From pete at digitalidentitylabs.com  Thu Jun  1 08:16:02 2023
From: pete at digitalidentitylabs.com (Pete Birkinshaw)
Date: Thu, 1 Jun 2023 09:16:02 +0100
Subject: SP setup for multiple IDPs
In-Reply-To: <PH0PR10MB5404F13A5CC3AA01D1120A93B3489@PH0PR10MB5404.namprd10.prod.outlook.com>
References: <DM8PR10MB53975B488BBFB6859CAC3893B3789@DM8PR10MB5397.namprd10.prod.outlook.com>
 <AA21DD0A-81A3-45B7-8BC7-97A0C3D18F81@osu.edu>
 <PH0PR10MB5404F13A5CC3AA01D1120A93B3489@PH0PR10MB5404.namprd10.prod.outlook.com>
Message-ID: <etPan.647853c7.1171c1fb.b622@digitalidentitylabs.com>

<ApplicationOverride id="APPNAME"?? entityID=https://APPNAME.uww.edu/shibboleth>

You seem to be missing some quotes around the entity ID - is it like that in your original?


Pete

--?
Pete Birkinshaw
Digital Identity Ltd |?http://www.digitalidentity.ltd.uk?
Registered in England and Wales No. 7121888?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230601/e43c9879/attachment.htm>

From herronj at uww.edu  Thu Jun  1 10:55:43 2023
From: herronj at uww.edu (Herron, Joel D)
Date: Thu, 1 Jun 2023 10:55:43 +0000
Subject: SP setup for multiple IDPs
In-Reply-To: <etPan.647853c7.1171c1fb.b622@digitalidentitylabs.com>
References: <DM8PR10MB53975B488BBFB6859CAC3893B3789@DM8PR10MB5397.namprd10.prod.outlook.com>
 <AA21DD0A-81A3-45B7-8BC7-97A0C3D18F81@osu.edu>
 <PH0PR10MB5404F13A5CC3AA01D1120A93B3489@PH0PR10MB5404.namprd10.prod.outlook.com>
 <etPan.647853c7.1171c1fb.b622@digitalidentitylabs.com>
Message-ID: <DM8PR10MB53972AEBEE1C0355AD7A2EB2B3499@DM8PR10MB5397.namprd10.prod.outlook.com>

No that was a pasting error. Quotes are there on the server.

--Joel
________________________________
From: Pete Birkinshaw <pete at digitalidentitylabs.com>
Sent: Thursday, June 1, 2023 3:16:02 AM
To: Herron, Joel D <herronj at uww.edu>; Shib Users <users at shibboleth.net>
Subject: Re: SP setup for multiple IDPs

EXTERNAL EMAIL
<ApplicationOverride id="APPNAME"   entityID=https://APPNAME.uww.edu/shibboleth<https://appname.uww.edu/shibboleth>>

You seem to be missing some quotes around the entity ID - is it like that in your original?


Pete

--
Pete Birkinshaw
Digital Identity Ltd | http://www.digitalidentity.ltd.uk<http://www.digitalidentity.ltd.uk/>
Registered in England and Wales No. 7121888

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230601/45d6a1c6/attachment.htm>

From cantor.2 at osu.edu  Thu Jun  1 12:22:21 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Thu, 1 Jun 2023 12:22:21 +0000
Subject: SP setup for multiple IDPs
In-Reply-To: <PH0PR10MB5404F13A5CC3AA01D1120A93B3489@PH0PR10MB5404.namprd10.prod.outlook.com>
References: <DM8PR10MB53975B488BBFB6859CAC3893B3789@DM8PR10MB5397.namprd10.prod.outlook.com>
 <AA21DD0A-81A3-45B7-8BC7-97A0C3D18F81@osu.edu>
 <PH0PR10MB5404F13A5CC3AA01D1120A93B3489@PH0PR10MB5404.namprd10.prod.outlook.com>
Message-ID: <92113C80-1BD4-4F2A-8891-EBCE495AD515@osu.edu>

> Reading the docs it says Sessions is a valid child element to
> <ApplicationOveride> and I understand that the default attributes are mostly
> ignored, so I duplicated what was there. I?m assuming something else is blocking
> this configuration. 

It is a valid element, so there are "facts not in evidence", added to the fact that the XML you're posting is being altered and is incomplete. Perhaps a hidden character somewhere.

As I said to begin with, there is nothing here requiring an override, so that's a pretty obvious fix. In effect, unless you have to override handlerURL itself, there's almost never a need for an override.

-- Scott



From smeyer at dfn.de  Mon Jun  5 09:10:38 2023
From: smeyer at dfn.de (Silke Meyer)
Date: Mon, 5 Jun 2023 11:10:38 +0200
Subject: SAML2NameID deprecated (and therefore eduPersonTargetedId?)
In-Reply-To: <361c83de-6cab-f668-0023-8a1a3800a1eb@jisc.ac.uk>
References: <361c83de-6cab-f668-0023-8a1a3800a1eb@jisc.ac.uk>
Message-ID: <a51696c1-6070-d6d2-eeb9-0a7bc0f9a796@dfn.de>

Hi Scott, hi all,

coming back to this older thread about the deprecation of SAML2NameID...

> The scoped pairwise ID subject Attribute isn't the replacement for this, it was replaced a decade ago by simply saying "use a SAML 2.0 persistent NameID". The Shibboleth SP has always treated those as functionally identical down to the syntax in the exported variable.
> 
> If there's honestly some crazy piece of code out there that can handle an XML-valued AttributeValue (which nothing ever handled beyond this except for our SP) and can't handle a NameID, then a) that's insane and b) it should get fixed.
> 
> I would like to remove this from the IdP, yes. Failing that, moving it into an unsupported plugin that we will not release ourselves but would make the code available for would be my preferred plan B, because if we don't force this, nobody seems willing to do anything about it. It's past time.

With the release of IdP v5 ahead I was wondering how to deal with the 
situation resp. what advice to give to our community:

We have been spreading the word about using the persistentID for years 
but as of today there are still almost 80 Service Providers in DFN-AAI 
who have labeled ePTID as a required attribute (not counting local SPs 
in the organizations). Not every SP operator publishes their required 
attributes so even more could be affected by the deprecation.

Removing it would certainly cause a considerable amount of support 
requests here. I guess I would have a hard time explaining that there is 
an unsupported and unreleased plugin that a relevant part of our 350+ 
Shibboleth IdPs would then need to use those ~80 SPs.

Afaik, the SAML2NameID is still part of the code right now. So I was 
wondering if there was maybe a plan C, e.g. let it run the way it is in 
v4. Is that an option?

Best, Silke

-- 
Silke Meyer

DFN-Verein | Verein zur F?rderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin | Germany

Phone: +49 30 884299-306 | Mail: smeyer at dfn.de

Vorstand:  Prof. Dr. O. Kao, Dr. R. Bockholt, C. Zens
Gesch?ftsf?hrer: Dr. C. Grimm, J. Pattloch
AG Charlottenburg VR7729B | USt.-ID. DE 136623822

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5403 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/09632246/attachment.p7s>

From d.perry1 at yorksj.ac.uk  Mon Jun  5 09:31:29 2023
From: d.perry1 at yorksj.ac.uk (Dave Perry)
Date: Mon, 5 Jun 2023 09:31:29 +0000
Subject: SAML2NameID deprecated (and therefore eduPersonTargetedId?)
In-Reply-To: <a51696c1-6070-d6d2-eeb9-0a7bc0f9a796@dfn.de>
References: <361c83de-6cab-f668-0023-8a1a3800a1eb@jisc.ac.uk>
 <a51696c1-6070-d6d2-eeb9-0a7bc0f9a796@dfn.de>
Message-ID: <LO0P265MB52139F7801202AE7D9A06436E74DA@LO0P265MB5213.GBRP265.PROD.OUTLOOK.COM>

I wonder if, in the UK, we could get some support from the UK Federation/JISC on this? Our v4 installation has this same issue.

_________________________________________________

Dave Perry
Application Analyst  |  Innovation & Technology Services

York St John University

Lord Mayor?s Walk, York, YO31 7EX
T: +44(0)1904 876 0000
email at yorksj.ac.uk<mailto:email at yorksj.ac.uk>  |  www.yorksj.ac.uk<http://www.yorksj.ac.uk>

[cid:f064561d-8051-4753-bbd6-83b89119954a]

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Silke Meyer <smeyer at dfn.de>
Sent: 05 June 2023 10:10
To: users at shibboleth.net <users at shibboleth.net>
Subject: Re: SAML2NameID deprecated (and therefore eduPersonTargetedId?)

Caution: Please take care when clicking on links or opening attachments in emails that originate from outside of the university. When in doubt, contact the ITS service desk.


Hi Scott, hi all,

coming back to this older thread about the deprecation of SAML2NameID...

> The scoped pairwise ID subject Attribute isn't the replacement for this, it was replaced a decade ago by simply saying "use a SAML 2.0 persistent NameID". The Shibboleth SP has always treated those as functionally identical down to the syntax in the exported variable.
>
> If there's honestly some crazy piece of code out there that can handle an XML-valued AttributeValue (which nothing ever handled beyond this except for our SP) and can't handle a NameID, then a) that's insane and b) it should get fixed.
>
> I would like to remove this from the IdP, yes. Failing that, moving it into an unsupported plugin that we will not release ourselves but would make the code available for would be my preferred plan B, because if we don't force this, nobody seems willing to do anything about it. It's past time.

With the release of IdP v5 ahead I was wondering how to deal with the
situation resp. what advice to give to our community:

We have been spreading the word about using the persistentID for years
but as of today there are still almost 80 Service Providers in DFN-AAI
who have labeled ePTID as a required attribute (not counting local SPs
in the organizations). Not every SP operator publishes their required
attributes so even more could be affected by the deprecation.

Removing it would certainly cause a considerable amount of support
requests here. I guess I would have a hard time explaining that there is
an unsupported and unreleased plugin that a relevant part of our 350+
Shibboleth IdPs would then need to use those ~80 SPs.

Afaik, the SAML2NameID is still part of the code right now. So I was
wondering if there was maybe a plan C, e.g. let it run the way it is in
v4. Is that an option?

Best, Silke

--
Silke Meyer

DFN-Verein | Verein zur F?rderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin | Germany

Phone: +49 30 884299-306 | Mail: smeyer at dfn.de

Vorstand:  Prof. Dr. O. Kao, Dr. R. Bockholt, C. Zens
Gesch?ftsf?hrer: Dr. C. Grimm, J. Pattloch
AG Charlottenburg VR7729B | USt.-ID. DE 136623822

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/9a4c0202/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Outlook-5utgwhwc.png
Type: image/png
Size: 12155 bytes
Desc: Outlook-5utgwhwc.png
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/9a4c0202/attachment.png>

From cantor.2 at osu.edu  Mon Jun  5 12:12:17 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Mon, 5 Jun 2023 12:12:17 +0000
Subject: SAML2NameID deprecated (and therefore eduPersonTargetedId?)
In-Reply-To: <LO0P265MB52139F7801202AE7D9A06436E74DA@LO0P265MB5213.GBRP265.PROD.OUTLOOK.COM>
References: <361c83de-6cab-f668-0023-8a1a3800a1eb@jisc.ac.uk>
 <a51696c1-6070-d6d2-eeb9-0a7bc0f9a796@dfn.de>
 <LO0P265MB52139F7801202AE7D9A06436E74DA@LO0P265MB5213.GBRP265.PROD.OUTLOOK.COM>
Message-ID: <D56FE355-5A75-489B-B563-B499A98743EF@osu.edu>

The warning has been changed to "at risk" but it will not ever be documented or mentioned again as an official feature. We reserve the right to remove it at any time if a valid reason arises.

The only people that can fix this legacy mess are all of you. Were it me, I would have simply tested all these SPs with and without the Attribute populated. It takes time and that's the cost of operating an IdP.

My guess is that 90% or more of them will function identically with the NameID.

-- Scott





From peter.schober at univie.ac.at  Mon Jun  5 13:02:35 2023
From: peter.schober at univie.ac.at (Peter Schober)
Date: Mon, 5 Jun 2023 15:02:35 +0200
Subject: SAML2NameID deprecated (and therefore eduPersonTargetedId?)
In-Reply-To: <D56FE355-5A75-489B-B563-B499A98743EF@osu.edu>
References: <361c83de-6cab-f668-0023-8a1a3800a1eb@jisc.ac.uk>
 <a51696c1-6070-d6d2-eeb9-0a7bc0f9a796@dfn.de>
 <LO0P265MB52139F7801202AE7D9A06436E74DA@LO0P265MB5213.GBRP265.PROD.OUTLOOK.COM>
 <D56FE355-5A75-489B-B563-B499A98743EF@osu.edu>
Message-ID: <ZH3c635IJ8cb/Uij@aco.net>

* Cantor, Scott via users <users at shibboleth.net> [2023-06-05 14:12]:
> My guess is that 90% or more of them will function identically with
> the NameID.

And the rest of those SPs should be changed, with the information that
thousands of subjects from hundreds of IDPs may no longer be able to
log in soon(-ish) if they don't.
Even better if that message comes from paying customers (or a
collection of those) than from unrelated third parties such as
federation operators. (I still think we should coordinate this across
the community, see below).

