Google Apps with IdP v3 not working
David Langenberg
davel at uchicago.edu
Thu Aug 27 10:30:06 EDT 2015
Yeah, I have the same filter. I did encounter this same problem with another SP & different NameID requirements. I resorted in that case to going back to the v2 way of encoding it as a SAML2StringNameID in the AttributeResolver.
Dave
> On Aug 27, 2015, at 8:25 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
>
> I tried it with and without your encoding example, but using g_principal as that's what my attribute filter is setup for.
>
> These log lines are from the same request but earlier on in the process, so it suggests something is behaving itself:
> 2015-08-27 15:20:01,035 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:352] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'g_principal'
> 2015-08-27 15:20:01,036 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:368] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for g_principal
> 2015-08-27 15:20:01,036 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] - Attribute Definition 'g_principal': produced an attribute with the following values [StringAttributeValue{value=Dave.Perry at hull-college.ac.uk}]
> 2015-08-27 15:20:01,037 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:271] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'g_principal' produced an attribute with 1 values
> 2015-08-27 15:20:01,037 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:200] - Attribute Resolver 'ShibbolethAttributeResolver': Finalizing resolved attributes
>
> So the following *should* release it to google?
> <afp:AttributeFilterPolicy id="google-principal">
> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />
> <afp:AttributeRule attributeID="g_principal">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> _________________________________________________
> Dave Perry
> eLearning Technologist, Hull College Group
>
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
>
> * Need a fast reply? Try elearning at hull-college.ac.uk *
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
> Sent: 27 August 2015 15:03
> To: Shib Users
> Subject: Re: Google Apps with IdP v3 not working
>
> It is populated, but populated with the string g_principal. Here's what a successful audit log looks like:
>
> Aug 27 05:10:48 15be95cbfeaf [qtp254413710-6275] [Shibboleth-Audit.SSO:241] - [205.208.122.155] 20150827T051048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|dpnlomihbneebagnanenjdbjfmpkjbnopgknlmoi|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|urn:mace:incommon:uchicago.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b0c0f7a79b9c4e39158fd38529a3a167|davel|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName|davel|_0844585d6ef961b7375281cd4338e676
>
> Note, you don't actually see an attribute "principal" in the audit message, you see a username. Try looking at your encoders and ensuring everything there is correct?
>
> Dave
>
>
>> On Aug 27, 2015, at 7:19 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
>>
>> I dropped Dave's config into the files he said, and I now get this error (with successful login to AD):
>> ERROR - Access Denied
>> You are not eligible for the service requested.
>>
>> It looks like my g_principal attribute is populated, and the attribute filter knows to release it to google.com.
>>
>> From idp-process.log:
>> 2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:168] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2' Filtering values for attribute 'g_principal' which currently contains 1 values
>> 2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:177] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2' Filter has permitted the release of 1 values for attribute 'g_principal'
>> 2015-08-27 14:06:18,850 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'g_principal' remained after filtering
>> 2015-08-27 14:06:18,854 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:126] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/context-check into interceptor context
>> 2015-08-27 14:06:18,857 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
>> 2015-08-27 14:06:18,858 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/context-check for applicability...
>> 2015-08-27 14:06:18,859 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/context-check
>> 2015-08-27 14:06:18,997 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:181] - Error event ContextCheckDenied will be handled locally
>> 2015-08-27 14:06:19,019 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:206] - Profile Action PopulateAuditContext: Adding 1 value(s) for field 'attr'
>> 2015-08-27 14:06:19,020 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'u'
>> 2015-08-27 14:06:19,021 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] - Profile Action PopulateAuditContext: Skipping field 's' not included in audit format
>> 2015-08-27 14:06:19,024 - INFO [Shibboleth-Audit.SSO:241] - 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||70012521||g_principal||
>>
>> And idp-audit:
>> 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||myusername||g_principal||
>>
>> Any ideas welcome.
>>
>> _________________________________________________
>> Dave Perry
>> eLearning Technologist, Hull College Group
>>
>> Room L34 - Queens Gardens Library
>> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
>> Extension 2230 / Direct Dial 01482 381930
>>
>> * Need a fast reply? Try elearning at hull-college.ac.uk *
>>
>> -----Original Message-----
>> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
>> Sent: 26 August 2015 16:38
>> To: Shib Users
>> Subject: Re: Google Apps with IdP v3 not working
>>
>>
>>> On Aug 26, 2015, at 9:30 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>>
>>> On 8/26/15, 11:19 AM, "users on behalf of David Langenberg" <users-bounces at shibboleth.net on behalf of davel at uchicago.edu> wrote:
>>>
>>>> No
>>>>
>>>> Dave
>>>>
>>>>> On Aug 26, 2015, at 9:02 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
>>>>>
>>>>> That's brilliant, thanks Dave!
>>>>>
>>>>> Did you make any changes to saml-nameid.properties?
>>>
>>> He did omit one extra piece, releasing the attribute used to source the NameID in the filter policy. That will (optionally) go away in a future release.
>>
>> Thanks Scott, you're right, I forgot the filter. We are releasing principal to Google.
>>
>> Dave
>>
>> --
>> David Langenberg
>> Identity & Access Management Architect
>> The University of Chicago
>>
>>
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
> --
> David Langenberg
> Identity & Access Management Architect
> The University of Chicago
>
>
>
--
David Langenberg
Identity & Access Management Architect
The University of Chicago
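The thread's diagnosis turns on reading the pipe-delimited IdP v3 audit record: a completed SSO shows a username and a NameID value, while the denied one shows a released attribute but empty NameID and outbound-binding fields. As an added example (not code from the thread or from Shibboleth), the parser below splits a record by the default idp.audit.format, which is assumed here to be unchanged, and reports whether a NameID was actually issued; the sample records are constructed from the two audit lines quoted above, with request and assertion ids shortened.

```python
"""Check Shibboleth IdP v3 audit records for a missing NameID (added example)."""
from typing import Dict, List

# Default IdP v3 audit format from audit.properties (assumed unchanged):
# time, inbound binding, request id, SP, profile, IdP, outbound binding,
# assertion ids, username, authn context, released attributes, NameID, message id.
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i"
FIELDS: List[str] = [tok.lstrip("%") for tok in AUDIT_FORMAT.split("|")]

# Sample records constructed from the two audit lines quoted in the thread.
SUCCESS = ("20150827T051048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|dpnlo"
           "|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser"
           "|urn:mace:incommon:uchicago.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
           "|_b0c0f7a7|davel|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
           "|eduPersonPrincipalName|davel|_08445")
DENIED = ("20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdap"
          "|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser"
          "|https://shibb.hull-college.ac.uk/idp/shibboleth|||70012521||g_principal||")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit record into a dict keyed by its format token (T, b, SP, ...)."""
    values = line.strip().split("|")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return dict(zip(FIELDS, values))


def diagnose(record: Dict[str, str]) -> str:
    """Tell apart a completed SSO from one that stopped before NameID generation."""
    released = [a for a in record["attr"].split(",") if a]
    if record["n"] and record["bb"]:
        return "ok"  # NameID issued and a response was sent back to the SP
    if released:
        # Attribute(s) passed the filter but no NameID or outbound binding was
        # recorded, so the flow ended before assertion generation (e.g. an
        # interceptor denial such as the ContextCheckDenied event in the thread).
        return "released " + ",".join(released) + " but no NameID issued"
    return "no attributes released"


def scan(lines: List[str]) -> List[str]:
    """One diagnosis per record, prefixed with SP and username for log triage."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        out.append(f"{rec['SP']} user={rec['u']}: {diagnose(rec)}")
    return out
```

Run `scan([SUCCESS, DENIED])` against records copied from idp-audit.log (one per line) to spot denied flows without reading the full idp-process.log.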