HTTP User-Agent IP address in audit and access log

# replace CLIENT_IP_ADDRESS (a placeholder) with the address to look up
fgrep CLIENT_IP_ADDRESS /opt/shibboleth-idp/logs/idp-audit.log /var/log/tomcat9/access.log

What attributes (and NameIDs) will the IDP send for userid X to service X?

The aacli is a very useful tool for testing what data the running IDP would send for a given subject (replace SOME_USERID below with the login name the subject would enter during authentication) to a given SP. Not only does that help verify your attribute resolver and attribute filter configuration when you're making changes to either (or both), it can also be useful in debugging access problems someone experiences at a given SP, as you can easily compare what data would go out for different subjects (e.g. in cases where access works vs. where it fails) without needing their cooperation.
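The comparison between a subject for whom access works and one for whom it fails can be scripted. The following is an added example, not part of the original page or of the Shibboleth distribution. It assumes aacli.sh lives under the /opt/shibboleth-idp prefix, that aacli prints its default JSON with each attribute's "name" on its own line, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare which attributes the IdP would release to one SP
# for two subjects. The AACLI path is an assumption based on the
# /opt/shibboleth-idp install prefix; override it if yours differs.
AACLI="${AACLI:-/opt/shibboleth-idp/bin/aacli.sh}"

# released_attrs USERID SP_ENTITYID
# Prints one sorted attribute name per line, taken from aacli's JSON output
# (assumed layout: each attribute has a line of the form  "name": "...",).
released_attrs() {
    out=$("$AACLI" -n "$1" -r "$2") || return 2
    printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        sort -u
}

# compare_release WORKING_USERID FAILING_USERID SP_ENTITYID
# Prints "< name" for attributes released only for the working subject and
# "> name" for attributes released only for the failing subject.
# Returns 0 if both get the same attribute names, 1 if they differ,
# 2 if aacli itself failed.
compare_release() {
    tmp=$(mktemp -d) || return 2
    released_attrs "$1" "$3" > "$tmp/working" &&
        released_attrs "$2" "$3" > "$tmp/failing" || { rm -rf "$tmp"; return 2; }
    only=$( { comm -23 "$tmp/working" "$tmp/failing" | sed 's/^/< /'
              comm -13 "$tmp/working" "$tmp/failing" | sed 's/^/> /'; } )
    rm -rf "$tmp"
    if [ -n "$only" ]; then
        printf '%s\n' "$only"
        return 1
    fi
    return 0
}
```

Call it as `compare_release WORKING_USERID FAILING_USERID SP_ENTITYID`. It compares attribute names only, so a difference in values (for example entitlement values) still needs a look at the full aacli output for each subject.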