Personally I'd rather ask them to start accepting pairwise-id if I
need to be having that conversation with them, instead of trying to
get them to the status quo of 2015 CE (when SAML 2.0 was released
introducing persistent NameIDs).

> The only people that can fix this legacy mess are all of you.

Right. Deployers need to move on this together, IMO, via eduGAIN or
REFEDS, also involving the SP side(s), e.g. via FIM4L and/or
communication efforts targeting all known "incapable" SPs.

-peter

From cantor.2 at osu.edu  Mon Jun  5 13:38:35 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Mon, 5 Jun 2023 13:38:35 +0000
Subject: SAML2NameID deprecated (and therefore eduPersonTargetedId?)
In-Reply-To: <ZH3c635IJ8cb/Uij@aco.net>
References: <361c83de-6cab-f668-0023-8a1a3800a1eb@jisc.ac.uk>
 <a51696c1-6070-d6d2-eeb9-0a7bc0f9a796@dfn.de>
 <LO0P265MB52139F7801202AE7D9A06436E74DA@LO0P265MB5213.GBRP265.PROD.OUTLOOK.COM>
 <D56FE355-5A75-489B-B563-B499A98743EF@osu.edu> <ZH3c635IJ8cb/Uij@aco.net>
Message-ID: <D2B755A7-C5ED-422D-8A43-385903B2F239@osu.edu>

> Personally I'd rather ask them to start accepting pairwise-id if I
> need to be having that conversation with them, instead of trying to
> get them to the status quo of 2015 CE (when SAML 2.0 was released
> introducing persistent NameIDs).

I get that, but rekeying tends to be impossible in general. My point is that the majority of these SPs are perfectly happy to run along with no changes if the IdP would just *test* it. Certainly in the case of Shibboleth SPs, and it's easy enough to know which are which.

It's one thing to try and get a ton of people to do a ton of work that requires joint coordination and discussion. It's another to flip an option and just run some tests, one by one.

Note that "I don't have access" isn't relevant. That's what impersonation is for. I do it all the time where it's necessary to maintain the operational state of my service.

-- Scott



From dabantz at alaska.edu  Mon Jun  5 18:54:50 2023
From: dabantz at alaska.edu (IAM David Bantz)
Date: Mon, 5 Jun 2023 11:54:50 -0700
Subject: Shibb with Asana?
Message-ID: <CAJ9XvwGYe+ZgfjLE5SXp1MwGo+Li8fYbaNPDjoW7-QmHmq34Og@mail.gmail.com>

Anyone using SAML SSO via Shibboleth for access to Asana?

AFAICT, support docs only mention ?Google SSO.?

David St Pierre Bantz
U Alaska IAM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/78685eaf/attachment.htm>

From eweintra at jhmi.edu  Mon Jun  5 19:02:58 2023
From: eweintra at jhmi.edu (Etan Weintraub)
Date: Mon, 5 Jun 2023 19:02:58 +0000
Subject: Shibb with Asana?
In-Reply-To: <CAJ9XvwGYe+ZgfjLE5SXp1MwGo+Li8fYbaNPDjoW7-QmHmq34Og@mail.gmail.com>
References: <CAJ9XvwGYe+ZgfjLE5SXp1MwGo+Li8fYbaNPDjoW7-QmHmq34Og@mail.gmail.com>
Message-ID: <BL3PR01MB7148F9842957950463F405D5B14DA@BL3PR01MB7148.prod.exchangelabs.com>

I?ve got an entityID for https://app.asana.com in our system?.

Not sure when it was configured, but seems like we?re just using a default release for uid, eppn, and UPN.

-Etan E. Weintraub
Enterprise IT Architect
Enterprise Authentication Team Lead
Enterprise Authentication & Cloud Workspace
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.<x-apple-data-detectors://4/>
Davis Building Suite<x-apple-data-detectors://4/> 3110B
Baltimore, MD 21209<x-apple-data-detectors://5/0>
E-mail: eweintra at jhmi.edu<mailto:eweintra at jhmi.edu>
Pronouns: he, him, his

[cid:image001.gif at 01D997BE.CD1B5040]
[cid:image002.png at 01D997BE.CD1B5040]

From: users <users-bounces at shibboleth.net> On Behalf Of IAM David Bantz via users
Sent: Monday, June 5, 2023 2:55 PM
To: Shib Users <users at shibboleth.net>
Cc: IAM David Bantz <dabantz at alaska.edu>
Subject: Shibb with Asana?


      External Email - Use Caution




Anyone using SAML SSO via Shibboleth for access to Asana?

AFAICT, support docs only mention ?Google SSO.?

David St Pierre Bantz
U Alaska IAM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/e733f488/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 5481 bytes
Desc: image001.gif
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/e733f488/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 13287 bytes
Desc: image002.png
URL: <http://shibboleth.net/pipermail/users/attachments/20230605/e733f488/attachment.png>

From eweintra at jhmi.edu  Tue Jun  6 03:46:28 2023
From: eweintra at jhmi.edu (Etan Weintraub)
Date: Tue, 6 Jun 2023 03:46:28 +0000
Subject: Shibb with Asana?
In-Reply-To: <BL3PR01MB7148F9842957950463F405D5B14DA@BL3PR01MB7148.prod.exchangelabs.com>
References: <CAJ9XvwGYe+ZgfjLE5SXp1MwGo+Li8fYbaNPDjoW7-QmHmq34Og@mail.gmail.com>
 <BL3PR01MB7148F9842957950463F405D5B14DA@BL3PR01MB7148.prod.exchangelabs.com>
Message-ID: <BL3PR01MB71484260A6613209FA81DFFEB152A@BL3PR01MB7148.prod.exchangelabs.com>

Slight correction-
We are releasing all of the following attributes:
jhessopersistentid,userprincipalname,uid,eduPersonPrimaryAffiliation,eduPersonScopedAffiliation,eduPersonAffiliation,eduPersonPrincipalName,eduPersonUniqueId

UPN, uid, ePPN are in addition to the rest that we release by default to all applications currently.


Let me know if you have any questions or if I can review anything with you.

-Etan E. Weintraub
Enterprise IT Architect
Enterprise Authentication Team Lead
Enterprise Authentication & Cloud Workspace
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.<x-apple-data-detectors://4/>
Davis Building Suite<x-apple-data-detectors://4/> 3110B
Baltimore, MD 21209<x-apple-data-detectors://5/0>
E-mail: eweintra at jhmi.edu<mailto:eweintra at jhmi.edu>
Pronouns: he, him, his

[cid:image001.gif at 01D99807.DA588E50]
[cid:image002.png at 01D99807.DA588E50]

From: users <users-bounces at shibboleth.net> On Behalf Of Etan Weintraub via users
Sent: Monday, June 5, 2023 3:03 PM
To: 'Shib Users' <users at shibboleth.net>
Cc: Etan Weintraub <eweintra at jhmi.edu>
Subject: RE: Shibb with Asana?


      External Email - Use Caution




I?ve got an entityID for https://app.asana.com in our system?.

Not sure when it was configured, but seems like we?re just using a default release for uid, eppn, and UPN.

-Etan E. Weintraub
Enterprise IT Architect
Enterprise Authentication Team Lead
Enterprise Authentication & Cloud Workspace
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.<x-apple-data-detectors://4/>
Davis Building Suite<x-apple-data-detectors://4/> 3110B
Baltimore, MD 21209<x-apple-data-detectors://5/0>
E-mail: eweintra at jhmi.edu<mailto:eweintra at jhmi.edu>
Pronouns: he, him, his

[cid:image001.gif at 01D99807.DA588E50]
[cid:image002.png at 01D99807.DA588E50]

From: users <users-bounces at shibboleth.net<mailto:users-bounces at shibboleth.net>> On Behalf Of IAM David Bantz via users
Sent: Monday, June 5, 2023 2:55 PM
To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Cc: IAM David Bantz <dabantz at alaska.edu<mailto:dabantz at alaska.edu>>
Subject: Shibb with Asana?


      External Email - Use Caution




Anyone using SAML SSO via Shibboleth for access to Asana?

AFAICT, support docs only mention ?Google SSO.?

David St Pierre Bantz
U Alaska IAM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230606/a8287478/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 5481 bytes
Desc: image001.gif
URL: <http://shibboleth.net/pipermail/users/attachments/20230606/a8287478/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 13287 bytes
Desc: image002.png
URL: <http://shibboleth.net/pipermail/users/attachments/20230606/a8287478/attachment.png>

From Krinetzki at itc.rwth-aachen.de  Tue Jun  6 09:21:14 2023
From: Krinetzki at itc.rwth-aachen.de (Krinetzki, Stephan)
Date: Tue, 6 Jun 2023 09:21:14 +0000
Subject: Error "SAML response reported an IdP error" after Login
Message-ID: <e333b990b86a4b81b357ab0ef17477fa@itc.rwth-aachen.de>

Hello all,

we have some users who currently can't log in to certain systems at all (for example Moodle). In the SP log I find the following entry:

2023-06-05 23:22:00 WARN Shibboleth.SSO.SAML2 [147] [default]: error processing incoming assertion: SAML response reported an IdP error.

I already looked into the IdP logs and I don't see any error there. It also unfortunately affects only a certain amount of users and that permanently, the error can be reproduced from the user, but not from my side. Anyone here have any idea where else I should look? Is a DEBUG output maybe helpful?

Regards

Stephan

--
Stephan Krinetzki
 
IT Center
Gruppe: Anwendungsbetrieb und Cloud
Abteilung: Systeme und Betrieb
RWTH Aachen University
Seffenter Weg 23 
52074 Aachen
Tel: +49 241 80-24866
Fax: +49 241 80-22134
krinetzki at itc.rwth-aachen.de
www.itc.rwth-aachen.de

Social Media Kan?le des IT Centers:
https://blog.rwth-aachen.de/itc/ 
https://www.facebook.com/itcenterrwth 
https://www.linkedin.com/company/itcenterrwth
https://twitter.com/ITCenterRWTH
https://www.youtube.com/channel/UCKKDJJukeRwO0LP-ac8x8rQ?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6358 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20230606/0706b201/attachment.p7s>

From ulf.seltmann at hmt-leipzig.de  Tue Jun  6 10:33:55 2023
From: ulf.seltmann at hmt-leipzig.de (Ulf Seltmann)
Date: Tue, 6 Jun 2023 10:33:55 +0000
Subject: Error "SAML response reported an IdP error" after Login
In-Reply-To: <e333b990b86a4b81b357ab0ef17477fa@itc.rwth-aachen.de>
References: <e333b990b86a4b81b357ab0ef17477fa@itc.rwth-aachen.de>
Message-ID: <8a0cf7f741075308f3dd6bec99aa46118dc65689.camel@hmt-leipzig.de>

Hi Stephan,

did you check the time? A too big gap between client and SP results in errors like this.

Cheers
Ulf

Am Dienstag, dem 06.06.2023 um 09:21 +0000 schrieb Krinetzki, Stephan:
> Hello all,
> 
> we have some users who currently can't log in to certain systems at all (for example Moodle). In the SP log I find the following entry:
> 
> 2023-06-05 23:22:00 WARN Shibboleth.SSO.SAML2 [147] [default]: error processing incoming assertion: SAML response reported an IdP error.
> 
> I already looked into the IdP logs and I don't see any error there. It also unfortunately affects only a certain amount of users and that permanently, the error can be reproduced from the user, but not from my side. Anyone here have any idea where else I should look? Is a DEBUG output maybe helpful?
> 
> Regards
> 
> Stephan
> 
> --
> Stephan Krinetzki
>  
> IT Center
> Gruppe: Anwendungsbetrieb und Cloud
> Abteilung: Systeme und Betrieb
> RWTH Aachen University
> Seffenter Weg 23 
> 52074 Aachen
> Tel: +49 241 80-24866
> Fax: +49 241 80-22134
> krinetzki at itc.rwth-aachen.de
> www.itc.rwth-aachen.de
> 
> Social Media Kan?le des IT Centers:
> https://blog.rwth-aachen.de/itc/ 
> https://www.facebook.com/itcenterrwth 
> https://www.linkedin.com/company/itcenterrwth
> https://twitter.com/ITCenterRWTH
> https://www.youtube.com/channel/UCKKDJJukeRwO0LP-ac8x8rQ?
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6575 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20230606/301d6a30/attachment.p7s>

From cantor.2 at osu.edu  Tue Jun  6 12:21:39 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Tue, 6 Jun 2023 12:21:39 +0000
Subject: Error "SAML response reported an IdP error" after Login
In-Reply-To: <e333b990b86a4b81b357ab0ef17477fa@itc.rwth-aachen.de>
References: <e333b990b86a4b81b357ab0ef17477fa@itc.rwth-aachen.de>
Message-ID: <87ECB276-7D7B-4ACC-A62A-021D267E8C6A@osu.edu>

> I already looked into the IdP logs and I don't see any error there. 

If it's not a bad error message, there is, without any doubt, something in the log about it. That doesn't make it an "ERROR" from a logging perspective, as logging categories have a very specific meaning.

