Google Apps with IdP v3 not working

David Langenberg davel at uchicago.edu
Thu Aug 27 10:02:37 EDT 2015


It is populated, but populated with the string g_principal.  Here's what a successful audit log looks like:

Aug 27 05:10:48 15be95cbfeaf [qtp254413710-6275] [Shibboleth-Audit.SSO:241] - [205.208.122.155] 20150827T051048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|dpnlomihbneebagnanenjdbjfmpkjbnopgknlmoi|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|urn:mace:incommon:uchicago.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b0c0f7a79b9c4e39158fd38529a3a167|davel|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName|davel|_0844585d6ef961b7375281cd4338e676

Note, you don't actually see an attribute "principal" in the audit message, you see a username.  Try looking at your encoders and ensuring everything there is correct?

Dave


> On Aug 27, 2015, at 7:19 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
> 
> I dropped Dave's config into the files he said, and I now get this error (with successful login to AD):
> ERROR - Access Denied
> You are not eligible for the service requested.
> 
> It looks like my g_principal attribute is populated, and the attribute filter knows to release it to google.com.
> 
> From idp-process.log:
> 2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:168] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2'  Filtering values for attribute 'g_principal' which currently contains 1 values
> 2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:177] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2'  Filter has permitted the release of 1 values for attribute 'g_principal'
> 2015-08-27 14:06:18,850 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'g_principal' remained after filtering
> 2015-08-27 14:06:18,854 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:126] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/context-check into interceptor context
> 2015-08-27 14:06:18,857 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
> 2015-08-27 14:06:18,858 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/context-check for applicability...
> 2015-08-27 14:06:18,859 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/context-check
> 2015-08-27 14:06:18,997 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:181] - Error event ContextCheckDenied will be handled locally
> 2015-08-27 14:06:19,019 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:206] - Profile Action PopulateAuditContext: Adding 1 value(s) for field 'attr'
> 2015-08-27 14:06:19,020 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'u'
> 2015-08-27 14:06:19,021 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] - Profile Action PopulateAuditContext: Skipping field 's' not included in audit format
> 2015-08-27 14:06:19,024 - INFO [Shibboleth-Audit.SSO:241] - 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||70012521||g_principal||
> 
> And idp-audit:
> 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||myusername||g_principal||
> 
> Any ideas welcome.
> 
> _________________________________________________
> Dave Perry
> eLearning Technologist, Hull College Group
> 
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
> 
> * Need a fast reply? Try elearning at hull-college.ac.uk *
> 
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
> Sent: 26 August 2015 16:38
> To: Shib Users
> Subject: Re: Google Apps with IdP v3 not working
> 
> 
>> On Aug 26, 2015, at 9:30 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>> 
>> On 8/26/15, 11:19 AM, "users on behalf of David Langenberg" <users-bounces at shibboleth.net on behalf of davel at uchicago.edu> wrote:
>> 
>>> No
>>> 
>>> Dave
>>> 
>>>> On Aug 26, 2015, at 9:02 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
>>>> 
>>>> That's brilliant, thanks Dave!
>>>> 
>>>> Did you make any changes to saml-nameid.properties?
>> 
>> He did omit one extra piece, releasing the attribute used to source the NameID in the filter policy. That will (optionally) go away in a future release.
> 
> Thanks Scott, you're right, I forgot the filter.  We are releasing principal to Google.
> 
> Dave
> 
> --
> David Langenberg
> Identity & Access Management Architect
> The University of Chicago
> 

--
David Langenberg
Identity & Access Management Architect
The University of Chicago
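Added example, not part of the thread: a small parser for the pipe-delimited `Shibboleth-Audit.SSO` records quoted above, so the working and the denied lines can be compared field by field instead of by eye. It assumes the stock IdP v3 SSO audit format string from audit.xml (`%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i`); the thread does not say whether either IdP changed that default, and the two sample lines are copied from the messages above. The fields that stay empty in the denied record are exactly the ones the SSO flow fills only after the interceptors have passed and a response has been minted, which is what a `ContextCheckDenied` outcome leaves behind.

```python
import re
from typing import Dict, List, Tuple

# Default IdP v3 audit format for the SAML 2 browser SSO profile.
# Assumption: taken from the stock audit.xml; the thread does not state
# which format either IdP is running with.
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i"
FIELDS: List[str] = [f.lstrip("%") for f in AUDIT_FORMAT.split("|")]

# Fields the SSO flow only populates once it has passed the interceptor
# stage and built the response: outbound binding, outbound message id,
# authentication context, NameID value and assertion id.
ISSUANCE_FIELDS: Tuple[str, ...] = ("bb", "III", "ac", "n", "i")

# The record proper starts at the %T timestamp; anything before it is a
# syslog or logback prefix that we ignore.
_RECORD_RE = re.compile(r"\d{8}T\d{6}Z\|.*$")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit line into a field-name -> value mapping."""
    match = _RECORD_RE.search(line)
    if match is None:
        raise ValueError("no audit record found in line")
    values = match.group(0).split("|")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def missing_issuance_fields(record: Dict[str, str]) -> List[str]:
    """Issuance-stage fields that are empty, in audit-format order."""
    return [f for f in ISSUANCE_FIELDS if record[f] == ""]


def diff_records(ok: Dict[str, str], bad: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Fields whose values differ between two records, as (ok, bad) pairs."""
    return {f: (ok[f], bad[f]) for f in FIELDS if ok[f] != bad[f]}


def diagnose(record: Dict[str, str]) -> str:
    """One-line reading of a record for an operator scanning idp-audit.log."""
    missing = missing_issuance_fields(record)
    if not missing:
        return (f"issued: user={record['u']} nameid={record['n']} "
                f"attrs={record['attr']} sp={record['SP']}")
    return (f"denied before issuance: user={record['u']} "
            f"attrs={record['attr']} sp={record['SP']} "
            f"empty={','.join(missing)}")


# Sample lines copied from the thread: the working UChicago login
# (syslog-prefixed) and the denied Hull College one (idp-audit.log form).
SUCCESS_LINE = (
    "Aug 27 05:10:48 15be95cbfeaf [qtp254413710-6275] [Shibboleth-Audit.SSO:241] "
    "- [205.208.122.155] 20150827T051048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    "|dpnlomihbneebagnanenjdbjfmpkjbnopgknlmoi|google.com"
    "|http://shibboleth.net/ns/profiles/saml2/sso/browser|urn:mace:incommon:uchicago.edu"
    "|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b0c0f7a79b9c4e39158fd38529a3a167"
    "|davel|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    "|eduPersonPrincipalName|davel|_0844585d6ef961b7375281cd4338e676"
)
DENIED_LINE = (
    "20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    "|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com"
    "|http://shibboleth.net/ns/profiles/saml2/sso/browser"
    "|https://shibb.hull-college.ac.uk/idp/shibboleth|||myusername||g_principal||"
)

if __name__ == "__main__":
    ok_rec = parse_audit_line(SUCCESS_LINE)
    bad_rec = parse_audit_line(DENIED_LINE)
    print(diagnose(ok_rec))
    print(diagnose(bad_rec))
    for field, (ok_val, bad_val) in diff_records(ok_rec, bad_rec).items():
        print(f"  {field:5s} ok={ok_val!r:60s} denied={bad_val!r}")
```

Run it as a script and it prints one summary per record followed by the differing fields; point `parse_audit_line` at real idp-audit.log lines to triage a batch the same way. If an IdP uses a customised `idp.audit.format`, change `AUDIT_FORMAT` to match and the field names follow automatically.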