Anyone have any success setting up with Starfishsolutions?
Mircea Baciu
mircea.baciu at simmons.edu
Tue May 7 10:46:25 EDT 2019
We were asked to release only the user identifier to Starfish (in our case
that's uid). The accounts need to be provisioned ahead of time via some
connector software they provide, so if that's not set up yet then that
error message makes sense.
The second entityID you listed
(urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production)
looks like the one to use.
Mircea
--
Mircea Baciu, Senior Unix Systems Administrator
Simmons University | 300 The Fenway | Boston, MA 02115 | 617-521-2194
On Tue, May 7, 2019 at 9:43 AM Melvin Lasky <melvin.lasky at manhattan.edu>
wrote:
> Hey all,
> We are trying to implement Shibboleth with Starfishsolutions.
>
> We are continuing to get a
>
> You do not have a user account in the Starfish system.
>
> Please contact your system administrator if you should have or would like
> to gain access to this application.
>
> —
>
> What concerns me is this… In my attribute-filter, I tried as a regex
> https://*.starfishsolutions.com/* etc….
>
> <AttributeFilterPolicy id="releaseForSTARFISH">
>     <PolicyRequirementRule xsi:type="RequesterRegex"
>         regex="https:\/\/.*\.starfishsolutions\.com\/.*\/.*" />
>     <AttributeRule attributeID="eduPersonPrincipalName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="displayName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="mail">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="surname">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="givenName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="eduPersonAffiliation">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="uid">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
> </AttributeFilterPolicy>
>
> Didn’t work. I also tried this:
>
> <AttributeFilterPolicy id="releaseForSTARFISH">
>     <PolicyRequirementRule xsi:type="Requester"
>         value="urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production" />
>     <AttributeRule attributeID="eduPersonPrincipalName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="displayName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="mail">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="surname">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="givenName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="eduPersonAffiliation">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="uid">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
> </AttributeFilterPolicy>
>
> Both have the same result.
>
> When I look at the logs, what I notice is this:
>
> shib-idp;idp-process.log;dev;nothing; - [149.61.2.59]2019-05-07
> 13:36:47,435 - INFO [Shibboleth-Audit.SSO:275] -
> 20190507T133647Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|a1gd9hb4b8cahc0f4e775c0778fa6i4|urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production|
> http://shibboleth.net/ns/profiles/saml2/sso/browser|https://ourshibbolethserver.manhattan.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c9c7ed626a291e8be9b328a6a99534e9|melvin.lasky|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,surname,givenName,eduPersonPrincipalName|AAdzZWNyZXQxfzIVftcT7532TD2JqJInMnzix0aGjqTF8d+kGWDuE0G8W+A4fTv5ZKJiHVh8lZE9uLStuOhdU/xcV0yXgTsrDf0wLi4ztNpCbdrZsM9TDJBnTlkDzlK0UiIWOR5crwRSI66OPH176Asy6m6Qx1erS0cHwr6ByRbpjhEMsx+KXl3UpPkELS5DkSAFIIKA/A==|_4fdc3ba871d1cb09e3c521a07eff1e12|
>
> First, I don’t see it coming from an https://* address like my other
> requests, I see it coming from
> urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production
>
> Also, it looks like it is sending the attributes, but not the ones I
> selected? uid,mail,surname,givenName,eduPersonPrincipalName
>
> Do you think it’s something on our side or their side? Also, why can’t I
> get the attributes I listed to be released, and why is it releasing those
> attributes? Any help will be greatly appreciated.
>
> Thanks
>
> Mel
>
> *Melvin Lasky*
> *Associate Director of Enterprise Architecture*
>
>
>
>
> Riverdale, NY 10471
> Phone: 718-862-7410
> melvin.lasky at manhattan.edu
> www.manhattan.edu
>
>
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
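
The check discussed in this thread, as an added example that is not part of either message: it reads the requester and released-attribute fields out of the audit line and tests them against the two `PolicyRequirementRule` variants quoted above. The field labels, the whole-string regex match, and the placeholder NameID value are assumptions of this example.

```python
import re

# Labels for the pipe-delimited fields, in the order they appear in the audit
# line quoted in the thread (the labels are this example's assumption).
FIELDS = ("timestamp", "inbound_binding", "request_id", "requester", "profile",
          "idp", "outbound_binding", "response_id", "principal",
          "authn_context", "attributes", "name_id", "assertion_id")
SP = "urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production"
# Constructed sample based on the line in the thread; NameID is a placeholder.
SAMPLE = ("13:36:47,435 - INFO [Shibboleth-Audit.SSO:275] - 20190507T133647Z|"
          "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
          "a1gd9hb4b8cahc0f4e775c0778fa6i4|" + SP + "|"
          "http://shibboleth.net/ns/profiles/saml2/sso/browser|"
          "https://ourshibbolethserver.manhattan.edu/idp/shibboleth|"
          "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
          "_c9c7ed626a291e8be9b328a6a99534e9|melvin.lasky|"
          "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
          "uid,mail,surname,givenName,eduPersonPrincipalName|"
          "NAMEID-PLACEHOLDER|_4fdc3ba871d1cb09e3c521a07eff1e12|")
# The two PolicyRequirementRule variants and the attribute list from the thread.
REGEX_RULE = ("RequesterRegex", r"https:\/\/.*\.starfishsolutions\.com\/.*\/.*")
EXACT_RULE = ("Requester", SP)
PERMITTED = {"eduPersonPrincipalName", "displayName", "mail", "surname",
             "givenName", "eduPersonAffiliation", "uid"}

def parse_audit(line):
    """Return the audit record as a dict, skipping any logger prefix."""
    m = re.search(r"\d{8}T\d{6}Z\|", line)
    if not m:
        raise ValueError("no audit record found")
    values = line[m.start():].rstrip().split("|")
    if len(values) < len(FIELDS):
        raise ValueError("short audit record")
    rec = dict(zip(FIELDS, values))
    rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
    return rec

def rule_applies(rule, requester):
    """Requester is an exact entityID match; the regex must match the whole value."""
    kind, value = rule
    if kind == "Requester":
        return requester == value
    return re.fullmatch(value, requester) is not None

def review(line):
    rec = parse_audit(line)
    released = set(rec["attributes"])
    return {"requester": rec["requester"],
            "regex_rule_applies": rule_applies(REGEX_RULE, rec["requester"]),
            "exact_rule_applies": rule_applies(EXACT_RULE, rec["requester"]),
            # Permitted but absent: the filter only permits, so an attribute
            # with no resolved value is not released either.
            "permitted_not_released": sorted(PERMITTED - released),
            "released_not_permitted": sorted(released - PERMITTED)}

if __name__ == "__main__":
    print(review(SAMPLE))
```
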