If the IdP is returning a SAML error, it has a reason and it will say so, not to mention it being audited if configured to record the relevant field.

Of course, the SP could also simply be broken and not reporting the issue accurately.

-- Scott



From michael.fuchs at hm.edu  Wed Jun  7 14:00:22 2023
From: michael.fuchs at hm.edu (Fuchs, Michael)
Date: Wed, 7 Jun 2023 14:00:22 +0000
Subject: [Plugin OIDC OP] Addition in Confluence Documentation, so that OIDC
 Configuration can be retrieved
Message-ID: <CEEF1FB4-BD9A-496F-85C3-9BD70AE704D4@hm.edu>

Good day,

I noticed while configuring OIDC that the code snippet at https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP#conf%2Frelying-party.xml  would need to be adjusted. At this point, the bean <bean parent="OIDC.Configuration" /> should also be included in the list of unverified profileConfifugrations. The complete section of conf/relying-party.xml might look like:

    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="OIDC.Configuration" />
                <ref bean="OIDC.Keyset" />
            </list>
        </property>
    </bean>
Otherwise, the openid configuration under /idp/profile/oidc/configuration cannot be retrieved and the documentation above is a bit misleading.



Please feel free to contact me for further queries!

Thank you for the addition to Confluence and many greetings,

Michael Fuchs

?

Michael Fuchs - Central IT
Munich University of Applied Sciences
Lothstr. 34, 80335 Munich, G2.21a
T +49 89 1265-1746
https://hm.edu <https://www.hm.edu/en/index~1.en.html> | https://hm.edu/data_protection_declaration <https://www.hm.edu/en/impressum_1/data_protection/data_protection_declaration.en.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230607/1a4904d3/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4399 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20230607/1a4904d3/attachment.p7s>

From cantor.2 at osu.edu  Wed Jun  7 14:07:12 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Wed, 7 Jun 2023 14:07:12 +0000
Subject: SP patch coming next week
Message-ID: <E14CCCC0-E918-466B-AD9F-75EA92C0EE03@osu.edu>

This is just a courtesy heads up, there will be an library patch released next week, and an SP on Windows update to distribute it.

The security issue is, with some level of uncertainty, low to moderate, I think.? It's not good by any means but so far the main attack I've thought up with it is denial of service, the lamest of security issues.

Barring unforeseen, I hope to get it out Monday.

-- Scott



From smathew at hbs.edu  Wed Jun  7 16:22:32 2023
From: smathew at hbs.edu (Mathew, Sunil)
Date: Wed, 7 Jun 2023 16:22:32 +0000
Subject: log4j-core-2.16.0.jar
In-Reply-To: <SJ0PR03MB65184C42B31A57D8FB966515A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
References: <SJ0PR03MB65184C42B31A57D8FB966515A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
Message-ID: <SJ0PR03MB6518DA166AFEDCDECBF4A81CA853A@SJ0PR03MB6518.namprd03.prod.outlook.com>

Hi All,

We are using shib-idp:4.2.1_20220624 docker image in AWS.

Qualys is complaining about the existence of this file:

/usr/local/tomcat/bin/log4j-core-2.16.0.jar

relates to this CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-45105 - description from Qualys:

Apache Log4j2 does not always protect from infinite recursion in lookup evaluation (CVE-2021-45105), this was made public on December 18, 2021

Affected versions:
Log4j versions all versions from 2.0-beta9 to 2.16.0, excluding 2.12.3, 2.3.1

QID Detection: (Authenticated) - Windows
On the Windows system, the QID identifies a vulnerable instance of log4j via WMI to check log4j included in the running processes via the command-line.

QID Detection: (Authenticated) - Linux
This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version less than or equal to 2.16.0, the target is flagged! as vulnerable.

How can I remediate this vulnerability?


Regards,
Sunil

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230607/4784adb1/attachment.htm>

From matthew.slowe at jisc.ac.uk  Wed Jun  7 16:27:30 2023
From: matthew.slowe at jisc.ac.uk (Matthew Slowe)
Date: Wed, 7 Jun 2023 17:27:30 +0100
Subject: log4j-core-2.16.0.jar
In-Reply-To: <SJ0PR03MB6518DA166AFEDCDECBF4A81CA853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
References: <SJ0PR03MB65184C42B31A57D8FB966515A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
 <SJ0PR03MB6518DA166AFEDCDECBF4A81CA853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
Message-ID: <bfbbb867-7457-428b-59ab-62a9e643fbb7@jisc.ac.uk>

On 07/06/2023 17:22, Mathew, Sunil via users wrote:
> We are using shib-idp:4.2.1_20220624 docker image in AWS

That's not a long enough docker image name to go on? there's probably 
something before it like:

publisher/shib-idp

Either way, it's probably worth either getting in touch with the image 
maintainer (which I don't think will be the Shibboleth project) or 
rebuilding the image yourself.

-- 
Matthew Slowe [he/him] (GPG: 0x6BE0CF7D04600314)
Principal technical consultant and infrastructure specialist, Jisc
Team: 01235 822185
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG


From smathew at hbs.edu  Wed Jun  7 16:30:30 2023
From: smathew at hbs.edu (Mathew, Sunil)
Date: Wed, 7 Jun 2023 16:30:30 +0000
Subject: log4j-core-2.16.0.jar
In-Reply-To: <bfbbb867-7457-428b-59ab-62a9e643fbb7@jisc.ac.uk>
References: <SJ0PR03MB65184C42B31A57D8FB966515A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
 <SJ0PR03MB6518DA166AFEDCDECBF4A81CA853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
 <bfbbb867-7457-428b-59ab-62a9e643fbb7@jisc.ac.uk>
Message-ID: <SJ0PR03MB6518DC0938AFD0D55D16C915A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>

tier/shib-idp:4.2.1_20220624

Here is the image:
https://hub.docker.com/layers/tier/shib-idp/4.2.1_20220624/images/sha256-60089f9871f254a12f86b0287e611ae0668fa1ef450352f8d1f11116ca3b1efe?context=explore

Sunil


From: users <users-bounces at shibboleth.net> on behalf of Matthew Slowe via users <users at shibboleth.net>
Date: Wednesday, June 7, 2023 at 12:27 PM
To: users at shibboleth.net <users at shibboleth.net>
Cc: Matthew Slowe <matthew.slowe at jisc.ac.uk>
Subject: Re: log4j-core-2.16.0.jar
On 07/06/2023 17:22, Mathew, Sunil via users wrote:
> We are using shib-idp:4.2.1_20220624 docker image in AWS

That's not a long enough docker image name to go on? there's probably
something before it like:

publisher/shib-idp

Either way, it's probably worth either getting in touch with the image
maintainer (which I don't think will be the Shibboleth project) or
rebuilding the image yourself.

--
Matthew Slowe [he/him] (GPG: 0x6BE0CF7D04600314)
Principal technical consultant and infrastructure specialist, Jisc
Team: 01235 822185
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

--
For Consortium Member technical support, see https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fshibboleth.atlassian.net%2Fwiki%2Fx%2FZYEpPw&data=05%7C01%7Csmathew%40hbs.edu%7Ca1e4ece3200a489036ff08db67741e1c%7C09fd564ebf4243218f2db8e482f8635c%7C0%7C0%7C638217520681899420%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=P7I97meelo0CdMRxD6lYTjBRBIOjahuSzbc71RJGgnQ%3D&reserved=0<https://shibboleth.atlassian.net/wiki/x/ZYEpPw>
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230607/80ecb1ce/attachment.htm>

From bmoon at scu.edu  Wed Jun  7 16:33:53 2023
From: bmoon at scu.edu (Brian Moon)
Date: Wed, 7 Jun 2023 09:33:53 -0700
Subject: log4j-core-2.16.0.jar
In-Reply-To: <SJ0PR03MB6518DC0938AFD0D55D16C915A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
References: <SJ0PR03MB65184C42B31A57D8FB966515A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
 <SJ0PR03MB6518DA166AFEDCDECBF4A81CA853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
 <bfbbb867-7457-428b-59ab-62a9e643fbb7@jisc.ac.uk>
 <SJ0PR03MB6518DC0938AFD0D55D16C915A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>
Message-ID: <CAH-7XYLWYiSeRVRb6kD-NnD4x-Q2Uyj2nsRBPCjH2ZJjXnWZ=w@mail.gmail.com>

Check out this image instead:
https://hub.docker.com/r/i2incommon/shib-idp/tags

Source can be found at
https://github.internet2.edu/docker/shib-idp/tree/master, with the branches
corresponding to the different available tags.

We are using 4.3.1_20230330_rocky8_multiarch at the moment and that
has log4j-core-2.18.0.jar.

Cheers!

Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University


On Wed, Jun 7, 2023 at 9:30?AM Mathew, Sunil via users <users at shibboleth.net>
wrote:

> tier/shib-idp:4.2.1_20220624
>
>
>
> Here is the image:
>
>
> https://hub.docker.com/layers/tier/shib-idp/4.2.1_20220624/images/sha256-60089f9871f254a12f86b0287e611ae0668fa1ef450352f8d1f11116ca3b1efe?context=explore
> <https://urldefense.com/v3/__https://hub.docker.com/layers/tier/shib-idp/4.2.1_20220624/images/sha256-60089f9871f254a12f86b0287e611ae0668fa1ef450352f8d1f11116ca3b1efe?context=explore__;!!MLMg-p0Z!CCUHX-gSRMP96Wexi1Dvi8zftDUr8SdsE_vpw7nwE7hj73VVoTRBEqXJS-bLe-MW9S8MIUAsrqJ1T2g$>
>
>
>
> Sunil
>
>
>
>
>
> *From: *users <users-bounces at shibboleth.net> on behalf of Matthew Slowe
> via users <users at shibboleth.net>
> *Date: *Wednesday, June 7, 2023 at 12:27 PM
> *To: *users at shibboleth.net <users at shibboleth.net>
> *Cc: *Matthew Slowe <matthew.slowe at jisc.ac.uk>
> *Subject: *Re: log4j-core-2.16.0.jar
>
> On 07/06/2023 17:22, Mathew, Sunil via users wrote:
> > We are using shib-idp:4.2.1_20220624 docker image in AWS
>
> That's not a long enough docker image name to go on? there's probably
> something before it like:
>
> publisher/shib-idp
>
> Either way, it's probably worth either getting in touch with the image
> maintainer (which I don't think will be the Shibboleth project) or
> rebuilding the image yourself.
>
> --
> Matthew Slowe [he/him] (GPG: 0x6BE0CF7D04600314)
> Principal technical consultant and infrastructure specialist, Jisc
> Team: 01235 822185
> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>
> --
> For Consortium Member technical support, see
> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fshibboleth.atlassian.net%2Fwiki%2Fx%2FZYEpPw&data=05%7C01%7Csmathew%40hbs.edu%7Ca1e4ece3200a489036ff08db67741e1c%7C09fd564ebf4243218f2db8e482f8635c%7C0%7C0%7C638217520681899420%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=P7I97meelo0CdMRxD6lYTjBRBIOjahuSzbc71RJGgnQ%3D&reserved=0
> <https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!MLMg-p0Z!CCUHX-gSRMP96Wexi1Dvi8zftDUr8SdsE_vpw7nwE7hj73VVoTRBEqXJS-bLe-MW9S8MIUAsdXs2wU4$>
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
> --
> For Consortium Member technical support, see
> https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!MLMg-p0Z!CCUHX-gSRMP96Wexi1Dvi8zftDUr8SdsE_vpw7nwE7hj73VVoTRBEqXJS-bLe-MW9S8MIUAsdXs2wU4$
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230607/4e24a4f7/attachment.htm>

From smathew at hbs.edu  Wed Jun  7 16:19:22 2023
From: smathew at hbs.edu (Mathew, Sunil)
Date: Wed, 7 Jun 2023 16:19:22 +0000
Subject: log4j-core-2.16.0.jar
Message-ID: <SJ0PR03MB65184C42B31A57D8FB966515A853A@SJ0PR03MB6518.namprd03.prod.outlook.com>

Hi All,

We are using shib-idp:4.2.1_20220624 docker image in AWS.

Qualys is complaining about the existence of this file:

/usr/local/tomcat/bin/log4j-core-2.16.0.jar

relates to this CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-45105 - description from Qualys:

[Image]

How can I remediate this vulnerability?


Regards,
Sunil

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230607/f27967b7/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 473024 bytes
Desc: image001.png
URL: <http://shibboleth.net/pipermail/users/attachments/20230607/f27967b7/attachment-0001.png>

From michael.fuchs at hm.edu  Thu Jun  8 12:48:05 2023
From: michael.fuchs at hm.edu (Fuchs, Michael)
Date: Thu, 8 Jun 2023 12:48:05 +0000
Subject: SP patch coming next week
In-Reply-To: <E14CCCC0-E918-466B-AD9F-75EA92C0EE03@osu.edu>
References: <E14CCCC0-E918-466B-AD9F-75EA92C0EE03@osu.edu>
Message-ID: <DECD8F61-BB2C-4AAD-A59F-01BA0AE31C74@hm.edu>

Thanks for the tip! 

