
Task 1: Missing or Incorrect Metadata

Create the problem:

Configure your IdP so that it does not have the SP's metadata (or has incorrect metadata).

Steps:

Change the URL on your metadata provider to be incorrect or create a filesystem-based MetadataProvider that does not contain the classroom test SP's metadata.

Observations:

The IdP will complain about not having metadata when it receives the AuthenticationRequest from the SP (before login) and will log an ERROR in your idp-process.log file.

Task 2: Not all expected attributes were released, but they were populated in LDAP

Create the problem:

Configure your IdP to release an undefined attribute.
-OR-
Configure your IdP to not be able to communicate with the LDAP server.

Steps:

Change the ID of one or more attribute definitions in attribute-resolver.xml or attribute-filter.xml (change only one of the two files, so that the IDs no longer match).
-OR-
Introduce an error in the credentials for the LDAP DataConnector in attribute-resolver.xml (add extra characters to the 'principalCredential').

Observations:

Everything will appear to be normal: login will succeed, but either no attributes or only an incomplete set of attributes will be released.
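Both Task 1 and the first variant of Task 2 are configuration mismatches that can be caught before anyone logs in. The following is an added example (not code from this wiki page or from the Shibboleth project) of two pre-deployment checks: whether the classroom SP's entityID is present in the metadata the IdP loads, and whether the attributeIDs in attribute-filter.xml line up with the AttributeDefinition ids in attribute-resolver.xml. The three XML documents, the SP entityID and the attribute names are constructed samples; the namespace URIs are those of the IdP v2 resolver/afp schemas and SAML 2.0 metadata.

```python
"""Pre-deployment consistency checks for a Shibboleth IdP (v2-style) configuration.

Added example; not code from the Internet2 wiki page or the Shibboleth project.
It covers the two silent misconfigurations from Tasks 1 and 2:
  1. Is the classroom SP's entityID present in the metadata the IdP loads?
  2. Does every attributeID in attribute-filter.xml match an AttributeDefinition
     id in attribute-resolver.xml, and vice versa?
The namespace URIs are those of the IdP v2 resolver/afp schemas and SAML 2.0
metadata; the three XML documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "afp": "urn:mace:shibboleth:2.0:afp",
}

SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # constructed classroom SP

# Constructed sample: an aggregate containing only the classroom SP.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed sample: the resolver defines two attributes from an LDAP connector.
SAMPLE_RESOLVER = """<?xml version="1.0"?>
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonPrincipalName"
      sourceAttributeID="eduPersonPrincipalName">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""

# Constructed sample: the filter permits "eduPersonPrincipalNam" (typo) and "mail".
# This is exactly the Task 2 mistake: login succeeds, but only "mail" is released.
SAMPLE_FILTER = """<?xml version="1.0"?>
<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="ShibbolethFilterPolicy">
  <afp:AttributeFilterPolicy id="releaseToClassroomSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalNam">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def entity_ids(metadata_xml):
    """All entityIDs in a metadata document (a lone EntityDescriptor or an aggregate)."""
    root = ET.fromstring(metadata_xml)
    # iter() visits the root element itself, so a bare EntityDescriptor is handled too.
    return {ed.get("entityID") for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor")}


def metadata_has_sp(metadata_xml, sp_entity_id):
    """Task 1 check: without the SP's metadata the IdP cannot answer its AuthnRequest."""
    return sp_entity_id in entity_ids(metadata_xml)


def resolver_ids(resolver_xml):
    """ids of every AttributeDefinition in attribute-resolver.xml."""
    root = ET.fromstring(resolver_xml)
    return {ad.get("id") for ad in root.findall("resolver:AttributeDefinition", NS)}


def filter_ids(filter_xml):
    """attributeIDs referenced by any AttributeRule in attribute-filter.xml."""
    root = ET.fromstring(filter_xml)
    return {ar.get("attributeID") for ar in root.iter(f"{{{NS['afp']}}}AttributeRule")}


def attribute_id_mismatch(resolver_xml, filter_xml):
    """Task 2 check.  A permitted-but-undefined id is never released; a
    defined-but-never-permitted id is always filtered out.  Login still works
    in both cases, so neither shows up as a failed request."""
    defined, permitted = resolver_ids(resolver_xml), filter_ids(filter_xml)
    return {
        "permitted_but_undefined": permitted - defined,
        "defined_but_never_permitted": defined - permitted,
    }


if __name__ == "__main__":
    print("classroom SP in metadata:", metadata_has_sp(SAMPLE_METADATA, SP_ENTITY_ID))
    print("unknown SP in metadata:  ", metadata_has_sp(SAMPLE_METADATA, "https://other.example.org/sp"))
    print("attribute id mismatch:   ", attribute_id_mismatch(SAMPLE_RESOLVER, SAMPLE_FILTER))
```

On a real IdP, read the files referenced by your MetadataProvider and the resolver and filter files from the IdP's conf directory instead of the inline samples; the checks themselves do not change. The second variant of Task 2 (bad LDAP credentials) is not a static mismatch and is not caught by this script.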

Task 3: Login configuration errors

Create the problem:

Introduce a configuration error in the authentication configuration for your IdP.

Steps:

Make a typo in the login.config file (add extra characters to the bindCredential or change the LDAP URL).

Observations:

Login will fail and you will see an 'authentication failed' message on the login page. An ERROR will be written to idp-process.log.
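The three observations differ in how visible they are: Tasks 1 and 3 write an ERROR to idp-process.log, while Task 2 leaves login working and only shows up as a successful SSO that released too few attributes. The following is an added example (not code from this wiki page or from the Shibboleth project) of triaging both kinds of symptom from log excerpts. Every log line is constructed; the assumed layouts, which you should verify against your own logback configuration, are a process-log line of the form `<date> <time> - <LEVEL> [<logger>] - <message>` and a pipe-delimited audit record with the relying party in field 4, the principal in field 9 and the comma-separated released attribute ids in field 11 (the IdP v2 idp-audit.log layout). The logger names, SP entityID and expected attribute set are also constructed.

```python
"""Triage the classroom failure modes from IdP logs.

Added example; not from the Internet2 page or the Shibboleth project.  Tasks 1
and 3 are loud (an ERROR in idp-process.log); Task 2 is silent (login succeeds,
so the only trace is an SSO audit record that released fewer attributes than
the SP expects).  All log lines below are constructed.  Assumed layouts, to be
checked against your own logback configuration: process-log lines are
"<date> <time> - <LEVEL> [<logger>] - <message>", and audit records are
pipe-delimited with the relying party in field 4, the principal in field 9 and
the released attribute ids, comma-separated, in field 11 (IdP v2 audit layout).
"""
import re

PROCESS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) - (?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)

# Constructed idp-process.log excerpt: one Task 1 failure, one Task 3 failure.
SAMPLE_PROCESS_LOG = """\
2019-04-15 10:01:02,100 - INFO [idp.profile.sso] - Received AuthnRequest from https://sp.example.org/shibboleth
2019-04-15 10:01:02,150 - ERROR [idp.profile.sso] - No metadata available for relying party https://sp.example.org/shibboleth
2019-04-15 10:05:40,001 - ERROR [idp.authn.password] - Authentication failed for user jsmith: LDAP bind failed
2019-04-15 10:06:01,000 - INFO [idp.attribute.resolver] - Resolved attributes for principal jsmith
"""

# Constructed idp-audit.log excerpt: three successful SSO logins to the same SP
# (full release, empty release, partial release).
SAMPLE_AUDIT_LOG = """\
20190415T100602Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_p1|jsmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,|_n1|_a1,|
20190415T100700Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_p2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_n2|_a2,|
20190415T100800Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r3|https://sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_p3|mlee|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,|_n3|_a3,|
"""

SP_ENTITY_ID = "https://sp.example.org/shibboleth"      # constructed classroom SP
EXPECTED_FOR_SP = {"eduPersonPrincipalName", "mail"}   # constructed SP requirement


def error_lines(process_log):
    """Loud failures (Tasks 1 and 3): every ERROR line as (logger, message)."""
    found = []
    for line in process_log.splitlines():
        m = PROCESS_LINE.match(line)
        if m and m.group("level") == "ERROR":
            found.append((m.group("logger"), m.group("msg")))
    return found


def silent_attribute_failures(audit_log, relying_party, expected):
    """Silent failure (Task 2): successful logins to relying_party whose released
    attribute set lacks something the SP expects.  Returns
    [(principal, missing_ids), ...] in log order."""
    problems = []
    for line in audit_log.splitlines():
        fields = line.split("|")
        if len(fields) < 11 or fields[3] != relying_party:
            continue
        released = {a for a in fields[10].split(",") if a}
        missing = expected - released
        if missing:
            problems.append((fields[8], missing))
    return problems


if __name__ == "__main__":
    for logger, msg in error_lines(SAMPLE_PROCESS_LOG):
        print("ERROR", logger, msg)
    for principal, missing in silent_attribute_failures(SAMPLE_AUDIT_LOG, SP_ENTITY_ID, EXPECTED_FOR_SP):
        print("silent release failure:", principal, "missing", sorted(missing))
```

The point of the second function is that the Task 2 symptom never reaches the error log, so an alert keyed on ERROR lines alone misses it; comparing what the audit log says was released against what the SP is known to need is the check that catches it.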
