Frequently Asked Questions

How do I get more verbose output in the Shibboleth logs?: Try changing the values of attributes /IdPConfig/Logging/ErrorLog/@level and /IdPConfig/Logging/TransactionLog/@level to "DEBUG" in the IdP config file.

Why are the GridShib for Shibboleth classes not being deployed to Tomcat?: If you have followed the gridshib-idp installation notes but still see an error message in IDP_HOME/logs/shib-error.log that states "Name Mapping refers to an implementation class that cannot be loaded [...] ClassNotFoundException [...] GridShibNameIdentifierMapping", then it's possible your Tomcat configuration in server.xml has the /Engine/Host/@unpackWARs attribute set to "true" . If that is the case, Tomcat is not expanding the new WAR file that you've just installed, it's using the old expanded WAR directory instead. The solution is to stop Tomcat, remove the "webapps/shibboleth-idp" directory entirely, and then restart Tomcat, which will then expand the new WAR into the "webapps/shibboleth-idp" directory. Note that this will affect non-GridShib Shibboleth upgrades since it is a Tomcat issue.

Why doesn't the GridShib CA work with my home IdP?: Most likely your home IdP does not release attribute eduPersonPrincipalName by default (and hence, REMOTE_USER is blank). Talk to your IdP administrator or use OpenIdP or ProtectNetwork.