help with push attributes and potential curl ssl problem

Ben Marsh blmarsh at gmail.com
Mon May 12 12:01:07 EDT 2014


Hi

I am trying to get Shibboleth to talk to a vendor's IdP.  I am having
troubles.  Admittedly I am inexperienced, but somehow I got Shibboleth
to work with three different IdPs.

The problem is that I am not getting any of the user information back from
the IdP.  After turning up the logging I found this:

2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: About to connect() to
aaa.bbb.cc port 443 (#0)

2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]:   Trying
xxx.xxx.xxx.xxx...
2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: connected

2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: Connected to aaa.bbb.ccc
(xxx.xxx.xxx.xxx) port 443 (#0)

2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: Initializing NSS with
certpath: sql:/etc/pki/nssdb

2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: Unknown cipher in list:
ALL:!aNULL:!LOW:!EXPORT:!SSLv2

2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: NSS error -5978

2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: Closing connection #0

I am using CentOS 6.3 and I think that libcurl has SSL support compiled in,
so I don't think that recompiling anything will help. (But I could be
wrong.)  Am I wrong?

Is this significant?:
curl-config  --features
SSL
IPv6
libz
IDN
NTLM

curl-config  --protocols
HTTP
HTTPS
FTP
FTPS
FILE
TELNET
LDAP
LDAPS
DICT
TFTP
SCP
SFTP

Anyway, I was told by the IdP vendor that I might have a way to avoid this
altogether by getting the user attributes the IdP sends me rather than
asking for them separately.  This is what I need help with.  This is what
is happening now:

2014-05-07 11:25:14 DEBUG Shibboleth.SSO.SAML2 [4]: extracting pushed
attributes...
2014-05-07 11:25:14 DEBUG Shibboleth.AttributeExtractor.XML [4]: unable to
extract attributes, unknown XML object type: saml2p:Response
2014-05-07 11:25:14 DEBUG Shibboleth.AttributeExtractor.XML [4]: skipping
unmapped NameID with format
(urn:oasis:names:tc:SAML:2.0:nameid-format:transient)
2014-05-07 11:25:14 DEBUG Shibboleth.AttributeExtractor.XML [4]: unable to
extract attributes, unknown XML object type: saml2:AuthnStatement
2014-05-07 11:25:14 DEBUG Shibboleth.SSO.SAML2 [4]: resolving attributes...
2014-05-07 11:25:14 DEBUG Shibboleth.AttributeResolver.Query [4]:
attempting SAML 2.0 attribute query
2014-05-07 11:25:14 DEBUG XMLTooling.XMLObject.Builder [4]: located
XMLObjectBuilder for element name: saml2:NameID
2014-05-07 11:25:14 DEBUG XMLTooling.XMLObject [4]: unmarshalling DOM
element (saml2:NameID)
2014-05-07 11:25:14 DEBUG XMLTooling.XMLObject [4]: unmarshalling
attributes for DOM element (saml2:NameID)
2014-05-07 11:25:14 DEBUG XMLTooling.XMLObject [4]: processing generic
attribute
2014-05-07 11:25:14 DEBUG XMLTooling.XMLObject [4]: processing generic
attribute
2014-05-07 11:25:14 DEBUG XMLTooling.XMLObject [4]: processing generic
attribute
2014-05-07 11:25:14 DEBUG XMLTooling.XMLObject [4]: unmarshalling child
nodes of DOM element (saml2:NameID)
2014-05-07 11:25:14 DEBUG XMLTooling.XMLObject [4]: processing text content
at position (0)

Are these the problems?

2014-05-07 11:25:14 DEBUG Shibboleth.AttributeExtractor.XML [4]: unable to
extract attributes, unknown XML object type: saml2p:Response
2014-05-07 11:25:14 DEBUG Shibboleth.AttributeExtractor.XML [4]: unable to
extract attributes, unknown XML object type: saml2:AuthnStatement


Is there more information I could provide to be useful?

Thanks,
Ben Marsh
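
A triage helper for the log excerpts in the message above, added here as an example; it is not part of the original post and not Shibboleth code. It re-joins the mail-wrapped shibd lines and reports which stages appear (pushed-attribute extraction, attribute query, libcurl/NSS error). The function names and result keys are assumptions chosen for illustration.

```python
import re

# One shibd record: "2014-05-07 11:25:14 DEBUG Category [4]: message"
RECORD = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) ([\w.]+) \[\d+\]: ?(.*)$")

def parse_records(text):
    """Re-join mail-wrapped lines into (time, level, category, message)."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3), m.group(4).strip()])
        elif line.strip() and records:
            # Wrapped continuation of the previous record.
            records[-1][3] = (records[-1][3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def triage(records):
    """Report which attribute-handling stages show up in the records."""
    found = {"unextractable_types": [], "attribute_query_attempted": False,
             "rejected_cipher_list": None, "nss_errors": []}
    for _time, _level, category, msg in records:
        if category == "Shibboleth.AttributeExtractor.XML":
            if m := re.search(r"unknown XML object type: (\S+)", msg):
                found["unextractable_types"].append(m.group(1))
        elif category == "Shibboleth.AttributeResolver.Query":
            if "attempting SAML 2.0 attribute query" in msg:
                found["attribute_query_attempted"] = True
        elif category == "XMLTooling.libcurl":
            if m := re.search(r"Unknown cipher in list: (\S+)", msg):
                found["rejected_cipher_list"] = m.group(1)
            if m := re.search(r"NSS error (-?\d+)", msg):
                found["nss_errors"].append(int(m.group(1)))
    return found

# Sample input: a selection of lines copied from the excerpts in the message.
SAMPLE = """2014-05-07 11:25:14 DEBUG Shibboleth.AttributeExtractor.XML [4]: unable to
extract attributes, unknown XML object type: saml2p:Response
2014-05-07 11:25:14 DEBUG Shibboleth.AttributeExtractor.XML [4]: unable to
extract attributes, unknown XML object type: saml2:AuthnStatement
2014-05-07 11:25:14 DEBUG Shibboleth.AttributeResolver.Query [4]:
attempting SAML 2.0 attribute query
2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: Unknown cipher in list:
ALL:!aNULL:!LOW:!EXPORT:!SSLv2
2014-05-07 11:25:14 DEBUG XMLTooling.libcurl [4]: NSS error -5978"""

if __name__ == "__main__":
    print(triage(parse_records(SAMPLE)))
```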