Cherwell application (on-prem)

Lohr, Donald lohrda at jmu.edu
Fri Apr 26 16:55:36 EDT 2019


Not wanting to share too much specific data, which was why I mentioned 
off-line.

We are not specifically wanting to Shib the thick client, but the 
portal.  We are not choosing the email address, but Windows Login (not 
using email is a long story in and of itself).  In the SP metadata is:

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>

Attempting to follow two different on-line Cherwell documents (public) 
we guessed and put the following in our respective IdP files:

attribute-resolver.xml
<resolver:AttributeDefinition id="sAMAccountName" xsi:type="ad:Simple" sourceAttributeID="cn">
    <resolver:Dependency ref="oud" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
        name="sAMAccountName" encodeType="false" />
</resolver:AttributeDefinition>

attribute-filter.xml
<afp:AttributeFilterPolicy id="cherwellportal">
         <afp:PolicyRequirementRule 
xsi:type="basic:AttributeRequesterString" 
value="https://xxxx.sss.ccc/CherwellClient"/>
         <afp:AttributeRule attributeID="sAMAccountName">
                 <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
</afp:AttributeFilterPolicy>

But we get the following error at login:

SAML Auth failed: An error occured, SAML status codes: 
urn:oasis:names:tc:SAML:2.0:status:Requestor, 
urn:oassis:names:tc:SAML:2.0:status:InvalidNameIDPolicy

We are running Cherwell v9.3.5.x and our Shib IdP is v3.3.3. Our Shib 
IdP is backed by a non-AD LDAP directory.

Their online docs do not seem to use Shib 3.x speak in their examples.

Thx,
DL

On 4/26/19 4:18 PM, Cantor, Scott wrote:
> I did a quick review. It's almost vanilla, I'm sending it a NameID in emailAddress format. It had a key and supports encryption. It didn't used to support SHA-2 signatures, but does now. The non-vanilla bit was that I was never able to get it to accept signed responses alone (it claims to, but it didn't work last I tested), so I had to toggle the metadata for it to trigger assertion signing, and that was about all.
>
> -- Scott
>
>
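Added example, not from either poster: the IdP returns InvalidNameIDPolicy when none of its configured NameID generators can produce a format the SP's request allows, and the resolver/filter entries above only release sAMAccountName as an attribute, not as a NameID. The fragment below is an IdP v3 saml-nameid.xml entry that sources a kerberos-format NameID from that attribute and, as a least-privilege measure, activates only for the Cherwell entityID; the entityID and the assumption that the portal asks for the kerberos format (rather than emailAddress) are taken from the post and are assumptions.

```xml
<!-- saml-nameid.xml (Shibboleth IdP v3). The p:, c: and util: namespaces
     are already declared in the stock file header. Added example, assumes
     sAMAccountName is released by attribute-filter.xml to this SP. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Keep the default transient generator for every other SP. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Build the kerberos-format NameID from the sAMAccountName attribute
         defined in attribute-resolver.xml. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
          p:attributeSourceIds="#{ {'sAMAccountName'} }">
        <!-- Scope the generator to the Cherwell portal only (assumed entityID
             copied from the AttributeRequesterString rule in the post), so no
             other SP can request an account-name NameID by asking for this format. -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'https://xxxx.sss.ccc/CherwellClient'} }" />
        </property>
    </bean>

</util:list>
```

After reloading the NameID service, the idp-process.log line for the next login should show the generator selected for the kerberos format instead of the InvalidNameIDPolicy status.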
