users Digest, Vol 50, Issue 127
Tony Pugielli
tpugielli at tti-wireless.com
Tue Aug 25 12:09:41 EDT 2015
The best scenario I can compare it to is Okta. In Okta you can add an endpoint, in this case it would be ClearPass. Once added, I would export the metadata and import it into ClearPass. ClearPass will then send the SAML assertion to its SSO-enabled applications. I have a document I can share but it is too large for the mailing list.
--
For service related issues, please call 732-553-9100 option 2, option 2 to speak with our TAC engineers. Email is not monitored for service requests.
--
Tony Pugielli
Manager of Systems Engineers
Turn-key Technologies, Inc. (TTI Wireless)
2400 Main St. Ext. Suite 12 Sayreville, NJ 08872
(W) 732-553-9100 ext. 123
(M) 732-320-0711
(F) 732-553-9107
www.turn-keytechnologies.com
www.ttiguardian.com
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of users-request at shibboleth.net
Sent: Friday, August 21, 2015 3:56 AM
To: users at shibboleth.net
Subject: users Digest, Vol 50, Issue 127
Send users mailing list submissions to
users at shibboleth.net
To subscribe or unsubscribe via the World Wide Web, visit
http://shibboleth.net/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
users-request at shibboleth.net
You can reach the person managing the list at
users-owner at shibboleth.net
When replying, please edit your Subject line so it is more specific than "Re: Contents of users digest..."
Today's Topics:
1. Re: users Digest, Vol 50, Issue 126 (Tony Pugielli)
2. Re: users Digest, Vol 50, Issue 126 (Cantor, Scott)
3. Incorrect ECP Accept header (John Dennis)
4. Translation of properties files (Lukas Hämmerle)
----------------------------------------------------------------------
Message: 1
Date: Fri, 21 Aug 2015 01:38:16 +0000
From: Tony Pugielli <tpugielli at tti-wireless.com>
To: "<users at shibboleth.net>" <users at shibboleth.net>
Subject: Re: users Digest, Vol 50, Issue 126
Message-ID: <B92654E2-9984-4FC6-B2F2-180E4F571123 at tti-wireless.com>
Content-Type: text/plain; charset="us-ascii"
Aruba has a feature called automatic sign-on. When a user authenticates to wireless via 802.1X and makes a call to a web page that would be authenticated against Shibboleth, we intercept the call and send it to ClearPass so it can send an SSO token with the user's credentials to the web page, so they don't need to log in. In this case I believe we are the IdP. I think this is also called SAML chaining.
I apologize if I am not totally clear. I am not that familiar with SAML but working on getting up to speed on it.
Sent from my iPhone
> On Aug 20, 2015, at 9:29 PM, "users-request at shibboleth.net" <users-request at shibboleth.net> wrote:
>
> Today's Topics:
>
> 1. setup for SP proxy (Tony Pugielli)
> 2. Re: Add test shibboleth metadata to InCommon metadata file
> (Michael A Grady)
> 3. Re: Add test shibboleth metadata to InCommon metadata file
> (Cantor, Scott)
> 4. Re: setup for SP proxy (Cantor, Scott)
> 5. RE: ADFS integration (Paul B. Henson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 21 Aug 2015 00:23:50 +0000
> From: Tony Pugielli <tpugielli at tti-wireless.com>
> To: "users at shibboleth.net" <users at shibboleth.net>
> Subject: setup for SP proxy
> Message-ID: <6911716E-E2F9-4E66-9DDC-D4DE19480DAB at tti-wireless.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Good evening. Is there any documentation on how to set up Shibboleth as an SP proxy? I am tying into Aruba's ClearPass and it requires Shibboleth to act as an SP proxy.
>
> Any help would be appreciated
>
> Thank You
>
> Sent from my iPhone
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Aug 2015 19:28:02 -0500
> From: Michael A Grady <mgrady at unicon.net>
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Add test shibboleth metadata to InCommon metadata file
> Message-ID: <EC1AF0DF-3DFE-4189-832A-12807AA2480A at unicon.net>
> Content-Type: text/plain; charset=us-ascii
>
>
>> On Aug 20, 2015, at 7:20 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>
>> On 8/20/15, 7:59 PM, "users on behalf of John Kamminga" <users-bounces at shibboleth.net on behalf of jkamminga at ucmerced.edu> wrote:
>>
>>> I have a test instance of Shibboleth IdP v2.4.2 running and would like to add the metadata to the InCommon metadata file so I can test with some SPs.
>>>
>>>
>>> Do I just upload the shib test X.509 certificate to the InCommon Federation Manager and then add it to my existing production metadata? Or, do I need to have a separate metadata entityId in the InCommon Metadata file?
>>
>> That's not a totally well-defined question because "testing" can mean a lot of different things, but generally speaking there is no reason to test an IdP that way. You can emulate your existing IdP top to bottom and use local /etc/hosts changes to do your testing, as long as the back channel isn't involved.
>>
>> -- Scott
>
> And you can't register a 2nd IdP with InCommon unless you want to spend extra dollars:
>
>
> https://spaces.internet2.edu/display/InCFederation/Test+IdPs+in+Metadata
>
> But as Kevin Foote noted, you really want to check with InCommon administration to get the official answers, through your InCommon Site Admin and/or Exec.
>
> --
> Michael A. Grady
> IAM Architect, Unicon, Inc.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 21 Aug 2015 00:30:21 +0000
> From: "Cantor, Scott" <cantor.2 at osu.edu>
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Add test shibboleth metadata to InCommon metadata file
> Message-ID: <591FB529-A271-424B-A48E-F5C3A70FCF54 at osu.edu>
> Content-Type: text/plain; charset="utf-8"
>
>> On 8/20/15, 8:28 PM, "users on behalf of Michael A Grady" <users-bounces at shibboleth.net on behalf of mgrady at unicon.net> wrote:
>>
>> And you can't register a 2nd IdP with InCommon unless you want to spend extra dollars:
>>
>> https://spaces.internet2.edu/display/InCFederation/Test+IdPs+in+Metadata
>>
>> But as Kevin Foote noted, you really want to check with InCommon administration to get the official answers, through your InCommon Site Admin and/or Exec.
>
> You can also provide more background on the testing scenario and requirements, goals, what have you, and we can suggest the best approaches. There may be constraints we don't know, such as a forced hostname change, key or entityID changes (just don't), etc.
>
> -- Scott
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 21 Aug 2015 00:42:22 +0000
> From: "Cantor, Scott" <cantor.2 at osu.edu>
> To: Shib Users <users at shibboleth.net>
> Subject: Re: setup for SP proxy
> Message-ID: <4BE5D153-0CA2-40C6-8338-52BF60D38C78 at osu.edu>
> Content-Type: text/plain; charset="utf-8"
>
>> On 8/20/15, 8:23 PM, "users on behalf of Tony Pugielli" <users-bounces at shibboleth.net on behalf of tpugielli at tti-wireless.com> wrote:
>>
>> Good evening. Is there any documentation on how to set up Shibboleth as an SP proxy? I am tying into Aruba's ClearPass and it requires Shibboleth to act as an SP proxy.
>
> I'm really not sure what you mean by that.
>
> We have ClearPass at OSU, and it acts as a SAML SP, which our IdP is successfully working with on our wireless network for device registration.
>
> I don't know if you're talking about the IdP, SP, or in what sense you think it can be a proxy. As a general matter, that isn't our design, but it depends what you're talking about.
>
> -- Scott
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 21 Aug 2015 01:28:43 +0000
> From: "Paul B. Henson" <henson at cpp.edu>
> To: Shib Users <users at shibboleth.net>
> Subject: RE: ADFS integration
> Message-ID: <SN1PR01MB17580385AAB6CF28702CC5DBD2650 at SN1PR01MB1758.prod.exchangelabs.com>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
>> From: Johan Åkerström
>> Sent: Thursday, August 20, 2015 1:48 AM
>>
>> I sense a bit of open/propriety code politics here but hey it is not
>> my prerogative criticize.
>
> Heh, I certainly won't deny a bias for open source software, but this isn't really about open versus proprietary code, more about open versus proprietary standards. Rather than being able to easily avail of whatever SAML based solution you might have, they pretty much try to force you to run ADFS.
>
>> authentication protocol in SAML. So if your front end authn solution
>> is Shibboleth or ADFS now it doesn't mean it has to be at a later stage.
>
> I don't like wasting time implementing one thing when the goal is to be another thing; while not always feasible, my preference is to simply try to aim for the final product in the beginning...
>
>> If you need to overcome the Claims Provider solution then you have
>> two options in ADFSv3.
>
> Thanks, I will pass this info on to our Windows guys for evaluation.
>
>
> --
> Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst | henson at cpp.edu
> California State Polytechnic University | Pomona CA 91768
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
> ------------------------------
>
> End of users Digest, Vol 50, Issue 126
> **************************************
------------------------------
Message: 2
Date: Fri, 21 Aug 2015 01:53:08 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: users Digest, Vol 50, Issue 126
Message-ID: <ED1E5333-77B1-468E-BDDB-85B38DF67D68 at osu.edu>
Content-Type: text/plain; charset="utf-8"
On 8/20/15, 9:38 PM, "users on behalf of Tony Pugielli" <users-bounces at shibboleth.net on behalf of tpugielli at tti-wireless.com> wrote:
>Aruba has a feature called automatic sign-on. When a user authenticates to wireless via 802.1X and makes a call to a web page that would be authenticated against Shibboleth, we intercept the call and send it to ClearPass so it can send an SSO token with the user's credentials to the web page, so they don't need to log in. In this case I believe we are the IdP. I think this is also called SAML chaining.
I really don't know how to translate that into anything I can answer. And there's nothing in SAML that I can think of called chaining.
>I apologize if I am not totally clear. I am not that familiar with SAML but working on getting up to speed on it.
I really don't yet know what part of Shibboleth you're trying to use, and I can't really figure out from that description what you'd be trying to do with that piece. If you have a pointer to documentation or something that outlines something you're having a question about, I might be able to skim it at some point and formulate some kind of advice from the perspective of what I would do if somebody here pointed me to it and asked me to support it.
-- Scott
------------------------------
Message: 3
Date: Fri, 21 Aug 2015 00:10:54 -0400
From: John Dennis <jdennis at redhat.com>
To: Shib Users <users at shibboleth.net>
Subject: Incorrect ECP Accept header
Message-ID: <55D6A4CE.5040705 at redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
We've been doing some ECP interoperability testing and have uncovered what appears to be a mistake in both the SAML spec and the mod_shib implementation (v2.5.3).
The following SAML specs:
"Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005"
"SAML V2.0 Enhanced Client or Proxy Profile Version 2.0 Committee Specification 01 26 August 2013"
both use the following non-normative example of an Accept header:
Accept: text/html; application/vnd.paos+xml
In this example there are supposed to be two media types, html and paos, but the separator between the media types is a semicolon when it should instead be a comma; at least, that's how I'm reading the HTTP spec:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
A semicolon is used to separate the type from its optional parameters; types and their associated parameters are separated by commas. The example appearing in the SAML specs is illegal HTTP syntax because it's stating there is one media type of text/html with a parameter of application/vnd.paos+xml (which is nonsensical).
So why does this work in mod_shib? In the v2.5.3 code (the only version I checked) shibsp/handler/impl/SAML2SessionInitiator.cpp line 249 uses this code to test for paos in the accept header:
request.getHeader("Accept").find("application/vnd.paos+xml")
however doing a string search is not the same thing as parsing the header and can lead to erroneous results.
So it seems like there are two independent issues:
1) The SAML specs need to be edited (I checked the most recent errata and the error is still there).
2) mod_shib consumes a syntactically incorrect header and processes the request without error.
BTW, the reason this came up is because our SP never recognized the example ECP request because it thought the only media type in the Accept header was text/html (it ignores type parameters and does an exact match on the media type).
--
John
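To make the difference John describes concrete, here is a strict Accept-header parser, added as an illustration and not code from the thread, from the SAML specs or from the Shibboleth SP. `parse_accept` follows the HTTP grammar (comma-separated elements, each a `type/subtype` media-range followed by `;`-separated `name=value` parameters, with `q` as the weight); `accepts_paos` returns true only when `application/vnd.paos+xml` appears as its own media range with a non-zero q; `substring_check` reproduces the plain `find()` test John reports for SAML2SessionInitiator.cpp. The function names and the sample header values are mine.

```python
"""Strict Accept-header parsing versus substring matching for ECP (PAOS) detection."""
import re
from dataclasses import dataclass

PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
# HTTP 'token' characters (RFC 2616 / RFC 7230): '*' is included so '*/*' parses.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


@dataclass(frozen=True)
class MediaRange:
    type: str
    subtype: str
    params: tuple   # ((name, value), ...) in header order, excluding q
    q: float


def _split_outside_quotes(value, sep):
    # Split on `sep`, ignoring separators inside quoted-strings (with \" escapes).
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch); escaped = False
        elif quoted and ch == "\\":
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip(" \t") for p in parts if p.strip(" \t")]


def _unquote(value):
    # A parameter value is either a token or a quoted-string; anything else is malformed.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    if not _TOKEN.fullmatch(value):
        raise ValueError(f"parameter value is neither token nor quoted-string: {value!r}")
    return value


def parse_accept(header):
    """Parse an Accept header into MediaRange objects; raise ValueError on bad syntax."""
    ranges = []
    for element in _split_outside_quotes(header, ","):
        media_range, *raw_params = _split_outside_quotes(element, ";")
        t, slash, st = media_range.partition("/")
        if not slash or not _TOKEN.fullmatch(t) or not _TOKEN.fullmatch(st):
            raise ValueError(f"malformed media-range: {media_range!r}")
        params, q = [], 1.0
        for p in raw_params:
            name, eq, value = p.partition("=")
            name = name.strip(" \t").lower()
            # 'application/vnd.paos+xml' after a ';' lands here: no '=' means it is
            # not a parameter, so the specs' example is rejected rather than guessed at.
            if not eq or not _TOKEN.fullmatch(name):
                raise ValueError(f"malformed parameter: {p!r}")
            value = _unquote(value.strip(" \t"))
            if name == "q":
                q = float(value)
                if not 0.0 <= q <= 1.0:
                    raise ValueError(f"q out of range: {value!r}")
            else:
                params.append((name, value))
        ranges.append(MediaRange(t.lower(), st.lower(), tuple(params), q))
    return ranges


def accepts_paos(accept_header):
    """True only if PAOS is listed as an explicit media range with q > 0.

    Wildcards such as */* deliberately do not count: a browser sending */* is not
    an ECP client, and a malformed header is treated as 'not PAOS' rather than as
    grounds to switch profiles."""
    try:
        ranges = parse_accept(accept_header)
    except ValueError:
        return False
    return any(r.type == "application" and r.subtype == "vnd.paos+xml" and r.q > 0
               for r in ranges)


def substring_check(accept_header):
    """The plain substring test reported for SAML2SessionInitiator.cpp (v2.5.3)."""
    return PAOS_MEDIA_TYPE in accept_header


if __name__ == "__main__":
    for h in ("text/html; application/vnd.paos+xml",     # the specs' example (one type + junk parameter)
              "text/html, application/vnd.paos+xml",     # what the specs meant
              'text/html;x="application/vnd.paos+xml"'): # PAOS only inside a parameter value
        print(f"{h!r}: substring={substring_check(h)} parsed={accepts_paos(h)}")
```

Run stand-alone, the three sample headers show where the two approaches disagree: the substring test says "PAOS" for all three, the parser says so only for the comma-separated form. The parser also honours `q=0`, which a substring test cannot see.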
------------------------------
Message: 4
Date: Fri, 21 Aug 2015 09:55:39 +0200
From: Lukas Hämmerle <lukas.haemmerle at switch.ch>
To: Shib Users <users at shibboleth.net>
Subject: Translation of properties files
Message-ID: <55D6D97B.1030207 at switch.ch>
Content-Type: text/plain; charset=utf-8
Hello all
An increasing number of our IdPs are now deploying v3. Most of them
would like to provide localized login/consent/ToU pages. Some of them
already translated some of the content of the default properties file
(authn-messages, consent-messages, error-messages -> ~ 130 strings).
Is there a place or a way in which such translations could be shared in an
official/unofficial way to save other IdP admins some translation work?
Most deployers will want to adapt the text on their login pages. So, one
could argue that the default locales as well as unofficial locales would
be modified anyway. But still, providing/sharing some such translations
might save people some work as changes probably would affect mostly
organisation/federation name.
This topic has already briefly popped up in the thread "Consent Wording"
and Scott mentioned that one way would be to host unofficial
translations on the wiki. So, would that be what the project recommends?
One disadvantage of the Wiki-approach might be that adding/changing
default (English) strings would quickly bring the other translations out
of sync without some diff/notification. Therefore, some hosted solution
(my search queries led for example to https://poeditor.com/) could be an
option.
Best Regards
Lukas
--
SWITCH
Lukas Hämmerle, Central Solutions
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle at switch.ch, http://www.switch.ch
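The out-of-sync problem Lukas describes is mechanical enough to check for, so here is a small Python checker added as an illustration; it is not code from the thread or from the Shibboleth project. It parses the Java `.properties` format the IdP's message bundles use (comments, `=`/`:`/whitespace separators, backslash line continuation, `\uXXXX` escapes), then reports keys a translation lacks (these fall back silently to the English bundle), keys it carries that no longer exist upstream, keys whose value is still identical to the English, and keys whose English wording changed between two versions of the default file. The keys and strings in the samples are constructed, not the IdP's real defaults.

```python
"""Detect drift between a default (English) message properties file and a translation."""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(s):
    # Java .properties escapes: \t \n \r \f \uXXXX; any other \x yields x.
    out, i = [], 0
    while i < len(s):
        ch = s[i]
        if ch != "\\" or i == len(s) - 1:
            out.append(ch); i += 1
        elif s[i + 1] == "u":
            out.append(chr(int(s[i + 2:i + 6], 16))); i += 6
        else:
            out.append(_ESCAPES.get(s[i + 1], s[i + 1])); i += 2
    return "".join(out)


def _logical_lines(text):
    # Joins backslash-continued lines, drops comment (# or !) and blank lines.
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = ""
        buf += line
        trailing = len(buf) - len(buf.rstrip("\\"))
        if trailing % 2 == 1:          # odd run of trailing backslashes: continued
            buf = buf[:-1]
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def _split_key(line):
    # The key ends at the first unescaped '=', ':' or whitespace.
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
        elif line[i] in "=: \t":
            break
        else:
            i += 1
    key, rest = line[:i], line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return _unescape(key), _unescape(rest)


def parse_properties(text):
    """Return {key: value} for a .properties file given as text."""
    return dict(_split_key(line) for line in _logical_lines(text))


def compare_locales(base_text, translated_text):
    """Compare a translation against the default bundle it was derived from."""
    base, tr = parse_properties(base_text), parse_properties(translated_text)
    return {
        "missing": sorted(k for k in base if k not in tr),       # user silently sees English
        "orphaned": sorted(k for k in tr if k not in base),      # key gone upstream, dead text
        "untranslated": sorted(k for k in base if k in tr and tr[k] == base[k]),
    }


def stale_keys(old_base_text, new_base_text):
    """Keys whose English wording changed between releases: translations need review."""
    old, new = parse_properties(old_base_text), parse_properties(new_base_text)
    return sorted(k for k in new if k in old and old[k] != new[k])


# Constructed samples (hypothetical keys, not the IdP's real message bundle).
BASE_EN = r"""
# default English strings
idp.login.username = Username
idp.login.password = Password
idp.login.login = Login
idp.login.back = Back
idp.consent.title = Information Release
idp.tou.accept = I accept the terms of use
"""

TRANSLATED_DE = r"""
! German translation, deliberately out of sync with BASE_EN
idp.login.username = Benutzername
idp.login.password = Passwort
idp.login.login = Login
idp.login.back = Zur\u00fcck
idp.tou.accept = Ich akzeptiere die \
    Nutzungsbedingungen
idp.tou.reject = Ablehnen
"""

# A later release reworded one English string.
BASE_EN_NEXT = BASE_EN.replace("I accept the terms of use", "I accept the Terms of Use")

if __name__ == "__main__":
    import json
    print(json.dumps(compare_locales(BASE_EN, TRANSLATED_DE), indent=2))
    print("needs review after upstream change:", stale_keys(BASE_EN, BASE_EN_NEXT))
```

Running `stale_keys` against the previous and current default file on each IdP upgrade is the diff/notification step a wiki page cannot provide; `compare_locales` is what a contributor would run before publishing a shared translation.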
------------------------------
Subject: Digest Footer
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
------------------------------
End of users Digest, Vol 50, Issue 127
**************************************