Ticket #29 (defect)
Opened 2 years ago
Last modified 2 years ago
Internal system use of ePPN is failing
Status: new
| Reported by: | jpr@openidp.org | Assigned to: | jpr@openidp.org |
|---|---|---|---|
| Priority: | standard | Keywords: | |
| Cc: | | | |
When using external providers the VO apps no longer get the ePPN mapped to REMOTE_USER, which caused authn errors in the sample VO apps.

The fix is to remove the scoping rules from the ePPN definition in AAP.xml. Essentially, when the internal IdP releases the received ePPN as an echoed attribute and unscoped, the AAP on the SP side shouldn't expect a scoped attribute, or it will fail.
Attribute scoping is a bit of a mystery to me. Clearly the internal IdP shouldn't be scoping the ePPN value, since it is legitimately structured as user@domain internally. This fix will work until the issue is better understood.
Save the following to AAP.xml.patch and apply with `patch -p0 < AAP.xml.patch`
--- AAP.xml 2007/07/27 21:04:12 1.3 +++ AAP.xml 2007/07/30 18:19:13 @@ -66,11 +66,11 @@ </AnySite> </AttributeRule> - <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user"> + <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="false" Header="REMOTE_USER" Alias="user"> <!-- Basic rule to pass through any value. --> <AnySite> <!-- <Value Type="regexp">^[^@]+$</Value> --> - <Scope Accept="true">myvocs-box</Scope> + <!-- <Scope Accept="true">myvocs-box</Scope> --> <AnyValue/> </AnySite> </AttributeRule>
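Review bot: With Scoped="false" and the `<Scope Accept="true">myvocs-box</Scope>` line commented out, the only rule left under `<AnySite>` is `<AnyValue/>`, so any ePPN value from any site is now copied straight into REMOTE_USER with no check that the part after the @ belongs to the IdP asserting it; since REMOTE_USER is what the VO apps authenticate on, that is a scope-spoofing exposure rather than just a relaxation. A narrower change would keep Scoped="true" and add a `<Scope Accept="true">` entry for each external provider's domain alongside `myvocs-box`, and the comment in the hunk should state that the current form is a workaround pending the root-cause analysis the ticket mentions.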
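To make the scoping behaviour described in the ticket concrete, here is an added example (not Shibboleth code, not part of the ticket or the patch) that models how an AAP `AttributeRule` for ePPN treats a `user@scope` value under the original `Scoped="true"` rule, under the patched `Scoped="false"` rule, and under a third, hypothetical rule that keeps scoping on but also accepts the external provider's scope. The rule structure, the `evaluate_eppn` function and the sample ePPN values (`alice@myvocs-box`, `alice@example.edu`, `alice@anything.example`) are constructed for the example; real Shibboleth SP also consults metadata and regexp rules, which this model leaves out.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AttributeRule:
    """Simplified model of an AAP.xml <AttributeRule> for ePPN (assumed, not Shibboleth's)."""
    scoped: bool                                  # Scoped="true" / "false"
    accept_scopes: List[str] = field(default_factory=list)  # <Scope Accept="true">...</Scope> entries
    any_value: bool = True                        # <AnyValue/> present under <AnySite>


def evaluate_eppn(value: str, rule: AttributeRule) -> Optional[str]:
    """Return the value that would be mapped into REMOTE_USER, or None if the rule rejects it."""
    if rule.scoped:
        # A scoped rule insists on user@scope and checks the scope part against accepted scopes.
        if "@" not in value:
            return None
        _user, scope = value.rsplit("@", 1)
        if scope not in rule.accept_scopes:
            return None
        return value
    # Unscoped rule: the whole string is the value; <AnyValue/> accepts anything at all.
    return value if rule.any_value else None


# Original rule from the ticket's "-" lines: scoped, only the local scope accepted.
ORIGINAL_RULE = AttributeRule(scoped=True, accept_scopes=["myvocs-box"])

# Patched rule from the ticket's "+" lines: scoping off, Scope entry commented out, AnyValue kept.
PATCHED_RULE = AttributeRule(scoped=False)

# Hypothetical narrower fix: keep scoping on and enumerate the external provider's scope.
NARROW_RULE = AttributeRule(scoped=True, accept_scopes=["myvocs-box", "example.edu"])


def remote_user_outcomes(value: str) -> dict:
    """Evaluate one ePPN value under all three rules; None means an authn failure for the VO app."""
    return {
        "original": evaluate_eppn(value, ORIGINAL_RULE),
        "patched": evaluate_eppn(value, PATCHED_RULE),
        "narrow": evaluate_eppn(value, NARROW_RULE),
    }


if __name__ == "__main__":
    # Constructed sample values: local user, echoed external user, and an arbitrary scope.
    for sample in ("alice@myvocs-box", "alice@example.edu", "alice@anything.example"):
        print(sample, remote_user_outcomes(sample))
```

The echoed external ePPN (`alice@example.edu`) fails under the original rule, which is the authn error the ticket reports; the patched rule accepts it, but it also accepts `alice@anything.example`, i.e. any scope any site cares to assert. The narrow rule accepts the external provider while still rejecting arbitrary scopes.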