Access Denied
Tabitha O. Locklear
tabithao.locklear at uncp.edu
Wed Aug 8 13:47:39 EDT 2018
Robert, I have tried your suggestions and I'm still getting the same response.
Access is denied.
Here is what I find in the logs.
2018-08-08 17:29:18,060 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:118] - Profile Action AddAttributeStatementToAssertion: Adding constructed AttributeStatement to Assertion _0919c27085387f5491745334edfb3b07
2018-08-08 17:29:18,100 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:100] - Configuration specifies the following formats: []
2018-08-08 17:29:18,101 - DEBUG [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:113] - Configuration did not specify any formats, relying on metadata alone
2018-08-08 17:29:18,201 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:585] - Found Assertion with AuthnStatement to decorate in outbound Response
2018-08-08 17:29:18,201 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:288] - Issuance of delegated was not indicated, skipping assertion decoration
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Robert Bradley
Sent: Wednesday, August 08, 2018 8:13 AM
To: users at shibboleth.net
Subject: Re: Access Denied
On 07/08/18 19:49, Tabitha O. Locklear wrote:
> Back when we first created a login for our SP we used this
> documentation.
>
> 1. have a deny policy to not release transient ID
>
> 2. new definition for username in resolver the username not as
> string, but nameid
>
> 3. release this username to SP
>
> 4. nameid's cannot be encrypted
>
> In our Attribute-Filter.xml we have
>
> STEP 1:
>
> <afp:AttributeFilterPolicy id="releaseTransientId">
>     <afp:PolicyRequirementRule xsi:type="basic:NOT">
>         <basic:Rule xsi:type="basic:AttributeRequesterString"
>                     value="https://xxxx-stg.saasit.com/" />
>     </afp:PolicyRequirementRule>
>     <afp:AttributeRule attributeID="transientId">
>         <afp:PermitValueRule xsi:type="basic:ANY"/>
>     </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> STEP 2:
>
> <resolver:AttributeDefinition id="Login" xsi:type="Simple"
>                               xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>                               sourceAttributeID="sAMAccountName">
>     <resolver:Dependency ref="myAD" />
>     <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
>                                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:transient" />
>     <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
>                                xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>                                nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
> </resolver:AttributeDefinition>
>
> STEP 3:
>
> <AttributeFilterPolicy id="releaseLoginToSAASIT">
>     <PolicyRequirementRule xsi:type="Requester"
>                            value="https://uncp-stg.saasit.com/" />
>     <AttributeRule attributeID="Login">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
> </AttributeFilterPolicy>
>
If that saasit.com entityID is what I think it is, you probably don't need any of the custom NameID stuff for this...
Instead, you should be able to release the Login attribute as a normal attribute (called sAMAccountName in this example) and configure HEAT to use that attribute as the login ID (https://help.ivanti.com/ht/help/en_US/ISM/2017/Content/Configure/Security/ADFS%20SAML.htm has details on the cloud-side of this). The attribute-resolver.xml then would look something like (in v3 syntax):
<resolver:AttributeDefinition id="sAMAccountName"
                              xsi:type="ad:Simple" sourceAttributeID="sAMAccountName">
    <resolver:Dependency ref="myAD" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:1.2.840.113556.1.4.221" friendlyName="sAMAccountName"
                               encodeType="false" />
</resolver:AttributeDefinition>
In the "provisioning attributes" configuration, LoginID would be mapped to "urn:oid:1.2.840.113556.1.4.221" (MS's OID for sAMAccountName).
The attribute-filter.xml fragment would look like:
<afp:AttributeFilterPolicy id="attributeFilterPolicyForUucpStgSaasit">
    <afp:PolicyRequirementRule
        xsi:type="basic:AttributeRequesterString"
        value="https://uncp-stg.saasit.com/" />
    <afp:AttributeRule attributeID="sAMAccountName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Lastly, the default signing algorithm used by HEAT is SHA-1. You will either need to configure it to use SHA-256 in their Web interface or use relying-party.xml to override it:
<bean id="SHA1SecurityConfig"
      parent="shibboleth.DefaultSecurityConfiguration"
      p:signatureSigningConfiguration-ref="shibboleth.SigningConfiguration.SHA1" />
...
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="#{{'https://uncp-stg.saasit.com/', 'https://uncp.saasit.com/'}}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:securityConfiguration-ref="SHA1SecurityConfig"
                      p:signAssertions="true" />
            </list>
        </property>
    </bean>
    ...
</util:list>
Hope this helps...
--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
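When an SP answers "Access is denied" after a change to the resolver or filter, the quickest check is to look at what the IdP actually sent: which NameID format the assertion carries, whether the attribute the SP expects (here the sAMAccountName OID) was released, and which signature algorithm was used, since the reply above notes that HEAT defaults to SHA-1. The following Python script is an added example, not part of this thread or of the Shibboleth project; it parses a decoded SAML 2.0 Response (as captured with a browser SAML tracer) and reports those three things. The sample response, its IDs and the value "jdoe" are constructed; the attribute OID and the algorithm URIs are the standard identifiers.

```python
"""Inspect a decoded SAML 2.0 Response: NameID format, released attributes,
and XML signature algorithm(s). Added example; the sample data is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Standard algorithm URIs: rsa-sha1 is the legacy one the reply above warns about.
SHA1_SIG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Microsoft's OID for sAMAccountName, as used in the resolver fragment above.
SAMACCOUNTNAME_OID = "urn:oid:1.2.840.113556.1.4.221"

# Constructed sample: transient NameID, sAMAccountName released, assertion signed with SHA-1.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml2:Assertion ID="_assert1" Version="2.0">
    <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>constructed</ds:SignatureValue>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="urn:oid:1.2.840.113556.1.4.221" FriendlyName="sAMAccountName">
        <saml2:AttributeValue>jdoe</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def inspect_response(xml_text):
    """Return NameID format, released attributes and signature algorithms found."""
    root = ET.fromstring(xml_text)
    report = {"nameid_format": None, "attributes": {}, "signature_algorithms": []}
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion (or none at all) leaves nothing to read in the clear.
        return report
    nameid = assertion.find("saml2:Subject/saml2:NameID", NS)
    if nameid is not None:
        report["nameid_format"] = nameid.get("Format")
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
        report["attributes"][attr.get("Name")] = values
    # Collect every SignatureMethod (Response-level and Assertion-level signatures).
    for sm in root.iter("{%s}SignatureMethod" % NS["ds"]):
        report["signature_algorithms"].append(sm.get("Algorithm"))
    return report


def check_release(report, expected_attr=SAMACCOUNTNAME_OID):
    """List the things that commonly explain an SP-side 'access denied'."""
    issues = []
    if expected_attr not in report["attributes"]:
        issues.append("expected attribute %s not released" % expected_attr)
    if SHA1_SIG in report["signature_algorithms"]:
        issues.append("assertion/response signed with SHA-1 (rsa-sha1)")
    if not report["signature_algorithms"]:
        issues.append("no XML signature found")
    return issues


if __name__ == "__main__":
    rep = inspect_response(SAMPLE_RESPONSE)
    print("NameID format:", rep["nameid_format"])
    print("Attributes:", rep["attributes"])
    print("Signature algorithms:", rep["signature_algorithms"])
    for issue in check_release(rep):
        print("ISSUE:", issue)
```

Run it against a real decoded Response by replacing SAMPLE_RESPONSE with the captured XML; if the attribute statement lacks the expected OID, the filter policy is the place to look, and if the only algorithm reported is rsa-sha1, the relying-party override or the SP's own signing setting is.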