SLO Problems
Darren Boss
darren.boss at computecanada.ca
Wed Apr 17 10:10:36 EDT 2019
Yes, I was aware. It's on my long to-do list to try the TIER Shibboleth IdP
image. At the time we were setting up our IdP I think the TIER images were
still wrapped up in bulky VM images and it wasn't what we were looking for, but
I understand that this is not the case anymore.

I can't recall if I've already taken a brief look at the TIER Shibboleth
IdP image and determined that it was more difficult to implement the
Kubernetes deployment we are doing. We use an Alpine-based git initContainer
to do a single-branch clone from our git repo for the Shib configuration,
and that gets mounted into various locations in the IdP image (metadata,
messages, conf, etc.). This makes for nicely versioned configuration and
makes it easy to roll back quickly to a previous configuration if something breaks.

When I get around to it, and if I run into problems, I'll probably jump over
to the Internet2 Slack channels to discuss.
On Wed, Apr 17, 2019 at 9:18 AM Paul Caskey <pcaskey at internet2.edu> wrote:
> Hi Darren-
>
> InCommon also maintains containers for Shibboleth IdP, SP (both Windows
> and Linux) and Grouper and COmanage.
>
> See here for more info:
> https://spaces.at.internet2.edu/display/ITAP/InCommon+Trusted+Access+Platform+Release
>
> TTYL
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Darren Boss
> *Sent:* Wednesday, April 17, 2019 8:14 AM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: SLO Problems
>
> I was starting to feel bad about hijacking this thread, but it turns out we
> really were working on the same issue! I'm still having issues even when
> removing the jetty-rewrite.xml completely, but now I'm closer to a working
> configuration. I see a status 502 for the PropagateLogout
> (PropagateLogout?SessionKey=N) URL when I use the developer console in
> Chrome. In Firefox the logout now gets to the point where the red X is
> displayed beside each SP, and in both browsers I no longer see the error
> messages I reported before. I also confirmed in the dev console that the
> CSP and frame-options HTTP headers are no longer there.
>
> I wasn't sure that there were many using the Unicon image, but I noticed
> that it was still getting quickly updated when a new release of the IdP
> came out, and they recently started using multi-stage builds, so it's still
> being supported, and even if it wasn't it's pretty simple to tweak the
> Dockerfile to target new versions of Jetty, Shib IdP or Java and rebuild.
>
> On Tue, Apr 16, 2019 at 7:41 PM Bob Allison <shib at allisonr.us> wrote:
>
> I am also using that image. I confirmed that removing jetty-rewrite.xml
> completely solved my problems. Only removing the last addRule was not
> enough for me. I guess the question is if there is any reason to have the
> file at all if both rules have been removed.
>
> On Apr 16, 2019, at 13:07, Darren Boss <darren.boss at computecanada.ca>
> wrote:
>
> So I think I tracked it down to Jetty configuration. I'm using the Unicon
> shibboleth-idp-dockerized image although I rebuild it and I do make some
> minor tweaks as a layer on top of their image.
>
> https://github.com/Unicon/shibboleth-idp-dockerized/blob/master/opt/shib-jetty-base/etc/jetty-rewrite.xml
>
> I think that's the culprit and that last addRule can be removed. If it
> works I'll create a PR to their project.
>
> On Tue, Apr 16, 2019 at 11:19 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
>
> On 4/16/19, 9:43 AM, "users on behalf of Darren Boss" <
> users-bounces at shibboleth.net on behalf of darren.boss at computecanada.ca>
> wrote:
>
> > It does look like my problem might be related to running under
> > Kubernetes, specifically that http headers are being set
> > by the nginx proxy.
>
> That doesn't inherently mean the headers are in fact correctly usable out
> of the box; there still might be a mistake in our understanding.
>
> You should NOT need to alter the headers to make logout work, and I have
> never had to do so in any testing scenarios I've attempted. So either my
> testing is artificial and doesn't match a real-world issue in some way, or
> people are mistaken somewhere about what Chrome is really saying.
>
> -- Scott
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
--
Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
darren.boss at computecanada.ca
(o) 416.228.1234 x 230
(c) 919.525.0083
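The thread turns on whether framing headers (CSP and X-Frame-Options) added by a proxy or by the image's jetty-rewrite.xml stop the IdP logout page from loading its PropagateLogout?SessionKey=N iframes. The script below is an added example, not code from this thread, from Shibboleth or from the Unicon image: it takes the response headers of each framed URL and decides, the way a browser does, whether the IdP logout page would be allowed to frame it. A CSP with a frame-ancestors directive takes precedence and X-Frame-Options is then ignored; without it, DENY always blocks and SAMEORIGIN blocks cross-origin framing only. All hostnames, URLs and header values are constructed sample data. Note the caveat from the thread itself: a 502 on PropagateLogout is a backend or proxy error, not a framing decision, and this check would say nothing about it.

```python
"""Check whether the iframes a Shibboleth IdP logout page opens would be
blocked by X-Frame-Options or CSP frame-ancestors headers.

Added example with constructed data; not part of the mailing-list thread
or of any Shibboleth/Unicon code."""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _header(headers: dict, name: str):
    """Case-insensitive header lookup; returns None if absent."""
    for k, v in headers.items():
        if k.lower() == name:
            return v
    return None


def _frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def _source_matches(source: str, parent_url: str, framed_url: str) -> bool:
    """Match one frame-ancestors source against the parent (framing) page."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(parent_url) == _origin(framed_url)
    if source == "*":
        return True
    p = urlsplit(parent_url)
    if source in ("https:", "http:"):            # scheme-source
        return source == p.scheme.lower() + ":"
    if "://" in source:                           # scheme + host
        s = urlsplit(source)
        scheme, host = s.scheme, s.netloc
    else:                                         # host only
        scheme, host = None, source
    if scheme and scheme != p.scheme.lower():
        return False
    if host.startswith("*."):                     # wildcard subdomain
        return p.netloc.lower().endswith(host[1:])
    return host == p.netloc.lower()


def framing_allowed(headers: dict, framed_url: str, parent_url: str):
    """Return (allowed, reason) for loading framed_url in an iframe on parent_url."""
    csp = _header(headers, "content-security-policy")
    sources = _frame_ancestors(csp) if csp else None
    if sources is not None:                       # CSP present: X-Frame-Options is ignored
        ok = any(_source_matches(s, parent_url, framed_url) for s in sources)
        return ok, f"CSP frame-ancestors {' '.join(sources) or '(empty list)'}"
    xfo = _header(headers, "x-frame-options")
    if xfo is None:
        return True, "no framing restriction"
    value = xfo.strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return _origin(parent_url) == _origin(framed_url), "X-Frame-Options: SAMEORIGIN"
    # Unknown or obsolete values (e.g. ALLOW-FROM) are ignored by current browsers.
    return True, f"X-Frame-Options: {xfo.strip()} (ignored)"


# Constructed sample: the IdP logout page frames its own PropagateLogout
# endpoint plus each SP's logout endpoint. Hostnames are placeholders.
IDP_LOGOUT = "https://idp.example.org/idp/profile/Logout"
FRAMES = [
    ("PropagateLogout", "https://idp.example.org/idp/profile/PropagateLogout?SessionKey=1",
     {"X-Frame-Options": "DENY"}),               # what a blanket rewrite rule would add
    ("sp1 SLO", "https://sp1.example.org/Shibboleth.sso/SLO/Redirect",
     {"Content-Security-Policy": "frame-ancestors 'self' https://idp.example.org"}),
    ("sp2 SLO", "https://sp2.example.org/Shibboleth.sso/SLO/Redirect",
     {"Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "SAMEORIGIN"}),         # CSP wins; SAMEORIGIN is ignored
]


def check_logout_propagation(frames=FRAMES, parent_url=IDP_LOGOUT):
    """Return the names of the frames a browser would refuse to render."""
    blocked = []
    for name, url, headers in frames:
        ok, why = framing_allowed(headers, url, parent_url)
        print(f"{'OK     ' if ok else 'BLOCKED'} {name}: {why}")
        if not ok:
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    check_logout_propagation()
```

Running it against real responses is a matter of filling FRAMES from `curl -sI` output for each URL; the same-origin PropagateLogout frame only breaks when a rule adds DENY (or a frame-ancestors list without 'self'), which is why a SAMEORIGIN header on the IdP alone would not explain the symptom.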