persistentID nameID for specific SPs, transient for default

Jehan PROCACCIA jehan.procaccia at tem-tsp.eu
Wed Dec 13 11:40:40 EST 2017


I removed the logs because of a problem sending my mail with all the logs; I try to send here the essential. I guess you're looking for logs prefixed with ERROR?
More below:

From idp-process.log, first it doesn't seem to match the candidate condition!?

2017-12-13 17:22:00,188 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334] - Metadata backing store does not contain any EntityDescriptors with the ID: https://services.renater.fr/shibboleth

although that SP is really here!

root at idp3 conf]# grep services.renater.fr/shibboleth ../metadata/main-sps-renater-metadata.xml 
		</md:EntityDescriptor><md:EntityDescriptor entityID="https://services.renater.fr/shibboleth">

later in the logs


2017-12-13 17:22:00,207 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:259] - Resolving credentials from supplied RoleDescriptor using usage: ENCRYPTION.  Effective entityID was: https://services.renater.fr/shibboleth
2017-12-13 17:22:00,217 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing
2017-12-13 17:22:00,218 - DEBUG [org.opensaml.saml.common.profile.impl.VerifyChannelBindings:154] - Profile Action VerifyChannelBindings: No channel bindings found to verify, nothing to do
...
2017-12-13 17:22:11,278 - DEBUG [org.opensaml.saml.common.profile.logic.AbstractNameIDPolicyPredicate:218] - Policy checking disabled for NameIDPolicy with Format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
2017-12-13 17:22:11,278 - DEBUG [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:82] - Metadata specifies the following formats: []
2017-12-13 17:22:11,278 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:100] - Configuration specifies the following formats: []
2017-12-13 17:22:11,278 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:110] - No formats specified in configuration or in metadata, returning default
2017-12-13 17:22:11,279 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:323] - Profile Action AddNameIDToSubjects: Candidate NameID formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
2017-12-13 17:22:11,279 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:396] - Profile Action AddNameIDToSubjects: Trying to generate NameID with Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
2017-12-13 17:22:11,280 - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - Profile Action AddNameIDToSubjects: Error while generating NameID
org.opensaml.saml.common.SAMLException: Invalid NameIdentifierGenerationService configuration
        at net.shibboleth.idp.saml.nameid.impl.ProxySAML2NameIDGenerator.generate(ProxySAML2NameIDGenerator.java:62)

2017-12-13 17:22:11,280 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:341] - Profile Action AddNameIDToSubjects: Unable to generate a NameID, leaving empty
2017-12-13 17:22:11,281 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddSubjectConfirmationToSubjects:267] - Profile Action AddSubjectConfirmationToSubjects: Attempting to add SubjectConfirmation to assertions in outgoing Response

and finally the SAML assertion:

2017-12-13 17:22:11,290 - DEBUG [org.opensaml.saml.saml2.profile.impl.EncryptAssertions:132] - Profile Action EncryptAssertions: Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_c4d76b71f6a31d3f8dcd8c7a6a729a50"
    IssueInstant="2017-12-13T16:22:11.269Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://idpr3.tem-tsp.eu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData Address="191.160.129.124"
                InResponseTo="_1b36afb4833c7cafa8e35f4da86889dc"
                NotOnOrAfter="2017-12-13T16:27:11.282Z" Recipient="https://services.renater.fr/Shibboleth.sso/SAML2/POST"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-12-13T16:22:11.269Z" NotOnOrAfter="2017-12-13T16:27:11.269Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>https://services.renater.fr/shibboleth</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2017-12-13T16:22:07.224Z" SessionIndex="_3bf26d03f5020709f5cac65cf2826eb1">
        <saml2:SubjectLocality Address="191.160.129.124"/>
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="uid"
            Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">procacci</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">jehan.procaccia at tem-tsp.eu</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="eduPersonPrincipalName"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">procacci at tem-tsp.eu</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

thanks.
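The log excerpt above shows the NameID decision chain (metadata formats [], configuration formats [], default transient, then the SAMLException), and the reply below points out that the real cause is usually an ERROR much earlier in idp-process.log. As an added example that is not part of this thread, the following script parses idp-process.log lines into records, attaches exception and stack-frame continuation lines to the ERROR that produced them, and pulls out the NameID selection trail so the two can be read side by side. The sample input is constructed from the lines quoted in this message; the line format regex assumes the default Shibboleth IdP logback pattern.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default idp-process.log line shape (assumption: standard logback pattern):
# 2017-12-13 17:22:11,280 - ERROR [fully.qualified.Logger:404] - message
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)


@dataclass
class LogRecord:
    ts: str
    level: str
    logger: str
    msg: str
    # Exception text and "at ..." frames that follow an ERROR line.
    extra: List[str] = field(default_factory=list)


def parse_idp_log(lines) -> List[LogRecord]:
    """Turn raw log lines into records; continuation lines join the previous record."""
    records: List[LogRecord] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m:
            records.append(LogRecord(m["ts"], m["level"], m["logger"], m["msg"]))
        elif records:
            records[-1].extra.append(line.strip())
    return records


def find_errors(records, levels=("ERROR", "WARN")) -> List[LogRecord]:
    """The records worth reading first, in log order, with their stack text attached."""
    return [r for r in records if r.level in levels]


def nameid_decision_trail(records) -> List[LogRecord]:
    """Records from the NameID format selection / generation chain, in order."""
    keys = ("NameIdentifierFormatStrategy", "AddNameIDToSubjects", "NameIDPolicyPredicate")
    return [r for r in records if any(k in r.logger for k in keys)]


def candidate_formats(records) -> List[str]:
    """NameID formats the IdP actually tried, taken from the 'Candidate NameID formats' line."""
    for r in records:
        m = re.search(r"Candidate NameID formats: \[(?P<fmts>[^\]]*)\]", r.msg)
        if m:
            return [f.strip() for f in m["fmts"].split(",") if f.strip()]
    return []


def triage(text: str) -> Dict[str, object]:
    records = parse_idp_log(text.splitlines())
    return {
        "records": records,
        "errors": find_errors(records),
        "trail": nameid_decision_trail(records),
        "candidates": candidate_formats(records),
    }


# Constructed sample: the lines quoted in the message above, without the elided "..." part.
SAMPLE_LOG = """\
2017-12-13 17:22:00,188 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334] - Metadata backing store does not contain any EntityDescriptors with the ID: https://services.renater.fr/shibboleth
2017-12-13 17:22:11,278 - DEBUG [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:82] - Metadata specifies the following formats: []
2017-12-13 17:22:11,278 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:100] - Configuration specifies the following formats: []
2017-12-13 17:22:11,278 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:110] - No formats specified in configuration or in metadata, returning default
2017-12-13 17:22:11,279 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:323] - Profile Action AddNameIDToSubjects: Candidate NameID formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
2017-12-13 17:22:11,280 - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - Profile Action AddNameIDToSubjects: Error while generating NameID
org.opensaml.saml.common.SAMLException: Invalid NameIdentifierGenerationService configuration
        at net.shibboleth.idp.saml.nameid.impl.ProxySAML2NameIDGenerator.generate(ProxySAML2NameIDGenerator.java:62)
2017-12-13 17:22:11,280 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:341] - Profile Action AddNameIDToSubjects: Unable to generate a NameID, leaving empty
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for r in result["errors"]:
        print(f"{r.ts} {r.level} {r.logger}: {r.msg}")
        for line in r.extra:
            print("    " + line)
    print("tried formats:", result["candidates"])
```

Run it on a full idp-process.log (`triage(open(path).read())`) and read the `errors` list from the top: a configuration file that failed to load earlier in the log will appear there ahead of the per-request NameID failure, which is the ordering the reply below insists on.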
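The grep above proves only that the entityID string occurs somewhere in the file; the resolver's "does not contain any EntityDescriptors with the ID" message is about what it actually loaded, and the later "Metadata specifies the following formats: []" is read from the SP's `md:NameIDFormat` elements. As an added example, not code from this thread or from Shibboleth, the script below parses an aggregate the way an XML consumer would, lists the entityIDs it really contains, and reports the NameID formats a given SP declares. The aggregate is a constructed sample in the shape of the grepped file, not the real RENATER metadata; the SP entityIDs in it are placeholders apart from the one quoted above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_TAG = f"{{{MD_NS}}}EntityDescriptor"
SPSSO_TAG = f"{{{MD_NS}}}SPSSODescriptor"
NAMEID_TAG = f"{{{MD_NS}}}NameIDFormat"


def entity_descriptors(xml_text: str) -> Dict[str, ET.Element]:
    """Map entityID -> md:EntityDescriptor, for every descriptor the document contains.

    Element.iter() visits the root as well, so a single EntityDescriptor file works too.
    A document that is not well-formed raises ET.ParseError here, which is closer to what
    the IdP's resolver sees than a successful grep is.
    """
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): e for e in root.iter(ENTITY_TAG) if e.get("entityID")}


def sp_nameid_formats(xml_text: str, entity_id: str) -> Optional[List[str]]:
    """NameIDFormat values declared under the SP role of entity_id.

    Returns None when the entity is absent, [] when it is present but declares none
    (the situation logged as 'Metadata specifies the following formats: []').
    """
    entity = entity_descriptors(xml_text).get(entity_id)
    if entity is None:
        return None
    formats: List[str] = []
    for sp in entity.findall(SPSSO_TAG):
        formats.extend((f.text or "").strip() for f in sp.findall(NAMEID_TAG))
    return [f for f in formats if f]


# Constructed sample aggregate (hypothetical content; only the RENATER entityID comes from the post).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="constructed-sample">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://services.renater.fr/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    for eid in sorted(entity_descriptors(SAMPLE_METADATA)):
        print(eid, sp_nameid_formats(SAMPLE_METADATA, eid))
```

On a real file, pass `open("main-sps-renater-metadata.xml").read()`; a `ParseError` or a missing key for the entityID you grepped tells you the text match and the parsed document disagree, which is the first thing to resolve before looking at NameID generation.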


----- Original Message -----
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: "users" <users at shibboleth.net>
Sent: Wednesday 13 December 2017 16:42:19
Subject: Re: persistentID nameID for specific SPs, transient for default

On 12/13/17, 10:06 AM, "users on behalf of Jehan PROCACCIA" <users-bounces at shibboleth.net on behalf of jehan.procaccia at tem-tsp.eu> wrote:
 
> Where did I go wrong?

You ignored the giant slog of errors in the log far above anything you're looking at that will tell you what the syntax error is preventing the config from loading.

-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
