Shibboleth IdP with Webex
Sacilowski, Tadeusz
ts2878 at tc.columbia.edu
Thu Nov 5 16:36:03 EST 2015
Andrew,
Thanks so much for the clarification. Apparently I had the NameID coming
across through a different attribute. My issue was a malformed email
attribute that I needed to scope properly (it's a scripted attribute built
from our UIDs... long story). Either way, your reply helped me understand
and address the issue properly.
I do have one more question, if I may. How are you creating the "modifytimestamp" attribute that you reference?
<resolver:AttributeDefinition xsi:type="ad:Simple"
id="webex_updatetimestamp" sourceAttributeID="modifytimestamp">
<resolver:Dependency ref="ONIDLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="updateTimeStamp" />
</resolver:AttributeDefinition>
Thanks again!
Teddy
*Tadeusz Sacilowski*
*Enterprise Architect & Security Engineer*
Teachers College, Columbia University
ts2878 at tc.columbia.edu
On Thu, Nov 5, 2015 at 12:35 PM, Andrew Morgan <morgan at orst.edu> wrote:
> On Thu, 5 Nov 2015, Sacilowski, Tadeusz wrote:
>
>> Hi All,
>>
>> So I'm still having some issues with the WebEx auto account creation. The
>> error message on the WebEx side shows "Auto Account Creation failed (31)".
>> I've added the following to my attribute.resolver.xml:
>>
>> <!-- BEGIN: Attributes for WebEx auto account creation -->
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExUid"
>> sourceAttributeID="uid">
>> <resolver:Dependency ref="myLDAP" />
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="uid" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExFirstname"
>> sourceAttributeID="givenName">
>> <resolver:Dependency ref="myLDAP" />
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="firstname" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExLastname"
>> sourceAttributeID="sn">
>> <resolver:Dependency ref="myLDAP" />
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="lastname" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExEmail"
>> sourceAttributeID="mail">
>> <resolver:Dependency ref="myLDAP" />
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="email" />
>> </resolver:AttributeDefinition>
>> <!-- END: Attributes for WebEx auto account creation -->
>>
>> And I'm releasing them to WebEx as such (we will have multiple WebEx
>> sites,
>> hence the "basic:OR" for AttributeRequesterString):
>>
>> <!-- Release WebEx attributes -->
>> <afp:AttributeFilterPolicy id="releaseToWebEx">
>> <afp:PolicyRequirementRule xsi:type="basic:OR">
>> <basic:Rule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com" />
>> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.webex.com" />
>> </afp:PolicyRequirementRule>
>>
>> <afp:AttributeRule attributeID="WebExUid">
>> <afp:PermitValueRule xsi:type="basic:ANY"/>
>> </afp:AttributeRule>
>>
>> <afp:AttributeRule attributeID="WebExFirstname">
>> <afp:PermitValueRule xsi:type="basic:ANY"/>
>> </afp:AttributeRule>
>>
>> <afp:AttributeRule attributeID="WebExLastname">
>> <afp:PermitValueRule xsi:type="basic:ANY"/>
>> </afp:AttributeRule>
>>
>> <afp:AttributeRule attributeID="WebExEmail">
>> <afp:PermitValueRule xsi:type="basic:ANY"/>
>> </afp:AttributeRule>
>> </afp:AttributeFilterPolicy>
>>
>> I see the values being populated in my logs... not sure what I'm doing
>> wrong. Hoping maybe someone might have some insight as I wait for a
>> response from their support folks.
>>
>
> You are setting a nameFormat on all of the attributes, but none of them
> are being encoded as a NameID. You only need the nameFormat on the
> attribute you are encoding as a NameID.
>
> Here is OSU's working configuration (with 2 webex sites, btw).
>
> attribute-resolver.xml:
>
> <!-- WebEx NameID attribute -->
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex-principal" sourceAttributeID="eduPersonPrincipalName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
> nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
> </resolver:AttributeDefinition>
>
> <!-- WebEx attributes -->
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="webex_uid"
> sourceAttributeID="uid">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="uid" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex_firstname" sourceAttributeID="givenName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="firstname" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="webex_lastname"
> sourceAttributeID="sn">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="lastname" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="webex_email"
> sourceAttributeID="eduPersonPrincipalName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email"
> />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex_updatetimestamp" sourceAttributeID="modifytimestamp">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="updateTimeStamp" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Script"
> id="webex_affiliation">
> <resolver:Dependency ref="ismemberof" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="webex_affiliation" />
> <ad:Script>
> <![CDATA[
>
> importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
> webex_affiliation = new
> BasicAttribute("webex_affiliation");
> if (typeof ismemberof != "undefined" && ismemberof !=
> null) {
> for (var i=0; i<ismemberof.getValues().size(); i++) {
> var group = ismemberof.getValues().get(i);
> if (group.toLowerCase() ==
> "cn=staff,ou=webex,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu") {
> webex_affiliation.getValues().add('staff');
> }
> if (group.toLowerCase() ==
> "cn=students,ou=webex,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu") {
> webex_affiliation.getValues().add('students');
> }
> }
> }
> ]]>
> </ad:Script>
> </resolver:AttributeDefinition>
>
>
> attribute-filter.xml:
>
> <!-- WebEx filters -->
> <afp:AttributeFilterPolicy id="webex-deny-transientid">
> <afp:PolicyRequirementRule xsi:type="basic:OR">
> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://oregonstate-staff.webex.com" />
> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://oregonstate-students.webex.com" />
> </afp:PolicyRequirementRule>
> <afp:AttributeRule attributeID="transientId">
> <afp:DenyValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> <afp:AttributeFilterPolicy id="webex-staff">
> <afp:PolicyRequirementRule xsi:type="basic:AND">
> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://oregonstate-staff.webex.com" />
> <basic:Rule xsi:type="basic:AttributeValueString"
> attributeID="webex_affiliation" value="staff" />
> </afp:PolicyRequirementRule>
> <afp:AttributeRule attributeID="webex-principal">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_uid">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_firstname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_lastname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_email">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_updatetimestamp">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> <afp:AttributeFilterPolicy id="webex-students">
> <afp:PolicyRequirementRule xsi:type="basic:AND">
> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://oregonstate-students.webex.com" />
> <basic:Rule xsi:type="basic:AttributeValueString"
> attributeID="webex_affiliation" value="students" />
> </afp:PolicyRequirementRule>
> <afp:AttributeRule attributeID="webex-principal">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_uid">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_firstname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_lastname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_email">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_updatetimestamp">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
>
> I'm happy to help! Ask questions. :)
>
> Andy
>
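The misconfiguration Andrew points out above (a nameFormat on every plain SAML2String encoder, and no attribute encoded as a NameID at all) is easy to catch mechanically before an SP ever reports "Auto Account Creation failed". The following lint is an added example, not code from the thread or from the Shibboleth project: it parses a constructed IdP v2 style attribute-resolver.xml and attribute-filter.xml (the namespace URIs and element names follow the v2 configuration shown in the thread; the sample documents themselves are constructed to reproduce the original poster's mistake), flags nameFormat on non-NameID encoders, warns when no NameID encoder exists, and reports filter rules that release attribute IDs the resolver never defines.

```python
"""Lint a Shibboleth IdP v2 attribute-resolver.xml / attribute-filter.xml pair
for the mistakes discussed in the thread. Added example; not from the list post."""
import xml.etree.ElementTree as ET

# Namespace prefixes as used in the IdP v2 configuration files.
NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "enc": "urn:mace:shibboleth:2.0:attribute:encoder",
    "afp": "urn:mace:shibboleth:2.0:afp",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed sample resembling the original poster's resolver: nameFormat on a
# plain SAML2String encoder and no NameID encoder anywhere.
RESOLVER_XML = """<resolver:AttributeResolver
  xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
  xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
  xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExUid" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="uid"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExEmail" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

# Constructed filter policy that also releases an attribute the resolver lacks.
FILTER_XML = """<afp:AttributeFilterPolicyGroup
  xmlns:afp="urn:mace:shibboleth:2.0:afp"
  xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToWebEx">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com"/>
    <afp:AttributeRule attributeID="WebExUid"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="WebExEmail"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="WebExLastname"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""


def parse_resolver(xml_text):
    """Return {attribute id: [(encoder xsi:type, nameFormat or None), ...]}."""
    root = ET.fromstring(xml_text)
    defs = {}
    for d in root.findall("resolver:AttributeDefinition", NS):
        encoders = []
        for e in d.findall("resolver:AttributeEncoder", NS):
            encoders.append((e.get(XSI_TYPE, ""), e.get("nameFormat")))
        defs[d.get("id")] = encoders
    return defs


def lint_resolver(defs):
    """Flag nameFormat on non-NameID encoders and the absence of any NameID encoder."""
    findings = []
    has_nameid = False
    for attr_id, encoders in defs.items():
        for xsi_type, name_format in encoders:
            if xsi_type.endswith("NameID"):
                has_nameid = True
            elif name_format is not None:
                findings.append(
                    f"{attr_id}: nameFormat set on {xsi_type}; only a NameID encoder needs it")
    if not has_nameid:
        findings.append("no attribute is encoded as a NameID (enc:SAML2StringNameID)")
    return findings


def lint_filter(defs, xml_text):
    """Flag filter rules that release attribute ids the resolver never defines."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        for rule in policy.findall("afp:AttributeRule", NS):
            attr_id = rule.get("attributeID")
            if attr_id not in defs:
                findings.append(f"{policy.get('id')}: releases undefined attribute {attr_id}")
    return findings


def lint(resolver_xml, filter_xml):
    """Run both checks; returns a list of human-readable warnings (empty when clean)."""
    defs = parse_resolver(resolver_xml)
    return lint_resolver(defs) + lint_filter(defs, filter_xml)


if __name__ == "__main__":
    for finding in lint(RESOLVER_XML, FILTER_XML):
        print("WARN", finding)
```

Run against the constructed pair it prints three warnings: the stray nameFormat on WebExUid, the missing NameID encoder, and the dangling WebExLastname release rule. Pointing `lint()` at real files is a matter of reading them in; the check only looks at the resolver's encoder types and the filter's attributeID references, so it is safe to run against a production configuration without touching the IdP.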