Michael, I'm not sure if you've figured this out already. Are you possibly not working with a clean database?
The only reason you would get the error you describe is if the following conditions hold:

(I am assuming that a user's eppn value looks like this: [email protected] -- if there is a subdomain or non-alphanumeric values in the scoped portion of the eppn, then that may be part of the issue)

First, for this error to happen, this query must return 0 rows:

    SELECT name, shibonly FROM affiliation WHERE shibname = 'uchicago.edu'

And this query returns one row:

    SELECT name, shibname FROM affiliation WHERE name LIKE 'uchicago%' ORDER BY name DESC LIMIT 1

Typically, you would expect either both queries to return 0 rows OR the first query to return 1 row.

If I were you, I would either start with a fresh database or manually add the correct values to the affiliation table:

    INSERT INTO affiliation (name, shibname, shibonly) VALUES ('UCHICAGO', 'uchicago.edu', 1)

Best regards,
Aaron

On Sep 14, 2012, at 12:56 PM, Michael Jinks <[email protected]> wrote:

> Hi, list. Me again...
>
> I have a dev instance of a VCL management node working great, talks to
> our Shib IdP, all good. Its name is "vlab-a".
>
> Now I'm trying to set up another instance using our deployment
> automation tools, before going production. The staging instance is
> named "vlab-b".
>
> Except for the EntityID, all of our shib-related configs are the same.
> shibd is running happily, our campus IdP has the metadata for the SP
> on both hosts, and our IdM group confirms that vlab-b is talking to the
> IdP. But, while vlab-a works fine, vlab-b is throwing the error:
>
>     You have attempted to log in to VCL using a Shibboleth
>     Identity Provider that VCL has not been configured to
>     work with. VCL administrators have been notified of the
>     problem.
>
> If I browse to vlab-b/Shibboleth.sso/Session, I get what looks like good
> session data.
>
> The shib portion of the authMechs array in conf.php:
>
> <quote>
> $authMechs = array(
>     "UChicago Single Sign-On" => array(
>         "type" => "redirect",
>         "URL" => "/Shibboleth.sso/Login?target=/shibauth&entityID=urn:mace:incommon:uchicago.edu",
>         "affiliationid" => 0,
>         "help" => "Use \"UChicago Single Sign-On\" to log in with your UChicago ID."),
> </quote>
>
> (Again, that's identical to the working instance, but shown here for the
> sake of reference.)
>
> Looking at my SP's shib and apache logs, I don't find anything that
> looks like an error, though I could be missing something.
>
> Any clues for where to look next? I'm stumped.
>
> Thanks,
> -m
>
> --
> Michael Jinks :: [email protected]
> University of Chicago IT Services
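
A way to check the two conditions described in the reply above, as an added example that is not part of the original thread or of VCL's code: it runs both queries against an in-memory SQLite stand-in loaded with constructed rows. The three-column schema, the state names, and deriving the LIKE prefix from the first label of the eppn scope are assumptions made for this example.

```python
import sqlite3

# Assumed minimal schema: only the three columns named in the queries above.
SCHEMA = "CREATE TABLE affiliation (name TEXT, shibname TEXT, shibonly INTEGER)"

def make_db(rows):
    """In-memory SQLite stand-in for the VCL database, loaded with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO affiliation (name, shibname, shibonly) VALUES (?, ?, ?)", rows)
    return db

def diagnose(db, eppn):
    """Classify the affiliation table for one eppn using the two queries."""
    user, sep, scope = eppn.partition("@")
    if not (user and sep and scope):
        return "bad-eppn"
    # Assumption: the name prefix is the first label of the scope.
    prefix = scope.split(".")[0]
    # Escape LIKE wildcards so a scope containing '_' or '%' cannot
    # match an unrelated affiliation name.
    like = (prefix.replace("\\", "\\\\").replace("%", "\\%")
                  .replace("_", "\\_")) + "%"
    by_shibname = db.execute(
        "SELECT name, shibonly FROM affiliation WHERE shibname = ?",
        (scope,)).fetchall()
    by_name = db.execute(
        "SELECT name, shibname FROM affiliation WHERE name LIKE ? ESCAPE '\\' "
        "ORDER BY name DESC LIMIT 1", (like,)).fetchall()
    if by_shibname:
        return "matched"      # first query returns a row: expected state
    if by_name:
        return "stale-row"    # 0 rows, then 1 row: the state described above
    return "no-rows"          # both queries empty: the other expected state

if __name__ == "__main__":
    # Constructed row: the name exists but shibname was never set.
    db = make_db([("UCHICAGO", "", 0)])
    print(diagnose(db, "user@uchicago.edu"))
```

Against the real database, the same two SELECT statements can be run by hand with the scope taken from the eppn shown at /Shibboleth.sso/Session.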
