Canvas Integration Examples
Jeremiah Brock
jbrock at everettcc.edu
Mon May 20 17:40:55 EDT 2019
Thanks for the Debug suggestion, Art.
The NameID is what I am expecting.
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_c9c586616dbc6094036b76969a6f784f"
IssueInstant="2019-05-20T21:34:57.637Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://idp-389ds-test.everettcc.edu/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="https://idp-389ds-test.everettcc.edu/idp/shibboleth"
SPNameQualifier="http://everettcc.instructure.com/saml2">123456789</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="127.0.0.1"
InResponseTo="_cfe9f306-42d4-4e09-8e29-f92fd5d644e6"
NotOnOrAfter="2019-05-20T21:39:57.725Z"
Recipient="https://everettcc.test.instructure.com/login/saml"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-05-20T21:34:57.637Z"
NotOnOrAfter="2019-05-20T21:39:57.637Z">
<saml2:AudienceRestriction>
<saml2:Audience>http://everettcc.instructure.com/saml2</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-05-20T21:34:57.437Z"
SessionIndex="_0f9fac55868abf7259d74090b72c478f">
<saml2:SubjectLocality Address="127.0.0.1"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="sid"
Name="urn:oid:0.9.2342.19200300.100.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>123456789</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
~Jeremy
On Mon, May 20, 2019 at 2:25 PM Aterea Brown <atbrown at aut.ac.nz> wrote:
> Are you using SSO tracer or some other saml capture plugin in your
> browser? You can check the nameid that has been generated. I think you
> can also increase the logging for
> <variable name="idp.loglevel.messages" value="DEBUG" />
> <variable name="idp.loglevel.encryption" value="DEBUG" />
> to see the SAML messages in your log file.
>
> Also bear in mind from
> https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
>
> Format Selection
>
> For any given request, the ordered list of Formats to try to generate is
> based on combining the SP's request (SAML 2 requests can include a
> <NameIDPolicy> element that requires a particular Format), the
> <NameIDFormat> element(s) in the SP's metadata, and the
> nameIDFormatPrecedence profile configuration
> <https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration>
> property, if set for the chosen relying party configuration. If the
> metadata contains nothing, or contains the "
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" value, then the
> metadata is ignored.
>
> If a <NameIDPolicy> element with Format is supplied, a suitable
> identifier MUST be generated or an error will be returned.
>
> Otherwise the formats specified in an SP's metadata are filtered against a
> nameIDFormatPrecedence profile configuration
> <https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration>
> property, if set, and the resulting set of Formats is tried in order.
> That is, the first Format in the profile configuration that is also in the
> metadata and that results in a valid result will be used.
>
> Default Formats for each SAML version are set via *saml-nameid.properties*
> and are used in the event that nothing else is called for. You should
> *not* alter that setting in most cases.
>
> So you should check whats being returned for nameid. It might not be what
> you expect.
>
>
> -art
>
>
> ------------------------------
> *From:* users <users-bounces at shibboleth.net> on behalf of Jeremiah Brock <
> jbrock at everettcc.edu>
> *Sent:* Tuesday, 21 May 2019 8:18 AM
> *To:* users at shibboleth.net
> *Subject:* Canvas Integration Examples
>
> Good afternoon,
>
> I am trying to set up the Canvas SAML authentication using our
> Shibboleth v3 IdP instance and am having a heck of a time finding any
> recent documentation.
>
> I believe that Canvas ONLY supports the NameID
> or eduPersonPrincipalName for the Login Attribute. So I am attempting to
> use the NameID that I source on the fly from our sid attribute in the
> saml-nameid.xml .
>
> With the current configs (which I will have available below) I am
> directed to our IDP from Canvas to authenticate and after successful
> authentication, I am redirected to canvas and receive an error message
> "There was a problem logging into Everett Community College".
>
>
> *metadata-providers.xml*
>
> <MetadataProvider id="CanvasMetadata"
> xsi:type="FileBackedHTTPMetadataProvider"
>
> backingFile="/opt/shibboleth-idp/metadata/canvas-metadata.xml"
> metadataURL="https://everettcc.instructure.com/saml2"/>
>
>
>
> *attribute-resolver.xml*
>
> <AttributeDefinition xsi:type="Simple" id="sid"
> sourceAttributeID="employeenumber">
> <Dependency ref="389DSLDAP" />
> <AttributeEncoder xsi:type="SAML1String"
> name="urn:mace:dir:attribute-def:uid" encodeType="false" />
> <AttributeEncoder xsi:type="SAML2String"
> name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sid"
> encodeType="false" />
> </AttributeDefinition>
>
>
>
> *attribute-filter.xml*
>
>
> <!-- For Canvas Testing -->
> <AttributeFilterPolicy id="InstructureCanvasPolicy">
> <PolicyRequirementRule xsi:type="Requester" value="http://everettcc.instructure.com/saml2"/>
>
> <AttributeRule attributeID="NameID">
> <PermitValueRule xsi:type="ANY"/>
> </AttributeRule>
>
> <AttributeRule attributeID="sid">
> <PermitValueRule xsi:type="ANY"/>
> </AttributeRule>
>
> </AttributeFilterPolicy>
>
>
> *saml-nameid.xml*
>
> <!-- NEW WAY PER SP!!!! JB 20190520 -->
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
> p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> p:attributeSourceIds="#{ {'sid'} }">
>
> <property name="activationCondition">
> <bean parent="shibboleth.Conditions.RelyingPartyId"
> c:candidate="http://everettcc.instructure.com/saml2" />
> </property>
> </bean>
>
>
> *relying-party.xml*
>
> <!-- Canvas-->
> <bean parent="RelyingPartyByName" c:relyingPartyIds="http://everettcc.instructure.com/saml2">
> <property name="profileConfigurations">
> <list>
> <bean parent="Shibboleth.SSO" />
> <bean parent="SAML2.SSO"
> p:encryptAssertions="false"
> p:signAssertions="false"
> p:encryptNameIDs="false"
> p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'}}"
> />
> <ref bean="SAML2.Logout" />
> </list>
> </property>
> </bean>
>
>
>
> Here is what I see in the *idp-process.log* after a successful
> authentication, the population of NameID with the sid attribute and the
> release of the sid (but not the NameID?).
>
> 2019-05-20 12:57:07,018 - DEBUG
> [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154]
> - Beginning to encode attribute sid
> 2019-05-20 12:57:07,018 - DEBUG
> [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] -
> Encoding value 123456789 of attribute sid
> 2019-05-20 12:57:07,019 - DEBUG
> [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191]
> - Completed encoding 1 values for attribute sid
> 2019-05-20 12:57:07,019 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:116]
> - Profile Action AddAttributeStatementToAssertion: Adding constructed
> AttributeStatement to Assertion _2aa1a4c562370d0af02cbf0adce804ac
> 2019-05-20 12:57:07,023 - DEBUG
> [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:124]
> - Configuration specifies the following formats:
> [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified]
> 2019-05-20 12:57:07,023 - DEBUG
> [net.shibboleth.idp.saml.profile.logic.DefaultNameIdentifierFormatStrategy:141]
> - Metadata did not specify any formats, relying on configuration alone
> 2019-05-20 12:57:07,024 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:197]
> - *Checking for source attribute sid*
> 2019-05-20 12:57:07,024 - DEBUG
> [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:216]
> - *Generating NameID from String-valued attribute sid*
> 2019-05-20 12:57:07,041 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:592]
> - Found Assertion with AuthnStatement to decorate in outbound Response
> 2019-05-20 12:57:07,041 - DEBUG
> [net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion:290]
> - Issuance of delegated was not indicated, skipping assertion decoration
> 2019-05-20 12:57:07,062 - DEBUG
> [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:179] -
> Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of
> type 'org.opensaml.messaging.handler.impl.BasicMessageHandlerChain' on
> OUTBOUND message context
> 2019-05-20 12:57:07,062 - DEBUG
> [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] -
> Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on
> message context containing a message of type
> 'org.opensaml.saml.saml2.core.impl.ResponseImpl'
> 2019-05-20 12:57:07,068 - DEBUG
> [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100]
> - Looking up message encoder based on binding URI:
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> 2019-05-20 12:57:07,072 - DEBUG
> [net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile
> Action RecordResponseComplete: Record response complete
> 2019-05-20 12:57:07,073 - INFO [Shibboleth-Audit.SSO:275] -
> 20190520T195707Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_bd08fcee-9195-4093-b01d-428224c54864|http://everettcc.instructure.com/saml2|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp-389ds-test.everettcc.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_2dfbb1143bb975720f03d1582c5960c7|jbrock|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|sid|123456789|_2aa1a4c562370d0af02cbf0adce804ac|
>
>
>
> In the Canvas SAML options I have the following :
>
> Login Attribute : NameID
>
> Identifier Format : urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
>
> Authentication Context : No value
>
> Message Signing : Not Signed
>
>
>
>
> Thanks for any advice or working examples.
>
> ~Jeremy
> --
> Jeremiah Brock
> IT Web, Data and Development Services / Information Security
> 425-259-8707
> jbrock at everettcc.edu
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
--
Jeremiah Brock
IT Web, Data and Development Services / Information Security
425-259-8707
jbrock at everettcc.edu
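Added example, not part of the thread and not Shibboleth's or Canvas's own code: a Python script that does what Art suggests, namely read back the NameID the IdP actually issued, and then applies the checks an SP makes before it accepts the login (Issuer, Audience, Recipient, InResponseTo, NameID Format, and the NotBefore/NotOnOrAfter windows), each of which is a reason an SP rejects an otherwise successful authentication. The assertion posted above is embedded as constructed sample input; the Response wrapper around it, the SP entityID, ACS URL, IdP entityID and request ID constants, and the 60-second clock skew are assumptions. XML signature verification is deliberately left out (the posted excerpt shows no Signature element) and must be done separately before any of these values are trusted.

```python
"""Added example (not from the thread, Shibboleth or Canvas): pull the Subject/NameID
out of a SAML 2.0 Response and apply the acceptance checks an SP runs on it."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Assumed SP/IdP settings, taken from values that appear in the thread.
SP_ENTITY_ID = "http://everettcc.instructure.com/saml2"
SP_ACS_URL = "https://everettcc.test.instructure.com/login/saml"
IDP_ENTITY_ID = "https://idp-389ds-test.everettcc.edu/idp/shibboleth"
REQUEST_ID = "_cfe9f306-42d4-4e09-8e29-f92fd5d644e6"

# Constructed sample: the posted assertion inside a minimal <Response> whose own
# attributes are assumed; any ds:Signature the IdP adds is omitted.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2019-05-20T21:34:57.637Z">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_c9c586616dbc6094036b76969a6f784f" IssueInstant="2019-05-20T21:34:57.637Z"
      Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://idp-389ds-test.everettcc.edu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          NameQualifier="https://idp-389ds-test.everettcc.edu/idp/shibboleth"
          SPNameQualifier="http://everettcc.instructure.com/saml2">123456789</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="127.0.0.1" InResponseTo="_cfe9f306-42d4-4e09-8e29-f92fd5d644e6"
            NotOnOrAfter="2019-05-20T21:39:57.725Z" Recipient="https://everettcc.test.instructure.com/login/saml"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-05-20T21:34:57.637Z" NotOnOrAfter="2019-05-20T21:39:57.637Z">
      <saml2:AudienceRestriction><saml2:Audience>http://everettcc.instructure.com/saml2</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="sid" Name="urn:oid:0.9.2342.19200300.100.1.1"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>123456789</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_saml_time(value):
    """xs:dateTime as the IdP writes it: UTC 'Z' suffix, optional fractional seconds."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)

def extract_subject(response_xml):
    """Return the fields an SP keys its accept/reject decision on, as plain values."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    subject = assertion.find("saml2:Subject", NS)
    nameid = subject.find("saml2:NameID", NS)
    scd = subject.find("saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    cond = assertion.find("saml2:Conditions", NS)
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
    return {
        "status": root.find("saml2p:Status/saml2p:StatusCode", NS).get("Value"),
        "issuer": assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip(),
        "nameid": (nameid.text or "").strip(),
        "nameid_format": nameid.get("Format"),
        "sp_name_qualifier": nameid.get("SPNameQualifier"),
        "in_response_to": scd.get("InResponseTo"),
        "recipient": scd.get("Recipient"),
        "scd_not_on_or_after": scd.get("NotOnOrAfter"),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "audiences": [(a.text or "").strip() for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)],
        "attributes": attrs,
    }

def check_response(info, *, sp_entity_id, acs_url, idp_entity_id, expected_format,
                   expected_request_id, now, skew=timedelta(seconds=60)):
    """Return the reasons an SP would reject this Response; an empty list means accept.
    XML signature verification is out of scope here and must run before these checks."""
    checks = [
        (info["status"] == SUCCESS, "Status is %s, not Success" % info["status"]),
        (info["issuer"] == idp_entity_id, "Issuer %r is not the configured IdP" % info["issuer"]),
        (bool(info["nameid"]), "NameID missing or empty"),
        (info["nameid_format"] == expected_format, "NameID Format %r != expected %r" % (info["nameid_format"], expected_format)),
        (info["sp_name_qualifier"] in (None, sp_entity_id), "SPNameQualifier %r != SP entityID" % info["sp_name_qualifier"]),
        (sp_entity_id in info["audiences"], "Audience %r does not include SP entityID" % info["audiences"]),
        (info["recipient"] == acs_url, "Recipient %r != ACS URL" % info["recipient"]),
        (info["in_response_to"] == expected_request_id, "InResponseTo %r does not match the AuthnRequest" % info["in_response_to"]),
        (now >= parse_saml_time(info["not_before"]) - skew, "NotBefore %s is in the future" % info["not_before"]),
        (now < parse_saml_time(info["not_on_or_after"]) + skew, "Conditions NotOnOrAfter %s has passed" % info["not_on_or_after"]),
        (now < parse_saml_time(info["scd_not_on_or_after"]) + skew, "SubjectConfirmationData NotOnOrAfter %s has passed" % info["scd_not_on_or_after"]),
    ]
    return [message for ok, message in checks if not ok]
```

To use it on a live capture, paste the base64-decoded SAMLResponse from the browser tracer into extract_subject() and call check_response() with the entityID, ACS URL and request ID your SP is actually configured with; the returned list names the specific mismatch where the SP's login page only shows a generic failure. Passing an SP entityID that differs from the Audience/SPNameQualifier only in scheme (https vs http) is enough for the checker to reject, which is the sort of exact-string mismatch that is easy to overlook when reading the assertion by eye.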