idp login issue connecting to ldap

Jason Separovic jseppa01 at gmail.com
Sun Aug 2 17:05:08 EDT 2015


Here's the config that has been modified from the defaults:

[root at dev1 conf]# more attribute-resolver.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Attribute resolver for the IdP: defines the attributes that can be released
  to relying parties and the data connectors they are sourced from.
  %{...} placeholders are resolved from idp.properties / ldap.properties
  (idp.scope and the idp.attribute.resolver.LDAP.* keys). The resolver runs
  after authentication; $requestContext.principalName is the logged-in user.
-->
<resolver:AttributeResolver
        xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
        xmlns:sec="urn:mace:shibboleth:2.0:security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                            urn:mace:shibboleth:2.0:resolver:pc
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
                            urn:mace:shibboleth:2.0:resolver:ad
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                            urn:mace:shibboleth:2.0:resolver:dc
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
                            urn:mace:shibboleth:2.0:attribute:encoder
http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
                            urn:mace:shibboleth:2.0:security
http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- eduPersonPrincipalName = <uid>@%{idp.scope}; "uid" below is the authenticated principal name. -->
    <resolver:AttributeDefinition id="eduPersonPrincipalName"
xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false"
/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
friendlyName="eduPersonPrincipalName" encodeType="false" />
    </resolver:AttributeDefinition>

    <!-- uid: the authenticated principal name itself (ad:PrincipalName), no directory lookup. -->
    <resolver:AttributeDefinition id="uid" xsi:type="ad:PrincipalName">
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
encodeType="false" />
    </resolver:AttributeDefinition>

    <!--
      mail: built from a template, not read from the directory.
      NOTE(review): the domain is hard-coded here while the scoped definitions
      use %{idp.scope} (jseppa.com in idp.properties); keep the two in sync.
    -->
    <resolver:AttributeDefinition id="mail" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
encodeType="false" />
        <ad:Template>
          <![CDATA[
               ${uid}@jseppa.com
          ]]>
        </ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

    <!-- eduPersonScopedAffiliation: every user gets member@%{idp.scope} from the static connector below. -->
    <resolver:AttributeDefinition id="eduPersonScopedAffiliation"
xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="affiliation">
        <resolver:Dependency ref="staticAttributes" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </resolver:AttributeDefinition>

    <!-- Static connector: one fixed affiliation value, no external lookup. -->
    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
        <dc:Attribute id="affiliation">
            <dc:Value>member</dc:Value>
        </dc:Attribute>
    </resolver:DataConnector>

    <!--
      googleNameID: the value used as the SAML 2 NameID for the Google SP
      (see the SAML2AttributeSourcedGenerator in saml-nameid.xml). Its only
      dependency is the "ldap" connector, so "mail" here is the directory's
      mail attribute, not the templated "mail" definition above; users with no
      mail value in LDAP get no NameID. TODO confirm that is intended.
      Style: this definition declares local default namespaces instead of the
      ad:/enc: prefixes used by the other definitions; the two forms are equivalent.
    -->
    <resolver:AttributeDefinition xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  id="googleNameID"
                                  sourceAttributeID="mail">
        <resolver:Dependency ref="ldap" />
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                   
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>

    <!--
      LDAP connector: binds with the resolver bindDN/credential from
      ldap.properties and searches baseDN with the filter template below.
      The filter interpolates the authenticated principal name; with the
      values in ldap.properties it is (uid=$requestContext.principalName).
      Transport protection (StartTLS) is governed by
      idp.attribute.resolver.LDAP.useStartTLS in ldap.properties.
    -->
    <resolver:DataConnector id="ldap" xsi:type="dc:LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
        <dc:FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>
</resolver:AttributeResolver>



[root at dev1 conf]# more attribute-filter.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Attribute release policy. Each policy is gated by a requirement rule on the
  requesting SP's entityID and lists the attributes permitted for that SP;
  attributes matched by no policy are not released.
-->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns:afp="urn:mace:shibboleth:2.0:afp"
        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
        xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp
http://shibboleth.net/schema/idp/shibboleth-afp.xsd
                            urn:mace:shibboleth:2.0:afp:mf:basic
http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
                            urn:mace:shibboleth:2.0:afp:mf:saml
http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd">

    <!-- Google SP (entityID google.com/a/jseppa.com): release only googleNameID, any value. -->
    <afp:AttributeFilterPolicy id="google.com/a/jseppa.com">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="google.com/a/jseppa.com" />
        <afp:AttributeRule attributeID="googleNameID">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!--
      transientId to every requester except one.
      NOTE(review): the excluded requester is the string "google.com", while the
      Google SP above is identified as "google.com/a/jseppa.com".
      AttributeRequesterString compares the whole entityID, so as written this
      rule does not exclude that SP; if that is the intent, use the full entityID.
    -->
    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:NOT">
            <basic:Rule xsi:type="basic:AttributeRequesterString"
value="google.com" />
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>



[root at dev1 conf]# more ../metadata/google-metadata.xml
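<!--
  SP metadata for the Google SP, loaded from a local file.
  NameIDFormat "unspecified" matches the SAML 2 attribute-sourced generator in
  saml-nameid.xml. There is no KeyDescriptor: the SP publishes neither a signing
  nor an encryption key, so assertions to it cannot be encrypted
  (idp.encryption.optional=true in idp.properties permits that) and the HTTPS
  AssertionConsumerService Location is what protects them in transit. Keep this
  file under change control: the Location decides where assertions are posted.
  Fix: the NameIDFormat closing tag was split across two lines in the listing.
-->
<EntityDescriptor entityID="google.com/a/jseppa.com"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/jseppa.com/acs" />
    </SPSSODescriptor>
</EntityDescriptor>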



[root at dev1 conf]# egrep "^idp" idp.properties
# idp.properties (only the active idp.* keys are shown; long values appear
# wrapped by the mail client, each key and its value is one line in the file).
idp.additionalProperties= /conf/ldap.properties,
/conf/saml-nameid.properties, /conf/services.properties
# EntityID and scope; idp.scope feeds the ad:Scoped definitions in attribute-resolver.xml.
idp.entityID= https://sso.jseppa.com/idp/shibboleth
idp.scope= jseppa.com
# Data sealer keystore (protects cookies and transient identifiers); passwords redacted here.
idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
idp.sealer.storePassword= xxxxxxx
idp.sealer.keyPassword= xxxxxxx
# Signing and encryption credentials.
idp.signing.key= %{idp.home}/credentials/idp-signing.key
idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
# true: assertions go unencrypted to SPs that publish no encryption key
# (the Google metadata has none); the SP's HTTPS ACS then protects them in transit.
idp.encryption.optional = true
idp.session.enabled = true
# Only the Password flow is enabled. Its LDAP backend is configured outside the
# files shown here (conf/authn/ldap-authn.xml in IdP 3); if a login produces no
# LDAP traffic, that flow is the place to look, since the attribute resolver
# runs only after authentication has succeeded.
idp.authn.flows= Password
idp.authn.flows.initial = Password
# Admin endpoints restricted by client IP; the policy itself is defined in
# access-control.xml (not shown).
idp.status.accessPolicy= AccessByIPAddress
idp.resolvertest.accessPolicy= AccessByIPAddress
idp.reload.accessPolicy= AccessByIPAddress
idp.ui.fallbackLanguages= en,fr,de




[root at dev1 conf]# egrep "^idp" ldap.properties
# ldap.properties (idp.* keys only; wrapped values are one line in the file).
#
# --- Password flow (authentication) ---
# bindSearchAuthenticator: bind as bindDN, search baseDN with userFilter, then
# bind as the entry found to verify the password.
idp.authn.LDAP.authenticator                    = bindSearchAuthenticator
# Plaintext LDAP to the local host: no StartTLS and no ldaps. Tolerable only
# while the directory stays on this host, since user passwords and the bind
# credential below cross this connection. trustCertificates/trustStore are
# not consulted while TLS is off.
idp.authn.LDAP.ldapURL                          = ldap://localhost:389
idp.authn.LDAP.useStartTLS                      = false
idp.authn.LDAP.useSSL                           = false
idp.authn.LDAP.connectTimeout                   = 3000
idp.authn.LDAP.sslConfig                        = jvmTrust
idp.authn.LDAP.trustCertificates                =
%{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.trustStore                       =
%{idp.home}/credentials/ldap-server.truststore
idp.authn.LDAP.returnAttributes                 = cn,businessCategory,mail
idp.authn.LDAP.baseDN                           = ou=Users,dc=jseppa,dc=com
idp.authn.LDAP.subtreeSearch                    = true
idp.authn.LDAP.userFilter                       = (uid={user})
# Service bind account, reused by the resolver connector below. cn=Manager is
# typically the directory's root DN; a dedicated read-only account is sufficient
# for the search and attribute lookup done here (least privilege).
idp.authn.LDAP.bindDN                           =
cn=Manager,dc=jseppa,dc=com
idp.authn.LDAP.bindDNCredential                 = xxxxxxx
# dnFormat is used by the direct authenticator; with bindSearchAuthenticator
# selected above it is not used.
idp.authn.LDAP.dnFormat                         =
uid=%s,ou=Users,dc=jseppa,dc=com
#
# --- Attribute resolver LDAP connector (attribute-resolver.xml, id="ldap") ---
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential    =
%{idp.authn.LDAP.bindDNCredential}
# ":true" is only the fallback for when the authn key is unset; it is set to
# false above, so the resolver connection is plaintext as well.
idp.attribute.resolver.LDAP.useStartTLS         =
%{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates   =
%{idp.authn.LDAP.trustCertificates}
# Search filter for the resolver; $requestContext.principalName is the
# already-authenticated user.
idp.attribute.resolver.LDAP.searchFilter        =
(uid=$requestContext.principalName)
#
# --- Connection pool ---
# failFastInitialize=false: the IdP starts even if the directory is unreachable,
# so a broken LDAP setup surfaces at first login rather than at startup.
idp.pool.LDAP.minSize                           = 3
idp.pool.LDAP.maxSize                           = 10
idp.pool.LDAP.validateOnCheckout                = false
idp.pool.LDAP.validatePeriodically              = true
idp.pool.LDAP.validatePeriod                    = 300
idp.pool.LDAP.prunePeriod                       = 300
idp.pool.LDAP.idleTime                          = 600
idp.pool.LDAP.blockWaitTime                     = 3000
idp.pool.LDAP.failFastInitialize                = false



[root at dev1 conf]# cat saml-nameid.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  NameID generation. Each list holds the generators for one SAML version;
  they are consulted in list order for the NameID format the SP requests.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!-- SAML 1: transient identifiers only; the email-format attribute-sourced generator is left disabled. -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">
        <ref bean="shibboleth.SAML1TransientGenerator" />
        <!--
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->
    </util:list>

    <!--
      SAML 2: transient identifiers, plus an "unspecified"-format NameID taken
      from the googleNameID attribute (defined in attribute-resolver.xml). The
      Google SP metadata requests exactly this format. Attribute-sourced
      generators work from the attributes released to the requester, so the
      googleNameID rule in attribute-filter.xml is what makes a value available.
    -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
            p:attributeSourceIds="#{ {'googleNameID'} }" />
    </util:list>
</beans>



[root at dev1 jetty]# more start.ini
# JVM options.
-Xmx512m
# MaxPermSize has no effect on Java 8 (the versions list shows 1.8.0_51);
# the JVM warns and ignores it.
-XX:MaxPermSize=128m

# Thread pool and HTTP configuration. secureScheme/securePort are what a
# redirect to the secure connector points at.
jetty.threadPool.minThreads=10
jetty.threadPool.maxThreads=200
jetty.threadPool.idleTimeout=60000
jetty.httpConfig.secureScheme=https
jetty.httpConfig.securePort=443
# jetty.httpConfig.outputBufferSize=32768
# jetty.httpConfig.outputAggregationSize=8192
# jetty.httpConfig.requestHeaderSize=8192
# jetty.httpConfig.responseHeaderSize=8192
# jetty.httpConfig.sendServerVersion=true
# jetty.httpConfig.sendDateHeader=false
# jetty.httpConfig.headerCacheSize=512
# jetty.httpConfig.delayDispatchUntilContent=true
# jetty.server.stopAtShutdown=true
# jetty.server.dumpAfterStart=false
# jetty.server.dumpBeforeStop=false

# Plaintext HTTP listener on all interfaces. The IdP entityID and the SP's ACS
# are both https; unless a front end terminates TLS, this listener should only
# redirect to 443 or be removed so credentials are never posted over HTTP.
jetty.http.host=0.0.0.0
jetty.http.port=80
# jetty.http.idleTimeout=30000
# jetty.http.soLingerTime=-1
# jetty.http.acceptors=-1
# jetty.http.selectors=-1
# jetty.http.acceptorQueueSize=0
# jetty.http.acceptorPriorityDelta=0

jetty.deploy.monitoredDir=webapps
jetty.deploy.scanInterval=5
jetty.deploy.extractWars=true

# Modules. "http" is enabled but no --module=https/ssl is listed; the TLS
# connector is instead pulled in by the jetty-ssl*.xml files at the end.
# TODO confirm the HTTPS connector actually comes up on 443.
--module=home-base-warning
--module=ext
--module=resources
--module=server
--module=http
--module=deploy
--module=jsp
--module=websocket
--module=jstl
--module=plus
--module=servlets
--module=annotations
--module=logging
--module=requestlog
--module=jaas
--module=security

# TLS connector configuration files.
etc/jetty-ssl-context.xml
etc/jetty-ssl.xml
etc/jetty-https.xml



Software Versions
IDP 3.1.2
java version "1.8.0_51"
JCE unlimited installed
jetty-9.3.1.v20150714 - 14 July 2015
Centos 6.5
openldap 2.4.39-8.el6



[root at dev1 bin]# ./aacli.sh --requester google.com/a/jseppa.com --principal
jason

{
"requester": "google.com/a/jseppa.com",
"principal": "jason",
"attributes": [


  {
    "name": "googleNameID",
    "values": [
              "StringAttributeValue{value=jason at jseppa.com}"          ]
  }

]
}

Any hints on where to look next would be greatly appreciated. There is
clearly no LDAP client request being made at all when I enter a username and password into
the login form.




