HELP
Pat Tedesco
ptedesco at ims.consulting
Thu Aug 13 13:38:54 UTC 2020
Pasquale Tedesco
Network Administrator
Infrastructure Management Solutions, LLC
Washington, DC
Los Angeles, CA
New York, NY
Office: 800.764.6685
Fax: 703.842.8917
Mobile: 914.589.5879
ptedesco at ims.consulting
http://ims.consulting
A Certified Virginia Small Business!
________________________________
From: users <users-bounces at shibboleth.net> on behalf of users-request at shibboleth.net <users-request at shibboleth.net>
Sent: Thursday, August 13, 2020 8:00 AM
To: users at shibboleth.net <users at shibboleth.net>
Subject: users Digest, Vol 110, Issue 9
Send users mailing list submissions to
users at shibboleth.net
To subscribe or unsubscribe via the World Wide Web, visit
https://shibboleth.net/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
users-request at shibboleth.net
You can reach the person managing the list at
users-owner at shibboleth.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of users digest..."
Today's Topics:
1. Re: IDP proxy - attribute (Jerry Bailie)
2. Non standard parameter name for SAMLResponse
(Yngvi Þór Sigurjónsson)
3. Re: Non standard parameter name for SAMLResponse (Cantor, Scott)
4. Re: Open access control for testing (Mathew, Sunil)
5. Re: IDP proxy - attribute (Cantor, Scott)
----------------------------------------------------------------------
Message: 1
Date: Wed, 12 Aug 2020 08:04:39 -0400
From: Jerry Bailie <jebailie at vassar.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP proxy - attribute
Message-ID:
<CALAoxZA+fVvsPFYv4mtquPpVjqeV0h-ndn45FpY6trMWQz66Sw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
#'s 3 and 4, I think we're good to go.
1 and 2, not so much...
I see this in the idp-process.log:
2020-08-12 07:53:45,847 - x.x.x.x - INFO
[net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication:443]
- Profile Action ValidateSAMLAuthentication: No transcoding rule for
Attribute 'eduPersonScopedAffiliation'
So we know that it is being 'exported' out of the proxy. This is true
because I can turn it 'off' on the proxy end and this message does not
present itself in the log.
This is what we have in attribute-filter.xml :
<AttributeFilterPolicy id="proxy">
    <PolicyRequirementRule xsi:type="Issuer" value="https://vassar.onelogin.com" />
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
1) What should the "value" of the issuer be? When the xsi:type is
"Requester", it is www.example.com/sp or some such related to the SP.
2) It's not clear how to 'map' the incoming attribute to a Transcoding rule.
- Jerry
On Tue, Aug 11, 2020 at 3:34 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 8/11/20, 3:12 PM, "users on behalf of Jerry Bailie" <
> users-bounces at shibboleth.net on behalf of jebailie at vassar.edu> wrote:
>
> > The question is, is how to obtain that attribute
> (eduPersonScopedAffiliation) from Onelogin ?
>
> https://wiki.shibboleth.net/confluence/display/IDP4/SAMLAuthnConfiguration
>
> Attribute Extraction and Filtering
> Attribute Resolution
>
> i.e.
>
> 1. Make sure the Attribute Registry transcoding rules map the necessary
> SAML Attribute(s) into their internal IDs.
> 2. Add filter rules as required to accept those attribute IDs from the
> "issuer".
> 3. Add a Subject data connector to export the attribute(s) back out of the
> resolver.
> 4. Add filter rules as required to release the attribute IDs to the SP.
>
> That's generally all it takes unless the use case is more complex.
>
> (3) automates all the complex parts that are happening under the covers.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
------------------------------
Message: 2
Date: Wed, 12 Aug 2020 14:24:23 +0000
From: Yngvi Þór Sigurjónsson <blitzkopf at gmail.com>
To: users at shibboleth.net
Subject: Non standard parameter name for SAMLResponse
Message-ID:
<CAFeGNAoSNK+CfhjvcfaPTmmxS-3HZUTaVURWVST-8euNieY6sA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi!
I'm trying to integrate Shibboleth Service Provider with an IdP (
innskraning.island.is ) that claims to use SAML 2 but I believe it is a
half baked attempt.
The Response is posted in application/x-www-form-urlencoded body but the
name of the parameter is token like so
token=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGlu......
I still believe the response received is a valid Response but I get this
message from Shibboleth
Request missing SAMLRequest or SAMLResponse form parameter.
Is there a way to configure the parameter name (SAMLResponse) expected to
hold the response?
Regards
Yngvi
------------------------------
Message: 3
Date: Wed, 12 Aug 2020 14:28:09 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: Non standard parameter name for SAMLResponse
Message-ID: <09669722-CA28-4113-B6D8-70307DC38053 at osu.edu>
Content-Type: text/plain; charset="utf-8"
On 8/12/20, 10:24 AM, "users on behalf of Yngvi Þór Sigurjónsson" <users-bounces at shibboleth.net on behalf of blitzkopf at gmail.com> wrote:
> Is there a way to configure the parameter name (SAMLResponse) expected to hold the response?
No.
-- Scott
------------------------------
Message: 4
Date: Wed, 12 Aug 2020 19:09:15 +0000
From: "Mathew, Sunil" <smathew at hbs.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: Open access control for testing
Message-ID: <8DF73AFE-C93B-4C85-B923-DE7412C0C980 at hbs.edu>
Content-Type: text/plain; charset="utf-8"
We just added the VPN NAT address to access control and that worked.
<entry key="AccessByIPAddress">
<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'199.94.00.00/32', '127.0.0.1/32', '::1/128'} }" />
</entry>
PS: This is a test environment in which we are setting up Shibboleth in ECS, and the security group limits clients to the VPN IP address only.
Sunil
On 8/12/20, 4:02 AM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:
* Mathew, Sunil <smathew at hbs.edu> [2020-08-11 19:20]:
> Here is my problem. I deployed Shibboleth to ECS. But I was getting the following error in IdP logs:
>
> IDP_WARN: 2020-08-10 17:33:37,057 - 10.140.0.162 - ERROR
> [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200]
> - Message Handler: SAML message intended destination endpoint
> 'https://sso.hbsstg.org/idp/profile/SAML2/Redirect/SSO' did not
> match the recipient endpoint
> 'http://sso.hbsstg.org/idp/profile/SAML2/Redirect/SSO'
[...]
> requestScheme:http
> requestIsSecure:false
> requestServerPort:80
>
> We are trying to add tomcat valve with
> protocolHeader="x-forwarded-proto" so that we can get past the
> error.
Alternatively you could try setting the relevant attributes on the
relevant Tomcat (plain) HTTP Connector, e.g.
proxyPort="443"
scheme="https"
secure="true"
Of course you need to make sure there's no plain HTTP traffic being
accepted/forwarded to/from your TLS offloading service. (And IDP doesn't
need plain HTTP support, not even with redirects to HTTPS, so just
block all non-HTTPS requests at the TLS offloading service.)
Cheers,
-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
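The two routes Peter describes for making Tomcat report the request as HTTPS, shown side by side against the connector behaviour Sunil's log records (requestScheme:http, requestIsSecure:false, requestServerPort:80). This is an added example, not configuration from the thread, from Tomcat's documentation or from the Shibboleth project; the connector port 8080, the header names, the Host/Engine names and the 10.140.0.0/16 proxy range (guessed from the 10.140.0.162 source address in Sunil's log line) are assumptions.

```xml
<!-- Tomcat conf/server.xml, inside <Service name="Catalina">.
     Keep exactly ONE of the two <Connector> elements below. -->

<!-- As-is: a plain HTTP connector behind a TLS offloader. Tomcat believes the
     request arrived as http on port 80, so the IdP's endpoint check compares
     the SAML Destination (https://sso.hbsstg.org/...) against
     http://sso.hbsstg.org/... and raises the ReceivedEndpointSecurityHandler error. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

<!-- Option 1 (Peter's suggestion): declare that this connector only ever sits
     behind a TLS terminator. Every request on it is reported as https on 443,
     whatever headers it carries, so this is only correct when the offloader is
     the sole thing that can reach port 8080 and the offloader accepts HTTPS only. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           proxyPort="443" scheme="https" secure="true" />

<!-- Option 2 (what Sunil's team was adding): derive scheme and client address
     from X-Forwarded-* headers, but only when the immediate peer matches
     internalProxies (a regex; the range here is an assumption). A peer outside
     that range has its headers ignored, so a request that bypasses the offloader
     still shows up as plain http and fails the endpoint check rather than
     spoofing its way to requestIsSecure:true. The valve goes in <Engine> or <Host>. -->
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           protocolHeader="x-forwarded-proto"
           protocolHeaderHttpsValue="https"
           internalProxies="10\.140\.\d{1,3}\.\d{1,3}"
           httpsServerPort="443" />
  </Host>
</Engine>
```

With either option the IdP sees the recipient endpoint as https://sso.hbsstg.org/idp/profile/SAML2/Redirect/SSO, which is what the metadata states. Option 2 also makes the IdP log the real client address instead of the load balancer's, which matters for the IPRangeAccessControl bean Sunil posted: the allowedRanges there are matched against the address Tomcat reports, so with the valve in place they must list the VPN client range rather than the proxy's own address.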
------------------------------
Message: 5
Date: Wed, 12 Aug 2020 23:08:28 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP proxy - attribute
Message-ID: <BD56F869-2E66-439F-8F91-54B419872DDA at osu.edu>
Content-Type: text/plain; charset="utf-8"
> So we know that it is being 'exported' out of the proxy.
No, some bogus, made-up SAML Attribute that is *not* defined by eduPerson is being exported. eduPerson attributes in SAML 2 have names derived from OIDs in the form of URNs. The defined mapping rules are correct out of the box. Passing data that is not correct will not be processed, and the message reflects that.
> 1) What should the "value" of the issuer be?
The entityID of the IdP you're proxying to is the issuer for a rule that handles acceptance, it's just the inverse of a release rule.
> 2) It's not clear how to 'map' the incoming attribute to a Transcoding rule.
I wouldn't in this particular case, but the documentation on creating custom rules is in the wiki.
https://wiki.shibboleth.net/confluence/display/IDP4/AttributeRegistryConfiguration
-- Scott
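Scott's four steps (quoted in Message 1 and restated in Message 5) as one worked IdP 4 configuration, together with the difference in attribute naming that the "No transcoding rule" log line points at. This is an added example, not configuration from the thread or from the Shibboleth project. The SP entityID https://sp.example.org/shibboleth, the policy and connector IDs, the sample value member@vassar.edu and the NameFormat on the second attribute are assumptions; the issuer value is carried over from Jerry's rule as a placeholder and must equal the entityID OneLogin puts in the assertion's <saml2:Issuer>.

```xml
<!-- 1. Attribute naming in the assertion received from the proxied IdP (constructed).

     What the eduPerson rule shipped under conf/attributes/ matches: the SAML 2
     name is the URN form of the eduPersonScopedAffiliation OID. No registry
     change is needed for this. -->
<saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>member@vassar.edu</saml2:AttributeValue>
</saml2:Attribute>

<!-- What the log line "No transcoding rule for Attribute 'eduPersonScopedAffiliation'"
     implies OneLogin is sending instead. No default rule matches this Name, so the
     value is discarded before filtering ever sees it (NameFormat assumed here). -->
<saml2:Attribute Name="eduPersonScopedAffiliation"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml2:AttributeValue>member@vassar.edu</saml2:AttributeValue>
</saml2:Attribute>

<!-- 2 and 4. conf/attribute-filter.xml -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Step 2: acceptance rule. Issuer is the entityID of the IdP being proxied to;
       as Scott says, it is the inverse of a release rule. -->
  <AttributeFilterPolicy id="acceptFromOneLogin">
    <PolicyRequirementRule xsi:type="Issuer" value="https://vassar.onelogin.com" />
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
  </AttributeFilterPolicy>

  <!-- Step 4: release rule. Requester is the entityID of the SP that should get it. -->
  <AttributeFilterPolicy id="releaseToExampleSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>

<!-- 3. conf/attribute-resolver.xml -->
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

  <!-- Step 3: the Subject connector re-exposes attributes already attached to the
       authenticated Subject (the ones the proxy run decoded and the Issuer rule
       accepted), so they come back out of the resolver without a separate
       AttributeDefinition per attribute. -->
  <DataConnector id="proxiedSubject" xsi:type="Subject"
                 exportAttributes="eduPersonScopedAffiliation" />

</AttributeResolver>
```

The order matters for reading the logs: the transcoding rule runs first, so until OneLogin emits the OID-named attribute the acceptance policy in step 2 never fires and the ValidateSAMLAuthentication message keeps appearing no matter what the filter says. permitAny="true" accepts whatever the issuer asserts; since eduPersonScopedAffiliation carries a scope, a production acceptance rule should restrict the value to the scope the proxied IdP is entitled to assert rather than taking any value.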
------------------------------
Subject: Digest Footer
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
------------------------------
End of users Digest, Vol 110, Issue 9
*************************************