Attributes TransientID and uid not released

Gilles Badouet badouetg at uni.coventry.ac.uk
Tue Jul 30 14:59:33 EDT 2013


Nate,

  
I have re-verified all that you asked me at the IdP side and all was ok.


After re-verifying and copying an extract of the shibd log, I just noticed a "/" missing at the end of the uid attribute name element :) :). If I could just have an XML editor to easily detect such types of mistakes. This is the third time I am spending about an entire day because of a "/", a "," or a ">" missing. Thanks a lot for your assistance, Nate.
 

Kind regards

Gilles Rubens Badouet

Student ID: 3940347

Faculty of Engineering and Computing

MSc Network Computing Course

Mobile: 07424486426
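The missing "/" described above is a plain well-formedness error, and any XML parser reports it with a line and column before shibd or the IdP ever tries to load the file. The script below is an added example and is not part of this thread; the attribute-map fragment in it is constructed to reproduce the mistake (a self-closing `<Attribute>` element written without its "/"), and the OIDs and ids in it are illustrative, not Gilles's actual file.

```python
"""Report XML well-formedness errors, with line and column, in Shibboleth
configuration files before deploying them (added example, not from the thread)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an SP attribute-map.xml. The uid element
# on line 2 was meant to be self-closing but lost its "/", so the parser treats
# it as an open tag and fails when </Attributes> arrives on line 5.
BROKEN_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid">
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
</Attributes>
"""

# The same fragment with the "/" restored.
FIXED_MAP = BROKEN_MAP.replace('id="uid">', 'id="uid"/>')


def check_well_formed(xml_text):
    """Return (True, None) when xml_text parses, else (False, "line L, column C: reason").

    ET.ParseError carries the expat error position as (line, column), which is
    what you need to find a dropped "/" or ">" in a long file.
    """
    try:
        ET.fromstring(xml_text)
        return True, None
    except ET.ParseError as err:
        line, col = err.position
        # str(err) already ends with ": line L, column C"; keep only the reason.
        reason = str(err).split(": line ")[0]
        return False, f"line {line}, column {col}: {reason}"


def check_files(paths):
    """Check each file on disk; return a dict of path -> error message (None when OK)."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            ok, msg = check_well_formed(fh.read())
        results[path] = None if ok else msg
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_xml.py /etc/shibboleth/attribute-map.xml ...
        for path, msg in check_files(sys.argv[1:]).items():
            print(f"{path}: {'OK' if msg is None else msg}")
    else:
        # No files given: demonstrate on the constructed samples.
        for name, doc in (("broken", BROKEN_MAP), ("fixed", FIXED_MAP)):
            ok, msg = check_well_formed(doc)
            print(f"{name}: {'OK' if ok else msg}")
```

Running the checker over every XML file in the configuration directory as part of a deployment step turns a day of log reading into a one-line error with a position; note that well-formedness says nothing about whether the mapping is correct, only that the file parses.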

________________________________________
From: users-bounces at shibboleth.net <users-bounces at shibboleth.net> on behalf of users-request at shibboleth.net <users-request at shibboleth.net>
Sent: 30 July 2013 19:15
To: users at shibboleth.net
Subject: users Digest, Vol 25, Issue 136


Today's Topics:

   1. Re: users Digest, Vol 25, Issue 134 (Nate Klingenstein)
   2. Re: users Digest, Vol 25, Issue 134 (Nate Klingenstein)
   3. Re: login.config to use private-CA-issued certificate
      (David Bantz)


----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Jul 2013 18:08:22 +0000
From: Nate Klingenstein <ndk at internet2.edu>
Subject: Re: users Digest, Vol 25, Issue 134
To: Shib Users <users at shibboleth.net>
Message-ID: <A975B894-DA1F-46EE-B3FD-BE6974B80666 at internet2.edu>
Content-Type: text/plain; charset="us-ascii"

Gilles,

> 16:24:52.727 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal yoyo.  The following attributes remain: [uid, surname, givenName, commonName, transientId, email, telephoneNumber, mobileNumber]

So, it looks like uid is present and the IdP is releasing it.  The next thing to check is whether the SP is receiving it and dropping it because there is no mapping or there is some policy check being failed.  The SP logs will give you the information here; as far as the IdP is concerned, assuming you're using the default encoders, all is well.


------------------------------

Message: 2
Date: Tue, 30 Jul 2013 18:12:57 +0000
From: Nate Klingenstein <ndk at internet2.edu>
Subject: Re: users Digest, Vol 25, Issue 134
To: Shib Users <users at shibboleth.net>
Message-ID: <89B1A2C0-0088-45C0-8541-D4B8903B56D4 at internet2.edu>
Content-Type: text/plain; charset="us-ascii"

I should add, double-check to make sure you have:

11:57:48.650 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute uid with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder

in the IdP logs, and look for the uid in the assertion that follows just to be sure.

      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">superego</saml2:AttributeValue>
      </saml2:Attribute>

On Jul 30, 2013, at 18:08, Nate Klingenstein wrote:

> Gilles,
>
>> 16:24:52.727 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal yoyo.  The following attributes remain: [uid, surname, givenName, commonName, transientId, email, telephoneNumber, mobileNumber]
>
> So, it looks like uid is present and the IdP is releasing it.  The next thing to check is whether the SP is receiving it and dropping it because there is no mapping or there is some policy check being failed.  The SP logs will give you the information here; as far as the IdP is concerned, assuming you're using the default encoders, all is well.
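Nate's two checks, the filter-engine line and the encoded attribute in the assertion, can be cross-checked mechanically. The script below is an added example and not code from the thread or from Shibboleth: it parses the "attributes remain" DEBUG line quoted above and a SAML2 assertion, lists what the assertion actually carries, and reports which released attribute IDs never made it into an `<saml2:Attribute>`. The assertion is constructed for the example, and the script assumes that an attribute's FriendlyName equals its resolver ID, as with the uid encoder shown above.

```python
"""Cross-check the IdP filter-engine log against the attributes actually carried
in the SAML2 assertion (added example, not from the thread)."""
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UID_NAME = "urn:oid:0.9.2342.19200300.100.1.1"

# The filter-engine line quoted in the thread, used here as sample input.
FILTER_LOG_LINE = (
    "16:24:52.727 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute."
    "filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes "
    "for principal yoyo.  The following attributes remain: [uid, surname, givenName, "
    "commonName, transientId, email, telephoneNumber, mobileNumber]"
)

# Constructed sample assertion: only uid and email reached the AttributeStatement.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_constructed-example" Version="2.0" IssueInstant="2013-07-30T18:12:57Z">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xsi:type="xs:string">superego</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="email" Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xsi:type="xs:string">superego@example.org</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

REMAIN_RE = re.compile(r"The following attributes remain: \[([^\]]*)\]")


def released_ids(log_line):
    """Attribute IDs the filter engine let through, parsed from the DEBUG line."""
    m = REMAIN_RE.search(log_line)
    if not m:
        return []
    return [item.strip() for item in m.group(1).split(",") if item.strip()]


def assertion_attributes(xml_text):
    """Map each saml2:Attribute Name to (FriendlyName, [string values])."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        found[attr.get("Name")] = (attr.get("FriendlyName"), values)
    return found


def has_attribute(xml_text, name):
    """True when an Attribute with this Name is present and carries a non-empty value."""
    entry = assertion_attributes(xml_text).get(name)
    return bool(entry and any(entry[1]))


def released_but_not_encoded(log_line, xml_text):
    """IDs the filter released that do not appear as a FriendlyName in the assertion.

    Assumption: FriendlyName equals the resolver attribute ID, as with the uid
    encoder in the thread. IDs encoded into the NameID rather than an Attribute
    (transientId here) will legitimately show up in this list.
    """
    friendly = {fn for fn, _ in assertion_attributes(xml_text).values()}
    return [aid for aid in released_ids(log_line) if aid not in friendly]


if __name__ == "__main__":
    print("released by filter:", released_ids(FILTER_LOG_LINE))
    print("in assertion:", assertion_attributes(SAMPLE_ASSERTION))
    print("uid encoded:", has_attribute(SAMPLE_ASSERTION, UID_NAME))
    print("released but not in assertion:",
          released_but_not_encoded(FILTER_LOG_LINE, SAMPLE_ASSERTION))
```

If uid shows up in the "released" list, is reported as encoded in the IdP log, and `has_attribute` is true for its OID in the assertion, the IdP side is done and the remaining suspects are the SP's attribute-map (no mapping for that Name) or its attribute policy.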




------------------------------

Message: 3
Date: Tue, 30 Jul 2013 10:14:30 -0800
From: David Bantz <dabantz at alaska.edu>
Subject: Re: login.config to use private-CA-issued certificate
To: Shib Users <users at shibboleth.net>
Message-ID: <64314C9B-AE76-4C73-BFC0-11C1E0624DFB at Alaska.edu>
Content-Type: text/plain; charset="windows-1252"

Bingo!

For the record, using TLS on port 3268 rather than SSL on port 3269 successfully established encrypted communication with the AD server using the imported private-CA-issued certificate (config fragment & log output below).

If this seems worth documenting in the wiki as a sample config, which page would you recommend I add it to?

Thank you!

David Bantz


On Tue, 30 Jul 2013, at 08:41, Daniel Fisher <dfisher at vt.edu> wrote:
> ...
> Try using port 3268 with ssl="false" and tls="true". Using a custom SSL socket factory with LDAPS is going to require a more complicated configuration than what you have here.




login.config fragment:

// UA AD Auth
   edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
      ldapUrl="ldap://fbk-adua02.ua.ad.alaska.edu:3268"
      baseDn="dc=ua,dc=ad,dc=alaska,dc=edu"
      bindDn="cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu"
      bindCredential="??????????"
      subtreeSearch="true"
// Directly reference imported server certificate for TLS on 3268
      sslSocketFactory="{trustCertificates=file:/opt/shibboleth-idp/trustedservercerts/Fbk-Adua02.ua.ad.alaska.edu.pem}"
      ssl="false"
      tls="true"
      userField="sAMAccountName,uaIdentifier";

debug-level idp-process.log fragment during authN:

09:37:23.859 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:170] - Attempting to authenticate user dabantz
09:37:23.877 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180] - useFirstPass = false
09:37:23.877 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181] - tryFirstPass = false
09:37:23.878 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182] - storePass = false
09:37:23.878 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183] - clearPass = false
09:37:23.879 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184] - setLdapPrincipal = true
09:37:23.879 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185] - setLdapDnPrincipal = false
09:37:23.879 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186] - setLdapCredential = true
09:37:23.880 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187] - defaultRole = []
09:37:23.880 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188] - principalGroupName = null
09:37:23.881 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189] - roleGroupName = null
09:37:23.881 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []
09:37:24.063 - DEBUG [edu.vt.middleware.ldap.ssl.X509CertificatesCredentialReader:76] - Successfully loaded file:/opt/shibboleth-idp/trustedservercerts/Fbk-Adua02.ua.ad.alaska.edu.pem
09:37:24.072 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig at 1037797730::env={java.naming.provider.url=ldap://fbk-adua02.ua.ad.alaska.edu:3268, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
09:37:24.075 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:108] - Looking up DN using userField
09:37:24.076 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
09:37:24.076 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] -   dn = dc=ua,dc=ad,dc=alaska,dc=edu
09:37:24.077 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] -   filter = (|(sAMAccountName={0})(uaIdentifier={0}))
09:37:24.077 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] -   filterArgs = [dabantz]
09:37:24.077 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] -   searchControls = javax.naming.directory.SearchControls at 6db0d235
09:37:24.078 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler at 73b8cdd5]
09:37:24.078 - DEBUG [edu.vt.middleware.ldap.handler.TlsConnectionHandler:130] - Bind with the following parameters:
09:37:24.079 - DEBUG [edu.vt.middleware.ldap.handler.TlsConnectionHandler:131] -   authtype = simple
09:37:24.079 - DEBUG [edu.vt.middleware.ldap.handler.TlsConnectionHandler:132] -   dn = cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu
09:37:24.080 - DEBUG [edu.vt.middleware.ldap.handler.TlsConnectionHandler:139] -   credential = <suppressed>
09:37:24.406 - DEBUG [edu.vt.middleware.ldap.handler.TlsConnectionHandler:130] - Bind with the following parameters:
09:37:24.407 - DEBUG [edu.vt.middleware.ldap.handler.TlsConnectionHandler:131] -   authtype = simple
09:37:24.408 - DEBUG [edu.vt.middleware.ldap.handler.TlsConnectionHandler:132] -   dn = CN=dabantz,OU=userAccounts,dc=ua,dc=ad,dc=alaska,dc=edu
09:37:24.408 - DEBUG [edu.vt.middleware.ldap.handler.TlsConnectionHandler:139] -   credential = <suppressed>
09:37:24.656 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:176] - Authentication succeeded for dn: CN=dabantz,OU=userAccounts,dc=ua,dc=ad,dc=alaska,dc=edu
09:37:24.674 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:108] - Looking up DN using userField
09:37:24.675 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
09:37:24.675 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] -   dn = dc=ua,dc=ad,dc=alaska,dc=edu
09:37:24.676 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] -   filter = (|(sAMAccountName={0})(uaIdentifier={0}))
09:37:24.676 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] -   filterArgs = [dabantz]
09:37:24.677 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] -   searchControls = javax.naming.directory.SearchControls at 52ed3bff
09:37:24.677 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler at 73b8cdd5]
09:37:24.711 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:223] - Committed the following principals: [dabantz[]]
09:37:24.712 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:229] - Committed the following roles: []
09:37:24.712 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:178] - Successfully authenticated user dabantz
09:37:24.715 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:144] - Returning control to authentication engine
09:37:24.716 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request
09:37:24.716 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:514] - Completing user authentication process
09:37:24.717 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:585] - Validating authentication was performed successfully
09:37:24.717 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:696] - Updating session information for principal dabantz
09:37:24.718 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:700] - Creating shibboleth session for principal dabantz
09:37:24.734 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:806] - Adding IdP session cookie to HTTP response
09:37:24.735 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:715] - Recording authentication and service information in Shibboleth session for principal: dabantz
09:37:24.738 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:560] - User dabantz authenticated with method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
09:37:24.739 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:161] - Returning control to profile handler
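The fix in this message comes down to matching the transport flags to the port: 3268 (like 389) is plain LDAP upgraded with StartTLS, while 3269 (like 636) expects a TLS handshake from the first byte. The script below is an added example, not code from the thread or from the vt-ldap project. It parses an `LdapLoginModule` block in the layout shown above (the hostnames, DNs and credential in it are constructed placeholders) and flags the flag/port combinations that cannot work or that leave the bind unencrypted. It encodes only the general LDAPS-versus-StartTLS port convention, not vt-ldap's own option handling.

```python
"""Sanity-check an LdapLoginModule block from login.config for mismatched
transport settings before trying it against the directory (added example,
not from the thread; the option names are those used in the thread's config)."""
import re
from urllib.parse import urlsplit

OPTION_RE = re.compile(r'(\w+)="([^"]*)"')

# Ports where the directory expects a TLS handshake from the first byte (LDAPS)...
LDAPS_PORTS = {636, 3269}
# ...and ports that start in the clear and are upgraded with the StartTLS operation.
STARTTLS_PORTS = {389, 3268}

# Constructed sample in the layout used in the thread; host, DNs and credential are placeholders.
WORKING_CONFIG = """// UA AD Auth
   edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
      ldapUrl="ldap://dc.example.org:3268"
      baseDn="dc=example,dc=org"
      bindDn="cn=svc-shib,ou=service,dc=example,dc=org"
      bindCredential="??????????"
      subtreeSearch="true"
// Directly reference imported server certificate for TLS on 3268
      sslSocketFactory="{trustCertificates=file:/opt/shibboleth-idp/trustedservercerts/dc.example.org.pem}"
      ssl="false"
      tls="true"
      userField="sAMAccountName";
"""

# Constructed variant: StartTLS requested against the LDAPS port.
MISMATCHED_CONFIG = WORKING_CONFIG.replace(":3268", ":3269")

# Constructed variant: neither ssl nor tls, so the bind password crosses the wire in clear text.
PLAINTEXT_CONFIG = WORKING_CONFIG.replace('tls="true"', 'tls="false"')


def parse_login_config(text):
    """Collect key="value" options from the block, ignoring // comment lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        for key, value in OPTION_RE.findall(line):
            opts[key] = value
    return opts


def _is_true(opts, key):
    return opts.get(key, "false").strip().lower() == "true"


def lint(opts):
    """Return a list of (code, message) findings; an empty list means nothing to flag."""
    findings = []
    url = urlsplit(opts.get("ldapUrl", ""))
    ssl, tls = _is_true(opts, "ssl"), _is_true(opts, "tls")
    port = url.port or (636 if url.scheme == "ldaps" else 389)
    ldaps_port = url.scheme == "ldaps" or port in LDAPS_PORTS

    if ssl and tls:
        findings.append(("ssl-and-tls",
                         "ssl and tls are both true; pick LDAPS or StartTLS, not both"))
    if tls and ldaps_port:
        findings.append(("starttls-on-ldaps-port",
                         f"tls=true against port {port}, which expects LDAPS; use 389/3268 for StartTLS"))
    if ssl and not ldaps_port and port in STARTTLS_PORTS:
        findings.append(("ldaps-on-plain-port",
                         f"ssl=true against port {port}, which speaks plain LDAP; use 636/3269 for LDAPS"))
    if not ssl and not tls:
        findings.append(("plaintext-bind",
                         "neither ssl nor tls is true: the bindDn credential and user passwords are sent unencrypted"))
    if "trustCertificates" in opts.get("sslSocketFactory", "") and not (ssl or tls):
        findings.append(("unused-truststore",
                         "sslSocketFactory trustCertificates is set but no TLS is enabled, so it is never used"))
    cred = opts.get("bindCredential", "")
    if not cred or set(cred) <= {"?", "*"}:
        findings.append(("placeholder-credential", "bindCredential is empty or a placeholder"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG),
                      ("mismatched", MISMATCHED_CONFIG),
                      ("plaintext", PLAINTEXT_CONFIG)):
        print(name, lint(parse_login_config(cfg)) or "OK")
```

The working configuration above passes every transport check (only the redacted credential is flagged); moving the same settings to port 3269 would be caught as StartTLS against an LDAPS port, and dropping tls="true" would be caught as a clear-text bind, which is the failure mode worth preventing here since the service account's password would travel unencrypted.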


------------------------------