I understand the security concerns about your DoS attack. Nevertheless, I think a note in the documentation would be useful. Otherwise, configuring OIDC and accessing the OIDC configuration could be more difficult than the rest of the documentation.

Many greetings,
Michael

?
Michael Fuchs - Central IT
Munich University of Applied Sciences
Lothstr. 34, 80335 Munich, G2.21a
T +49 89 1265-1746
https://hm.edu <https://www.hm.edu/en/index~1.en.html> | https://hm.edu/data_protection_declaration <https://www.hm.edu/en/impressum_1/data_protection/data_protection_declaration.en.html>

> On 7. Jun 2023, at 16:07, Cantor, Scott via users <users at shibboleth.net> wrote:
> 
> This is just a courtesy heads up, there will be an library patch released next week, and an SP on Windows update to distribute it.
> 
> The security issue is, with some level of uncertainty, low to moderate, I think.? It's not good by any means but so far the main attack I've thought up with it is denial of service, the lamest of security issues.
> 
> Barring unforeseen, I hope to get it out Monday.
> 
> -- Scott
> 
> 
> -- 
> For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230608/e5f5bdea/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4399 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20230608/e5f5bdea/attachment.p7s>

From cantor.2 at osu.edu  Thu Jun  8 12:59:09 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Thu, 8 Jun 2023 12:59:09 +0000
Subject: SP patch coming next week
In-Reply-To: <DECD8F61-BB2C-4AAD-A59F-01BA0AE31C74@hm.edu>
References: <E14CCCC0-E918-466B-AD9F-75EA92C0EE03@osu.edu>
 <DECD8F61-BB2C-4AAD-A59F-01BA0AE31C74@hm.edu>
Message-ID: <564CBC84-75C1-4DAB-8CB8-A3D9CC91C0D6@osu.edu>

> I understand the security concerns about your DoS attack. Nevertheless, I think
> a note in the documentation would be useful. Otherwise, configuring OIDC and
> accessing the OIDC configuration could be more difficult than the rest of the
> documentation.

I have literally no idea what you're talking about here. This is an SP issue and has nothing to do with documentation, it's just a heads up about a patch, in the style of OpenSSL's "preannouncements" that I think are a service to the community.

-- Scott



From michael.fuchs at hm.edu  Fri Jun  9 07:11:05 2023
From: michael.fuchs at hm.edu (Fuchs, Michael)
Date: Fri, 9 Jun 2023 07:11:05 +0000
Subject: SP patch coming next week
In-Reply-To: <564CBC84-75C1-4DAB-8CB8-A3D9CC91C0D6@osu.edu>
References: <E14CCCC0-E918-466B-AD9F-75EA92C0EE03@osu.edu>
 <DECD8F61-BB2C-4AAD-A59F-01BA0AE31C74@hm.edu>
 <564CBC84-75C1-4DAB-8CB8-A3D9CC91C0D6@osu.edu>
Message-ID: <038858D2-7F71-49EA-8C48-A5A4EBC4E842@hm.edu>

Good day,

I apologize for the misunderstanding. I thought your message was in response to my post in the users mail list, which was published a few minutes before. I was indeed also a bit confused on the reply???? ?

Nonetheless, I would like to see an answer to my initial question, which can also be found at http://shibboleth.net/pipermail/users/2023-June/053925.html.

Many greetings,
Michael

> On 8. Jun 2023, at 14:59, Cantor, Scott <cantor.2 at osu.edu> wrote:
> 
>> I understand the security concerns about your DoS attack. Nevertheless, I think
>> a note in the documentation would be useful. Otherwise, configuring OIDC and
>> accessing the OIDC configuration could be more difficult than the rest of the
>> documentation.
> 
> I have literally no idea what you're talking about here. This is an SP issue and has nothing to do with documentation, it's just a heads up about a patch, in the style of OpenSSL's "preannouncements" that I think are a service to the community.
> 
> -- Scott
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4399 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20230609/c4810fdb/attachment.p7s>

From Krinetzki at itc.rwth-aachen.de  Fri Jun  9 13:45:15 2023
From: Krinetzki at itc.rwth-aachen.de (Krinetzki, Stephan)
Date: Fri, 9 Jun 2023 13:45:15 +0000
Subject: Error "SAML response reported an IdP error" after Login
In-Reply-To: <87ECB276-7D7B-4ACC-A62A-021D267E8C6A@osu.edu>
References: <e333b990b86a4b81b357ab0ef17477fa@itc.rwth-aachen.de>
 <87ECB276-7D7B-4ACC-A62A-021D267E8C6A@osu.edu>
Message-ID: <21f9b73e28e9491ea17c979a738506a9@itc.rwth-aachen.de>

Hi Scott and Hi Ulf,

The time settings on the servers (Shibboleth SP and Shibboleth IdP) are identical and have no deviation.

According to the log, the login also went through successfully, or am I missing something here?

IDP_PROCESS|2023-06-08 16:28:27,461|INFO|[net.shibboleth.idp.authn.impl.LDAPCredentialValidator:163]|XXX.XXX.XXX.XXX|JSESSIONID|Credential Validator ldap: Login by 'USER' succeeded
IDP_PROCESS|2023-06-08 16:28:27,462|INFO|[net.shibboleth.idp.authn.impl.FinalizeAuthentication:196]|XXX.XXX.XXX.XXX|JSESSIONID|Profile Action FinalizeAuthentication: Principal USER authenticated
IDP_PROCESS|2023-06-08 16:28:27,619|INFO|[Shibboleth-Audit.SSO:338]|XXX.XXX.XXX.XXX|JSESSIONID|XXX.XXX.XXX.XXX|2023-06-08T14:27:52.625420Z|2023-06-08T14:28:27.619125Z|USER|SP|_608ee17ec4b811d1772d11ba3cf00ed0|password|2023-06-08T14:28:27.462712Z|eduPersonEntitlement,rwthSystemIDs_LMS,organizationName,eduPersonScopedAffiliation,mail,surname,schacHomeOrganization,rwthRufname|AAdzZWNyZXQxVn5AgkKyPxAvRkVX3hT0dQRFpjEcrv3+VG02R5YJ3hAoSuTxFgeqmGVg9neSgFS8cgWauZn19P9QKN6qrG/0iyMZITzE+YTpuxxRlhNBrzgynaxkPuZS+4lOMhWl1q5BxE1t9dipjls=|transient|false|false|AES128-GCM|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||Success||85d35935d0dc7a84f69ec4b0c2c5ecd3055a07708c2bcbff061b579615ca363e|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.41
IDP_PROCESS|2023-06-08 16:32:23,488|ERROR|[org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91]|XXX.XXX.XXX.XXX|JSESSIONID|

The error in the last line should have nothing to do with the login (notice the 4 minutes time difference).

The Shibboleth Service Provider however displays the user the following Error:

Please include the following message in any email:

opensaml::FatalProfileException at (
SP)

SAML response reported an IdP error.

Error from identity provider:

*Status:* urn:oasis:names:tc:SAML:2.0:status:Responder
*Message:* An error occurred.

In the shibd.log of the SP:

2023-06-08 16:27:52 INFO Shibboleth.SessionCache [5104] [APP]: new session created: ID (_d590d2ddeb8ede18f5eccefd38145c47) IdP (IDP) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (XXX.XXX.XXX.XXX)

The transaction.log:

2023-06-08 16:27:52|Shibboleth-TRANSACTION.Login||_d590d2ddeb8ede18f5eccefd38145c47|IDP|_864e6684a60caf42066a1d09dc3c19ea|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2023-06-08T16:27:51|RONID(1),affiliation(1),entitlement(1),rwthSystemIDs(1)|AAdzZWNyZXQxqfxy0PgmwVCahfqsts+nl6PyHY+fIHrQIuaJWLspKrbxqrGVEjBxtaElUSx5V1/gBDqi+iSspMPtDl6Cp99+RpNidSXfSuMaDMoK4S7CSvIk1fkgbk6j2Hsi3JIFspN6IW+4iqcXUMd9/WTN8I+E2tbu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0|XXX.XXX.XXX.XXX

Seems tob e pretty normal.

Any ideas where i can debug further?

Regards

Stephan

--
Stephan Krinetzki
 
IT Center
Gruppe: Anwendungsbetrieb und Cloud
Abteilung: Systeme und Betrieb
RWTH Aachen University
Seffenter Weg 23 
52074 Aachen
Tel: +49 241 80-24866
Fax: +49 241 80-22134
krinetzki at itc.rwth-aachen.de
www.itc.rwth-aachen.de

Social Media Kan?le des IT Centers:
https://blog.rwth-aachen.de/itc/ 
https://www.facebook.com/itcenterrwth 
https://www.linkedin.com/company/itcenterrwth
https://twitter.com/ITCenterRWTH
https://www.youtube.com/channel/UCKKDJJukeRwO0LP-ac8x8rQ?

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott via users
Sent: Tuesday, June 6, 2023 2:22 PM
To: Shib Users <users at shibboleth.net>
Cc: Cantor, Scott <cantor.2 at osu.edu>
Subject: Re: Error "SAML response reported an IdP error" after Login

> I already looked into the IdP logs and I don't see any error there. 

If it's not a bad error message, there is, without any doubt, something in the log about it. That doesn't make it an "ERROR" from a logging perspective, as logging categories have a very specific meaning.

If the IdP is returning a SAML error, it has a reason and it will say so, not to mention it being audited if configured to record the relevant field.

Of course, the SP could also simply be broken and not reporting the issue accurately.

-- Scott


-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6358 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20230609/4fb39d8a/attachment.p7s>

From cantor.2 at osu.edu  Fri Jun  9 15:36:28 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Fri, 9 Jun 2023 15:36:28 +0000
Subject: Error "SAML response reported an IdP error" after Login
In-Reply-To: <21f9b73e28e9491ea17c979a738506a9@itc.rwth-aachen.de>
References: <e333b990b86a4b81b357ab0ef17477fa@itc.rwth-aachen.de>
 <87ECB276-7D7B-4ACC-A62A-021D267E8C6A@osu.edu>
 <21f9b73e28e9491ea17c979a738506a9@itc.rwth-aachen.de>
Message-ID: <51510E95-2D63-4528-A54E-42F859F96B37@osu.edu>

There may be an error, but nothing you showed there would correlate with the SP raising an error because there's no indication the IdP sent it one. Nor are any of the SP logs indicative of that, they show a successful login.

So what you're looking at is not the logging from whatever led to the error.

-- Scott



From cantor.2 at osu.edu  Fri Jun  9 16:13:17 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Fri, 9 Jun 2023 16:13:17 +0000
Subject: [Plugin OIDC OP] Addition in Confluence Documentation, so that
 OIDC Configuration can be retrieved
In-Reply-To: <CEEF1FB4-BD9A-496F-85C3-9BD70AE704D4@hm.edu>
References: <CEEF1FB4-BD9A-496F-85C3-9BD70AE704D4@hm.edu>
Message-ID: <4165AC91-C299-4CC0-8883-7D870B4A2457@osu.edu>

> Otherwise, the openid configuration under /idp/profile/oidc/configuration
> cannot be retrieved and the documentation above is a bit misleading.

I don't think we really see client registration as a "core" feature so it isn't part of any quick-start material, it's covered *if* you want to actually support that feature. That's why the follow on section talks about just mocking up some metadata for testing.

Client registration requires a database and I would never advocate that anybody deploy a database with their IdP. There are a half dozen other problems with the approach that make it a trap for anybody so not the sort of thing I would ever encourage in the introductory material.

-- Scott



From hy93 at cornell.edu  Mon Jun 12 12:48:31 2023
From: hy93 at cornell.edu (Hong Ye)
Date: Mon, 12 Jun 2023 12:48:31 +0000
Subject: Shibboleth Service Provider Security Advisory [12 June 2023]
In-Reply-To: <42D3702F-1E7E-4960-BCB7-B73DDBF8E2A5@osu.edu>
References: <42D3702F-1E7E-4960-BCB7-B73DDBF8E2A5@osu.edu>
Message-ID: <CH2PR04MB68695465504EB31D50FD71B3CE54A@CH2PR04MB6869.namprd04.prod.outlook.com>

Hi Scott,

Could you provide a link to download the latest XMLTooling library for Linux?

Thanks,
Hong

From: announce <announce-bounces at shibboleth.net> on behalf of Cantor, Scott via announce <announce at shibboleth.net>
Date: Monday, June 12, 2023 at 8:35 AM
To: announce at shibboleth.net <announce at shibboleth.net>
Cc: Cantor, Scott <cantor.2 at osu.edu>
Subject: Shibboleth Service Provider Security Advisory [12 June 2023]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [12 June 2023]

An updated version of the XMLTooling library that is part of the
OpenSAML and Shibboleth Service Provider software is now available
which corrects a server-side request forgery (SSRF) vulnerability.

Parsing of KeyInfo elements can cause remote resource access.
=============================================================
Including certain legal but "malicious in intent" content in the
KeyInfo element defined by the XML Signature standard will result
in attempts by the SP's shibd process to dereference untrusted
URLs.

