users Digest, Vol 59, Issue 83
Ram, Budh
budh.ram at sap.com
Tue May 17 19:08:07 EDT 2016
Thanks for the quick response.
> As the above POST request which is having "SAMLResponse" header is the 3rd last request, I am not able to capture this header in my application as it is flushed out by the later GET requests fired.
It is not a header, it's a form field, and the SP is there to do that work. If you want access to the assertion, you can get it via the assertion export mechanism, but that's generally also a dubious thing to do. If you want to process the SAML *response* yourself, then you wouldn't be using the SP software also since that's its function.
Ok, got it. All I need to do is fetch the authenticated email address sent by the IDP so that I can make further (authorization-related) decisions in my application and redirect the user to the appropriate location.
How and from where can I get it?
> But in actual implementation how can I change the URL not having "Shibboleth.sso" portion in it while deploying to production.
You don't.
Ok, so if I understood correctly, my application URL will change from https://host:port/ to https://host:port/Shibboleth.sso/Login for my end users after SSO implementation?
Thanks,
Budh Ram
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of users-request at shibboleth.net
Sent: Wednesday, May 18, 2016 4:15 AM
To: users at shibboleth.net
Subject: users Digest, Vol 59, Issue 83
Send users mailing list submissions to
users at shibboleth.net
To subscribe or unsubscribe via the World Wide Web, visit
http://shibboleth.net/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
users-request at shibboleth.net
You can reach the person managing the list at
users-owner at shibboleth.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of users digest..."
Today's Topics:
1. RE: Shib v3.2.1 cas-protocol authentication to BannerXe
(O'Dowd, Josh)
2. Capturing SAML Response sent by IDP (Ram, Budh)
3. Re: Capturing SAML Response sent by IDP (Cantor, Scott)
----------------------------------------------------------------------
Message: 1
Date: Tue, 17 May 2016 21:06:58 +0000
From: "O'Dowd, Josh" <Josh.O'Dowd at mso.umt.edu>
To: Shib Users <users at shibboleth.net>
Subject: RE: Shib v3.2.1 cas-protocol authentication to BannerXe
Message-ID:
<6C4BCDAB7291C340B9D5C096C70C6C25B66D99FA at UMMAIL02.gs.umt.edu>
Content-Type: text/plain; charset="utf-8"
For what it's worth, we found that Banner XE, being a grails app, uses a CAS security module which has a configurable property, "authenticationAssertionAttribute". This property represents the name of the incoming request header attribute (from the authentication response) to map to XE's "UDC_IDENTIFIER". Implementations can set this property to any attribute name representing the user's unique ID. In our case, we set the property value to "uid", which is the attribute our IdP releases.
Josh O'Dowd
University of Montana
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Marvin Addison
Sent: Tuesday, May 17, 2016 5:46 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Shib v3.2.1 cas-protocol authentication to BannerXe
On Fri, May 13, 2016 at 12:08 PM Niva Agmon <nagmon at temple.edu<mailto:nagmon at temple.edu>> wrote:
Not sure how to put the org.jasig.cas package in DEBUG. I added a <logger name="org.jasig.cas" level="DEBUG"/> statement to logback.xml, but don't really see more info, so am probably missing some steps..
Sorry, I meant turning up the log level on the client. There's no such package on the server. When you put org.jasig.cas in DEBUG, you ought to see the CAS protocol response from the IdP logged to your client application and you can determine whether the UDC_IDENTIFIER attribute is included.
M
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160517/997e4a00/attachment-0001.html>
------------------------------
Message: 2
Date: Tue, 17 May 2016 22:31:53 +0000
From: "Ram, Budh" <budh.ram at sap.com>
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: Capturing SAML Response sent by IDP
Message-ID:
<b0b3f771bfb14019ba88b994bd189237 at DEWDFE13DE01.global.corp.sap>
Content-Type: text/plain; charset="us-ascii"
Hi,
I am using Shibboleth SP for SSO implementation in my application (application is running on IIS7.5). My IDP was able to authenticate the user and sends back the SAML response to me as the response of this request "/Shibboleth.sso/SAML2/POST". After this request there are two more GET request fired to reach back to my application. As the above POST request which is having "SAMLResponse" header is the 3rd last request, I am not able to capture this header in my application as it is flushed out by the later GET requests fired.
Can you please help me out how can I capture this intermediate request header to fetch the information sent by my IDP?
My 2nd doubt is about the request URL. Currently I am browsing this URL http://<hostname>:<port>/Shibboleth.sso/Login. But in actual implementation how can I change the URL not having "Shibboleth.sso" portion in it while deploying to production.
How can I keep the URL same for my end user and authenticate the users via SSO?
Thanks and Regards,
Budh Ram
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160517/fbfcf41c/attachment-0001.html>
------------------------------
Message: 3
Date: Tue, 17 May 2016 22:44:55 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: Capturing SAML Response sent by IDP
Message-ID: <120E3FD3-7E65-4638-83B4-854C3313C3CC at osu.edu>
Content-Type: text/plain; charset="utf-8"
On 5/17/16, 5:31 PM, "users on behalf of Ram, Budh" <users-bounces at shibboleth.net on behalf of budh.ram at sap.com> wrote:
> I am using Shibboleth SP for SSO implementation in my application (application is running on IIS7.5). My IDP was able to authenticate the user and sends back the SAML response to me as the response of this request "/Shibboleth.sso/SAML2/POST". After this request there are two more GET request fired to reach back to my application.
No, there's one (a redirect to the RelayState-derived resource).
> As the above POST request which is having "SAMLResponse" header is the 3rd last request, I am not able to capture this header in my application as it is flushed out by the later GET requests fired.
It is not a header, it's a form field, and the SP is there to do that work. If you want access to the assertion, you can get it via the assertion export mechanism, but that's generally also a dubious thing to do. If you want to process the SAML *response* yourself, then you wouldn't be using the SP software also since that's its function.
> Can you please help me out how can I capture this intermediate request header to fetch the information sent by my IDP?
The information sent by the IdP is consumed and decoded into HTTP headers by the SP software using all of its various features, you don't get it from the SAML response.
> But in actual implementation how can I change the URL not having "Shibboleth.sso" portion in it while deploying to production.
You don't.
> How can I keep the URL same for my end user and authenticate the users via SSO?
By protecting resources with the RequestMap and setting the requireSession setting to true, which is active protection. Using the /Login endpoint to initiate a session is something you do when you're passively protecting resources and manually causing the login to happen under specific circumstances.
-- Scott
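The two points Scott makes above, that the application never touches the SAML response and instead reads attributes the SP has already decoded, and that the URL stays the same when resources are actively protected through the RequestMap, correspond to two small configuration fragments on the SP side. The fragments below are an added illustration, not configuration from the original thread or from the Shibboleth project's distributed files: the host name `sp.example.org` and the path `secure` are placeholders, and the e-mail attribute is assumed to be released under its standard OID name.

```xml
<!-- Fragment of shibboleth2.xml: the RequestMapper section.
     Host and path are placeholders (sp.example.org, /secure).
     requireSession="true" is the "active protection" Scott describes:
     an unauthenticated request to anything under /secure is intercepted
     by the SP, the SAML exchange runs through the /Shibboleth.sso handlers,
     and the user is redirected back to the URL originally requested.
     The application's own URLs never change; /Shibboleth.sso/Login is only
     needed when a resource is passively protected and the application
     decides itself when to trigger a login. -->
<RequestMapper type="Native">
    <RequestMap>
        <Host name="sp.example.org">
            <!-- Everything under /secure requires a Shibboleth session. -->
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>

<!-- Fragment of attribute-map.xml: decode the e-mail attribute released by
     the IdP into a variable the application can read. The name is the
     standard SAML 2 (urn:oid) form of the "mail" attribute (assumed to be
     what this IdP releases); the id is the variable name the SP exposes
     to the application. On IIS the SP exposes it as a server variable by
     default; header export is a separate configuration option. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>
```

With these in place the application makes its authorization decision from the `mail` value the SP populates after the session exists, and from nothing else: it should not parse the SAMLResponse form field itself, and it should read only the variable the SP sets rather than a same-named header arriving from the client, since validating the response and keeping client-supplied values from masquerading as SP output is exactly the work the SP performs.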
------------------------------
Subject: Digest Footer
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
------------------------------
End of users Digest, Vol 59, Issue 83
*************************************