IdP was processing when a particular message was logged.




Have a directive that works like the C preprocessor #include directive to allow a configuration file to include another configuration file at a particular point. It might be useful to allow included files to include other files, though my particular use case does not require it.

I'm not proficient enough in XML to know if there is already a standard way to do this, or how one might ideally define such a feature so that the XML still validates.

SAML 2 requests do not log released            Apache Tomcat 5.5   Sun 1.5
attributes in neiter audit.log nor
process.log:
|urn:oasis:names:tc:SAML:2.0:bindings:H
TTP-
Redirect|...|urn:mace:shibboleth:2.0:profil
es:saml2:sso|...|urn:oasis:names:tc:SAM
L:2.0:bindings:HTTP-
POST|...|urn:oasis:names:tc:SAML:2.0:a
c:classes:unspecified||

using SAML1 the released attributes are
logged:
|urn:oasis:names:tc:SAML:1.0:bindings:S
OAP-
binding|...|urn:mace:shibboleth:2.0:profile
s:saml1:query:attribute|...|urn:oasis:name
s:tc:SAML:1.0:bindings:SOAP-
binding|....||displayName,eduPersonEntitl
ement,email,eduPersonOrgDN,.....,|




                                                                             686 of 748
Following comment appears twice in the relying-party.xml

<!--
The attributes provided for each of these profile is set to its default value
that is, the values that would be in effect if those attributes were not present.
We list them here so that people are aware of them (since they seem reluctant to
read the documentation).
-->

Environment: Apache Tomcat 5.5, Sun 1.5
Inclusion of double dependencies in the same attribute definition, such as:

<resolver:AttributeDefinition...>
<resolver:Dependency ref="staticAttributes" />
<resolver:Dependency ref="staticAttributes" />

<!-- encoders go here -->

</resolver>

causes a failure to define any attribute values. This might not be expected behavior, and a WARN or simply ignoring the duplicate would be helpful.

It'd be nice to include a PrincipalName attribute definition in the distribution attribute-resolver.xml since I've found many deployers would like to use it. Shouldn't pose any risk without other dependent mappings and/or a release filter.

When I started the Shibboleth IdP in order to use the Kerberos support for authentication

ShibUserPassAuth {

...

// Example Kerberos authentication, requires Sun's JVM
// See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass

com.sun.security.auth.module.Krb5LoginModule required
keyTab="/etc/apache2/apache2.keytab";
};

I get the following error/debug message

DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: Configuration Error - useKeyTab should be set to true to use the

Environment: Apache Tomcat 5.5, Sun 1.5
After I downloaded the stable release of Shibboleth 2.0.0 IdP and deployed it into ApacheTomcat-5.5.20 environment, catalina returns

INFO: WARNING: Security role name user used in an <auth-constraint> without being defined in a <security-role>

after first startup. There simply was the following code:

<security-role>
<description>
An example role defined in "conf/tomcat-users.xml"
</description>
<role-name>user</role-name>
</security-role>

in WEB-INF/web.xml file missing.

Markus

Environment: Apache Tomcat 5.0, Sun 1.6
It is not possible to create entries without selecting anything in the sections "Endorsed Libraries" and "Servlet Container". I don't have anything in my endorsed dir, so I am forced to lie in order to be able to create a bug report.

Environment: Apache Tomcat 5.0, Sun 1.6
/usr/src/identityprovider# sh ant.sh
Buildfile: build.xml

install:
Is this a new installation? Answering yes will overwrite your current configuration. [yes|no]
yes
Where should the Shibboleth Identity Provider software be installed? [default: /usr/local/shibboleth-idp-2.0.0]

What is the hostname of the Shibboleth Identity Provider server? [default: localhost]

A keystore is about to be generated for you. Please enter a password that will be used to protect it.

Updating property file: /usr/src/identityprovider/install.properties

BUILD FAILED
/usr/src/identityprovider/build.xml:190: java.lang.IllegalStateException: No match found

Total time: 11 seconds

Environment: Apache Tomcat 5.5, Sun 1.5
If you don't have it set then the batch file will fail with an impenetrable "The Syntax of the command is incorrect".

I can fix this once the streams situation has settled down.

Tracking only. I'll find time to chase this up further. The initial failure is:

01-Apr-2008 15:10:25 org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from URL [file:/program]; nested exception is java.io.FileNotFoundException: \program (The system cannot find the file specified)

Edited to add:

There is also an issue with "MSDOS drives" under windows (C:\ &c) which is related to this. They should be fixed together.

Environment: Apache Tomcat 5.5, Sun 1.5
If the IdP shall refresh the attribute-filter.xml file from a URL, one can use something like:

<ConfigurationResource url="https://talang.switch.ch/gen_attribute-filter.php/aaitest/lewotolo.switch.ch/attribute-filter.xml" xsi:type="resource:HttpResource" />

in the server.xml. This works fine, but for availability reasons it would be a better idea to use a FileBackedHttpResource with:

<ConfigurationResource url="https://talang.switch.ch/gen_attribute-filter.php/aaitest/lewotolo.switch.ch/attribute-filter.xml" file="/opt/shibboleth-idp-trunk/conf/attribute-filter.xml" xsi:type="resource:FileBackedHttpResource" />

However, when using this I get:
11:04:16.683 [main] ERROR o.s.web.context.ContextLoader - Context initialization failed

Environment: Apache Tomcat 5.5, Sun 1.5
The example relying-party.xml file has a big comment at the top of it. Twice. Once is surely enough.

Also, it should be "these profiles" in the first line of the comment.

Environment: Apache Tomcat 5.5, Sun 1.5
<resolver:AttributeDefinition id="eduPersonTargetedID.old" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" scope="iay.org.uk" sourceAttributeID="computedID">
<resolver:Dependency ref="computedID" />

<resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
</resolver:AttributeDefinition>

Environment: Apache Tomcat 5.5, Sun 1.5
1) Missing body end tag in the login.jsp.

Solution:
Add </body>

2) Missing head and title tags in login.jsp:
Solution:

Add <head><title>Shibboleth Identity Provider</title></head>

Environment: Apache Tomcat 5.5, Sun 1.6
Session initiation:

https://sp2.example.org/Shibboleth.sso/Login?entityID=https://idp2.example.org/idp/shibboleth&forceAuthn=1&target=https://sp2.example.org/secure

SAML AuthnRequest as decoded at the IdP:

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="1" Destination="https://idp2.example.org/idp/profile/SAML2/Redirect/SSO" ForceAuthn="1" ID="_6527abdf684eb7600be5e60b23d3c6d7" IssueInstant="2008-03-19T13:38:57Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp2.example.org/shibboleth/cztestfed/sp</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

Would be nice to hack in a SAML2SSO profile handler attribute for setting a SessionNotOnOrAfter value when issuing SSO assertions.

It looks like the authentication engine hardcodes the setSecure method to false when it creates the session cookie, would be nice to make that an option for people that aren't dumb enough to run this over http.

Environment: Apache Tomcat 6.0, Sun 1.6
The 2.0 AA query endpoint returned, when no attributes were released, an empty assertion. Suggest this be changed to an empty Response to avoid useless caching of the assertion by the SP.

I also noticed it was using the sender-vouches confirmation method. The profile isn't terribly specific on that, but it's generally accepted that they shouldn't have a confirmation method. The code had a branch to a function that requires a conf method, but an if null check should bypass that logic.

Didn't test the 1.1 AA yet.

Environment: Apache Tomcat 5.5, Sun 1.5
I configured the persistentID generation in the attribute-resolver.xml using the configuration below:

<resolver:AttributeDefinition id="persistentID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:Dependency ref="myPersistentID" />
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:persistentId" />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.16.840.1.113730.3.1.3.0001" friendlyName="persistentID" />
</resolver:AttributeDefinition>

<resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"

Environment: Apache Tomcat 5.5, Sun 1.5
This could be fat fingering. I'm still investigating.

Consider the following segment

<resolver:AttributeDefinition xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="PpN2" >
<resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="PPN3" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="PpN2">
<resolver:Dependency ref="myLDAP" />

This gives way to the following log:

11:54:19.562 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:294] - Resolving attribute PPN3 for principal rdw2

Environment: Apache Tomcat 5.5, Sun 1.5
(I'm still investigating this - I put it in so you can get a heads up)

Below is the NPE.

The trouble is that shibScopeValueBuilder is NULL. This is initialized via

private final XMLObjectBuilder<ShibbolethScopedValue> shibScopeValueBuilder = Configuration.getBuilderFactory().getBuilder(ShibbolethScopedValue.TYPE_NAME);

The attribute is defined thus:

<resolver:AttributeDefinition id="principalName" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" scope="steadingsoftware.net" sourceAttributeID="sAMAccountName">
<resolver:Dependency ref="myLDAP" />

<resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute

Environment: Apache Tomcat 5.5, Sun 1.5
When I try to run aacli I get the below. This module (edu.internet2.middleware.shibboleth.common.config.service.ServletContextAttributeExporter) is new in RC2.

C:\opt\shibboleth-idp-trunk> bin\aacli.bat --configDir=conf/ --principal=rdw --requester=http://example.org/sp --saml1
Exception in thread "main" org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.ServiceServletContextAttributeExporter': Invocation of init method failed; nested exception is edu.internet2.middleware.shibboleth.common.service.ServiceException: This service may only be used when services are loaded within a WebApplicationContext
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1260)
at org.springframework.beans.factory.supp

No big deal. But easily fixable (assign to me if you wish)

Environment: Apache Tomcat 5.5, Sun 1.5
10:10:21.599 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:275] - Encoding response to SAML request null from relying party https://address.fdu.edu/shibboleth/testshib/sp

Environment: Apache Tomcat 5.5, Sun 1.5
When using the metadata signature validation with this configuration:

<MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" metadataURL="http://www.switch.ch/aai/federation/aaitest/metadata.aaitest_signed.xml" backingFile="/etc/shibboleth/metadata.aaitest.xml" maintainExpiredMetadata="true" cacheDuration="3600">
<MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" xmlns="urn:mace:shibboleth:2.0:metadata" />
</MetadataProvider>

and

<security:TrustEngine id="shibboleth.MetadataTrustEngine"

It'd be neat if the IdP could load entire folders of metadata, including by default the /metadata subdirectory of the installation. One of my deployers expected this to be the standard method of functioning.

It'd be neat to be able to associate a location somehow with a handler so that, for example, multiple RemoteUser handlers could be defined at different locations for different methods.

<LoginHandler xsi:type="RemoteUser" location="CertRemoteUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</AuthenticationMethod>
</LoginHandler>

<LoginHandler xsi:type="RemoteUser" location="UnspecifiedUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
</LoginHandler>

ERROR

Error Message: Invalid identity provider profile URL.

is displayed to the user on most any failure of the IdP to process an AuthnRequest. This is seriously user-facing, so could we change it to something more friendly and useful, like:

"Something went wrong with your login request. Please either try the page you want to access again, or contact your help desk or administrator."

Environment: Apache Tomcat 5.5, Sun 1.5
209 <regexSplit input="${idp.hostname}" regex="^.*\.(.*\..*$)" addproperty="idp.scope" />

explodes with "localhost"

Environment: Apache Tomcat 5.5, Sun 1.5
ant.sh is not executable. Change rights from:

-rw-r--r--

to

-rwxr-xr-x

Environment: Apache Tomcat 5.5, Sun 1.5
Unzipping the archive shibboleth-idp-2.0-rc1-bin.zip produces warnings due to the use of absolute paths in the zip file:

aar:/opt/src # unzip shibboleth-idp-2.0-rc1-bin.zip
Archive: shibboleth-idp-2.0-rc1-bin.zip
warning: stripped absolute path spec from /
mapname: conversion of failed
warning: stripped absolute path spec from /identityprovider/
creating: identityprovider/
warning: stripped absolute path spec from /identityprovider/build-lib/
creating: identityprovider/build-lib/
warning: stripped absolute path spec from /identityprovider/build-lib/ant-1.6.5-junit.jar
inflating: identityprovider/build-lib/ant-1.6.5-junit.jar
warning: stripped absolute path spec from /identityprovider/build-lib/ant-1.6.5-launcher.jar
inflating: identityprovider/build-lib/ant-1.6.5-launcher.jar
warning: stripped absolute path spec from /identityprovider/build-lib/ant-1.6.5-

Environment: Apache Tomcat 5.0, Sun 1.5
The URI

urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified

mentioned on page

https://spaces.internet2.edu/display/SHIB2/IdPNameIdentifier

does not exist. This may be a simple doc bug, but if the IdP actually emits such a URI, then this is a software bug as well.

Environment: Apache Tomcat 5.5, Sun 1.5
2008-01-24 00:55:02 DEBUG OpenSAML.MessageDecoder.SAML2POST [2]: <?xml version="1.0" encoding="UTF-8"?>
<samlp:Response Destination="https://sp.testshib.org/Shibboleth.sso/SAML2/POST" ID="_34e2d4944fc4156de2b78b67b90cff12" InResponseTo="_74aa8c6bd75a46e346564fa9baded824" IssueInstant="2008-01-24T05:54:57.202Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.testshib.org/idp/shibboleth</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>

Another "I'd like a pony" request.

Automatically generating certificates and keys for users during the installation process with ant to replace example.org.key and example.org.crt would be super neat. Doubly so if they were named something that made it clear they'd actually be usable, potentially reducing the number of steps to set up an IdP by at least 2.

Seriously, though, a pony would rock.

This is the piece of config most likely to be changed, so I'd like to see it at the top of logging.xml:

<!--
Loggers define inidicate which packages/categories are logged, at which level, and to which appender.
Levels: ALL, ERROR, WARN, INFO, DEBUG, OFF
-->

<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="edu.internet2.middleware.shibboleth">
<level value="DEBUG" />
<!-- Appender, IDP_PROCESS, is inherited from the root logger -->
</logger>

It'd be really nice to unify these so they are the same xsi:type and same class. It'd simplify things a lot. Force people to use file:/path/to/metadata and leave the backingFile optional, as it should be anyway.

<!-- MetadataProvider reading metadata from a URL. -->
<!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
<!--
<MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
-->

<!-- MetadataProvider reading metadata from the filesystem -->
<!-- Fill in metadataFile attribute with deployment specific information -->
<!--

Environment: Apache Tomcat 5.5, Sun 1.5
Can't figure out which part of the match is failing...

11:29:13.219 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager] No relying party configuration was registered for https://stc-test11.cis.brown.edu/Shibboleth.sso/Metadata looking up configuration based on metadata groups

11:29:13.220 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager] No relying party configuration found for https://stc-test11.cis.brown.edu/Shibboleth.sso/Metadata using default configuration

11:29:13.243 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet] Encountered error processing request to /SAML2/Redirect/SSO, invoking error handler
java.lang.NullPointerException

Environment: Apache Tomcat 5.5, Sun 1.5
http://idp.two.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLResponse=Hi!

04:43:01.995 ERROR [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder] Unable to Base64 decode and inflate SAML message
java.lang.NullPointerException
at java.io.ByteArrayInputStream.<init>(ByteArrayInputStream.java:89)
at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.decodeMessage(HTTPRedirectDeflateDecoder.java:122)
at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:94)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:71)
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:303)

Environment: Apache Tomcat 5.5, Sun 1.5
Literally null response presented to the user rather than the authentication mechanism. https://stc-test11.cis.brown.edu/Shibboleth.sso/Metadata may or may not have been in the metadata files he was loading; didn't think to check.

10:01:03.928 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager] No relying party configuration found for https://stc-test11.cis.brown.edu/Shibboleth.sso/Metadata using default configuration
10:01:03.972 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet] Encountered error processing request to /SAML2/Redirect/SSO, invoking error handler
java.lang.NullPointerException
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:165)
at

Environment: Apache Tomcat 5.5, Sun 1.5
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:NameID>

19:54:57.922 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver] Resolving principal name from name identifier of format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified

19:54:57.922 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver] Using principal connector saml2Unspec to resolve principal name.

19:54:57.922 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet] Encountered error processing request to /SAML2/SOAP/AttributeQuery, invoking error handler
java.lang.NullPointerException

Environment: Apache Tomcat 5.5, Sun 1.5
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="7" IssueInstant="2008-01-11T00:18:56Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Nate</saml:NameID>
</saml:Subject></samlp:AttributeQuery>
</S:Body></S:Envelope>

<resolver:PrincipalConnector xsi:type="Transient" xmlns="urn:mace:shibboleth:2.0:resolver:pc" id="saml2Transient" nameIDFormat="urn:oasis:names:tc:SA

Environment: Apache Tomcat 5.5, Sun 1.5
18:49:50.829 INFO [Shibboleth-Access] 20080110T234950Z|75.171.155.30|idp.two.testshib.org:443|/profile/SAML2/Redirect/SSO|

18:49:50.831 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler] Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: Encountered error parsing message into its DOM representation
at org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDecoder.java:160)
at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:100)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:71)
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decode

Environment: Apache Tomcat 5.5, Sun 1.5
-rw-r--r-- 1 root root 196 Jan 10 18:29 install.properties
-rw-r--r-- 1 root root 72 Dec 6 16:42 install.properties.mine
-rw-r--r-- 1 root root 98 Dec 6 12:46 install.properties.r2504
-rw-r--r-- 1 root root 87 Jan 10 18:29 install.properties.r2554

install.properties contents:

<<<<<<< .mine
idp.home = /usr/local/idp
war.name=idp.war
idp.overwrite-config = false
=======
idp.home = /opt/shibboleth-idp-${version}
war.name=idp.war
idp.overwrite-config = false>>>>>>> .r2554

Environment: Apache Tomcat 5.5, Sun 1.5
13:07:33.146 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine] Evaluating if filter policy null is active for principal myself

13:07:33.146 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine] Filter policy null is active for principal myself

13:07:33.146 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine] Filtering values of attribute givenName for principal myself

13:07:33.146 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine] Removing attribute from return set, no more values: {}uid

13:07:33.149 ERROR [edu.internet2.middleware.shibboleth.co

Environment: Apache Tomcat 5.5, Sun 1.5
Not obviously typos, but still catastrophic. Went away when I removed the element.

13:01:49.240 ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService] Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error creating components
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.opensaml.saml2.metadata.provider.SignatureValidationFilter#0': Cannot resolve reference to bean 'shibboleth.SignatureTrustEngine' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.SignatureTrustEngine': Cannot resolve reference to bean 'ShibbolethMetadata' while setting bean property 'metadataProvider'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean

Environment: Apache Tomcat 5.5, Sun 1.5
In attribute-resolver.xml:

<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
xmlns:sec="urn:mace:shibboleth:2.0:security"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd

Environment: Apache Tomcat 5.5, Sun 1.5

21:49:58.945 DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider] Checking child metadata provider for entity descriptor with entity ID: https://sp.two.testshib.org/Shibboleth.sso/Metadata

21:49:58.946 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider] Getting descriptor for entity https://sp.two.testshib.org/Shibboleth.sso/Metadata

21:49:58.946 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider] Searching for entity descriptor with an entity ID of https://sp.two.testshib.org/Shibboleth.sso/Metadata

21:49:58.946 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider] Entity descriptor for the ID

Environment: Apache Tomcat 5.5, Sun 1.5
The following exception occurs occasionally, displaying a Null Error Message to the client:

...

21:39:01.554 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine] Removing attribute from return set, no more values: {}givenName

21:39:01.554 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine] Removing attribute from return set, no more values: {}uid

21:39:01.554 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine] Removing attribute from return set, no more values: {}cn

21:39:01.554 DEBUG [edu.internet2.middleware.shibboleth.co

Environment: Apache Tomcat 5.5, Sun 1.5
The example /SAML2/POST/SSO ProfileHandler in handler.xml should support a SimpleSign outbound binding as well; e.g.

<ProfileHandler xsi:type="SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
<RequestPath>/SAML2/POST/SSO</RequestPath>
</ProfileHandler>

should be

<ProfileHandler xsi:type="SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST urn:oasis:names:tc:SAML:2.0:bindings:H

Environment: Apache Tomcat 5.5, Sun 1.5
(x3) A rule that checks the signature on SAML protocols messages.

"protocol"

A rule that inspects the message issue instant and ensures that it within a certain timeframe.

"it is"

<complexType name="Replay">
<annotation>
<documentation>
A security policy rule that ensure the a recieved SAML message's issue instant is not before the current
time (as defined by the system) or older than a given expiration threshold.
</documentation>

Is this really accurate? Misnamed attribute, or wrong documentation?

Environment: Apache Tomcat 5.5, Sun 1.5
given components may chose to use the credential for either encryption of signing operations.

"choose", "or"

Trust engine used to validate an X509 credentials against PKIX information from metadata.

"credential"

Security policies define a set of rules that are evaluated against incomming messages to

"incoming"

A security rule that requires that an incoming message by authenticated.

"be authenticated."

Environment: Apache Tomcat 5.5, Sun 1.5
A match function that performs a logical NOT on the resultof the contained matching function.

"result of"

evaluates to true if any value matches the given expression

missing "."

A match function that evaluates to true if the attribute producer is found in metadata and is a member

should probably be "attribute issuer"

A match function that ensures that an attributes value's scope matches a scope given in metadata for the entity or role.

"attribute value's"

Apache Tomcat 5.5   Sun 1.5

Rerfence to a PolicyRequirement defined within this policy group or another.

"Reference"

Rerfence to a AttribtueRule defined within this policy group or another.

"Reference", "AttributeRule"

Rerfence to a PermitValueRule defined within this policy group or another.

"Reference"

Apache Tomcat 5.5   Sun 1.5

<documentation>The SAML 2 NameQualfier of the NameID.</documentation>

"NameQualifier"

If scopeType is "inline", this is the delimeter used to between the attribute value and

"used between"

Apache Tomcat 5.5   Sun 1.5

<documentation>A attribute definition used to construct transient subejct identifiers.</documentation>

"subject"

be bound to script attribute

"a script"

multiples times, iterating over each dependency.

"multiple times"

Apache Tomcat 5.5   Sun 1.5

(x2) A connection, or pool of connections, to the database managed the application container.

"managed by"

(x2) A connection, or pool of connections, to the database managed the data connector.

"managed by"

A template that will be used to create SQL query used to pull information from the database.

"the SQL query"/"a SQL query"

execute as quckly as possible and must return at least one result.

"quickly"

Name of the template engine defined within the applicaiton.

"application"

A property used when contrusting a

Apache Tomcat 5.5   Sun 1.5

(x2) A princpal connector that returns the SAML name identifier valueas the principal name.

Apache Tomcat 5.5   Sun 1.5

An attribute encoder is responsible for converting an attribute, and it's values, into a protocol

<attribute name="nameIDFormat" type="anyURI" use="required">

--> "NameIDFormat"?

Apache Tomcat 5.5   Sun 1.5

Filters out, from an entity descriptor, that do not appear in the role whitelist. Optionally role-less entity descriptor and entity/entities discriptor-less entities descriptors may be removed.

missing noun; "discriptor"

A boolean flag indicating that entity descriptors, after filter, contain no roles should be removed.

needs a "that" or "containing" and maybe "filtering"

A boolean flag indicating that entities descriptors, after filter, contain no entity or entities descriptors.

needs a "that" or "containing", a "should be removed.", and maybe "filtering"

Apache Tomcat 5.5   Sun 1.5

(x3) on the relying party configuration than signing will not occur regardless of this setting.

--> "then"

<attribute name="encryptNameIds" type="boolean" default="false">

-> encryptNameID's?

Apache Tomcat 5.5   Sun 1.5

The IdP session manager does not currently observe the destruction of container sessions. This means that session cruft can build up in the session manager until the IdP sessions expire and they are swept from the manager.

Create a servlet context listener that, when web app sessions expire, kills off the associated IdP session.

Apache Tomcat 5.5   Sun 1.5

Probably a bad comparison in code added to prevent dorks sending AuthnRequests to query handlers.

2007-12-17 15:03:23 DEBUG XMLTooling.libcurl [2]: <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8b3c1e5e54051c35783ce391f4181a10" IssueInstant="2007-12-17T20:03:23Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference

Apache Tomcat 5.5   Sun 1.5

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="g"
IssueInstant="2007-12-17T19:08Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_700dd4076489708bd120e9da0113b8e6</saml:NameID></saml:Subject>
</samlp:AttributeQuery>
</S:Body>
<S:Header/>
</S:Envelope>

14:08:07.263 ERROR

Apache Tomcat 5.5   Sun 1.5

Probably falls into "liberal in what you receive", but:

All SAML time values have the type xs:dateTime, which is built in to the W3C XML Schema Datatypes specification [Schema2], and MUST be expressed in UTC form, with no time zone component.

IssueInstant="2007-12-17T22:02+03:00" Version="2.0">

--> assertion issued

Apache Tomcat 5.5   Sun 1.5

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID=""
IssueInstant="2007-12-17T18:54:06Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_700dd4076489708bd120e9da0113b8e6</saml:NameID></saml:Subject>
</samlp:AttributeQuery>
</S:Body>
<S:Header/>
</S:Envelope>

13:52:24.206 ERROR

Apache Tomcat 5.5   Sun 1.5

13:45:51.524 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet] Encountered error processing request to /SAML2/SOAP/AttributeQuery, invoking error handler
java.lang.IllegalArgumentException: Invalid format: ""
at org.joda.time.format.DateTimeFormatter.parseMillis(DateTimeFormatter.java:634)
at org.joda.time.convert.StringConverter.getInstantMillis(StringConverter.java:65)
at org.joda.time.base.BaseDateTime.<init>(BaseDateTime.java:171)
at org.joda.time.DateTime.<init>(DateTime.java:213)

Apache Tomcat 5.5   Sun 1.5

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_c4f384f3cb7277fbe762468adbc09cca"
IssueInstant="2007-12-17T18:25:06Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_700dd4076489708bd120e9da0113b8e6</saml:NameID></saml:Subject>
</samlp:AttributeQuery>
</S:Body>
<S:Header/>
</S:Envelope>

Apache Tomcat 5.5   Sun 1.5

<!-- Envelope, header and body -->
<xs:element name="Envelope" type="tns:Envelope" />
<xs:complexType name="Envelope" >
<xs:sequence>
<xs:element ref="tns:Header" minOccurs="0" />
<xs:element ref="tns:Body" minOccurs="1" />
<xs:any namespace="##other" minOccurs="0" maxOccurs="unbounded" processContents="lax" />
</xs:sequence>
<xs:anyAttribute namespace="##other" processContents="lax" />
</xs:complexType>


<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_a4f384f3cb7277fbe762468adbc09cca"
IssueInstant="2007-12-17T18:25:06Z"

Apache Tomcat 5.5   Sun 1.5

3.3.4 of SAML-Core referred to by 3.3.2.3, AttributeQuery states:

In response to a SAML-defined query message, every assertion returned by a SAML authority MUST contain a <saml:Subject> element that strongly matches the <saml:Subject> element found in the query.

"strongly matches" is fairly explicitly defined

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_a4f384f3cb7277fbe762468adbc09cca"
IssueInstant="2007-12-17T18:25:06Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2

Apache Tomcat 5.5   Sun 1.5

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<m:goo xmlns:m="Hello" S:mustUnderstand="1">Garbage</m:goo>
</S:Header>
<S:Body>
<samlp:AttributeQuery xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
...

Apache Tomcat 5.5   Sun 1.5

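The two reports above (an S:Header that follows S:Body, and a header block with S:mustUnderstand="1" that the endpoint cannot process) are both envelope-level checks that belong before any SAML decoding. The following is an added example, not OpenSAML or Shibboleth code: it enforces the quoted schema order (Header?, Body, then only ##other elements), requires exactly one message in the Body, and returns a MustUnderstand fault for a header block it does not understand instead of ignoring it. The sample envelopes are constructed here, and the set of headers the endpoint understands (none) is an assumption.

```python
# Added example (not OpenSAML/Shibboleth code): SOAP 1.1 envelope checks for
# the two reports above. Schema order is Header?, Body, then ##other elements
# only; a header block with S:mustUnderstand="1" that is not understood must
# produce a MustUnderstand fault. Samples are constructed for the example.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ENVELOPE, HEADER, BODY = ("{%s}%s" % (SOAP, n) for n in ("Envelope", "Header", "Body"))
MUST_UNDERSTAND = "{%s}mustUnderstand" % SOAP
# Assumption: a plain SAML SOAP binding endpoint understands no header blocks.
UNDERSTOOD_HEADERS = frozenset()


class SoapFault(Exception):
    """faultcode carries the SOAP 1.1 value: Client, MustUnderstand, ..."""

    def __init__(self, faultcode, message):
        super().__init__(message)
        self.faultcode = faultcode


def check_envelope(xml_text, understood=UNDERSTOOD_HEADERS):
    """Validate the envelope; return the single Body child (the SAML message)."""
    try:
        env = ET.fromstring(xml_text)
    except ET.ParseError as e:
        raise SoapFault("Client", "not well-formed XML: %s" % e)
    if env.tag != ENVELOPE:
        raise SoapFault("Client", "root is %s, not S:Envelope" % env.tag)
    tags = [child.tag for child in env]
    if tags.count(BODY) != 1 or tags.count(HEADER) > 1:
        raise SoapFault("Client", "exactly one S:Body and at most one S:Header")
    body_at = tags.index(BODY)
    # Nothing but an optional Header may precede Body.
    for tag in tags[:body_at]:
        if tag != HEADER:
            raise SoapFault("Client", "unexpected %s before S:Body" % tag)
    # After Body only namespace-qualified elements outside the SOAP namespace
    # are allowed (##other), so a trailing S:Header is a schema violation.
    for tag in tags[body_at + 1:]:
        if tag == HEADER:
            raise SoapFault("Client", "S:Header must precede S:Body")
        if not tag.startswith("{") or tag.startswith("{%s}" % SOAP):
            raise SoapFault("Client", "unexpected %s after S:Body" % tag)
    header = env.find(HEADER)
    for block in (header if header is not None else []):
        mu = block.get(MUST_UNDERSTAND, "0")
        if mu not in ("0", "1"):  # SOAP 1.1 allows only 0 or 1
            raise SoapFault("Client", "bad mustUnderstand %r on %s" % (mu, block.tag))
        if mu == "1" and block.tag not in understood:
            raise SoapFault("MustUnderstand", "header block %s not understood" % block.tag)
    payload = list(env[body_at])
    if len(payload) != 1:
        raise SoapFault("Client", "S:Body must carry one message, got %d" % len(payload))
    return payload[0]


def classify(xml_text):
    """'ok:<payload tag>' or 'fault:<faultcode>' for a sample envelope."""
    try:
        return "ok:" + check_envelope(xml_text).tag
    except SoapFault as f:
        return "fault:" + f.faultcode


QUERY = ('<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'ID="_a4f384f3" IssueInstant="2007-12-17T18:25:06Z" Version="2.0"/>')
SAMPLES = {  # constructed for the example
    "header then body": '<S:Envelope xmlns:S="%s"><S:Header/><S:Body>%s</S:Body></S:Envelope>' % (SOAP, QUERY),
    "no header": '<S:Envelope xmlns:S="%s"><S:Body>%s</S:Body></S:Envelope>' % (SOAP, QUERY),
    "header after body": '<S:Envelope xmlns:S="%s"><S:Body>%s</S:Body><S:Header/></S:Envelope>' % (SOAP, QUERY),
    "garbage mustUnderstand": ('<S:Envelope xmlns:S="%s"><S:Header><m:goo xmlns:m="Hello" '
                               'S:mustUnderstand="1">Garbage</m:goo></S:Header>'
                               '<S:Body>%s</S:Body></S:Envelope>') % (SOAP, QUERY),
    "optional garbage header": ('<S:Envelope xmlns:S="%s"><S:Header><m:goo xmlns:m="Hello" '
                                'S:mustUnderstand="0">Garbage</m:goo></S:Header>'
                                '<S:Body>%s</S:Body></S:Envelope>') % (SOAP, QUERY),
    "empty body": '<S:Envelope xmlns:S="%s"><S:Body/></S:Envelope>' % SOAP,
}


def run_samples():
    """Classify every constructed sample; returns {name: result}."""
    return {name: classify(xml) for name, xml in SAMPLES.items()}
```

Calling run_samples() accepts the first two envelopes and the one whose unknown header is merely optional, and faults the Header-after-Body, empty-Body and mustUnderstand="1" cases; only the last of those is a MustUnderstand fault, the rest are Client faults.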
If you send it an:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceIndex="1"
Destination="https://idp.two.testshib.org/idp/profile/saml2/Redirect/SSO"
ID="_54b5459132006c8ddcc218d1d7deeef5"
IssueInstant="2007-12-15T20:54:43Z"
Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>

15:53:44.030 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler] Decoded request

15:53:44.030 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet] Encountered error processing request to

Apache Tomcat 5.5   Sun 1.5

14:51:42.378 INFO [Shibboleth-Access] 20071215T195142Z|71.208.229.5|idp.two.testshib.org:443|/profile/Shibboleth/SSO|

14:51:42.379 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager] shibboleth.HandlerManager: Looking up profile handler for request path: /Shibboleth/SSO

14:51:42.379 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager] shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler

14:51:42.379 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler] Processing incomming request

14:51:42.379 DEBUG [edu.internet2.middleware.shibboleth.idp.

Apache Tomcat 5.5   Sun 1.5

14:51:42.379 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler] Processing incomming request
14:51:42.380 DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider] Metadata was an entities descriptor, checking if any of it's descendant entity descriptors is the one we're looking for.

Apache Tomcat 5.5   Sun 1.5

At least true for /Authn/RemoteUser. Quitting the browser still works.

The SP has a flag, handlerSSL, that overrides the scheme sent in from the web server for messages sent directly to handler endpoints. This would force the SAML assertion generated after a request for http://example.org/secure to be sent to https://example.org/Shibboleth.sso/SAML/POST instead of http://example.org/Shibboleth.sso/SAML/POST.

A similar optional flag that forces user authentication over TLS/SSL rather than inheriting the scheme from Tomcat might be useful to many deployers. It would guarantee that user passwords are never sent over cleartext to authentication handlers.

Apache Tomcat 5.5   Sun 1.5

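Until an IdP-side flag of the kind requested above exists, the same guarantee can be obtained from the servlet container: a security constraint with a CONFIDENTIAL transport guarantee makes Tomcat refuse, or redirect, plain-HTTP requests to the authentication handlers, so a password form is never served or posted over cleartext. The fragment below is an added example for a deployer's web.xml, not the IdP's shipped web.xml. It assumes the authentication handlers are mapped under /Authn/ inside the IdP web application (as /Authn/RemoteUser is above) and that the Tomcat HTTP connector carries a redirectPort pointing at the TLS connector, which is what the redirect relies on.

```xml
<!-- Added example: web.xml fragment for the IdP web application.
     Assumes the authentication handlers live under /Authn/* and that the
     plain HTTP connector in server.xml has redirectPort set to the TLS port. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>IdP authentication handlers</web-resource-name>
    <url-pattern>/Authn/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: the container only serves these paths over TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

This protects the credential exchange only; it does not change the scheme the IdP puts into the SAML response, which is the separate SP-side handlerSSL concern described above.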
13:03:13.833 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler] Decoding message with decoder binding null

Apache Tomcat 5.5   Sun 1.5

<EntityDescriptor entityID="https://sp.two.testshib.org/Shibboleth.sso/Metadata" validUntil="2010-01-01T00:00:00Z">

<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.two.testshib.org/Shibboleth.sso/SAML2/POST"/>
<AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sp.two.testshib.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
<AssertionConsumerService index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.two.testshib.org/Shibboleth.sso/SAML2/Artifact"/>
<AssertionConsumerService index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sp.two.testshib.org/Shibboleth.sso/SAML2/ECP"/>
<AssertionConsumerService index="5" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

Apache Tomcat 5.5   Sun 1.5

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>

</S:Body>
</S:Envelope>

16:58:10.185 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet] Encountered error processing request to /SAML2/SOAP/AttributeQuery, invoking error handler
java.lang.NullPointerException
at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.decodeRequest(AttributeQueryProfileHandler.java:161)
at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:74)
at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandl

Apache Tomcat 5.5   Sun 1.5

[root@two trunk]# wget --no-check-certificate --header='Content-Type: random/message' --post-file='/var/www/sp-testshib/soap.xml' https://idp.two.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery
--16:35:57-- https://idp.two.testshib.org:8443/idp/profile/SAML2/SOAP/AttributeQuery
Resolving idp.two.testshib.org... 146.186.26.154
Connecting to idp.two.testshib.org|146.186.26.154|:8443... connected.
WARNING: cannot verify idp.two.testshib.org's certificate, issued by `/C=US/ST=Pennsylvania/L=Pittsburgh/O=TestShib/CN=idp.testshib.org':
Self-signed certificate encountered.
WARNING: certificate common name `idp.testshib.org' doesn't match requested host name `idp.two.testshib.org'.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/xml]
Saving to: `AttributeQuery.46'

Apache Tomcat 5.5   Sun 1.5

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>

<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID=""
IssueInstant="2007-12-14T21:12:38.710Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3e485ed0ba6da6a743aa45318035dac5</saml:NameID></saml:Subject></samlp:AttributeQuery>


or

<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:

Apache Tomcat 5.5   Sun 1.5

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>

<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_386e36ee60f4b73a5e3b04d8c3492c67"
IssueInstant="Tomorrow, probably"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3e485ed0ba6da6a743aa45318035dac5</saml:NameID></saml:Subject></samlp:AttributeQuery>

</S:Body>
</S:Envelope>

Apache Tomcat 5.5   Sun 1.5

<security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
<security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
</security:SecurityPolicy>

Apache Tomcat 5.5   Sun 1.5

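Several of the reports above are the same class of problem: an AttributeQuery with ID="" (a Joda "Invalid format" or NullPointerException deep in the handler), ID="g", an IssueInstant without seconds, one with a "+03:00" offset that SAML Core forbids, one reading "Tomorrow, probably", and an empty SOAP Body; the Replay, IssueInstant and MandatoryIssuer rules in the security policy just above are what should reject them before any of that code runs. The following is an added example, not Shibboleth or OpenSAML code, showing those preconditions together: ID must be a non-empty xs:ID (an NCName), IssueInstant must be an xs:dateTime in UTC with a trailing Z and seconds, the instant must fall inside a skew-plus-age window, Issuer must be present, and an ID seen once inside that window is a replay. The sample messages, the endpoint names and the clock value are constructed for the example; the IDs and instants are the ones quoted in the reports.

```python
# Added example (not Shibboleth or OpenSAML code): preconditions a SAML 2
# AttributeQuery endpoint should enforce before touching the request, built
# from the cases reported above and the Replay / IssueInstant / MandatoryIssuer
# rules of the security policy. Samples, endpoint names and NOW are assumptions.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# xs:ID is an NCName: first char a letter or '_', no colons, never empty.
NCNAME = re.compile(r"^[A-Za-z_][\w.\-]*$")
# SAML Core 1.3.3: xs:dateTime in UTC with a trailing 'Z' and no zone offset;
# xs:dateTime itself requires seconds, fractional seconds are optional.
UTC_DATETIME = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z$")


def parse_issue_instant(value):
    """Return an aware datetime, or None if value is not a SAML IssueInstant."""
    m = UTC_DATETIME.match(value or "")
    if not m:
        return None
    y, mo, d, h, mi, s, frac = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    try:
        return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                        micros, tzinfo=timezone.utc)
    except ValueError:  # lexically fine but e.g. month 13
        return None


class ReplayCache:
    """Message IDs seen so far, kept until they would fail the age check anyway."""

    def __init__(self):
        self._seen = {}

    def first_sighting(self, msg_id, expires_at, now):
        for stale in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[stale]
        if msg_id in self._seen:
            return False
        self._seen[msg_id] = expires_at
        return True


def check_request(soap_xml, now, replay_cache,
                  clock_skew=timedelta(minutes=3), max_age=timedelta(minutes=5)):
    """Return (ok, reason); ok is True only when every precondition holds."""
    try:
        env = ET.fromstring(soap_xml)
    except ET.ParseError as e:
        return False, "not well-formed XML: %s" % e
    body = env.find("{%s}Body" % SOAP)
    if body is None or len(body) == 0:
        return False, "SOAP Body missing or empty"
    req = body[0]
    if req.tag != "{%s}AttributeQuery" % SAMLP:
        return False, "unexpected message %s" % req.tag
    if req.get("Version") != "2.0":
        return False, "Version must be 2.0"
    msg_id = req.get("ID")
    if msg_id is None or not NCNAME.match(msg_id):
        return False, "ID %r is not a valid xs:ID" % msg_id
    issued = parse_issue_instant(req.get("IssueInstant"))
    if issued is None:
        return False, "IssueInstant %r is not a UTC xs:dateTime" % req.get("IssueInstant")
    if issued > now + clock_skew:
        return False, "IssueInstant is in the future"
    if issued < now - max_age - clock_skew:
        return False, "IssueInstant is too old"
    if req.find("{%s}Issuer" % SAML) is None:
        return False, "Issuer is mandatory"
    # Replay: the same ID inside the acceptance window is rejected.
    if not replay_cache.first_sighting(msg_id, issued + max_age + clock_skew, now):
        return False, "replayed message ID %s" % msg_id
    return True, "ok"


def sample_query(msg_id, issue_instant):
    """Constructed sample: a minimal AttributeQuery in a SOAP 1.1 envelope."""
    return (
        '<S:Envelope xmlns:S="%s"><S:Body>'
        '<samlp:AttributeQuery xmlns:samlp="%s" ID="%s" IssueInstant="%s" Version="2.0">'
        '<saml:Issuer xmlns:saml="%s">https://sp.example.org/shibboleth</saml:Issuer>'
        '<saml:Subject xmlns:saml="%s"><saml:NameID '
        'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc</saml:NameID>'
        '</saml:Subject></samlp:AttributeQuery></S:Body></S:Envelope>'
    ) % (SOAP, SAMLP, msg_id, issue_instant, SAML, SAML)


NOW = datetime(2007, 12, 17, 20, 3, 23, tzinfo=timezone.utc)  # assumed clock


def run_checks():
    """Run check_request over the constructed cases; returns {name: (ok, reason)}."""
    cache = ReplayCache()
    good = sample_query("_8b3c1e5e54051c35783ce391f4181a10", "2007-12-17T20:03:23Z")
    cases = {
        "valid": good,
        "replayed": good,  # the same message a second time
        "empty id": sample_query("", "2007-12-17T20:03:23Z"),
        "no seconds": sample_query("g", "2007-12-17T19:08Z"),
        "zone offset": sample_query("_1", "2007-12-17T22:02+03:00"),
        "garbage instant": sample_query("_386e36ee", "Tomorrow, probably"),
        "stale": sample_query("_3e485ed0", "2007-12-14T21:12:38.710Z"),
        "empty body": '<S:Envelope xmlns:S="%s"><S:Body/></S:Envelope>' % SOAP,
    }
    return {name: check_request(xml, NOW, cache) for name, xml in cases.items()}
```

run_checks() accepts only the first case; the second is the same message again and is caught by the replay cache, and each of the others fails on the precondition named in its reason string. Note that ID="g" is lexically a valid xs:ID, so that message is rejected for its IssueInstant, not its ID.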
15:45:44.712 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler] Resolving principal name for subject of SAML request _676e36ee60f4b73a5e3b04d8c3492c67 from relying party https://sp.two.testshib.org/Shibboleth.sso/Metadata

15:45:44.712 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver] Resolving principal name from name identifier of format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

15:45:44.712 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver] Using principal connector saml2Transient to resolve principal name.

15:45:44.717 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet] Encountered error processing

Apache Tomcat 5.5   Sun 1.5

Should either implement matching or error out

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceIndex="1"
Destination="https://idp.two.testshib.org/idp/profile/saml2/Redirect/SSO"
ID="_2b0226190ca1c22de6f66e85f5c95158"
IssueInstant="2007-12-13T22:45:20Z"
Version="2.0"><saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Nate</saml:Subject><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>

Apache Tomcat 5.5   Sun 1.5

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceIndex="1"
Destination="https://idp.two.testshib.org/idp/profile/saml2/Redirect/SSO"
ID="_114ea8b008a44e4346451d64622585e5"
ForceAuthn="foo"
IssueInstant="2007-12-13T22:27:34Z"
Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.two.testshib.org/Shibboleth.sso/Metadata</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>

results in no error; "true" results in no re-authentication.

Also possible to use in combo with AssertionConsumerServiceIndex. This AuthnRequest is processed successfully and results in an assertion to the SP's default ACS.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://idp.two.testshib.org/idp/profile/saml2/Redirect/SSO"
ID="_b0842313eef0b1c06cc633babd8143be"
ProtocolBinding="foo"
IssueInstant="2007-12-13T22:20:20Z

Apache Tomcat 5.5   Sun 1.5

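The last two reports show request attributes that the IdP accepts without looking at them: ForceAuthn="foo" is outside the xs:boolean lexical space (true, false, 1, 0), ProtocolBinding="foo" is not a binding at all, and SAML Core 3.4.1 makes AssertionConsumerServiceIndex mutually exclusive with ProtocolBinding and AssertionConsumerServiceURL; the report before them has a <saml:Subject> in the AuthnRequest that is simply ignored. The following is an added example, not Shibboleth code, of the lexical and consistency checks a request decoder should apply. It takes the "error out" branch for the Subject case rather than implementing matching. The sample requests are constructed, modelled on the ones quoted, and the set of bindings the IdP supports is an assumption.

```python
# Added example (not Shibboleth code): request-attribute checks the reports
# above show being skipped. xs:boolean attributes accept only true/false/1/0;
# ProtocolBinding must be a supported binding URI and, per SAML Core 3.4.1, is
# mutually exclusive with AssertionConsumerServiceIndex; a Subject in the
# request is refused rather than ignored. Samples and SUPPORTED_BINDINGS are
# assumptions for the example.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_BOOLEAN = {"true": True, "false": False, "1": True, "0": False}
SUPPORTED_BINDINGS = frozenset([  # assumed for the example
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
])


def xs_boolean(value, default=False):
    """Parse an xs:boolean attribute; anything outside its lexical space is an error."""
    if value is None:
        return default
    if value not in XS_BOOLEAN:
        raise ValueError("not an xs:boolean: %r" % value)
    return XS_BOOLEAN[value]


def validate_authn_request(xml_text, supported=SUPPORTED_BINDINGS):
    """Return the list of problems found; an empty list means the request is acceptable."""
    problems = []
    req = ET.fromstring(xml_text)
    if req.tag != "{%s}AuthnRequest" % SAMLP:
        return ["not an AuthnRequest: %s" % req.tag]
    # Every xs:boolean the request can carry, including the one on NameIDPolicy.
    flags = [("ForceAuthn", req), ("IsPassive", req)]
    policy = req.find("{%s}NameIDPolicy" % SAMLP)
    if policy is not None:
        flags.append(("NameIDPolicy/@AllowCreate", policy))
    for name, element in flags:
        try:
            xs_boolean(element.get(name.split("@")[-1]))
        except ValueError as e:
            problems.append("%s: %s" % (name, e))
    index = req.get("AssertionConsumerServiceIndex")
    binding = req.get("ProtocolBinding")
    acs_url = req.get("AssertionConsumerServiceURL")
    if index is not None and (binding is not None or acs_url is not None):
        problems.append("AssertionConsumerServiceIndex is mutually exclusive with "
                        "ProtocolBinding and AssertionConsumerServiceURL")
    if index is not None and not index.isdigit():
        problems.append("AssertionConsumerServiceIndex must be an unsignedShort")
    if binding is not None and binding not in supported:
        problems.append("unsupported ProtocolBinding %r" % binding)
    if req.find("{%s}Subject" % SAML) is not None:
        problems.append("Subject in AuthnRequest is not matched by this IdP; refusing")
    return problems


def sample_request(attrs="", subject=""):
    """Constructed AuthnRequest modelled on the ones quoted above."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
        'Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO" '
        'ID="_2b0226190ca1c22de6f66e85f5c95158" IssueInstant="2007-12-13T22:45:20Z" '
        'Version="2.0" %s>%s<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
        '<samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>'
    ) % (SAMLP, SAML, attrs, subject)


def run_samples():
    """Validate the constructed requests; returns {name: [problems]}."""
    post = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    return {
        "index only": validate_authn_request(sample_request('AssertionConsumerServiceIndex="1"')),
        "ForceAuthn=foo": validate_authn_request(
            sample_request('AssertionConsumerServiceIndex="1" ForceAuthn="foo"')),
        "ProtocolBinding=foo": validate_authn_request(sample_request('ProtocolBinding="foo"')),
        "index plus binding": validate_authn_request(
            sample_request('AssertionConsumerServiceIndex="1" ProtocolBinding="%s"' % post)),
        "subject": validate_authn_request(
            sample_request('AssertionConsumerServiceIndex="1"', '<saml:Subject>Nate</saml:Subject>')),
    }
```

Only the first sample comes back clean; each of the others reports exactly one problem, which is the condition the corresponding report above shows the IdP letting through.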

				