SP not mapping attributes from the Duo Access Gateway
Wessel, Keith
kwessel at illinois.edu
Thu Mar 19 11:34:03 EDT 2020
All,
We've got an SP on campus that's trying to use the Duo Access Gateway as its IdP. I believe the Duo Access Gateway is just a branded and customized version of SimpleSAMLphp. However, the SP seems to be complaining about the XML in the response, and it's skipping attributes even though they exist in the Shibboleth attribute map. From the shibd log:
2020-03-18 09:33:08 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2020-03-18 09:33:08 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: attempting to validate signature with the peer's credentials
2020-03-18 09:33:08 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature validated with credential
2020-03-18 09:33:08 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
2020-03-18 09:33:08 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [1]: assertion satisfied bearer confirmation requirements
2020-03-18 09:33:08 DEBUG Shibboleth.SSO.SAML2 [1]: SSO profile processing completed successfully
2020-03-18 09:33:08 DEBUG Shibboleth.SSO.SAML2 [1]: extracting pushed attributes...
2020-03-18 09:33:08 DEBUG Shibboleth.AttributeExtractor.XML [1]: unable to extract attributes, unknown XML object type: samlp:Response
2020-03-18 09:33:08 DEBUG Shibboleth.AttributeExtractor.XML [1]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)
2020-03-18 09:33:08 DEBUG Shibboleth.AttributeExtractor.XML [1]: unable to extract attributes, unknown XML object type: saml:AuthnStatement
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.16.840.1.113730.3.1.3, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.3, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.3, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: duo_username, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: mail, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: cn, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 DEBUG Shibboleth.SSO.SAML2 [1]: resolving attributes...
2020-03-18 09:33:08 DEBUG Shibboleth.AttributeResolver.Query [1]: found AttributeStatement in input to new session, skipping query
Some of the skipped attributes are mapped in the SP's attribute map and, in fact, when we switch to a different IdP (not the Duo Access Gateway), the attributes come through.
I'm concerned about the two unknown XML object type entries. But those are just debug-level. Are those because the samlp: and saml: namespaces are defined in the opening <samlp:Response> tag and just haven't been processed yet? Because, clearly, the SP is processing the attributes to claim that they are unmapped:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b14f27aa4da253bcee327c05a3cdb06f5c21bbbea3" Version="2.0" IssueInstant="2020-03-18T19:18:02Z" Destination="https://urbsmtest1.admin.uillinois.edu/Shibboleth.sso/SAML2/POST" InResponseTo="_798827dccd806e1987890050ea8fef97" >
My other thought is the attribute format, though the attribute map doesn't define any formats, and I'd think the format of basic that the Duo Access Gateway is sending wouldn't be an issue.
Any thoughts?
Thanks,
Keith
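Added example, not part of Keith's post and not code from Shibboleth or Duo: a small Python diagnostic that cross-checks the "skipping unmapped SAML 2.0 Attribute" lines from a shibd log against the SP's attribute-map.xml and reports, per attribute, whether the name is absent from the map, present but with a NameFormat the map entry does not match, or apparently matched (in which case the skip has some other cause). It assumes the Shibboleth SP matching rule that a map entry with no nameFormat matches only attributes sent with the "uri" (or "unspecified") NameFormat, while an explicit nameFormat must match exactly; that rule is encoded in entry_matches and is an assumption to verify against the SP version in use. The attribute map inside the block is constructed for illustration; the log lines are the ones quoted in the post.

```python
import re
import xml.etree.ElementTree as ET

MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed attribute-map.xml fragment for illustration; not the poster's real map.
# 'uid' and 'sn' have no nameFormat; 'cn' explicitly expects the basic format.
SAMPLE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
  <Attribute name="cn" id="cn"
             nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</Attributes>
"""

# shibd log lines taken from the post above (unmapped-attribute entries only).
SAMPLE_LOG = """\
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: duo_username, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
2020-03-18 09:33:08 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: cn, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
"""

SKIP_RE = re.compile(
    r"skipping unmapped SAML 2\.0 Attribute with Name: (?P<name>\S+), Format:(?P<fmt>\S+)"
)


def parse_attribute_map(xml_text):
    """Return (name, nameFormat-or-None, id) for every <Attribute> in an attribute map."""
    root = ET.fromstring(xml_text)
    return [
        (el.get("name"), el.get("nameFormat"), el.get("id"))
        for el in root.iter("{%s}Attribute" % MAP_NS)
    ]


def parse_skipped_attributes(log_text):
    """Extract (Name, Format) pairs from 'skipping unmapped SAML 2.0 Attribute' lines."""
    pairs = []
    for line in log_text.splitlines():
        m = SKIP_RE.search(line)
        if m:
            pairs.append((m.group("name"), m.group("fmt")))
    return pairs


def entry_matches(entry_format, sent_format):
    """Assumed SP rule: an entry without nameFormat matches only the uri/unspecified
    NameFormat; an explicit nameFormat must equal what the IdP sent."""
    if entry_format is None:
        return sent_format in (FMT_URI, FMT_UNSPECIFIED)
    return entry_format == sent_format


def diagnose(map_xml, log_text):
    """Classify each skipped attribute as not-in-map, format-mismatch or matches.

    Returns {name: (status, detail)} where detail is None, a
    (expected_formats, sent_format) pair, or the id of the matching entry.
    """
    entries = parse_attribute_map(map_xml)
    report = {}
    for name, sent_format in parse_skipped_attributes(log_text):
        candidates = [e for e in entries if e[0] == name]
        if not candidates:
            report[name] = ("not-in-map", None)
            continue
        matched = [e for e in candidates if entry_matches(e[1], sent_format)]
        if matched:
            # The map should have accepted it; look at extractor config, not the map.
            report[name] = ("matches", matched[0][2])
        else:
            expected = [e[1] or FMT_URI for e in candidates]
            report[name] = ("format-mismatch", (expected, sent_format))
    return report


if __name__ == "__main__":
    for name, (status, detail) in diagnose(SAMPLE_MAP, SAMPLE_LOG).items():
        print("%-40s %-16s %s" % (name, status, detail))
```

Run against a real shibd.log and attribute-map.xml, a "format-mismatch" row for an attribute the IdP sends with the basic NameFormat points at the map entry needing a nameFormat that matches what the IdP sends, whereas "not-in-map" means the SP has no entry for that name at all.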