Shibboleth IdP with Webex

Sacilowski, Tadeusz ts2878 at tc.columbia.edu
Thu Nov 5 16:36:03 EST 2015


Andrew,

Thanks so much for the clarification. Apparently I had the NameID coming
across through a different attribute. My issue was a malformed email
attribute that I needed to scope properly (it's a scripted attribute built
from our UIDs... long story). Either way, your reply helped me understand
and address the issue properly.

I do have one more question, if I may. How are you creating the
"modifytimestamp" attribute that you reference?

<resolver:AttributeDefinition xsi:type="ad:Simple"
    id="webex_updatetimestamp" sourceAttributeID="modifytimestamp">
    <resolver:Dependency ref="ONIDLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="updateTimeStamp" />
</resolver:AttributeDefinition>

Thanks again!
Teddy



*Tadeusz Sacilowski*
*Enterprise Architect & Security Engineer*
Teachers College, Columbia University
ts2878 at tc.columbia.edu

On Thu, Nov 5, 2015 at 12:35 PM, Andrew Morgan <morgan at orst.edu> wrote:

> On Thu, 5 Nov 2015, Sacilowski, Tadeusz wrote:
>
>> Hi All,
>>
>> So I'm still having some issues with the WebEx auto account creation. The
>> error message on the WebEx side shows "Auto Account Creation failed (31)".
>> I've added the following to my attribute.resolver.xml:
>>
>> <!-- BEGIN: Attributes for WebEx auto account creation -->
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExUid"
>> sourceAttributeID="uid">
>>     <resolver:Dependency ref="myLDAP" />
>>     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="uid" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExFirstname"
>> sourceAttributeID="givenName">
>>    <resolver:Dependency ref="myLDAP" />
>>    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="firstname" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExLastname"
>> sourceAttributeID="sn">
>>    <resolver:Dependency ref="myLDAP" />
>>    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="lastname" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExEmail"
>> sourceAttributeID="mail">
>>    <resolver:Dependency ref="myLDAP" />
>>    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="email" />
>> </resolver:AttributeDefinition>
>> <!-- END: Attributes for WebEx auto account creation -->
>>
>> And I'm releasing them to WebEx as such (we will have multiple WebEx
>> sites,
>> hence the "basic:OR" for AttributeRequesterString):
>>
>> <!-- Release WebEx attributes -->
>> <afp:AttributeFilterPolicy id="releaseToWebEx">
>>    <afp:PolicyRequirementRule xsi:type="basic:OR">
>>        <basic:Rule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com" />
>>        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.webex.com" />
>>    </afp:PolicyRequirementRule>
>>
>>    <afp:AttributeRule attributeID="WebExUid">
>>         <afp:PermitValueRule xsi:type="basic:ANY"/>
>>    </afp:AttributeRule>
>>
>>    <afp:AttributeRule attributeID="WebExFirstname">
>>        <afp:PermitValueRule xsi:type="basic:ANY"/>
>>    </afp:AttributeRule>
>>
>>    <afp:AttributeRule attributeID="WebExLastname">
>>        <afp:PermitValueRule xsi:type="basic:ANY"/>
>>    </afp:AttributeRule>
>>
>>    <afp:AttributeRule attributeID="WebExEmail">
>>        <afp:PermitValueRule xsi:type="basic:ANY"/>
>>    </afp:AttributeRule>
>> </afp:AttributeFilterPolicy>
>>
>> I see the values being populated in my logs... not sure what I'm doing
>> wrong. Hoping maybe someone might have some insight as I wait for a
>> response from their support folks.
>>
>
> You are setting a nameFormat on all of the attributes, but none of them
> are being encoded as a NameID.  You only need the nameFormat on the
> attribute you are encoding as a NameID.
>
> Here is OSU's working configuration (with 2 webex sites, btw).
>
> attribute-resolver.xml:
>
>     <!-- WebEx NameID attribute -->
>     <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex-principal" sourceAttributeID="eduPersonPrincipalName">
>         <resolver:Dependency ref="ONIDLDAP" />
>         <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
> nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
>     </resolver:AttributeDefinition>
>
>     <!-- WebEx attributes -->
>     <resolver:AttributeDefinition xsi:type="ad:Simple" id="webex_uid"
> sourceAttributeID="uid">
>         <resolver:Dependency ref="ONIDLDAP" />
>         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="uid" />
>     </resolver:AttributeDefinition>
>
>     <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex_firstname" sourceAttributeID="givenName">
>         <resolver:Dependency ref="ONIDLDAP" />
