OIDC Geant module missing attributes
Lipscomb, Gary
glipscomb at csu.edu.au
Wed Jul 8 10:28:42 UTC 2020
IdP 3.4.6
Geant OIDC module 1.1.0
Hi list,
We are having an issue where attributes are not added to the response for some users:
2020-07-08 09:59:21,142 - 110.142.93.136 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200707T235921Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||gcXXXXX||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|G3PBNIMJEIYU7VA6BSQCEXQ7FVD2MFX3||
2020-07-08 09:59:42,852 - 110.142.93.136 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200707T235942Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||gcXXXXX||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|G3PBNIMJEIYU7VA6BSQCEXQ7FVD2MFX3||
2020-07-08 10:07:05,688 - 110.142.93.136 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T000705Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||gcXXXXX||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|G3PBNIMJEIYU7VA6BSQCEXQ7FVD2MFX3||
2020-07-08 10:48:54,804 - 137.166.241.24 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T004854Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||mpXXXX||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|3ZYVMM7PQWGHYET5RLCUXVJXDODY3WGF||
2020-07-08 10:52:56,123 - 137.166.241.24 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T005256Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||mpXXXX||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|3ZYVMM7PQWGHYET5RLCUXVJXDODY3WGF||
2020-07-08 11:38:49,273 - 180.150.81.221 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T013849Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||gbXXXX||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|L3RJJFKMNTSVTMRAASBTE5UILWDES7UY||
2020-07-08 11:44:23,146 - 180.150.81.221 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T014423Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||gbXXXX||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|L3RJJFKMNTSVTMRAASBTE5UILWDES7UY||
2020-07-08 11:51:26,370 - 120.159.34.107 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T015126Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||EpXXXXX||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|7PP5HYI5ZGN7BOWR5KMOVDIS3SUO444J||
And for other users it defines all the attributes:
2020-07-08 14:19:03,970 - 58.171.66.198 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T041903Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||JcXXXX||sub,iss,given_name,nonce,aud,CSUID,auth_time,name,exp,iat,family_name,email|V3PFDXTWPW2O4YVWGOJ336SKKEAHB6MH||
2020-07-08 14:59:23,457 - 10.9.228.212 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T045923Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||jhXXXX||sub,iss,given_name,nonce,aud,CSUID,auth_time,name,exp,iat,family_name,email|UDIJ2JTUJDCG3QE3J6CGIIFWVYT7ZCAJ||
2020-07-08 15:36:34,679 - 137.166.80.99 - INFO [Shibboleth-Consent-Audit.OIDCSSO:275] - 20200708T053634Z|https://studentrequests.csu.edu.au/oidc|AttributeReleaseConsent|smXXXXXX|CSUID,displayName,email,givenName,subject,surname|BUYzlL2WCUlyrhRefJJ5RdxE2U6pw/Al7MiqAAS0zns=,ry+7WjwlpOR6REWZqXa4wY1gFlcNEJAraTGr0JPavjw=,nhz2if2tEGRDOwHoLsUAPvEG4UlPVjIvFgy7gMCwxz8=,Fa4COoyJZILDP5mFpED7HinUY2b0b44TYfj05qrOOVI=,p74NOGut2d7f0Z6dR8mqg8c9e0idfQM+NjVnjU4Waj0=,8v58R1R1li4cmkrI9k+oYPiY8nmz+4+hvXiblQP5TIM=|true,true,true,true,true,true
2020-07-08 15:36:34,691 - 137.166.80.99 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T053634Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||smXXXXX||sub,iss,given_name,nonce,aud,CSUID,auth_time,name,exp,iat,family_name,email|IO7NDCWIGWNO3EPSR2CEYZDNTDYAA3P5||
2020-07-08 16:03:12,254 - 106.70.123.166 - INFO [Shibboleth-Consent-Audit.OIDCSSO:275] - 20200708T060312Z|https://studentrequests.csu.edu.au/oidc|AttributeReleaseConsent|cfZZZZZ|CSUID,displayName,email,givenName,subject,surname|tSnL1hyyrpePMQU7dx1tutmL4zh0aIkTe0wI2O7C+Wo=,8zIsg2PdSJSlk0TA3zrmJci6eC9bbupuNjwhCp85/Fc=,QDsXV6P9LxKuPYAi8W2tUtNau434Ef8G86yT2C3pwG8=,7JRvkx2XKyeUmZh/EX8m4R/t1bZncx55zyvue5Uc2Zg=,Yyk5pdTDfvU6yZKaB8grGdQLeyCuzfJsoWFIHnnPM30=,bkcc/LFG0EbMnpdXNk+69VqqkC8QcCcN6Xz35D2do8M=|true,true,true,true,true,true
2020-07-08 16:03:12,277 - 106.70.123.166 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T060312Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||cfZZZZZ||sub,iss,given_name,nonce,aud,CSUID,auth_time,name,exp,iat,family_name,email|JP4BB32JKL5DXRKHPRLNYEKYKFJQRNJ4||
2020-07-08 16:56:47,768 - 121.223.128.71 - INFO [Shibboleth-Consent-Audit.OIDCSSO:275] - 20200708T065647Z|https://studentrequests.csu.edu.au/oidc|AttributeReleaseConsent|apZZZZ|CSUID,displayName,email,givenName,subject,surname|BLayGe7INhUt2VhJyRr01u3cumQdTry8cD8KbwYQcuM=,NJVX1mywwAjPmC9oBhTl+0/cUCVWtw1tc8/kIUuZv8c=,Eo7J3ERD+yb2AZFNXPBOrG3AxP7m9WjsNwYP4dUh4/I=,BFbhQWFLKZnbfezhptute48CXEJOkWTSirDtmeisdkg=,EM4c7wfXhJUut9p8/lx8a2gz6458HlrDWWAbws3rNsU=,hp33SDcJBInIFw0yIarQKd/ZfmCgUNwyhO+a3PMP1hg=|true,true,true,true,true,true
2020-07-08 16:56:47,798 - 121.223.128.71 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T065647Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||apZZZZZ||sub,iss,given_name,nonce,aud,CSUID,auth_time,name,exp,iat,family_name,email|G3YOLYR2MUV47EU6LYQU57HQZ7AE62OA||
We have Shibboleth configured to not prompt for consent, but I'm seeing an AttributeReleaseConsent for those that are successful. The SP, Sitefinity, requires CSUID for an account to be created.
relying-party.xml
</snip>
<bean id="shibboleth.RelyingParty_OIDC_NoUserConsent" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction"
      parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'https://studentrequestsdev.csu.edu.au/oidc',
                            'https://studentrequests.csu.edu.au/oidc',
                            'https://studentrequests.csu.edu.au/oidc'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="member" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="member" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
            <bean parent="OIDC.SSO" p:postAuthenticationFlows="member" />
            <bean parent="OIDC.UserInfo"/>
            <bean parent="OAUTH2.Revocation"/>
        </list>
    </property>
</bean>
<!-- OIDC extension relying party definitions -->
<import resource="oidc-relying-party.xml" />
</snip>
I've just noticed that I have the RelyingPartyID duplicated in the above. Would this be a contributing factor?
attribute-filter.xml
<AttributeFilterPolicy id="StudentRequest PortalConnect">
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="Requester" value="https://studentrequestsdev.csu.edu.au/oidc" />
        <Rule xsi:type="Requester" value="https://studentrequestsqa.csu.edu.au/oidc" />
        <Rule xsi:type="Requester" value="https://studentrequests.csu.edu.au/oidc" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="CSUID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
attribute-resolver.xml
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:sec="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oidcext="org.geant.idpextension.oidc.attribute.encoder"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                        org.geant.idpextension.oidc.attribute.encoder classpath:/schema/idp-oidc-extension-attribute-encoder.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <AttributeDefinition id="email" xsi:type="Simple">
        <InputDataConnector ref="ldap" attributeNames="mail"/>
        <DisplayName xml:lang="en">Email Address</DisplayName>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
        <AttributeEncoder xsi:type="oidcext:OIDCString" name="email" />
    </AttributeDefinition>

    <AttributeDefinition id="displayName" xsi:type="Simple">
        <InputDataConnector ref="ldap" attributeNames="displayName"/>
        <DisplayName xml:lang="en">Display Name</DisplayName>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
        <AttributeEncoder xsi:type="oidcext:OIDCString" name="name" />
    </AttributeDefinition>

    <AttributeDefinition id="uid" xsi:type="Simple">
        <InputDataConnector ref="ldap" attributeNames="uid"/>
        <DisplayName xml:lang="en">User Name</DisplayName>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
        <AttributeEncoder xsi:type="oidcext:OIDCString" name="uid" />
    </AttributeDefinition>

    <AttributeDefinition id="givenName" xsi:type="Simple">
        <InputDataConnector ref="ldap" attributeNames="givenName"/>
        <DisplayName xml:lang="en">Given Name</DisplayName>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
        <AttributeEncoder xsi:type="oidcext:OIDCString" name="given_name" />
    </AttributeDefinition>

    <AttributeDefinition id="surname" xsi:type="Simple">
        <InputDataConnector ref="ldap" attributeNames="sn"/>
        <DisplayName xml:lang="en">Surname</DisplayName>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
        <AttributeEncoder xsi:type="oidcext:OIDCString" name="family_name" />
    </AttributeDefinition>

    <AttributeDefinition id="CSUID" xsi:type="RegexSplit"
                         regex="^urn:.*:personalUniqueID:au:csuid:(.+)$">
        <InputDataConnector ref="ldap" attributeNames="schacPersonalUniqueID"/>
        <DisplayName xml:lang="en">CSU Id</DisplayName>
        <AttributeEncoder xsi:type="SAML2String" name="CSUID" friendlyName="CSUID" encodeType="false" />
        <AttributeEncoder xsi:type="oidcext:OIDCString" name="CSUID" />
    </AttributeDefinition>
Any ideas of where to look next?
Regards
Gary
Gary Lipscomb
Technical Officer, Systems(Infrastructure) | Infrastructure & Client Services | Division of Information Technology
Charles Sturt University
Panorama Avenue
Bathurst NSW 2795
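An added triage example, not part of the post and not code from the Shibboleth or GEANT projects: a small Python script that parses the two audit layouts visible in the post (the pipe-delimited Shibboleth-Audit.OIDCSSO success line and the Shibboleth-Consent-Audit.OIDCSSO consent line), reports every AuthenticationSuccessResponse whose claim list lacks the claims the SP depends on (CSUID and email), notes whether the same user has a consent-audit record, and applies the resolver's CSUID RegexSplit pattern to sample schacPersonalUniqueID values to see which would yield a CSUID at all. The field positions are those observed in the posted lines rather than a documented format; the requester and issuer URLs are the ones in the post, while the user ids, transaction ids, consent hashes and schacPersonalUniqueID values are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the two audit layouts seen in the post. Requester and
# issuer URLs are the ones in the post; user ids, transaction ids and consent
# hashes are placeholders.
SAMPLE_LOG = """\
2020-07-08 09:59:21,142 - 192.0.2.10 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200707T235921Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||userA||sub,aud,auth_time,iss,name,exp,given_name,iat,family_name,nonce|TXN00001||
2020-07-08 15:36:34,679 - 192.0.2.11 - INFO [Shibboleth-Consent-Audit.OIDCSSO:275] - 20200708T053634Z|https://studentrequests.csu.edu.au/oidc|AttributeReleaseConsent|userB|CSUID,displayName,email,givenName,subject,surname|h1=,h2=,h3=,h4=,h5=,h6=|true,true,true,true,true,true
2020-07-08 15:36:34,691 - 192.0.2.11 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T053634Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||userB||sub,iss,given_name,nonce,aud,CSUID,auth_time,name,exp,iat,family_name,email|TXN00002||
2020-07-08 16:10:00,000 - 192.0.2.12 - INFO [Shibboleth-Audit.OIDCSSO:275] - 20200708T061000Z|AuthenticationRequest||https://studentrequests.csu.edu.au/oidc|http://csc.fi/ns/profiles/oidc/sso/browser|https://idp.csu.edu.au|AuthenticationSuccessResponse||userC||sub,iss,given_name,nonce,aud,auth_time,name,exp,iat,family_name,email|TXN00003||
"""

# Common prefix of an IdP audit line: "<date> <time> - <ip> - <level> [<logger>:<n>] - <message>"
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<ip>\S+) - \w+ \[(?P<logger>[^:\]]+):\d+\] - (?P<msg>.*)$"
)

# Claims the SP needs; CSUID is the one the post says account creation depends on.
EXPECTED_CLAIMS = {"CSUID", "email"}

# The RegexSplit pattern from the posted attribute-resolver.xml (CSUID definition).
CSUID_REGEX = re.compile(r"^urn:.*:personalUniqueID:au:csuid:(.+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line into a dict, or None if it is neither layout we know.

    Field positions are those observed in the posted lines (an assumption, not a spec):
    success line : ts|AuthenticationRequest||requester|profile|issuer|AuthenticationSuccessResponse||user||claims|txn||
    consent line : ts|requester|AttributeReleaseConsent|user|attributes|hashes|consents
    """
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = m.group("msg").split("|")
    logger = m.group("logger")
    if logger == "Shibboleth-Audit.OIDCSSO" and len(fields) >= 12 \
            and fields[6] == "AuthenticationSuccessResponse":
        return {"kind": "response", "user": fields[8], "requester": fields[3],
                "claims": set(filter(None, fields[10].split(","))), "txn": fields[11]}
    if logger == "Shibboleth-Consent-Audit.OIDCSSO" and len(fields) >= 5 \
            and fields[2] == "AttributeReleaseConsent":
        return {"kind": "consent", "user": fields[3], "requester": fields[1],
                "attributes": set(fields[4].split(","))}
    return None


def find_missing(log_text: str, expected=EXPECTED_CLAIMS) -> Dict[str, Tuple[str, List[str]]]:
    """Map transaction id -> (user, sorted missing claims) for every success response
    whose released claim list lacks one of the expected claims."""
    missing = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "response":
            lacking = set(expected) - rec["claims"]
            if lacking:
                missing[rec["txn"]] = (rec["user"], sorted(lacking))
    return missing


def consent_coverage(log_text: str) -> Dict[str, bool]:
    """For each user with a success response, whether a consent-audit record was also seen.
    Lets you check the observation that only 'consented' sessions carry the attributes."""
    consented, responders = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "consent":
            consented.add(rec["user"])
        elif rec["user"] not in responders:
            responders.append(rec["user"])
    return {u: (u in consented) for u in responders}


def extract_csuid(values: List[str]) -> Optional[str]:
    """Apply the RegexSplit pattern to each schacPersonalUniqueID value the way the
    resolver does (first capture group of the first matching value); None if nothing matches,
    which is exactly the case where CSUID would be absent from the token."""
    for v in values:
        m = CSUID_REGEX.match(v)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    for txn, (user, lacking) in find_missing(SAMPLE_LOG).items():
        print(f"{txn}: user {user} response lacks {', '.join(lacking)}")
    for user, seen in consent_coverage(SAMPLE_LOG).items():
        print(f"{user}: consent-audit record {'present' if seen else 'absent'}")
    # Constructed schacPersonalUniqueID values: one matching the pattern, one not.
    print(extract_csuid(["urn:mace:terena.org:schac:personalUniqueID:au:csuid:11223344"]))
    print(extract_csuid(["urn:mace:terena.org:schac:personalUniqueID:au:passport:AB1234"]))
```

Running this over a real idp-audit.log separates two questions that the posted lines alone do not: whether the affected users' responses lack the whole attribute set (which points at the filter or relying-party override not applying for that session) or only CSUID (which points at the LDAP value not matching the RegexSplit pattern), and whether the presence of a consent-audit record correlates with the attributes being released.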