Google Apps with IdP v3 not working

Dave Perry Dave.Perry at hull-college.ac.uk
Thu Aug 27 10:25:09 EDT 2015


I tried it with and without your encoding example, but using g_principal as that's what my attribute filter is set up for.

These log lines are from the same request but earlier on in the process, so it suggests something is behaving itself:
2015-08-27 15:20:01,035 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:352] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'g_principal'
2015-08-27 15:20:01,036 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:368] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for g_principal
2015-08-27 15:20:01,036 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] - Attribute Definition 'g_principal': produced an attribute with the following values [StringAttributeValue{value=Dave.Perry at hull-college.ac.uk}]
2015-08-27 15:20:01,037 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:271] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'g_principal' produced an attribute with 1 values
2015-08-27 15:20:01,037 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:200] - Attribute Resolver 'ShibbolethAttributeResolver': Finalizing resolved attributes

So the following *should* release it to google?
    <afp:AttributeFilterPolicy id="google-principal">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />
        <afp:AttributeRule attributeID="g_principal">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at hull-college.ac.uk *
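The two audit lines quoted further down in this thread (David Langenberg's working one from uchicago.edu and Dave Perry's failing one from the Hull College IdP) are easier to compare slot by slot than by eye. The following is an added example, not code from the Shibboleth project or from either poster. It assumes the stock IdP v3 SSO audit format `%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i` from idp.properties (both quoted lines split into exactly those 13 fields), and the field names in the code are mine; check `idp.audit.format.default` on your own IdP before relying on them. Under that assumption the `%attr` slot lists the IDs of the attributes that were released and `%n` holds the NameID value the IdP actually issued.

```python
import re

# Added example for this thread, not code from Shibboleth or either poster.
# ASSUMPTION: the audit lines follow the stock IdP v3 SSO audit format
#   %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i
# (idp.audit.format.default in idp.properties). Both lines quoted in the
# thread split into exactly these 13 fields; verify against your own
# idp.properties before trusting the field names below, which are mine.
AUDIT_FIELDS = [
    "time",              # %T    timestamp
    "inbound_binding",   # %b    binding the request arrived on
    "request_id",        # %I    inbound message ID
    "sp",                # %SP   relying party entityID
    "profile",           # %P    profile ID
    "idp",               # %IDP  our own entityID
    "outbound_binding",  # %bb   binding used for the response
    "assertion_ids",     # %III  IDs of assertions in the response
    "username",          # %u    authenticated principal
    "authn_context",     # %ac   authn context class issued
    "attributes",        # %attr IDs of released attributes (not values)
    "nameid",            # %n    NameID value actually issued
    "response_id",       # %i    outbound message ID
]

# The record starts at the first %T timestamp; whatever precedes it is the
# logback prefix (date/level/logger, or a syslog prefix plus client IP).
_RECORD_RE = re.compile(r"\d{8}T\d{6}Z\|.*")


def parse_audit_line(line):
    """Return {field: value} for one SSO audit line, or raise ValueError."""
    m = _RECORD_RE.search(line.strip())
    if not m:
        raise ValueError("no audit record found in line: %r" % line)
    parts = m.group(0).split("|")
    # A format written with a trailing '|' yields one extra empty element;
    # drop only that one so genuinely empty trailing fields survive.
    if len(parts) == len(AUDIT_FIELDS) + 1 and parts[-1] == "":
        parts.pop()
    if len(parts) != len(AUDIT_FIELDS):
        raise ValueError("expected %d fields, got %d"
                         % (len(AUDIT_FIELDS), len(parts)))
    return dict(zip(AUDIT_FIELDS, parts))


def empty_fields(record):
    """Names of the fields the IdP left blank, in audit order."""
    return [f for f in AUDIT_FIELDS if record[f] == ""]


def missing_versus(good, bad):
    """Fields populated in a known-good record but blank in a failing one."""
    return [f for f in AUDIT_FIELDS if good[f] != "" and bad[f] == ""]


# Sample input: both lines are copied from this thread; the failing one was
# reassembled from the lines the mail client wrapped in the quoted message.
WORKING_LINE = (
    "Aug 27 05:10:48 15be95cbfeaf [qtp254413710-6275] [Shibboleth-Audit.SSO:241] - "
    "[205.208.122.155] 20150827T051048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "dpnlomihbneebagnanenjdbjfmpkjbnopgknlmoi|google.com|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|urn:mace:incommon:uchicago.edu|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b0c0f7a79b9c4e39158fd38529a3a167|davel|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
    "eduPersonPrincipalName|davel|_0844585d6ef961b7375281cd4338e676"
)
FAILING_LINE = (
    "2015-08-27 14:06:19,024 - INFO [Shibboleth-Audit.SSO:241] - "
    "20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "https://shibb.hull-college.ac.uk/idp/shibboleth|||70012521||g_principal||"
)


def diagnose(good_line=WORKING_LINE, bad_line=FAILING_LINE):
    """Parse both lines and report what the failing record lacks."""
    good, bad = parse_audit_line(good_line), parse_audit_line(bad_line)
    return {
        "username": bad["username"],
        "attributes": bad["attributes"],
        "nameid": bad["nameid"],
        "missing": missing_versus(good, bad),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print("%-10s %s" % (key, value))
```

Run against the two quoted lines, the failing record carries `g_principal` in the attributes slot (the ID of the released attribute, which is the normal content of `%attr`) but nothing in the NameID slot, and the outbound binding, assertion ID and response ID slots are blank as well, so no SAML response was built for that request; the `ContextCheckDenied` event a few lines earlier in the same idp-process.log is handled locally as an error page instead.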


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
Sent: 27 August 2015 15:03
To: Shib Users
Subject: Re: Google Apps with IdP v3 not working

It is populated, but populated with the string g_principal.  Here's what a successful audit log looks like:

Aug 27 05:10:48 15be95cbfeaf [qtp254413710-6275] [Shibboleth-Audit.SSO:241] - [205.208.122.155] 20150827T051048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|dpnlomihbneebagnanenjdbjfmpkjbnopgknlmoi|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|urn:mace:incommon:uchicago.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b0c0f7a79b9c4e39158fd38529a3a167|davel|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName|davel|_0844585d6ef961b7375281cd4338e676

Note, you don't actually see an attribute "principal" in the audit message, you see a username.  Try looking at your encoders and ensuring everything there is correct?

Dave


> On Aug 27, 2015, at 7:19 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
> 
> I dropped Dave's config into the files he said, and I now get this error (with successful login to AD):
> ERROR - Access Denied
> You are not eligible for the service requested.
> 
> It looks like my g_principal attribute is populated, and the attribute filter knows to release it to google.com.
> 
> From idp-process.log:
> 2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:168] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2'  Filtering values for attribute 'g_principal' which currently contains 1 values
> 2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:177] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2'  Filter has permitted the release of 1 values for attribute 'g_principal'
> 2015-08-27 14:06:18,850 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'g_principal' remained after filtering
> 2015-08-27 14:06:18,854 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:126] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/context-check into interceptor context
> 2015-08-27 14:06:18,857 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
> 2015-08-27 14:06:18,858 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/context-check for applicability...
> 2015-08-27 14:06:18,859 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/context-check
> 2015-08-27 14:06:18,997 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:181] - Error event ContextCheckDenied will be handled locally
> 2015-08-27 14:06:19,019 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:206] - Profile Action PopulateAuditContext: Adding 1 value(s) for field 'attr'
> 2015-08-27 14:06:19,020 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'u'
> 2015-08-27 14:06:19,021 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] - Profile Action PopulateAuditContext: Skipping field 's' not included in audit format
> 2015-08-27 14:06:19,024 - INFO [Shibboleth-Audit.SSO:241] - 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||70012521||g_principal||
> 
> And idp-audit:
> 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||myusername||g_principal||
> 
> Any ideas welcome.
> 
> _________________________________________________
> Dave Perry
> eLearning Technologist, Hull College Group
> 
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
> 
> * Need a fast reply? Try elearning at hull-college.ac.uk *
> 
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
> Sent: 26 August 2015 16:38
> To: Shib Users
> Subject: Re: Google Apps with IdP v3 not working
> 
> 
>> On Aug 26, 2015, at 9:30 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>> 
>> On 8/26/15, 11:19 AM, "users on behalf of David Langenberg" <users-bounces at shibboleth.net on behalf of davel at uchicago.edu> wrote:
>> 
>>> No
>>> 
>>> Dave
>>> 
>>>> On Aug 26, 2015, at 9:02 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
>>>> 
>>>> That's brilliant, thanks Dave!
>>>> 
>>>> Did you make any changes to saml-nameid.properties?
>> 
>> He did omit one extra piece, releasing the attribute used to source the NameID in the filter policy. That will (optionally) go away in a future release.
> 
> Thanks Scott, you're right, I forgot the filter.  We are releasing principal to Google.
> 
> Dave
> 
> --
> David Langenberg
> Identity & Access Management Architect The University of Chicago
> 
> 
> 
> --
> To unsubscribe from this list send an email to 
> users-unsubscribe at shibboleth.net
> 
> **********************************************************************
> This message is sent in confidence for the addressee only. It may  
> contain confidential or sensitive information.  The contents are not 
> to be disclosed to anyone other than the addressee.  Unauthorised 
> recipients are requested to preserve this confidentiality and to 
> advise us of any errors in transmission.  Any views expressed in this 
> message are solely the views of the individual and do not represent 
> the views of the College.  Nothing in this message should be construed 
> as creating a contract.
> 
> Hull College Group owns the email infrastructure, including the contents.
> 
> Hull College Group is committed to sustainability, please reflect before printing this email.
> **********************************************************************
> 

--
David Langenberg
Identity & Access Management Architect
The University of Chicago


