AAD and IDP Shibboleth 3.0 integration

Joseph Fischetti Joseph.Fischetti at marist.edu
Fri Mar 13 10:57:28 EDT 2020


Peter,
> ("ImmutableID") serves no purpose: It doesn't have an encoder attached,
> doesn't match any attribute id in the new attribute registry default
> configuration and also isn't being used by any other attribute in the
> resolver. So pointless.

I do believe, if he has an entry in conf/saml-nameid.xml that uses the
immutableid as the attributeSourceId, that an encoder is unnecessary. So,
it's possible it's not entirely pointless.

The documentation that's available out there is incredibly outdated (at
least it was when I set it up in 2018).  That's probably where he's getting
all the deprecated configuration from.

I haven't read through the rest of the chain so I can't provide any valuable
feedback on what's going on.

> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
> Sent: Friday, March 13, 2020 8:33 AM
> To: users at shibboleth.net
> Subject: Re: AAD and IDP Shibboleth 3.0 integration
> 
> [EXTERNAL EMAIL]
> 
> * Gustavo Duarte <gus.duarte at gmail.com> [2020-03-12 20:18]:
> > Seeing the logs, I can't figure out what is the attribute error
> > configuration.
> 
> You seriously expect other people to read your own logs on your behalf,
> all 20777 lines of them?
> If that's your attitude (or level of competence) you should really look
> for someone else to handle setting up a SAML IDP for you.
> 
> But here are a few things to get you started:
> 
> Your LDAP config was/is incorrect:
> 
> 2020-03-12 12:46:44,709 - IP - WARN
> [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:192
> ] - Profile Action      ValidateUsernamePasswordAgainstLDAP: Login by
> ceibaltest1 at gusduarte.tech produced exception
> org.ldaptive.LdapException: javax.naming.NameNotFoundException: [LDAP:
> error code 32 - No Such Object]; remaining name 'ou=people,
> dc=gusduarte,dc=tech'
>     at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
> Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 -
> No Such Object]
> 
> You have undefined properties, probably from having messed up the
> conf/ldap.properties file:
> 
> 2020-03-12 18:18:44,302 - IP - WARN
> [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:551
> ] - Exception encountered during context initialization - cancelling
> refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException:
> Invalid bean definition with name 'myLDAP' defined in null: Could not
> resolve placeholder 'idp.attribute.resolver.LDAP.searchFilter' in value
> "%{idp.attribute.resolver.LDAP.searchFilter}"; nested exception is
> java.lang.IllegalArgumentException: Could not resolve placeholder
> 'idp.attribute.resolver.LDAP.searchFilter' in value
> "%{idp.attribute.resolver.LDAP.searchFilter}"
> 
> That's what stops your resolver from loading.
> 
> Also, your IDP does not support the NameID the SP requested:
> 
> 2020-03-12 18:19:52,507 - IP - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidNameIDPolicy
> 
> Further comments (amazing, for a resolver config that's only 69 lines):
> 
> So you started by moving to the old, deprecated syntax and removed the
> (modern) InputAttributeDefinition child elements, and replaced them with
> (deprecated) Dependency child elements. A choice that doesn't make any sense
> to me.
> 
> You have two attribute definitions in that file and the first one
> ("ImmutableID") serves no purpose: It doesn't have an encoder attached,
> doesn't match any attribute id in the new attribute registry default
> configuration and also isn't being used by any other attribute in the
> resolver.
> So pointless.
> The other one seems confused to me: A "UserId" attribute that actually
> pulls data from your "mail" attribute in LDAP (so isn't a UserId) and has an
> encoder that puts that into an attribute called "IDPEmail". But at least that
> could work
> (provided the NameFormat is correct for what the SP expects I don't know.)
> 
> -peter
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
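As an added illustration (not configuration from either poster), this is the shape Joseph describes: a conf/attribute-resolver.xml in current IdP v3 syntax (InputDataConnector, no Dependency elements) where "ImmutableID" carries no encoder because conf/saml-nameid.xml consumes it by id, while "IDPEmail" is released as a SAML attribute. The connector id "myLDAP" and the property names are taken from the logs above; sourcing ImmutableID from "uid" and using the persistent NameID format are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/attribute-resolver.xml (added example, IdP v3.4 syntax) -->
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- No AttributeEncoder here on purpose: this value is never released as a
         SAML Attribute. It only feeds the NameID generator in conf/saml-nameid.xml
         that lists 'ImmutableID' in attributeSourceIds. Pick a stable identifier
         that is never reused for another account; "uid" is an assumption. -->
    <AttributeDefinition xsi:type="Simple" id="ImmutableID">
        <InputDataConnector ref="myLDAP" attributeNames="uid"/>
    </AttributeDefinition>

    <!-- Released to the SP as an Attribute named IDPEmail, sourced from LDAP "mail".
         Naming the definition after what it carries avoids the "UserId that is
         really mail" confusion called out above. -->
    <AttributeDefinition xsi:type="Simple" id="IDPEmail">
        <InputDataConnector ref="myLDAP" attributeNames="mail"/>
        <AttributeEncoder xsi:type="SAML2String" name="IDPEmail" friendlyName="IDPEmail"/>
    </AttributeDefinition>

    <!-- Every %{...} placeholder below must be defined in conf/ldap.properties.
         A missing one (e.g. idp.attribute.resolver.LDAP.searchFilter) aborts
         context refresh with "Could not resolve placeholder" and the whole
         resolver fails to load, exactly as in the WARN above. -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
    </DataConnector>
</AttributeResolver>
```

The matching entry in conf/saml-nameid.xml is a `<bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" p:attributeSourceIds="#{ {'ImmutableID'} }"/>` in the shibboleth.SAML2NameIDGenerators list; if the SP requests a NameID format for which no generator is configured, the IdP logs the InvalidNameIDPolicy event seen above.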