Anyone have any success setting up with Starfishsolutions?

Brady, Jason W jbrady at sbccd.cc.ca.us
Tue May 7 11:40:52 EDT 2019 

Same for us. We only ever provide the uid, and that long entity ID looks similar to ours. We have an export from Colleague that gets sent to Starfish to create accounts.

From: users <users-bounces at shibboleth.net> On Behalf Of Mircea Baciu
Sent: Tuesday, May 7, 2019 7:46 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Anyone have any success setting up with Starfishsolutions?

We were asked to release only the user identifier to Starfish (in our case that's uid). The accounts need to be provisioned ahead of time via some connector software they provide, so if that's not set up yet then that error message makes sense.

The second entityID you listed (urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production) looks like the one to use.

Mircea
--
Mircea Baciu, Senior Unix Systems Administrator
Simmons University | 300 The Fenway | Boston, MA 02115 | 617-521-2194


On Tue, May 7, 2019 at 9:43 AM Melvin Lasky <melvin.lasky at manhattan.edu<mailto:melvin.lasky at manhattan.edu>> wrote:
Hey all,
We are trying to implement Shibboleth with Starfishsolutions…..

We are continuing to get a

You do not have a user account in the Starfish system.

Please contact your system administrator if you should have or would like to gain access to this application.

—

What concerns me is this… In my attribute-filter, I tried as a regex https://*.starfishsolutions.com/* etc….

<AttributeFilterPolicy id="releaseForSTARFISH" >
  <PolicyRequirementRule xsi:type="RequesterRegex" regex="https:\/\/.*\.starfishsolutions\.com\/.*\/.*" />
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
   <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonAffiliation">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

Didn’t work. I also tried this:

<AttributeFilterPolicy id="releaseForSTARFISH" >
  <PolicyRequirementRule xsi:type="Requester" value="urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production" />
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
   <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonAffiliation">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

Both have same result

When I look at the logs, what I notice is this:

shib-idp;idp-process.log;dev;nothing; - [149.61.2.59]2019-05-07 13:36:47,435 - INFO [Shibboleth-Audit.SSO:275] - 20190507T133647Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|a1gd9hb4b8cahc0f4e775c0778fa6i4|urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://ourshibbolethserver.manhattan.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c9c7ed626a291e8be9b328a6a99534e9|melvin.lasky|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,surname,givenName,eduPersonPrincipalName|AAdzZWNyZXQxfzIVftcT7532TD2JqJInMnzix0aGjqTF8d+kGWDuE0G8W+A4fTv5ZKJiHVh8lZE9uLStuOhdU/xcV0yXgTsrDf0wLi4ztNpCbdrZsM9TDJBnTlkDzlK0UiIWOR5crwRSI66OPH176Asy6m6Qx1erS0cHwr6ByRbpjhEMsx+KXl3UpPkELS5DkSAFIIKA/A==|_4fdc3ba871d1cb09e3c521a07eff1e12|<http://shibboleth.net/ns/profiles/saml2/sso/browser%7Chttps:/ourshibbolethserver.manhattan.edu/idp/shibboleth%7Curn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST%7C_c9c7ed626a291e8be9b328a6a99534e9%7Cmelvin.lasky%7Curn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport%7Cuid,mail,surname,givenName,eduPersonPrincipalName%7CAAdzZWNyZXQxfzIVftcT7532TD2JqJInMnzix0aGjqTF8d+kGWDuE0G8W+A4fTv5ZKJiHVh8lZE9uLStuOhdU/xcV0yXgTsrDf0wLi4ztNpCbdrZsM9TDJBnTlkDzlK0UiIWOR5crwRSI66OPH176Asy6m6Qx1erS0cHwr6ByRbpjhEMsx+KXl3UpPkELS5DkSAFIIKA/A==%7C_4fdc3ba871d1cb09e3c521a07eff1e12%7C>


First, I don’t see it coming from an https://* address like my other requests, I see it coming from urn:saml:starfishsolutions:v1:manhattan-test_starfish-sp-2019-2024-production

Also, it looks like it is sending the attributes, but not the ones I selected? uid,mail,surname,givenName,eduPersonPrincipalName

Do you think it’s something on our side or their side? Also, why can’t I get the attributes I listed to be released, and why is it releasing those attributes? Any help will be greatly appreciated.

Thanks

Mel

Melvin Lasky
Associate Director of Enterprise Architecture

[cid:image001.jpg at 01D504B0.932CA730]



Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at manhattan.edu<mailto:melvin.lasky at manhattan.edu>
www.manhattan.edu<http://www.manhattan.edu/>





--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>

This Footer added by SBCCD Technology & Educational Support Services: This message is from an external NON-SBCCD sender. TESS / Helpdesk will NEVER ask for your password. Any such request is not from SBCCD. Any email asking you to click on a link and provide account information is an attempt to compromise your account! Always use caution when deciding to click a link. If you are not sure, ask for help. ---Footer automatically generated by SBCCD mail server.---
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190507/9e8e7c64/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 7478 bytes
Desc: image001.jpg
URL: <http://shibboleth.net/pipermail/users/attachments/20190507/9e8e7c64/attachment.jpg>

More information about the users mailing list