While the content of the URL must be supplied within the message
and does not include any SP internal state or dynamic content,
there is at minimum a risk of denial of service, and the attack
could be combined with others to create more serious vulnerabilities
in the future.

This issue is *not* specific to the V3 XMLTooling software and is
believed to impact all versions prior to V3.2.4.

Recommendations
===============
Update to V3.2.4 or later of the XMLTooling library, which is
now available. Note that on Linux and similar platforms, upgrading
this component will require restarting the shibd process to correct
the bug.

The updated version of the library has been included in a V3.4.1.3
patch release of the Service Provider software on Windows.

Other Notes
===========
The xmltooling git commit containing the fix for this issue is
6080f6343f98fec085bc0fd746913ee418cc9d30 and may be in general terms
applicable to V2 of the library.

Credits
=======
Juri?n de Jong, an independent security researcher in the Netherlands

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20230612.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmSHDk4ACgkQN4uEVAIn
eWKdwg/9H2DoBB5xU53ZkNPHQW2MLHvhT/EKXp+1TfL1YD6fpqBrsY1A4pJmwamA
U/PRkEGV7EitP0AJZ+lWxJoMcDupu8wsPh2nm0MJUUcgkuYdD38/ixyLs1HQ4jwT
SMDQsfTDlEZvbMqdr7B20HxzIGU/bX8pxgvkP1IyclfiSOBIPdbDOQG3OvdZYl5u
aJv0mACkPkiH1/JbRI9ODm3zYpwe8C2vpPyBhNrOARB9QzdogN2zx7l5xDyUiHtC
YJHWnSMUEn9xvZJUTS+dHZpCmh2R3cpxmbL7WsT5xHq/LH7UUXELwcOiCgUNQgDn
rz5lwF2FpXKw4qQ8u49Emqjb9pqPOD+OT1gRc/j3oibqINQunmrdjWt4m8MAK6Bh
eS4S3zjGw7JNfaO91PV2TYypYf6hSqGemQBlCmnVHTZqVf068S87ZpFyG1F/VRB5
voEbdoOMBVGpeaan8snRoQTHEMG/tUdlmL7g076NvExH8W9dmhcWW/SiP/gWQ8ko
NdUKfqYxONOBCDOlBzC9lBk6D106qbcCsnInwBHdPvWlX36M56oZU/DjV/lNMK+Y
j2HS3DtBWxX+1nsrg/DLzyi+8ULOqbawyOqCaaolVjZzTOHGFwpd35XYblyb3iwb
JbpmuRuk5cHGTwlHwXNI/5FzECOOe4KMLUzvrgzSiTWU89XBQ1M=
=XkeU
-----END PGP SIGNATURE-----

--
To unsubscribe from this list send an email to announce-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230612/b39c7dd8/attachment.htm>

From cantor.2 at osu.edu  Mon Jun 12 12:53:03 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Mon, 12 Jun 2023 12:53:03 +0000
Subject: Shibboleth Service Provider Security Advisory [12 June 2023]
In-Reply-To: <CH2PR04MB68695465504EB31D50FD71B3CE54A@CH2PR04MB6869.namprd04.prod.outlook.com>
References: <42D3702F-1E7E-4960-BCB7-B73DDBF8E2A5@osu.edu>
 <CH2PR04MB68695465504EB31D50FD71B3CE54A@CH2PR04MB6869.namprd04.prod.outlook.com>
Message-ID: <3D9FB6A7-4254-445E-9C98-EEAA0DB3F311@osu.edu>

> Could you provide a link to download the latest XMLTooling library for Linux? 

The sources are where they always are [1] and the RPMs are where they always are [2].

-- Scott

[1] https://shibboleth.net/downloads/c++-opensaml/latest/
[2] https://shibboleth.net/downloads/service-provider/RPMS/


From dabantz at alaska.edu  Tue Jun 13 00:15:16 2023
From: dabantz at alaska.edu (IAM David Bantz)
Date: Mon, 12 Jun 2023 19:15:16 -0500
Subject: SSO to Asana with Shibboleth IdP resolved more or less
Message-ID: <CAJ9XvwHaWZRE_EJHu2H66kEpJ_NTMFyw+0WDjmzuinO+n2JOww@mail.gmail.com>

I previously posted on configuring Asana for SAML SSO using Shibb IdP;
Etan E. Weintraub (Johns Hopkins) confirmed it was possible so I plowed
ahead.
This is followup after getting this (sorta) working.

FYI, in addition to providing no actual metadata, no certificate public key:
Additional issues / anomalies with configuring Asana for SAML SSO:


   1. Initial instructions asked us to configure for an
   https://app.asana.com <https://asana.com/>
   however on first attempted connection, the request comes from
   https://app.asana.com/ <https://asana.com/>
   I changed the entity ID in my cache of SP metadata correspondingy
   2. The SAML request generated requests the users? browser be sent to an
   ACS end point not previously documented:
   https://app.asana.com/-/saml/consume
   I added that to the cached metadata for this SP
   3. The request indicates the service wants a nameID-format of email
   address
   Added a relying party override to release nameID with that format
   4. Presuming Asana wants users ?email address? to be users' canonical
   address = principal name
   I added a saml-nameid override to prefer use of ePPN in constructing the
   nameID
   5. And, finally, I added an attribute release policy to allow release of
   ePPN to Asana



Those 5 changes enabled the Identity Provider to recognize the service and
prompt fro authN
and successful sign-in to our instance of Asana. No certificate so alas no
encryption and probably
no checking signature of our assertion.

David St Pierre Bantz
U Alaska IAM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230612/ad03f933/attachment.htm>

From arron.merrill at york.ac.uk  Tue Jun 13 10:15:44 2023
From: arron.merrill at york.ac.uk (Arron Merrill)
Date: Tue, 13 Jun 2023 11:15:44 +0100
Subject: Issues with setting up SSO with Tableau
Message-ID: <CADwFZ3xzRhAHM3+xqYJA2x9pUfB7ps7v8GGdbBXH8NeSgqZVdA@mail.gmail.com>

Good morning all,

We are having difficulty with setting up a working configuration with
Tableau (I have seen a similar thread from August 2022). We are releasing
'uid', 'mail' and 'displayName'. Tableau is insisting that we need to
release a new attribute, 'username', containing the uid value.

At first I tried using a transcoding rule specific to Tableau to translate
the saml2.name of 'uid' to 'username' but Tableau was not accepting this.

>From Scott's reply in the earlier thread, mapping a non-mail identifier to
a custom attribute was the solution. Mapping 'uid' to a custom 'username'
attribute in the resolver should achieve the desired result?

Kind regards,
Arron

-- 
Arron Merrill - Identity Systems
IT Services, University of York
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230613/76b33ce1/attachment.htm>

From foltz2 at oakland.edu  Tue Jun 13 11:56:28 2023
From: foltz2 at oakland.edu (Lee Foltz)
Date: Tue, 13 Jun 2023 07:56:28 -0400
Subject: Issues with setting up SSO with Tableau
In-Reply-To: <CADwFZ3xzRhAHM3+xqYJA2x9pUfB7ps7v8GGdbBXH8NeSgqZVdA@mail.gmail.com>
References: <CADwFZ3xzRhAHM3+xqYJA2x9pUfB7ps7v8GGdbBXH8NeSgqZVdA@mail.gmail.com>
Message-ID: <CAPcR9uSy0ogG=fN8aRYj0mE=5egJhMYXncGH0yGC=iiQZo_d4A@mail.gmail.com>

We have done this with other SP's for a custom attribute they want.  We
don't like doing custom attributes, but this works for us.

In the attribute-resolver.xml, you want to do something like this.

<AttributeDefinition xsi:type="Simple" id="username" >
        <InputDataConnector ref="myLDAP" attributeNames="uid" />
        <AttributeEncoder xsi:type="SAML2String" name="username" />
</AttributeDefinition>

or if they need OID with a friendly name.

 <AttributeDefinition xsi:type="Simple" id="username" >
        <InputDataConnector ref="myLDAP" attributeNames="uid" />
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:uid" />
        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="username" />
 </AttributeDefinition>

Then in attribute-filter.xml release the username to Tableau.  Put the
entityID for Tableau in the value field below.
You can then test with SAML tracer or via shib logs on what is being
released to that SP.

<AttributeFilterPolicy id="Tableau">
           <PolicyRequirementRule xsi:type="Requester" value="
https://tableau.example.com" />
            <AttributeRule attributeID="username">
              <PermitValueRule xsi:type="ANY" />
            </AttributeRule>
</AttributeFilterPolicy>

Hope this helps.

On Tue, Jun 13, 2023 at 6:16?AM Arron Merrill via users <
users at shibboleth.net> wrote:

> Good morning all,
>
> We are having difficulty with setting up a working configuration with
> Tableau (I have seen a similar thread from August 2022). We are releasing
> 'uid', 'mail' and 'displayName'. Tableau is insisting that we need to
> release a new attribute, 'username', containing the uid value.
>
> At first I tried using a transcoding rule specific to Tableau to translate
> the saml2.name of 'uid' to 'username' but Tableau was not accepting this.
>
> From Scott's reply in the earlier thread, mapping a non-mail identifier to
> a custom attribute was the solution. Mapping 'uid' to a custom 'username'
> attribute in the resolver should achieve the desired result?
>
> Kind regards,
> Arron
>
> --
> Arron Merrill - Identity Systems
> IT Services, University of York
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>


-- 
Lee Foltz
Oakland University - UTS
Senior Identity and Access Management Engineer

248-370-2675
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230613/7e4723c8/attachment.htm>

From cantor.2 at osu.edu  Tue Jun 13 12:42:19 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Tue, 13 Jun 2023 12:42:19 +0000
Subject: Issues with setting up SSO with Tableau
In-Reply-To: <CAPcR9uSy0ogG=fN8aRYj0mE=5egJhMYXncGH0yGC=iiQZo_d4A@mail.gmail.com>
References: <CADwFZ3xzRhAHM3+xqYJA2x9pUfB7ps7v8GGdbBXH8NeSgqZVdA@mail.gmail.com>
 <CAPcR9uSy0ogG=fN8aRYj0mE=5egJhMYXncGH0yGC=iiQZo_d4A@mail.gmail.com>
Message-ID: <A8E39CC2-87B0-4B27-B160-80DFFB94F5E3@osu.edu>

> We are having difficulty with setting up a working configuration with Tableau (I 
> have seen a similar thread from August 2022). We are releasing 'uid', 'mail' and
> 'displayName'. Tableau is insisting that we need to release a new attribute,
> 'username', containing the uid value. 

Tableau is wrong. We did no such thing, we passed them what we wanted to use and it was mapped in. Our Tableau team at the time did the set up, so the vendor wasn't involved. I don't personally have access to the settings of this particular app.

-- Scott



From m.leonhartsberger at cumulo.at  Tue Jun 13 14:42:46 2023
From: m.leonhartsberger at cumulo.at (Martin Leonhartsberger)
Date: Tue, 13 Jun 2023 14:42:46 +0000
Subject: SAML proxy subject issue with oidc plugin 
Message-ID: <9CE1313B-42DD-46AA-98BB-CB3DDA4A17A1@cumulo.at>

dear list,

following setting: shibboleth 4.3.1 + oidc 3.4.0 plugin
using saml proxy for authentication to an saml-upstream-idp

some attributes are subject derived from the upstream IDP, authorization code flow design

on an oidc based sp logon it performs as follows:

  *   saml proxy authentication
  *   oidc authorization works, attributes being resolved, subject canonicalization works, all upstream subject derived attributes resolved (though not needed in that step)
  *   rp now issues token request with accesstoken/authorization code flow (from server, not from client any more, in own session)
     *   attributes are being resolved again, which works for all local available attributes
     *   upstream subject is now not available, possibly because the subject from the upstream is contained in the user session and not related to the access token?
     *   So subject derived attributes cannot be resolved.
  *   though the upstream subject is still available (but I suspect in the user session from authorization, not in the Server-to-Application TokenResponse Session)

any ideas how to solve that?

