Thursday, October 16, 2008
Shibboleth, curl and NSS
One thing which needs tweaking: Shibboleth-sp uses curl to request attributes from the identity provider if they've not been pushed in the original communication.
The new servers are using a later version of Fedora, in which curl has been built to use the NSS libraries for SSL support. This breaks the attribute request mechanism, and in the shibd logs you can find errors like this:
Shibboleth.AttributeResolver.Query [5]: exception during SAML query to
https://typekey.sdss.ac.uk:8443/typekey/AA: CURLSOAPTransport failed
while contacting SOAP responder: Unknown cipher in
list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
A solution is to rebuild curl from the source RPM with different configuration options, as described in this very helpful post.
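To confirm this diagnosis on a host before rebuilding, the following added example (not from the original post or from the Shibboleth or curl projects) checks which TLS backend curl reports and pulls the rejected cipher list out of the shibd log. The cipher string in the error is OpenSSL syntax, which the NSS-linked curl does not accept. The function names are hypothetical and the sample `curl --version` line is constructed.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical helpers.

# Constructed sample: first line of `curl --version` from an NSS-linked build.
SAMPLE_VERSION_NSS='curl 7.18.2 (i386-redhat-linux-gnu) libcurl/7.18.2 NSS/3.12.0.3 zlib/1.2.3'
# The shibd error quoted in the post, wrapped the same way it appears there.
SAMPLE_LOG='Shibboleth.AttributeResolver.Query [5]: exception during SAML query to
https://typekey.sdss.ac.uk:8443/typekey/AA: CURLSOAPTransport failed
while contacting SOAP responder: Unknown cipher in
list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2'

# Read `curl --version` output on stdin; print the TLS backend it names.
curl_tls_backend() {
    first_line=$(head -n 1)
    case "$first_line" in
        *NSS/*)     echo nss ;;
        *OpenSSL/*) echo openssl ;;
        *GnuTLS/*)  echo gnutls ;;
        *)          echo unknown ;;
    esac
}

# Read shibd log text on stdin; print each distinct cipher list that curl
# rejected. Line breaks are folded first so wrapped messages still match.
rejected_cipher_lists() {
    tr -s '\n' ' ' |
        grep -o 'CURLSOAPTransport failed while contacting SOAP responder: Unknown cipher in list: [^ ]*' |
        sed 's/.*Unknown cipher in list: //' |
        sort -u
}

# diagnose VERSION_TEXT LOG_TEXT
# Returns 0 only when curl is NSS-linked and the log shows the cipher error.
diagnose() {
    backend=$(printf '%s\n' "$1" | curl_tls_backend)
    ciphers=$(printf '%s\n' "$2" | rejected_cipher_lists)
    if [ "$backend" = nss ] && [ -n "$ciphers" ]; then
        echo "curl is NSS-linked and rejected the cipher list: $ciphers"
        return 0
    fi
    echo "no NSS cipher-list mismatch found (backend: $backend)"
    return 1
}

# On a real host (log path is a placeholder):
#   diagnose "$(curl --version)" "$(cat /path/to/shibd.log)"
```

After rebuilding curl, `curl_tls_backend` should no longer report `nss`, and new attribute queries should stop adding matches to the log.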
Labels: fedora, shibboleth