Delegated Auth with
Eric Dalquist
eric.dalquist at doit.wisc.edu
Thu Nov 3 20:24:49 GMT 2011
No joy with Firefox & modifying the headers (captured using an SSL-capable
proxy):

GET /secure/printenv HTTP/1.1
Host: my-dev.doit.wisc.edu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: application/vnd.paos+xml
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

HTTP/1.1 302 Found
Date: Thu, 03 Nov 2011 20:13:17 GMT
Server: Apache
Set-Cookie: _shibstate_1363d753=https%3A%2F%2Fmy-dev.doit.wisc.edu%2Fsecure%2Fprintenv; path=/; secure
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://logintest.wisc.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZLNbsIwEIRfJfKdOD8tqBaJlMKhSLQgkvbQS%2BU4C7Hk2KnXgfL2DYSW9oLk287O7HzyFHmjWpZ1rtYb%2BOwAnffVKI3sPEhIZzUzHCUyzRtA5gTLs%2Bcli%2FyAtdY4I4wiXoYI1kmjZ0Zj14DNwe6lgNfNMiG1cy0ySpvjqIK9Xxnp%2FINE4UPV0byWZWkUuNpHNPTkHdH1Ki%2BIN%2B%2BPkZqfbK8myuykdv3kaiGrlvanbKWCy%2F4GKmlBOJrnK%2BIt5gn5iMMyGAsu4vFW3POoFJOxiDhMHu6icluWUS9D7GCh0XHtEhIFYTjqXxAXUcDCmIWTd%2BKtL40fpa6k3t3GUw4iZE9FsR4Nnd7A4rlPLyDp9ASZnYPtH%2By3bfkPa5LeJIu%2FZKf0T84Q2rKX3ngxXxslxdHLlDKHmQXuICEhoemw8v9jpN8%3D&RelayState=cookie%3A1363d753
Content-Length: 747
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="https://logintest.wisc.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZLNbsIwEIRfJfKdOD8tqBaJlMKhSLQgkvbQS%2BU4C7Hk2KnXgfL2DYSW9oLk287O7HzyFHmjWpZ1rtYb%2BOwAnffVKI3sPEhIZzUzHCUyzRtA5gTLs%2Bcli%2FyAtdY4I4wiXoYI1kmjZ0Zj14DNwe6lgNfNMiG1cy0ySpvjqIK9Xxnp%2FINE4UPV0byWZWkUuNpHNPTkHdH1Ki%2BIN%2B%2BPkZqfbK8myuykdv3kaiGrlvanbKWCy%2F4GKmlBOJrnK%2BIt5gn5iMMyGAsu4vFW3POoFJOxiDhMHu6icluWUS9D7GCh0XHtEhIFYTjqXxAXUcDCmIWTd%2BKtL40fpa6k3t3GUw4iZE9FsR4Nnd7A4rlPLyDp9ASZnYPtH%2By3bfkPa5LeJIu%2FZKf0T84Q2rKX3ngxXxslxdHLlDKHmQXuICEhoemw8v9jpN8%3D&RelayState=cookie%3A1363d753">here</a>.</p>
</body></html>

You are more than welcome to poke at
https://my-dev.doit.wisc.edu/secure/printenv if you'd like. I've
attached the shib config for the server (note my original email was
about a target server named j2eedev and this is my-dev) just to make
sure we're all on the same page.

We'll look into enabling the native log. Also we're not above manually
adding logging to various places in the SP source (since we compile from
source on Solaris) and recompiling to find out more of what is going on,
we'd just need some pointers on where to add the logging :)

Thanks,
-Eric

On 11/03/2011 01:57 PM, Cantor, Scott wrote:
> On 11/3/11 1:58 PM, "Eric Dalquist"<eric.dalquist at doit.wisc.edu> wrote:
>
>> The code did work and what I'm seeing on the wire shows unescaped values
>> being sent to Apache.
> Ok. I'll have to look closer, but nothing is coming to mind here. Short of
> debugging it or adding a logging statement to capture it, I don't know
> what to say. Can you try a test using Firefox and Modify Headers? See if
> you can get that SP to recognize it if the browser sends those headers. I
> do that for testing.
>
>> Not sure if it helps at all but this is all we see in the shibd logs for
>> the request:
> The native log would be the relevant one, but it probably won't show much.
>
> All I can think of is that the setting is not being honored. For that to
> be true, you'd probably have to be editing the wrong XML file and not
> actually changing the real config, but I'm sure that's easy enough to
> prove wrong.
>
> -- Scott
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shibboleth2.xml
Type: text/xml
Size: 16889 bytes
Desc: not available
Url : http://shibboleth.net/pipermail/users/attachments/20111103/21d84baf/attachment-0001.xml
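
The capture in this message shows a request that advertises ECP through its Accept and PAOS headers and a response that is a browser-style redirect to the IdP. The following is an added example, not part of the original post or of the Shibboleth code base, that classifies such a request/response pair and decodes the SAMLRequest parameter of an HTTP-Redirect binding URL. The classification labels, the idp.example.org host and the sample AuthnRequest are constructed assumptions.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

ECP_URN = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_TYPE = "application/vnd.paos+xml"

# Request headers as they appear in the capture in the post.
REQ = {"Accept": PAOS_TYPE, "PAOS": 'ver="urn:liberty:paos:2003-08";"' + ECP_URN + '"'}
# Constructed AuthnRequest, not the one captured in the post.
SAMPLE_XML = ('<samlp:AuthnRequest ID="_constructed" '
              'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>')

def sample_location():
    """Build a constructed HTTP-Redirect URL (hypothetical IdP host)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    blob = base64.b64encode(co.compress(SAMPLE_XML.encode()) + co.flush())
    query = urlencode({"SAMLRequest": blob.decode(), "RelayState": "cookie:constructed"})
    return "https://idp.example.org/idp/profile/SAML2/Redirect/SSO?" + query

def advertises_ecp(req_headers):
    """True if the request carries both ECP signals (Accept and PAOS)."""
    h = {k.lower(): v for k, v in req_headers.items()}
    return PAOS_TYPE in h.get("accept", "") and ECP_URN in h.get("paos", "")

def decode_redirect_request(location):
    """Recover the AuthnRequest XML from an HTTP-Redirect binding URL."""
    qs = parse_qs(urlsplit(location).query)  # parse_qs undoes the %XX escaping
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")

def classify(req_headers, status, resp_headers):
    """Name the SSO path the SP chose for one request/response pair."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    if status == 200 and h.get("content-type", "").startswith(PAOS_TYPE):
        return "ecp"  # SP answered with a PAOS envelope
    if status == 302 and "SAMLRequest=" in h.get("location", ""):
        return "ecp-ignored" if advertises_ecp(req_headers) else "browser-sso"
    return "other"

if __name__ == "__main__":
    loc = sample_location()
    print(classify(REQ, 302, {"Location": loc}))
    print(decode_redirect_request(loc))
```

Passing the Location value from a real capture to decode_redirect_request shows the AuthnRequest the SP actually issued.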