I'm sorry; we did fix this, it turned out to be a badly recorded path in our Puppet repository. I should have posted a "fixed" note to the list.

On Mon, Sep 24, 2012 at 01:54:39PM +0000, Aaron Coburn wrote:
> Michael,
> I'm not sure if you've figured this out already. Are you possibly not working
> with a clean database?
>
> The only reason you would get the error you describe is if the following
> conditions hold:
>
> (I am assuming that a user's eppn value looks like this: [email protected] --
> if there is a subdomain or non alpha-numeric values in the scoped portion of
> the eppn, then that may be part of the issue)
>
> First, for this error to happen, this query must return 0 rows:
>
> SELECT name, shibonly
> FROM affiliation
> WHERE shibname = 'uchichago.edu'
>
> And this query returns one row:
>
> SELECT name, shibname
> FROM affiliation
> WHERE name LIKE 'uchicago%'
> ORDER BY name DESC
> LIMIT 1
>
> Typically, you would expect either both queries to return 0 rows OR the first
> query to return 1 row.
>
> If I were you, I would either start with a fresh database or manually add the
> correct values to the affiliation table:
>
> INSERT INTO affiliation (name, shibname, shibonly)
> VALUES ('UCHICAGO', 'uchicago.edu', 1)
>
> Best regards,
> Aaron
>
>
> On Sep 14, 2012, at 12:56 PM, Michael Jinks <[email protected]> wrote:
>
> > Hi, list. Me again...
> >
> > I have a dev instance of a VCL management node working great, talks to
> > our Shib IdP, all good. Its name is "vlab-a".
> >
> > Now I'm trying to set up another instance using our deployment
> > automation tools, before going production. The staging instance is
> > named "vlab-b".
> >
> > Except for the EntityID, all of our shib-related configs are the same.
> > shibd is running happily, our campus IdP has the metadata for the SP
> > on both hosts, and our IdM group confirms that vlab-b is talking to the
> > IdP. But, while vlab-a works fine, vlab-b is throwing the error:
> >
> >   You have attempted to log in to VCL using a Shibboleth
> >   Identity Provider that VCL has not been configured to
> >   work with. VCL administrators have been notified of the
> >   problem.
> >
> > If I browse to vlab-b/Shibboleth.sso/Session, I get what looks like good
> > session data.
> >
> > The shib portion of the authMechs array in conf.php:
> >
> > <quote>
> > $authMechs = array(
> >     "UChicago Single Sign-On" => array(
> >         "type" => "redirect",
> >         "URL" => "/Shibboleth.sso/Login?target=/shibauth&entityID=urn:mace:incommon:uchicago.edu",
> >         "affiliationid" => 0,
> >         "help" => "Use \"UChicago Single Sign-On\" to log in with your UChicago ID."),
> > </quote>
> >
> > (Again, that's identical to the working instance, but shown here for the
> > sake of reference.)
> >
> > Looking at my SP's shib and apache logs, I don't find anything that
> > looks like an error, though I could be missing something.
> >
> > Any clues for where to look next? I'm stumped.
> >
> > Thanks,
> > -m
> >
> > --
> > Michael Jinks :: [email protected]
> > University of Chicago IT Services
>

--
Michael Jinks :: [email protected] :: 773-469-9688
University of Chicago IT Services
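
The two affiliation lookups described in Aaron's reply, as an added diagnostic example that is not part of the original thread or of VCL's own code. It runs against an in-memory SQLite stand-in for the `affiliation` table; the helper names, the sample rows and the rule that the name pattern is the first label of the eppn scope are assumptions.

```python
import sqlite3

def make_db(rows):
    """In-memory stand-in for the affiliation table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE affiliation "
                 "(name TEXT, shibname TEXT, shibonly INTEGER)")
    conn.executemany("INSERT INTO affiliation VALUES (?, ?, ?)", rows)
    return conn

def like_prefix(text):
    """Escape LIKE wildcards so the prefix is matched literally."""
    for ch in ("\\", "%", "_"):
        text = text.replace(ch, "\\" + ch)
    return text + "%"

def classify(conn, scope, name_prefix=None):
    """Return (state, row) for the scoped part of an eppn.

    known    - the shibname lookup finds the affiliation
    new      - neither lookup finds anything
    mismatch - the shibname lookup is empty but a row with a matching
               name exists: the combination described in the thread
    """
    if name_prefix is None:
        # Assumption: the name pattern is the first label of the scope.
        name_prefix = scope.split(".", 1)[0]
    by_shibname = conn.execute(
        "SELECT name, shibonly FROM affiliation WHERE shibname = ?",
        (scope,)).fetchone()
    by_name = conn.execute(
        "SELECT name, shibname FROM affiliation "
        "WHERE name LIKE ? ESCAPE '\\' ORDER BY name DESC LIMIT 1",
        (like_prefix(name_prefix),)).fetchone()
    if by_shibname:
        return "known", by_shibname
    if by_name:
        return "mismatch", by_name
    return "new", None

if __name__ == "__main__":
    # Constructed tables: empty, stale shibname, and the corrected row.
    for rows in ([], [("UCHICAGO", "stale.example", 1)],
                 [("UCHICAGO", "uchicago.edu", 1)]):
        print(rows, "->", classify(make_db(rows), "uchicago.edu"))
```

A `mismatch` result points at a leftover row whose `shibname` no longer matches the scope the IdP sends, which is the case the manual `INSERT` or a fresh database is meant to resolve.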
