Configuring Attribute Release Consent with SP blacklist

Lipscomb, Gary glipscomb at csu.edu.au
Tue Apr 19 19:35:31 EDT 2016


Hi Etienne,

Yes and added extra debug, though not getting any extra debug information with

  <logger name="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate.Candidate" level="DEBUG" />

Had to change to
  <logger name="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate" level="DEBUG" />

With DEBUG [2] now shows  - no EntityAttributes extension found for https://AAAAAdevel.csu.edu.au/shibboleth

Looks as if something is wrong in metadata [3] but I can't see it :-(

Regards
Gary

[1] logback.xml

<!-- extra logging for testing -->
  <logger name="net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver" level="DEBUG" />
  <logger name="net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer" level="DEBUG" />
  <logger name="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate" level="DEBUG" />

[2] idp-process.log

2016-04-20 09:09:26,418 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:305] - Checking if relying party configuration shibboleth.NoUserConsentRelyingPartybyTag is applicable

2016-04-20 09:09:26,418 - DEBUG [org.opensaml.saml.common.profile.logic.EntityAttributesPredicate:183] - no EntityAttributes extension found for https://AAAAAdevel.csu.edu.au/shibboleth

2016-04-20 09:09:26,418 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:310] - Relying party configuration shibboleth.NoUserConsentRelyingPartybyTag is not applicable

2016-04-20 09:09:26,418 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:314] - No relying party configurations are applicable, returning the default configuration shibboleth.DefaultRelyingParty

[3] metadata

<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
                       xmlns:saml="urn:oasis:names:tc:SAML:assertion">

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_4d35faa8519eba5b810db7474072fbd851cdcfe2" entityID="https://AAAAAdevel.csu.edu.au/shibboleth">

  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>

    <mdattr:EntityAttributes>
       <saml:Attribute Name="ConsentReleaseRequired">
       <saml:AttributeValue>false</saml:AttributeValue>
       </saml:Attribute>
    </mdattr:EntityAttributes>

  </md:Extensions>

<!-- ... rest of metadata for entity -->

</md:EntityDescriptor>
</md:EntitiesDescriptor>

> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Etienne Dysli-Metref
> Sent: Tuesday, 19 April 2016 17:54
> To: users at shibboleth.net
> Subject: Re: Configuring Attribute Release Consent with SP blacklist
>
> On 15/04/16 05:47, Lipscomb, Gary wrote:
> > [2] relying-party.xml
> > <bean id="shibboleth.NoUserConsentRelyingPartybyTag" parent="RelyingPartyByTag">
>
> You've put this bean into <util:list
> id="shibboleth.RelyingPartyOverrides">, right?
>
> > [3] idp-process.log
> > 2016-04-15 13:30:53,298 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://AAAAAdevel.csu.edu.au/shibboleth
> > 2016-04-15 13:30:53,327 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
> > 2016-04-15 13:30:53,328 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:305] - Checking if relying party configuration shibboleth.NoUserConsentRelyingPartybyTag is applicable
> > 2016-04-15 13:30:53,329 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:310] - Relying party configuration shibboleth.NoUserConsentRelyingPartybyTag is not applicable
> > 2016-04-15 13:30:53,329 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:314] - No relying party configurations are applicable, returning the default configuration shibboleth.DefaultRelyingParty
>
> Do you have DEBUG turned on for
> org.opensaml.saml.common.profile.logic.EntityAttributesPredicate.Candidate?
> That's the object checking the condition.
>
>   Etienne
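
Added example, not part of the original post or of the Shibboleth code base: a Python check of which XML namespace each child of mdattr:EntityAttributes in the metadata at [3] resolves to, compared with the SAML 2.0 assertion namespace urn:oasis:names:tc:SAML:2.0:assertion. The sample is a trimmed, constructed copy of [3]; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the entity from [3], trimmed to the parts being checked.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:assertion">
  <md:EntityDescriptor entityID="https://AAAAAdevel.csu.edu.au/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="ConsentReleaseRequired">
          <saml:AttributeValue>false</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def qname(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    ns, _, local = tag.rpartition("}")
    return ns.lstrip("{"), local


def check_entity_tags(xml_text):
    """Per entityID: tags found as SAML 2.0 Attribute elements, plus any
    other children of EntityAttributes with the namespace they resolve to."""
    report = {}
    for entity in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        tags, other = {}, []
        for ea in entity.findall(f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes"):
            for child in ea:
                if qname(child.tag) == (SAML2, "Attribute"):
                    values = child.findall(f"{{{SAML2}}}AttributeValue")
                    tags[child.get("Name")] = [v.text for v in values]
                else:
                    other.append(qname(child.tag))
        report[entity.get("entityID")] = {"tags": tags, "other": other}
    return report


if __name__ == "__main__":
    for entity_id, result in check_entity_tags(SAMPLE).items():
        print(entity_id, result)
```

On the sample the tag map comes back empty and the Attribute element is reported under urn:oasis:names:tc:SAML:assertion, the URI bound to the saml prefix in [3].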

