Issues getting PagerDuty which uses SAML 2.0 to talk to Shibboleth IDP.

Peter Schober peter.schober at univie.ac.at
Wed Jun 3 19:42:07 EDT 2015


Please keep replies to the list.

* Cahill, Charles (GE Appliances) <Charles.Cahill at ge.com> [2015-06-02 16:21]:
> I did make the below changes but got multiple errors in the logs.

That's not a technical error report, of course. But 2 sources of errors
are explained fully below.

What I'd like to know from you, though, is from looking at the log
yourself, did you determine that the error you had so far (treating
the SAML SP you want to integrate with as "anonymous") was solved by
the suggested metadata/configuration changes?
If so, that's great to hear and we can move on to other errors
(details below).
Otherwise the SP is still not recognized and we therefore still have
to concentrate on your relying-party and metadata configuration.

> Would you kindly scan the attached RelyingParty and
> attributeResolver xml files and let me know where I am going wrong?

If that attribute-resolver.xml was the full file, you've changed it
quite drastically from the installed defaults. (Not an issue in itself
if it works and does what you need.)
I'm assuming you removed parts of the file before posting (not just
replacing passwords etc), since many attribute definitions have a
Dependency that doesn't exist in that file. But from an incomplete
file I cannot say whether the sourceAttributeID and Dependency from my
example exists in your config, of course.

> 	<resolver:AttributeDefinition xsi:type="ad:Simple" id="emailNameID" sourceAttributeID="email">
>     	        <resolver:Dependency ref="email" />
>     	        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
>       	        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
>    	</resolver:AttributeDefinition>

So the example configuration I sent for generating a NameID containing
the subject's email address assumed you had an AttributeDefinition
with id="email" in your resolver; there was none in the file you
sent. If there indeed is none, you'd need to add one, e.g., following
your definitions for "uid" or "cn".

Right below you pasted the configuration example I said to put into
your attribute-filter.xml (step 3 in my post) into the
attribute-resolver.xml, which cannot work:
>    	
>         <afp:AttributeFilterPolicy id="EmailNameID4PagerDuty">
> 	        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
>                 value="https :// ge-appliances.pagerduty.com" />
>                 <afp:AttributeRule attributeID="emailNameID">
>                 <afp:PermitValueRule xsi:type="basic:ANY" />
>                 </afp:AttributeRule>
>         </afp:AttributeFilterPolicy>

That alone will prevent the IDP from starting, as you will have seen.
So fix that first before even looking at any error messages in the log.

Also you failed to remove the artificially introduced spaces around
the entityID of that SP in the 3rd line of the above example policy
rule, like I told you to. So that rule would never match and therefore
not do anything useful (but will not cause errors in the logs, at least).
-peter


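For reference, the two fragments Peter describes, placed in the files they belong in. This is an added example, not configuration from the original post or from PagerDuty; it assumes the IdP v2 default LDAP DataConnector id="myLDAP" exposing an LDAP attribute named "mail" (substitute whatever your "uid" or "cn" definitions depend on), and it uses the quoted entityID with the artificially introduced spaces removed (confirm the real entityID against the SP's metadata).

```xml
<!-- ===== attribute-resolver.xml (inside <resolver:AttributeResolver>) ===== -->

<!-- Assumed: a definition with id="email" that the NameID definition can
     depend on. It mirrors the shape of a typical "uid"/"cn" definition:
     a Simple definition reading the LDAP attribute "mail" via the
     (assumed) "myLDAP" DataConnector. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>

<!-- The NameID definition from Peter's earlier example. Its Dependency
     ref and sourceAttributeID must both name the definition above. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="emailNameID" sourceAttributeID="email">
    <resolver:Dependency ref="email" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<!-- ===== attribute-filter.xml (inside <afp:AttributeFilterPolicyGroup>) ===== -->

<!-- Release policy: goes in attribute-filter.xml, NOT attribute-resolver.xml
     (an <afp:...> element in the resolver file fails schema validation and
     the IdP will not start). The value must be the SP's exact entityID
     with no spaces, or AttributeRequesterString never matches and the
     rule silently does nothing. -->
<afp:AttributeFilterPolicy id="EmailNameID4PagerDuty">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://ge-appliances.pagerduty.com" />
    <afp:AttributeRule attributeID="emailNameID">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Before restarting the IdP, run `xmllint --noout` over both files to catch well-formedness errors, then use the IdP's `bin/aacli.sh` with `--principal` set to a test user and `--requester` set to the SP's entityID: if the corrected policy matches, the output includes the emailNameID attribute; if it is absent, the entityID in the PolicyRequirementRule does not match what the SP sends, which is the first thing to check.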