best regards,
Martin




## Token Request which does not find Subject
2023-06-13 15:34:04,568 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractInitializeOutboundResponseMessageContext:69] - Profile Action InitializeOutboundTokenResponseMessageContext: Initialized outbound message context
2023-06-13 15:34:04,570 - x.x.x.252- DEBUG [PROTOCOL_MESSAGE.OAUTH2:77] - OIDCTokenRequestDecoder{authorizationGrant=AuthorizationCodeGrant{authorizationCode=***, codeVerifier=com.nimbusds.oauth2.sdk.pkce.CodeVerifier at 1f76d5cf<mailto:codeVerifier=com.nimbusds.oauth2.sdk.pkce.CodeVerifier at 1f76d5cf>, redirectionURI=***, type=authorization_code}, clientAuthentication=ClientAuthentication{clientId=***, method=client_secret_basic}, customParameters={}, endpointURI=https://127.0.0.1:8080/idp/profile/oidc/token}
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'net.shibboleth.idp.plugin.oidc.op.profile.impl.OIDCMetadataLookupHandler' on INBOUND message context
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'com.nimbusds.oauth2.sdk.TokenRequest'
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.OIDCMetadataLookupHandler:121] - Message Handler:  net.shibboleth.oidc.metadata.context.OIDCMetadataContext added to MessageContext as child of org.opensaml.messaging.context.MessageContext
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.InitializeRelyingPartyContext:162] - Attaching RelyingPartyContext for ***
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.InitializeRelyingPartyContext:168] - Profile Action InitializeRelyingPartyContext: Setting the rp context verified
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:253] - Resolving relying party configuration
2023-06-13 15:34:04,573 - x.x.x.252- DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:174] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.DefaultRelyingParty for request
2023-06-13 15:34:04,573 - x.x.x.252- DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:147] - Profile Action PopulateProfileInterceptorContext: No inbound interceptor flows active for this request
2023-06-13 15:34:04,574 - x.x.x.252- DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:222] - Profile Action InitializeAuthenticationContext: Created authentication context: AuthenticationContext{initiationInstant=2023-06-13T13:34:04.573998Z, isPassive=false, forceAuthn=false, requiredName=null, hintedName=null, maxAge=null, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, authenticationStateMap={}, resultCacheable=true, authenticationResult=null, completionInstant=null}
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:213] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into AuthenticationContext
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:57] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:76] - Profile Action FilterFlowsByNonBrowserSupport: Retaining flow authn/OAuth2Client, it supports non-browser authentication
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:88] - Profile Action FilterFlowsByNonBrowserSupport: Potential authentication flows left after filtering: [authn/OAuth2Client]
2023-06-13 15:34:04,576 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:274] - Profile Action SelectAuthenticationFlow: No specific Principals requested
2023-06-13 15:34:04,576 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:312] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
2023-06-13 15:34:04,576 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:369] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/OAuth2Client
2023-06-13 15:34:04,582 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.authn.impl.OIDCClientInfoCredentialValidator:143] - Credential Validator oauth2-clientinfo: Attempting to authenticate effective client ID ***
2023-06-13 15:34:04,583 - x.x.x.252- INFO [net.shibboleth.idp.plugin.oidc.op.authn.impl.OIDCClientInfoCredentialValidator:152] - Credential Validator oauth2-clientinfo: Login by *** succeeded
2023-06-13 15:34:04,583 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.AbstractValidationAction:398] - Profile Action ValidateCredentials: Adding custom Principal(s) defined on underlying flow descriptor
2023-06-13 15:34:04,583 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75] - Profile Action PopulateSubjectCanonicalizationContext: Installing 3 canonicalization flows into SubjectCanonicalizationContext
2023-06-13 15:34:04,584 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] - Profile Action SelectSubjectCanonicalizationFlow: Checking canonicalization flow c14n/attribute for applicability...
2023-06-13 15:34:04,584 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:83] - Profile Action SelectSubjectCanonicalizationFlow: Selecting canonicalization flow c14n/attribute
2023-06-13 15:34:04,585 - x.x.x.252- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:251] - Attribute Resolver 'ShibbolethAttributeResolver': Initiating attribute resolution with label: c14n/attribute
2023-06-13 15:34:04,585 - x.x.x.252- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:280] - Attribute Resolver 'ShibbolethAttributeResolver': Attempting to resolve the following attribute definitions [canonicalUsername]
2023-06-13 15:34:04,585 - x.x.x.252- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:469] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'canonicalUsername'
2023-06-13 15:34:04,585 - x.x.x.252- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:478] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'canonicalUsername'
2023-06-13 15:34:04,585 - x.x.x.252- INFO [net.shibboleth.idp.attribute.resolver.ad.impl.ContextDerivedAttributeDefinition:176] - SubjectDerivedAttributeDefinition canonicalUsername Generated no values, no attribute resolved


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230613/6e9d57ed/attachment.htm>

From cantor.2 at osu.edu  Tue Jun 13 14:49:27 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Tue, 13 Jun 2023 14:49:27 +0000
Subject: SAML proxy subject issue with oidc plugin 
In-Reply-To: <9CE1313B-42DD-46AA-98BB-CB3DDA4A17A1@cumulo.at>
References: <9CE1313B-42DD-46AA-98BB-CB3DDA4A17A1@cumulo.at>
Message-ID: <887B7269-A1F5-4BC7-8CE2-3BBB99CADB9F@osu.edu>

> any ideas how to solve that? 

Strictly speaking that sort of data probably should be stored locally after it's obtained because this isn't a generally solvable problem, but you can encode them into the code/tokens with the setting that enables that, whose name isn't really top of mind for me. Probably encodeAttributes or something similar.

-- Scott



From henson at cpp.edu  Wed Jun 14 02:01:01 2023
From: henson at cpp.edu (Paul B. Henson)
Date: Wed, 14 Jun 2023 02:01:01 +0000
Subject: Ex: Re: Issues with setting up SSO with Tableau
In-Reply-To: <A8E39CC2-87B0-4B27-B160-80DFFB94F5E3@osu.edu>
References: <CADwFZ3xzRhAHM3+xqYJA2x9pUfB7ps7v8GGdbBXH8NeSgqZVdA@mail.gmail.com>
 <CAPcR9uSy0ogG=fN8aRYj0mE=5egJhMYXncGH0yGC=iiQZo_d4A@mail.gmail.com>
 <A8E39CC2-87B0-4B27-B160-80DFFB94F5E3@osu.edu>
Message-ID: <ZIkfXV5oe4Wt/NRm@bender.cpp.edu>

On Tue, Jun 13, 2023 at 12:42:19PM +0000, Cantor, Scott via users wrote:

> Tableau is wrong. We did no such thing, we passed them what we wanted
> to use and it was mapped in. Our Tableau team at the time did the set
> up, so the vendor wasn't involved. I don't personally have access to
> the settings of this particular app.

Same here. We're passing uid and mail, works fine (well, works as well
as you can expect some random vendor's SP to work :) ).

One of my colleagues in our windows group manages that box, I could
probably get screenshots of the settings if you'd like.


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768

From arron.merrill at york.ac.uk  Wed Jun 14 14:46:10 2023
From: arron.merrill at york.ac.uk (Arron Merrill)
Date: Wed, 14 Jun 2023 15:46:10 +0100
Subject: Ex: Re: Issues with setting up SSO with Tableau
In-Reply-To: <ZIkfXV5oe4Wt/NRm@bender.cpp.edu>
References: <CADwFZ3xzRhAHM3+xqYJA2x9pUfB7ps7v8GGdbBXH8NeSgqZVdA@mail.gmail.com>
 <CAPcR9uSy0ogG=fN8aRYj0mE=5egJhMYXncGH0yGC=iiQZo_d4A@mail.gmail.com>
 <A8E39CC2-87B0-4B27-B160-80DFFB94F5E3@osu.edu>
 <ZIkfXV5oe4Wt/NRm@bender.cpp.edu>
Message-ID: <CADwFZ3zLSqnHkQiM3-+O-mxyN_W_U20O=0VRzSV9DjFU9N9gAg@mail.gmail.com>

Hi all,

Thanks for your input. After catching a glimpse of the settings in Tableau
myself we have got this sorted, releasing uid and mail, sans any custom
'username' attribute mischief.

Regards,
Arron

On Wed, 14 Jun 2023 at 03:01, Paul B. Henson <henson at cpp.edu> wrote:

> On Tue, Jun 13, 2023 at 12:42:19PM +0000, Cantor, Scott via users wrote:
>
> > Tableau is wrong. We did no such thing, we passed them what we wanted
> > to use and it was mapped in. Our Tableau team at the time did the set
> > up, so the vendor wasn't involved. I don't personally have access to
> > the settings of this particular app.
>
> Same here. We're passing uid and mail, works fine (well, works as well
> as you can expect some random vendor's SP to work :) ).
>
> One of my colleagues in our windows group manages that box, I could
> probably get screenshots of the settings if you'd like.
>
>
> --
> Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst  |  henson at cpp.edu
> California State Polytechnic University  |  Pomona CA 91768



-- 
Arron Merrill - Identity Systems
IT Services, University of York
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230614/bd320e2c/attachment.htm>

From pascal.panneels at belnet.be  Fri Jun 16 11:51:49 2023
From: pascal.panneels at belnet.be (Pascal Panneels)
Date: Fri, 16 Jun 2023 13:51:49 +0200
Subject: No bean named 'shibboleth.BasicX509CredentialFactoryBean' available
 in v4.3.1
Message-ID: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>

hi,

While trying to update a Shibboleth IdP (from version 4.1.0) to latest 
4.3.1, I was receiving these kind of errors in idp-warn/idp-process log 
files :

2023-06-16 13:29:12,697 -? - ERROR 
[net.shibboleth.utilities.java.support.service.AbstractReloadableService:232] 
- Service 'shibboleth.RelyingPartyResolverService': Reload for 
shibboleth.RelyingPartyResolverService failed
net.shibboleth.utilities.java.support.service.ServiceException: 
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid 
bean definition with name 'shibboleth.DefaultSigningCredential' defined 
in file [/opt/shibboleth-idp/conf/credentials.xml]: Could not resolve 
parent bean definition 'shibboleth.BasicX509CredentialFactoryBean'; 
nested exception is 
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean 
named 'shibboleth.BasicX509CredentialFactoryBean' available

I've also tried to reinstall from scratch (thus doing a fresh clean 
install), but still the same problem.

It seems that the shibboleth.BasicX509CredentialFactoryBean is nowhere 
to be found from what the message is saying...

If I'm correct, it should reside somewhere in the jar file 
idp-profile-spring-4.3.1.jar, right ?

root at idp-staff-duo:/opt/shibboleth-idp/dist/webapp/WEB-INF/lib# jar -tf 
idp-profile-spring-4.3.1.jar | grep BasicX509CredentialFactoryBean
net/shibboleth/idp/profile/spring/factory/BasicX509CredentialFactoryBean.class

The file is well in the idp.war :

root at idp-staff-duo:/opt/shibboleth-idp/war# jar -tf idp.war | grep 
idp-profile-spring-4.3.1.jar
WEB-INF/lib/idp-profile-spring-4.3.1.jar

(maybe my debugging method is not correct but I'm at level 0.00001 in 
Java ;) )

Any idea what is causing the problem ?

Tnx,

PP

-- 
*Pascal Panneels*
System Architect
Belnet - Services
WTC III
Simon Bolivarlaan 30 Boulevard Simon Bolivar
Brussel 1000 Bruxelles
Belgi? - Belgique
T: +32 2 790 33 33
*www.belnet.be <http://www.belnet.be>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/b7122875/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4846 bytes
Desc: Signature cryptographique S/MIME
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/b7122875/attachment.p7s>

From rdw at steadingsoftware.com  Fri Jun 16 12:00:47 2023
From: rdw at steadingsoftware.com (Rod Widdowson)
Date: Fri, 16 Jun 2023 13:00:47 +0100
Subject: No bean named 'shibboleth.BasicX509CredentialFactoryBean'
 available in v4.3.1
In-Reply-To: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>
References: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>
Message-ID: <012101d9a04a$317cb220$94761660$@steadingsoftware.com>

> It seems that the shibboleth.BasicX509CredentialFactoryBean is nowhere to be found from what the message is saying...
> If I'm correct, it should reside somewhere in the jar file idp-profile-spring-4.3.1.jar, right ?

No, it?s defined in an xml file (security-system.xml) inside idp-conf-impl.jar

Given  that no one else is having this issue I?d look for a _file) called security-system.xml lurking around somewhere either in your classpath (edit-webapp) or in your conf folder.  ?system? should be empty.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/f571d3bc/attachment.htm>

From pascal.panneels at belnet.be  Fri Jun 16 13:28:54 2023
From: pascal.panneels at belnet.be (Pascal Panneels)
Date: Fri, 16 Jun 2023 15:28:54 +0200
Subject: No bean named 'shibboleth.BasicX509CredentialFactoryBean'
 available in v4.3.1
In-Reply-To: <012101d9a04a$317cb220$94761660$@steadingsoftware.com>
References: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>
 <012101d9a04a$317cb220$94761660$@steadingsoftware.com>
Message-ID: <7cb703d8-8c01-6a02-1108-af2ee4074ace@belnet.be>

Le 16/06/2023 ? 14:00, Rod Widdowson a ?crit?:
>
> > It seems that the shibboleth.BasicX509CredentialFactoryBean is 
> nowhere to be found from what the message is saying...
> > If I'm correct, it should reside somewhere in the jar file 
> idp-profile-spring-4.3.1.jar, right ?
>
> No, it?s defined in an xml file (security-system.xml) inside 
> idp-conf-impl.jar
>
> Given? that no one else is having this issue I?d look for a _file) 
> called security-system.xml lurking around somewhere either in your 
> classpath (edit-webapp) or in your conf folder.? ?system? should be empty.
>
>
well, I don't have any such file (security-system.xml) anywhere; as I 
said, I've started a fresh clean install to be sure to avoid problem 
with old/corrupted files.

these are the 2 consecutive messages (1 WARN and 1 ERR) I see in the logs :

-8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<--

2023-06-16 15:01:59,961 -? - WARN 
[net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:591] 
- Exception encountered during context initialization - cancelling 
refresh attempt: 
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid 
bean definition with name 'shibboleth.DefaultSigningCredential' defined 
in file [/opt/shibboleth-idp/conf/credentials.xml]: Could not resolve 
parent bean definition 'shibboleth.BasicX509CredentialFactoryBean'; 
nested exception is 
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean 
named 'shibboleth.BasicX509CredentialFactoryBean' available

2023-06-16 15:01:59,965 -? - ERROR 
[net.shibboleth.utilities.java.support.service.AbstractReloadableService:182] 
- Service 'shibboleth.RelyingPartyResolverService': Initial load failed
net.shibboleth.utilities.java.support.service.ServiceException: 
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid 
bean definition with name 'shibboleth.DefaultSigningCredential' defined 
in file [/opt/shibboleth-idp/conf/credentials.xml]: Could not resolve 
parent bean definition 'shibboleth.BasicX509CredentialFactoryBean'; 
nested exception is 
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean 
named 'shibboleth.BasicX509CredentialFactoryBean' available
 ?? at 
net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377)
Caused by: 
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid 
bean definition with name 'shibboleth.DefaultSigningCredential' defined 
in file [/opt/shibboleth-idp/conf/credentials.xml]: Could not resolve 
parent bean definition 'shibboleth.BasicX509CredentialFactoryBean'; 
nested exception is 
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean 
named 'shibboleth.BasicX509CredentialFactoryBean' available
 ?? at 
org.springframework.beans.factory.support.AbstractBeanFactory.getMergedBeanDefinition(AbstractBeanFactory.java:1431)
Caused by: 
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean 
named 'shibboleth.BasicX509CredentialFactoryBean' available
 ?? at 
org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:874)

-8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<--

I've let the file credentials.xml untouched since it was created by the 
installer script.

