New CAS metadata support in 3.4
Paul B. Henson
henson at cpp.edu
Mon Nov 26 21:02:17 EST 2018
> From: Marvin Addison
> Sent: Thursday, November 15, 2018 6:39 AM
>
> That's correct. I defined a global bean for the indexes,
> shibboleth.CASMetadataIndices, that you need to reference in the
> configuration in metadata-providers.xml:
So I got back from my Thanksgiving vacation :), switched to a FilesystemMetadataProvider with the necessary indexes for my CAS metadata testing, and was now able to successfully authenticate. However, no attributes were passed to the service :(.
To review, I currently have the following entry for a CAS service:
<EntityDescriptor entityID="https://proxy.library.cpp.edu/">
<SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
Location="http://proxy.library.cpp.edu/login"
index="1"/>
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
Location="http://proxy-dev.library.cpp.edu/login"
index="2"/>
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
Location="http://login.proxy.library.cpp.edu/login"
index="3"/>
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
Location="http://login.proxy-dev.library.cpp.edu/login"
index="4"/>
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
Location="https://proxy.library.cpp.edu/login"
index="5"/>
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
Location="https://proxy-dev.library.cpp.edu/login"
index="6"/>
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
Location="https://login.proxy.library.cpp.edu/login"
index="7"/>
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
Location="https://login.proxy-dev.library.cpp.edu/login"
index="8"/>
</SPSSODescriptor>
</EntityDescriptor>
and added a release policy with a requester rule that matched the entity id:
<PolicyRequirementRule xsi:type="Requester" value="https://proxy.library.cpp.edu/" />
It appears after enabling debugging though that the requester is not the entityid, but the specific URL that was authenticated to?
2018-11-26 17:44:43,056 - 2620:df:8000:f000:0:1:250:134/23F89F74AB11A35DBC9394267EF3ED0B - DEBUG [net.shibboleth.idp.attribute.filter.policyrule.filtercontext.impl.AttributeRequesterPolicyRule:54] - Attribute Filter '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/PolicyRequirementRule:_39d70b4d59810dd0be9d7d6766417146': Found attribute requester: https://login.proxy-dev.library.cpp.edu/login
I updated my release policy to match that specific URL:
<PolicyRequirementRule xsi:type="Requester" value="https://login.proxy-dev.library.cpp.edu/login" />
and the service received the proper attributes. Is this expected operation? I would've thought release policies would be based on the configured entityid rather than each of the individual separate AssertionConsumerService URLs, which are a prefix match and not fully inclusive of every possible URL?
Am I doing something else wrong now 8-/?
Thanks much...
More information about the users
mailing list