Google Apps with IdP v3 not working
Dave Perry
Dave.Perry at hull-college.ac.uk
Fri Aug 28 06:21:17 EDT 2015
That didn't work either sadly.
Interestingly, I don't seem to get a SAML interaction in the logs at all. Here are the last few lines of an attempt (stating that it had a value in the attribute to send, but it seems to skip sending a message):
2015-08-28 11:12:34,209 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'g_principal' remained after filtering
2015-08-28 11:12:34,219 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:126] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/context-check into interceptor context
2015-08-28 11:12:34,222 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2015-08-28 11:12:34,223 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/context-check for applicability...
2015-08-28 11:12:34,224 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/context-check
2015-08-28 11:12:34,333 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:181] - Error event ContextCheckDenied will be handled locally
2015-08-28 11:12:34,386 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:206] - Profile Action PopulateAuditContext: Adding 1 value(s) for field 'attr'
2015-08-28 11:12:34,387 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'u'
2015-08-28 11:12:34,388 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] - Profile Action PopulateAuditContext: Skipping field 's' not included in audit format
2015-08-28 11:12:34,401 - INFO [Shibboleth-Audit.SSO:241] - 20150828T101234Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|andhjikocfhkikkdfjekccmabdpjkfopjimonbjk|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||70012521||g_principal||
Any ideas what might cause the 'contextcheckdenied' error?
It seems odd that there is a value there, but it doesn't even try to send it off.
Thanks,
Dave
_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group
Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930
* Need a fast reply? Try elearning at hull-college.ac.uk *
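As an added example (not code from the thread or from Shibboleth), a small Python parser for the pipe-delimited IdP v3 SSO audit lines quoted above, which flags the pattern in Dave's failing line: an attribute ID in the attribute field but no NameID, no outbound binding and no response ID. The field order is an assumption read off the lines in this thread (the IdP's default %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i layout), and the sample lines are constructed with placeholder IDs.

```python
"""Parse Shibboleth IdP v3 SSO audit records and flag 'attributes released, no NameID issued'."""

# Assumed field order, read off the audit lines quoted in this thread
# (the IdP's default "%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i" layout).
FIELDS = ["time", "inbound_binding", "request_id", "sp", "profile", "idp",
          "outbound_binding", "response_id", "user", "authn_context",
          "attributes", "name_id", "assertion_id"]

# Constructed sample lines: the first mirrors the successful line in the thread,
# the second mirrors the failing 'g_principal' line. IDs are placeholders.
SAMPLE = """\
20150827T051048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|REQID-OK|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|urn:mace:incommon:uchicago.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_RESP1|davel|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName|davel|_ASSERT1
20150828T101234Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|REQID-FAIL|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||70012521||g_principal||
"""


def parse_audit_line(line: str) -> dict:
    """Split one audit record into named fields; missing trailing fields become ''."""
    parts = line.rstrip("\n").split("|")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))      # extra trailing fields are ignored


def diagnose(rec: dict) -> str:
    """Classify a record by whether the IdP actually issued a response for it."""
    if rec["response_id"] and rec["name_id"]:
        return "ok"                      # response sent and NameID populated
    if rec["attributes"] and not rec["name_id"]:
        # Attribute released (e.g. g_principal) but no NameID and no response id:
        # the shape of the failing line in this thread.
        return "attributes-released-no-nameid"
    return "no-response"


def scan(text: str) -> list:
    """Return (request_id, sp, diagnosis) for every non-empty audit line."""
    records = (parse_audit_line(l) for l in text.splitlines() if l.strip())
    return [(r["request_id"], r["sp"], diagnose(r)) for r in records]


if __name__ == "__main__":
    for request_id, sp, verdict in scan(SAMPLE):
        print(f"{request_id:<12} {sp:<12} {verdict}")
```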
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
Sent: 27 August 2015 15:30
To: Shib Users
Subject: Re: Google Apps with IdP v3 not working
Yeah, I have the same filter. I did encounter this same problem with another SP & different NameID requirements. I resorted in that case to going back to the v2 way of encoding it as a SAML2StringNameID in the AttributeResolver.
Dave
> On Aug 27, 2015, at 8:25 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
>
> I tried it with and without your encoding example, but using g_principal as that's what my attribute filter is setup for.
>
> These log lines are from the same request but earlier on in the process, so it suggests something is behaving itself:
> 2015-08-27 15:20:01,035 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:352] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'g_principal'
> 2015-08-27 15:20:01,036 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:368] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for g_principal
> 2015-08-27 15:20:01,036 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] - Attribute Definition 'g_principal': produced an attribute with the following values [StringAttributeValue{value=Dave.Perry at hull-college.ac.uk}]
> 2015-08-27 15:20:01,037 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:271] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'g_principal' produced an attribute with 1 values
> 2015-08-27 15:20:01,037 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:200] - Attribute Resolver 'ShibbolethAttributeResolver': Finalizing resolved attributes
>
> So the following *should* release it to google?
> <afp:AttributeFilterPolicy id="google-principal">
> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />
> <afp:AttributeRule attributeID="g_principal">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
> Sent: 27 August 2015 15:03
> To: Shib Users
> Subject: Re: Google Apps with IdP v3 not working
>
> It is populated, but populated with the string g_principal. Here's what a successful audit log looks like:
>
> Aug 27 05:10:48 15be95cbfeaf [qtp254413710-6275] [Shibboleth-Audit.SSO:241] - [205.208.122.155] 20150827T051048Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|dpnlomihbneebagnanenjdbjfmpkjbnopgknlmoi|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|urn:mace:incommon:uchicago.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b0c0f7a79b9c4e39158fd38529a3a167|davel|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName|davel|_0844585d6ef961b7375281cd4338e676
>
> Note, you don't actually see an attribute "principal" in the audit message, you see a username. Try looking at your encoders and ensuring everything there is correct?
>
> Dave
>
>
>> On Aug 27, 2015, at 7:19 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
>>
>> I dropped Dave's config into the files he said, and I now get this error (with successful login to AD):
>> ERROR - Access Denied
>> You are not eligible for the service requested.
>>
>> It looks like my g_principal attribute is populated, and the attribute filter knows to release it to google.com.
>>
>> From idp-process.log:
>> 2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:168] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2' Filtering values for attribute 'g_principal' which currently contains 1 values
>> 2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:177] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2' Filter has permitted the release of 1 values for attribute 'g_principal'
>> 2015-08-27 14:06:18,850 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'g_principal' remained after filtering
>> 2015-08-27 14:06:18,854 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:126] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/context-check into interceptor context
>> 2015-08-27 14:06:18,857 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
>> 2015-08-27 14:06:18,858 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/context-check for applicability...
>> 2015-08-27 14:06:18,859 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/context-check
>> 2015-08-27 14:06:18,997 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:181] - Error event ContextCheckDenied will be handled locally
>> 2015-08-27 14:06:19,019 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:206] - Profile Action PopulateAuditContext: Adding 1 value(s) for field 'attr'
>> 2015-08-27 14:06:19,020 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'u'
>> 2015-08-27 14:06:19,021 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] - Profile Action PopulateAuditContext: Skipping field 's' not included in audit format
>> 2015-08-27 14:06:19,024 - INFO [Shibboleth-Audit.SSO:241] - 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||70012521||g_principal||
>>
>> And idp-audit:
>> 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibb.hull-college.ac.uk/idp/shibboleth|||myusername||g_principal||
>>
>> Any ideas welcome.
>>
>>
>> -----Original Message-----
>> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
>> Sent: 26 August 2015 16:38
>> To: Shib Users
>> Subject: Re: Google Apps with IdP v3 not working
>>
>>
>>> On Aug 26, 2015, at 9:30 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>>
>>> On 8/26/15, 11:19 AM, "users on behalf of David Langenberg" <users-bounces at shibboleth.net on behalf of davel at uchicago.edu> wrote:
>>>
>>>> No
>>>>
>>>> Dave
>>>>
>>>>> On Aug 26, 2015, at 9:02 AM, Dave Perry <Dave.Perry at hull-college.ac.uk> wrote:
>>>>>
>>>>> That's brilliant, thanks Dave!
>>>>>
>>>>> Did you make any changes to saml-nameid.properties?
>>>
>>> He did omit one extra piece, releasing the attribute used to source the NameID in the filter policy. That will (optionally) go away in a future release.
>>
>> Thanks Scott, you're right, I forgot the filter. We are releasing principal to Google.
>>
>> Dave
>>
>> --
>> David Langenberg
>> Identity & Access Management Architect The University of Chicago
>>
>>
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>