My customizations were minimal (I've added the sources of metadata to 
download from which works fine + related used certificates).

I really just wanted to have a clean working installed idp, with 
currently, no customization at all, to enhance it step by step.


-- 
*Pascal Panneels*
System Architect
Belnet - Services
WTC III
Simon Bolivarlaan 30 Boulevard Simon Bolivar
Brussel 1000 Bruxelles
Belgi? - Belgique
T: +32 2 790 33 33
*www.belnet.be <http://www.belnet.be>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/b1c0d4d8/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4846 bytes
Desc: Signature cryptographique S/MIME
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/b1c0d4d8/attachment.p7s>

From cantor.2 at osu.edu  Fri Jun 16 13:52:16 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Fri, 16 Jun 2023 13:52:16 +0000
Subject: No bean named 'shibboleth.BasicX509CredentialFactoryBean'
 available in v4.3.1
In-Reply-To: <7cb703d8-8c01-6a02-1108-af2ee4074ace@belnet.be>
References: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>
 <012101d9a04a$317cb220$94761660$@steadingsoftware.com>
 <7cb703d8-8c01-6a02-1108-af2ee4074ace@belnet.be>
Message-ID: <6B9C02F6-0262-4E38-92E6-FF85CF0E0A2D@osu.edu>

And are you using Tomcat?

-- Scott




From pascal.panneels at belnet.be  Fri Jun 16 13:53:56 2023
From: pascal.panneels at belnet.be (Pascal Panneels)
Date: Fri, 16 Jun 2023 15:53:56 +0200
Subject: No bean named 'shibboleth.BasicX509CredentialFactoryBean'
 available in v4.3.1
In-Reply-To: <6B9C02F6-0262-4E38-92E6-FF85CF0E0A2D@osu.edu>
References: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>
 <012101d9a04a$317cb220$94761660$@steadingsoftware.com>
 <7cb703d8-8c01-6a02-1108-af2ee4074ace@belnet.be>
 <6B9C02F6-0262-4E38-92E6-FF85CF0E0A2D@osu.edu>
Message-ID: <179aa615-7f04-0c1f-c949-f360cb5dedda@belnet.be>

Le 16/06/2023 ? 15:52, Cantor, Scott a ?crit?:
> And are you using Tomcat?
>
> -- Scott
>
>
>
yes

-- 
*Pascal Panneels*
System Architect
Belnet - Services
WTC III
Simon Bolivarlaan 30 Boulevard Simon Bolivar
Brussel 1000 Bruxelles
Belgi? - Belgique
T: +32 2 790 33 33
*www.belnet.be <http://www.belnet.be>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/3becd66a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4846 bytes
Desc: Signature cryptographique S/MIME
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/3becd66a/attachment.p7s>

From cantor.2 at osu.edu  Fri Jun 16 13:56:58 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Fri, 16 Jun 2023 13:56:58 +0000
Subject: No bean named 'shibboleth.BasicX509CredentialFactoryBean'
 available in v4.3.1
In-Reply-To: <179aa615-7f04-0c1f-c949-f360cb5dedda@belnet.be>
References: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>
 <012101d9a04a$317cb220$94761660$@steadingsoftware.com>
 <7cb703d8-8c01-6a02-1108-af2ee4074ace@belnet.be>
 <6B9C02F6-0262-4E38-92E6-FF85CF0E0A2D@osu.edu>
 <179aa615-7f04-0c1f-c949-f360cb5dedda@belnet.be>
Message-ID: <9F837572-5867-47E7-A487-DC3F07E84008@osu.edu>

>> And are you using Tomcat?
>
> yes

Tomcat is most likely caching jars and corrupting what you're testing.

You said you don't know Java (which itself a prereq for us) but in that event, using the container that is a constant source of exactly this problem instead of the recommended one is possibly worth reconsidering.

-- Scott



From pascal.panneels at belnet.be  Fri Jun 16 14:07:01 2023
From: pascal.panneels at belnet.be (Pascal Panneels)
Date: Fri, 16 Jun 2023 16:07:01 +0200
Subject: No bean named 'shibboleth.BasicX509CredentialFactoryBean'
 available in v4.3.1
In-Reply-To: <9F837572-5867-47E7-A487-DC3F07E84008@osu.edu>
References: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>
 <012101d9a04a$317cb220$94761660$@steadingsoftware.com>
 <7cb703d8-8c01-6a02-1108-af2ee4074ace@belnet.be>
 <6B9C02F6-0262-4E38-92E6-FF85CF0E0A2D@osu.edu>
 <179aa615-7f04-0c1f-c949-f360cb5dedda@belnet.be>
 <9F837572-5867-47E7-A487-DC3F07E84008@osu.edu>
Message-ID: <72f48713-2b76-ee03-af68-1ad3813ed19a@belnet.be>

Le 16/06/2023 ? 15:56, Cantor, Scott a ?crit?:
>>> And are you using Tomcat?
>> yes
> Tomcat is most likely caching jars and corrupting what you're testing.
>
> You said you don't know Java (which itself a prereq for us) but in that event, using the container that is a constant source of exactly this problem instead of the recommended one is possibly worth reconsidering.
>
> -- Scott
>
>
ok, I will check how to migrate to Jetty then.

Thank you Scott.

PP

-- 
*Pascal Panneels*
System Architect
Belnet - Services
WTC III
Simon Bolivarlaan 30 Boulevard Simon Bolivar
Brussel 1000 Bruxelles
Belgi? - Belgique
T: +32 2 790 33 33
*www.belnet.be <http://www.belnet.be>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/00f00897/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4846 bytes
Desc: Signature cryptographique S/MIME
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/00f00897/attachment.p7s>

From cantor.2 at osu.edu  Fri Jun 16 14:26:10 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Fri, 16 Jun 2023 14:26:10 +0000
Subject: No bean named 'shibboleth.BasicX509CredentialFactoryBean'
 available in v4.3.1
In-Reply-To: <72f48713-2b76-ee03-af68-1ad3813ed19a@belnet.be>
References: <41b5dbef-5c5c-88a4-acda-794b132a4b34@belnet.be>
 <012101d9a04a$317cb220$94761660$@steadingsoftware.com>
 <7cb703d8-8c01-6a02-1108-af2ee4074ace@belnet.be>
 <6B9C02F6-0262-4E38-92E6-FF85CF0E0A2D@osu.edu>
 <179aa615-7f04-0c1f-c949-f360cb5dedda@belnet.be>
 <9F837572-5867-47E7-A487-DC3F07E84008@osu.edu>
 <72f48713-2b76-ee03-af68-1ad3813ed19a@belnet.be>
Message-ID: <14726A3E-B457-4D93-B8CC-14221707D339@osu.edu>

Tactically speaking, you just need to clean the thing out. But it will keep happening.

-- Scott




From smathew at hbs.edu  Fri Jun 16 21:15:20 2023
From: smathew at hbs.edu (Mathew, Sunil)
Date: Fri, 16 Jun 2023 21:15:20 +0000
Subject: SLO redirect to site
Message-ID: <SJ0PR03MB65186C8BEA942F618780FA99A858A@SJ0PR03MB6518.namprd03.prod.outlook.com>

Hi All,

We have Shibboleth IdP protected by CAS. When users logout, they are redirected to CAS logout, which redirects the user to Shibboleth IdP logout, which then sends the user back to CAS login page. We have a requirement that needs the users to be redirected back to their site after logout. Can Shibboleth follow the redirect back to their site?

If Shibboleth was able to do a similar redirection upon logout, the service parameter sent to the CAS logout URL could be chained.

e.g.

https://cas.hbs.edu/cas/logout?service=https://sso.hbs.edu/logout?returnUrl=https://www.library.hbs.edu/logout

(pretend everything is URL encoded as needed)

This would log the user out of CAS, then out of SSO, then redirect to the returnUrl.

Thanks for your help.


Regards,
Sunil

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230616/99bbfe5c/attachment.htm>

From lukas.fredriksson at math.su.se  Mon Jun 19 01:50:36 2023
From: lukas.fredriksson at math.su.se (Lukas Fredriksson)
Date: Mon, 19 Jun 2023 01:50:36 +0000
Subject: Error starting shibboleth 3.0.4 on ubuntu 20.04, says we need
 libssl.so.1.0.0
Message-ID: <ea2a29a2fd3248e6b1502d8a1ade94de@math.su.se>

Hi,


As the title says I'm having trouble starting shibboleth since we upgraded to ubuntu 20.04 using shibboleth 3.0.4 installed with apt install.


When running 'systemctl start shibd.service' we get an error. Running 'journalctl -xe' shows the message '/usr/sbin/shibd: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory'. I have tried reinstalling shibboleth but the same error occurs. I have included information that 'ubuntu bug' provides.


We can see that shibboleth-sp-utils depends on libxmltooling8 which in turn depends on libssl1.1, but shibd.service asks for version 1.0.0 according to the error message mentioned above, which seems a bit strange.



Is this known for ubuntu 20.04? Should I SWITCHaai instead?


Thanks,

Lukas


DistroRelease: Ubuntu 20.04
Package: shibboleth-sp-utils 3.0.4+dfsg1-1ubuntu0.2
ProcVersionSignature: Ubuntu 5.4.0-149.166-generic 5.4.233
Uname: Linux 5.4.0-149-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.27
Architecture: amd64
CasperMD5CheckResult: skip
InstallationDate: Installed on 2014-03-13 (3374 days ago)
InstallationMedia: Ubuntu-Server 12.04.3 LTS "Precise Pangolin" - Release amd64 (20130820.2)
SourcePackage: shibboleth-sp
UpgradeStatus: Upgraded to focal on 2023-03-23 (77 days ago)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230619/25ecc7b6/attachment.htm>

From peter.schober at univie.ac.at  Mon Jun 19 09:09:29 2023
From: peter.schober at univie.ac.at (Peter Schober)
Date: Mon, 19 Jun 2023 11:09:29 +0200
Subject: Error starting shibboleth 3.0.4 on ubuntu 20.04, says we need
 libssl.so.1.0.0
In-Reply-To: <ea2a29a2fd3248e6b1502d8a1ade94de@math.su.se>
References: <ea2a29a2fd3248e6b1502d8a1ade94de@math.su.se>
Message-ID: <ZJAbSVOsIUF5IIbv@aco.net>

* Lukas Fredriksson via users <users at shibboleth.net> [2023-06-19 03:51]:
> When running 'systemctl start shibd.service' we get an
> error. Running 'journalctl -xe' shows the message '/usr/sbin/shibd:
> error while loading shared libraries: libssl.so.1.0.0: cannot open
> shared object file: No such file or directory'. I have tried
> reinstalling shibboleth but the same error occurs.

Then your system is somehow broken. (Maybe check your apt sources for
stale entries.)  On a fresh Ubuntu 20.04 LTS system installing
libapache2-mod-shib2 pulls in all dependencies and shibd
starts correctly:

$ ldd /usr/sbin/shibd | fgrep ssl
        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f56a7e30000)

$ dpkg -S /usr/lib/x86_64-linux-gnu/libssl.so.1.1
libssl1.1:amd64: /usr/lib/x86_64-linux-gnu/libssl.so.1.1

$ systemctl status shibd 
? shibd.service - Shibboleth Service Provider Daemon
     Loaded: loaded (/lib/systemd/system/shibd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-06-19 09:05:13 UTC; 2min 55s ago
       Docs: man:shibd(8)
             https://wiki.shibboleth.net/confluence/display/SP3/Home
   Main PID: 19286 (shibd)
      Tasks: 5 (limit: 618903)
     Memory: 10.0M
        CPU: 43ms
     CGroup: /system.slice/shibd.service
             ??19286 /usr/sbin/shibd -f -F

Jun 19 09:05:13 ubu20 systemd[1]: Starting Shibboleth Service Provider Daemon...
Jun 19 09:05:13 ubu20 systemd[1]: Started Shibboleth Service Provider Daemon.

