Consent Attribute Release with conditional metadata attributes
Lipscomb, Gary
glipscomb at csu.edu.au
Mon Apr 25 23:57:19 EDT 2016
Hi,
I can't get the consent attribute release to work based on metadata attributes. In the log [1] I keep on getting "no EntityAttributes extension found for https://AAaaAAdevel.csu.edu.au/shibboleth" and it then proceeds to the consent GUI. If I go to the BBbbBBdevel or CCccCCdevel sites the consent GUI is bypassed.
The metadata file [2] has the entity attributes defined. I know it is the right file being loaded since if I change the mdui:DisplayName this is displayed on the login page correctly.
The relyingparty.xml [3] is shown below.
Am I going about this the right way? Is there extra debugging I can turn on to help resolve this?
Regards
Gary
Gary Lipscomb
Technical Officer, Systems (Infrastructure) | Systems
Infrastructure & Client Services | Division of Information Technology
Charles Sturt University
[0] versions
2016-04-26 13:13:58,799 - INFO [net.shibboleth.idp.log.LogbackLoggingService:240] - Shibboleth IdP Version 3.2.0
2016-04-26 13:13:58,827 - INFO [net.shibboleth.idp.log.LogbackLoggingService:241] - Java version='1.8.0_77' vendor='Oracle Corporation'
[1] idp-process.log
2016-04-26 13:19:26,910 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://AAaaAAdevel.csu.edu.au/shibboleth
2016-04-26 13:19:26,948 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
2016-04-26 13:19:26,949 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:305] - Checking if relying party configuration EntityNames[https://CCccCCdevel.csu.edu.au/shibboleth,https://BBbbBBdevel.csu.edu.au/shibboleth,] is applicable
2016-04-26 13:19:26,949 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:310] - Relying party configuration EntityNames[https://CCccCCdevel.csu.edu.au/shibboleth,https://BBbbBBdevel.csu.edu.au/shibboleth,] is not applicable
2016-04-26 13:19:26,949 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:305] - Checking if relying party configuration shibboleth.NoUserConsentRelyingPartybyTag is applicable
2016-04-26 13:19:26,950 - DEBUG [org.opensaml.saml.common.profile.logic.EntityAttributesPredicate:183] - no EntityAttributes extension found for https://AAaaAAdevel.csu.edu.au/shibboleth
2016-04-26 13:19:26,950 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:310] - Relying party configuration shibboleth.NoUserConsentRelyingPartybyTag is not applicable
2016-04-26 13:19:26,950 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:314] - No relying party configurations are applicable, returning the default configuration shibboleth.DefaultRelyingParty
[2] metadata file
<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://AAaaAAdevel.csu.edu.au/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
        <saml:Attribute
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
            Name="ConsentReleaseRequired">
          <saml:AttributeValue>NotRequired</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
      <md:Extensions>
        <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
          <mdui:DisplayName xml:lang="en">AAaaAA.csu devel</mdui:DisplayName>
        </mdui:UIInfo>
      </md:Extensions>
      <!-- other SPSSODescriptor stuff -->
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
[3] relyingparty.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
            </list>
        </property>
    </bean>

    <!--
    Default configuration, with default settings applied for all profiles, and enables
    the attribute-release consent flow.
    -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
                <ref bean="Liberty.SSOS" />
            </list>
        </property>
    </bean>

    <!-- Container for any overrides you want to add. -->
    <util:list id="shibboleth.RelyingPartyOverrides">

        <!-- Consent bypass by explicit entityID list. -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByName"
              c:relyingPartyIds="#{{'https://CCccCCdevel.csu.edu.au/shibboleth', 'https://BBbbBBdevel.csu.edu.au/shibboleth'}}">
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML1.AttributeQuery" />
                    <ref bean="SAML1.ArtifactResolution" />
                    <ref bean="SAML2.SSO" />
                    <ref bean="SAML2.ECP" />
                    <ref bean="SAML2.Logout" />
                    <ref bean="SAML2.AttributeQuery" />
                    <ref bean="SAML2.ArtifactResolution" />
                </list>
            </property>
        </bean>

        <!-- Consent bypass by EntityAttributes tag in the SP's metadata. -->
        <bean id="shibboleth.NoUserConsentRelyingPartybyTag" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="noAttributeConsentRequired" parent="TagCandidate"
                          c:name="ConsentReleaseRequired"
                          p:values="NotRequired" />
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML1.AttributeQuery" />
                    <ref bean="SAML1.ArtifactResolution" />
                    <ref bean="SAML2.SSO" />
                    <ref bean="SAML2.ECP" />
                    <ref bean="SAML2.Logout" />
                    <ref bean="SAML2.AttributeQuery" />
                    <ref bean="SAML2.ArtifactResolution" />
                </list>
            </property>
        </bean>

    </util:list>

</beans>
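An added metadata sanity checker (my own code, not from the mail above nor from Shibboleth): given a metadata document, an entityID and the name/value pair of a TagCandidate as configured in [3], it reports whether the EntityAttributes tag is present where [2] places it, or classifies why a tag-based match would miss. It assumes the predicate only considers an EntityAttributes element directly under the EntityDescriptor's own md:Extensions and only saml:Attribute children in the SAML 2.0 assertion namespace; the entity IDs in the embedded sample are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"  # namespace saml:Attribute must be in


def tag_status(metadata_xml, entity_id, tag_name, wanted_value):
    """Classify how a TagCandidate(name, value) would see entity_id's metadata:
    "match" / "value-mismatch" / "tag-missing" when EntityAttributes sits directly
    under the EntityDescriptor's md:Extensions (assumed to be where the predicate
    looks); "wrong-namespace" when its children are not SAML 2.0 Attributes;
    "misplaced" when it only appears deeper (e.g. under SPSSODescriptor)."""
    root = ET.fromstring(metadata_xml)
    ed_tag = f"{{{MD}}}EntityDescriptor"
    entities = [root] if root.tag == ed_tag else root.iter(ed_tag)
    entity = next((e for e in entities if e.get("entityID") == entity_id), None)
    if entity is None:
        return "no-entity"
    ea = entity.find(f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes")
    if ea is None:
        deeper = entity.find(f".//{{{MDATTR}}}EntityAttributes")
        return "misplaced" if deeper is not None else "no-extension"
    attrs = [c for c in ea if c.tag == f"{{{SAML2}}}Attribute"]
    if not attrs:
        return "wrong-namespace" if len(ea) else "tag-missing"
    for attr in attrs:
        if attr.get("Name") == tag_name:
            values = [v.text.strip() for v in attr.findall(f"{{{SAML2}}}AttributeValue") if v.text]
            return "match" if wanted_value in values else "value-mismatch"
    return "tag-missing"


# Constructed sample, not the mail's metadata: a correct tag, a tag under
# SPSSODescriptor instead of EntityDescriptor, and a tag in a non-SAML-2.0 namespace.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdattr="{MDATTR}" xmlns:saml="{SAML2}">
  <md:EntityDescriptor entityID="https://sp-ok.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="ConsentReleaseRequired">
      <saml:AttributeValue>NotRequired</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-misplaced.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="ConsentReleaseRequired">
        <saml:AttributeValue>NotRequired</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-badns.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes><x:Attribute xmlns:x="urn:oasis:names:tc:SAML:assertion" Name="ConsentReleaseRequired">
      <x:AttributeValue>NotRequired</x:AttributeValue></x:Attribute></mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Run it against the real metadata file the IdP loads (read the file into `tag_status`) for the entityID named in the "no EntityAttributes extension found" log line; anything other than "match" points at the metadata rather than at relyingparty.xml.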