>         <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="firstname" />
>     </resolver:AttributeDefinition>
>
>     <resolver:AttributeDefinition xsi:type="ad:Simple" id="webex_lastname"
> sourceAttributeID="sn">
>         <resolver:Dependency ref="ONIDLDAP" />
>         <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="lastname" />
>     </resolver:AttributeDefinition>
>
>     <resolver:AttributeDefinition xsi:type="ad:Simple" id="webex_email"
> sourceAttributeID="eduPersonPrincipalName">
>         <resolver:Dependency ref="ONIDLDAP" />
>         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email"
> />
>     </resolver:AttributeDefinition>
>
>     <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex_updatetimestamp" sourceAttributeID="modifytimestamp">
>         <resolver:Dependency ref="ONIDLDAP" />
>         <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="updateTimeStamp" />
>     </resolver:AttributeDefinition>
>
>     <resolver:AttributeDefinition xsi:type="ad:Script"
> id="webex_affiliation">
>         <resolver:Dependency ref="ismemberof" />
>         <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="webex_affiliation" />
>         <ad:Script>
>             <![CDATA[
>
> importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
>                 webex_affiliation = new
> BasicAttribute("webex_affiliation");
>                 if (typeof ismemberof != "undefined" && ismemberof !=
> null) {
>                     for (var i=0; i<ismemberof.getValues().size(); i++) {
>                         var group = ismemberof.getValues().get(i);
>                         if (group.toLowerCase() ==
>                             "cn=staff,ou=webex,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu") {
>                             webex_affiliation.getValues().add('staff');
>                         }
>                         if (group.toLowerCase() ==
>                             "cn=students,ou=webex,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu") {
>                             webex_affiliation.getValues().add('students');
>                         }
>                     }
>                 }
>             ]]>
>         </ad:Script>
>     </resolver:AttributeDefinition>
>
>
> attribute-filter.xml:
>
>     <!-- WebEx filters -->
>     <afp:AttributeFilterPolicy id="webex-deny-transientid">
>         <afp:PolicyRequirementRule xsi:type="basic:OR">
>             <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://oregonstate-staff.webex.com" />
>             <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://oregonstate-students.webex.com" />
>         </afp:PolicyRequirementRule>
>         <afp:AttributeRule attributeID="transientId">
>             <afp:DenyValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>     </afp:AttributeFilterPolicy>
>
>     <afp:AttributeFilterPolicy id="webex-staff">
>         <afp:PolicyRequirementRule xsi:type="basic:AND">
>             <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://oregonstate-staff.webex.com" />
>             <basic:Rule xsi:type="basic:AttributeValueString"
> attributeID="webex_affiliation" value="staff" />
>         </afp:PolicyRequirementRule>
>         <afp:AttributeRule attributeID="webex-principal">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_uid">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_firstname">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_lastname">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_email">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_updatetimestamp">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>     </afp:AttributeFilterPolicy>
>
>     <afp:AttributeFilterPolicy id="webex-students">
>         <afp:PolicyRequirementRule xsi:type="basic:AND">
>             <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://oregonstate-students.webex.com" />
>             <basic:Rule xsi:type="basic:AttributeValueString"
> attributeID="webex_affiliation" value="students" />
>         </afp:PolicyRequirementRule>
>         <afp:AttributeRule attributeID="webex-principal">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_uid">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_firstname">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_lastname">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_email">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         <afp:AttributeRule attributeID="webex_updatetimestamp">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>     </afp:AttributeFilterPolicy>
>
>
> I'm happy to help!  Ask questions.  :)
>
>         Andy
>