-peter

From max.spicer at york.ac.uk  Mon Jun 19 13:02:48 2023
From: max.spicer at york.ac.uk (Max Spicer)
Date: Mon, 19 Jun 2023 14:02:48 +0100
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
Message-ID: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>

I'm experimenting with the ldap directAuthenticator in order to remove a
redundant search from our current config that uses the
bindSearchAuthenticator.

This seems to work well, but I've found that I am now getting the generic
idp.message ("unidentified error") error when entering an invalid username
at login, instead of the bad-username.message value.

My ldap logs show the following when I try to log in with a non-existent
user:

INFO [net.shibboleth.idp.authn.impl.LDAPCredentialValidator:202]
[B317AAA859732FEA20EE2117476E074A 192.168.1.1] - Credential Validator ldap:
Login by 'foobarfoo' failed
org.ldaptive.LdapException: LDAPException(resultCode=32 (no such object),
errorMessage='no such object', matchedDN='ou=people,dc=example,dc=org',
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb)

I've fixed this by adding "LDAPException(resultCode=32 (no such object)"
as a value for <entry key="UnknownUsername"> in
the shibboleth.authn.Password.ClassifiedMessageMap map
in templates/shibboleth/conf/authn/password-authn-config.xml.

This took a bit of experimentation as I'm not sure how these values are
actually matched against the errors. I originally tried just "no such
object" but this had no effect.

Are the values simple string prefix matches or something else? Is there a
better (more resilient?) way to set up this mapping?

Thanks,

Max Spicer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230619/2140c7a6/attachment.htm>

From lukas.fredriksson at math.su.se  Mon Jun 19 14:46:59 2023
From: lukas.fredriksson at math.su.se (Lukas Fredriksson)
Date: Mon, 19 Jun 2023 14:46:59 +0000
Subject: SV: Error starting shibboleth 3.0.4 on ubuntu 20.04, says we need
 libssl.so.1.0.0
In-Reply-To: <ZJAbSVOsIUF5IIbv@aco.net>
References: <ea2a29a2fd3248e6b1502d8a1ade94de@math.su.se>,
 <ZJAbSVOsIUF5IIbv@aco.net>
Message-ID: <5fead229b9ca44c4a52af2b364ef1c7d@math.su.se>

Thanks for your response!

We have libapache2-mod-shib2 installed and when running the commands we get similar results as you did (included at the end). Still won?t start.


Do you think there could be something with our shib config that cause this? We have tried to find anything but haven?t yet.

Thanks,
Lukas




# ldd /usr/sbin/shibd | fgrep ssl
         libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1
(0x00007fcdbac32000)

# dpkg -S /usr/lib/x86_64-linux-gnu/libssl.so.1.1
libssl1.1:amd64: /usr/lib/x86_64-linux-gnu/libssl.so.1.1

# systemctl start shibd.service
Job for shibd.service failed because the control process exited with error
code.
See "systemctl status shibd.service" and "journalctl -xe" for details.

root at v-test:~# journalctl -xe
-- Support: http://www.ubuntu.com/support
--
-- A stop job for unit shibd.service has finished.
--
-- The job identifier is 6471697 and the job result is done.
jun 19 16:31:41 v-test systemd[1]: Starting Shibboleth Service Provider
Daemon...
-- Subject: A start job for unit shibd.service has begun execution
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- A start job for unit shibd.service has begun execution.
--
-- The job identifier is 6471697.
jun 19 16:31:41 v-test shibd[1762384]: /usr/sbin/shibd: error while
loading shared libraries: libssl.so.1.0.0: cannot open shared object file:
No such file or directory
jun 19 16:31:41 v-test systemd[1]: shibd.service: Main process exited,
code=exited, status=127/n/a

# systemctl status shibd
? shibd.service - Shibboleth Service Provider Daemon
      Loaded: loaded (/lib/systemd/system/shibd.service; enabled; vendor
preset: enabled)
     Drop-In: /etc/systemd/system/shibd.service.d
              ??override.conf
      Active: activating (auto-restart) (Result: exit-code) since Mon
2023-06-19 16:32:12 CEST; 19s ago
        Docs: man:shibd(8)
              https://wiki.shibboleth.net/confluence/display/SP3/Home
     Process: 1762398 ExecStart=/usr/sbin/shibd -f -F (code=exited,
status=127)
    Main PID: 1762398 (code=exited, status=127)

jun 19 16:32:12 v-test systemd[1]: shibd.service: Main process exited,
code=exited, status=127/n/a
jun 19 16:32:12 v-test systemd[1]: shibd.service: Failed with result
'exit-code'.
jun 19 16:32:12 v-test shibd[1762398]: /usr/sbin/shibd: error while
loading shared libraries: libssl.so.1.0.0: cannot open shared object file:
No such file or directory
jun 19 16:32:12 v-test systemd[1]: Failed to start Shibboleth Service
Provider Daemon.

________________________________
Fr?n: users <users-bounces at shibboleth.net> f?r Peter Schober via users <users at shibboleth.net>
Skickat: den 19 juni 2023 11:09:29
Till: users at shibboleth.net
Kopia: Peter Schober
?mne: Re: Error starting shibboleth 3.0.4 on ubuntu 20.04, says we need libssl.so.1.0.0

* Lukas Fredriksson via users <users at shibboleth.net> [2023-06-19 03:51]:
> When running 'systemctl start shibd.service' we get an
> error. Running 'journalctl -xe' shows the message '/usr/sbin/shibd:
> error while loading shared libraries: libssl.so.1.0.0: cannot open
> shared object file: No such file or directory'. I have tried
> reinstalling shibboleth but the same error occurs.

Then your system is somehow broken. (Maybe check your apt sources for
stale entries.)  On a fresh Ubuntu 20.04 LTS system installing
libapache2-mod-shib2 pulls in all dependencies and shibd
starts correctly:

$ ldd /usr/sbin/shibd | fgrep ssl
        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f56a7e30000)

$ dpkg -S /usr/lib/x86_64-linux-gnu/libssl.so.1.1
libssl1.1:amd64: /usr/lib/x86_64-linux-gnu/libssl.so.1.1

$ systemctl status shibd
? shibd.service - Shibboleth Service Provider Daemon
     Loaded: loaded (/lib/systemd/system/shibd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-06-19 09:05:13 UTC; 2min 55s ago
       Docs: man:shibd(8)
             https://wiki.shibboleth.net/confluence/display/SP3/Home
   Main PID: 19286 (shibd)
      Tasks: 5 (limit: 618903)
     Memory: 10.0M
        CPU: 43ms
     CGroup: /system.slice/shibd.service
             ??19286 /usr/sbin/shibd -f -F

Jun 19 09:05:13 ubu20 systemd[1]: Starting Shibboleth Service Provider Daemon...
Jun 19 09:05:13 ubu20 systemd[1]: Started Shibboleth Service Provider Daemon.

-peter
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230619/1822bea0/attachment.htm>

From peter.schober at univie.ac.at  Mon Jun 19 17:24:14 2023
From: peter.schober at univie.ac.at (Peter Schober)
Date: Mon, 19 Jun 2023 19:24:14 +0200
Subject: SV: Error starting shibboleth 3.0.4 on ubuntu 20.04, says we
 need libssl.so.1.0.0
In-Reply-To: <5fead229b9ca44c4a52af2b364ef1c7d@math.su.se>
References: <ea2a29a2fd3248e6b1502d8a1ade94de@math.su.se>
 <ZJAbSVOsIUF5IIbv@aco.net>
 <5fead229b9ca44c4a52af2b364ef1c7d@math.su.se>
Message-ID: <ZJCPPtaJ+pKbd8UG@aco.net>

* Lukas Fredriksson via users <users at shibboleth.net> [2023-06-19 16:47]:
> ? shibd.service - Shibboleth Service Provider Daemon
>       Loaded: loaded (/lib/systemd/system/shibd.service; enabled; vendor preset: enabled)
>      Drop-In: /etc/systemd/system/shibd.service.d
>               ??override.conf

A plain vanilla install on a fresh 20.04 LTS system has no systemd
override. What's the content of yours?

-peter

From lukas.fredriksson at math.su.se  Tue Jun 20 10:09:43 2023
From: lukas.fredriksson at math.su.se (Lukas Fredriksson)
Date: Tue, 20 Jun 2023 10:09:43 +0000
Subject: SV: SV: Error starting shibboleth 3.0.4 on ubuntu 20.04, says we need
 libssl.so.1.0.0
In-Reply-To: <ZJCPPtaJ+pKbd8UG@aco.net>
References: <ea2a29a2fd3248e6b1502d8a1ade94de@math.su.se>
 <ZJAbSVOsIUF5IIbv@aco.net>
 <5fead229b9ca44c4a52af2b364ef1c7d@math.su.se>,<ZJCPPtaJ+pKbd8UG@aco.net>
Message-ID: <df2a582f64364ac78f18fcd88cf6ce50@math.su.se>

Seems like you were right on the money with that one!


The content on the file is:


[Service]
Environment="LD_PRELOAD=/opt/libcurl3/libcurl.so.4.5.0"




After removing it shibboleth started without any issues. I have no idea why that file was there and how it got there, but it's all good now.


Thanks a lot!


// Lukas

________________________________
Fr?n: users <users-bounces at shibboleth.net> f?r Peter Schober via users <users at shibboleth.net>
Skickat: den 19 juni 2023 19:24:14
Till: users at shibboleth.net
Kopia: Peter Schober
?mne: Re: SV: Error starting shibboleth 3.0.4 on ubuntu 20.04, says we need libssl.so.1.0.0

* Lukas Fredriksson via users <users at shibboleth.net> [2023-06-19 16:47]:
> ? shibd.service - Shibboleth Service Provider Daemon
>       Loaded: loaded (/lib/systemd/system/shibd.service; enabled; vendor preset: enabled)
>      Drop-In: /etc/systemd/system/shibd.service.d
>               ??override.conf

A plain vanilla install on a fresh 20.04 LTS system has no systemd
override. What's the content of yours?

-peter
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230620/422044de/attachment.htm>

From cantor.2 at osu.edu  Tue Jun 20 13:01:02 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Tue, 20 Jun 2023 13:01:02 +0000
Subject: SLO redirect to site
In-Reply-To: <SJ0PR03MB65186C8BEA942F618780FA99A858A@SJ0PR03MB6518.namprd03.prod.outlook.com>
References: <SJ0PR03MB65186C8BEA942F618780FA99A858A@SJ0PR03MB6518.namprd03.prod.outlook.com>
Message-ID: <5424DE02-B8EB-46B5-A5F2-2AF6622A5A90@osu.edu>

With or without proxying, the IdP has never and will never support any return parameters. That would turn it into an open redirector, with no obvious/prcatical means of limiting it.

Logout and proxying do not work together at present either. If we fix that, it will likely involve just blocking logout propagation and the browser would be expected to land on the real IdP in the end.

-- Scott




From cantor.2 at osu.edu  Tue Jun 20 13:03:03 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Tue, 20 Jun 2023 13:03:03 +0000
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
In-Reply-To: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
References: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
Message-ID: <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>

> Are the values simple string prefix matches or something else? Is there a
> better (more resilient?) way to set up this mapping?

It's a "contains" check, nothing more complex than that.

-- Scott




From cantor.2 at osu.edu  Tue Jun 20 13:04:01 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Tue, 20 Jun 2023 13:04:01 +0000
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
In-Reply-To: <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>
References: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
 <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>
Message-ID: <87B1769A-EC20-4B0D-ADAC-381C4E7BEAA4@osu.edu>

(Meaning any part of the string in the map can appear inside the message and it will apply that mapping.)

-- Scott



From max.spicer at york.ac.uk  Tue Jun 20 13:48:52 2023
From: max.spicer at york.ac.uk (Max Spicer)
Date: Tue, 20 Jun 2023 14:48:52 +0100
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
In-Reply-To: <87B1769A-EC20-4B0D-ADAC-381C4E7BEAA4@osu.edu>
References: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
 <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>
 <87B1769A-EC20-4B0D-ADAC-381C4E7BEAA4@osu.edu>
Message-ID: <CABbdpz-GpBewmdMOJ3nFfTK22hpUW8b8_kO8FHDZc_5G5KeZtw@mail.gmail.com>

That's odd. When I set the value as follows, the message did not seem to be
mapped:

<value>no such object</value>

But when I set this, it was:

<value>LDAPException(resultCode=32 (no such object)</value>

Regards,

Max

On Tue, 20 Jun 2023 at 14:04, Cantor, Scott via users <users at shibboleth.net>
wrote:

> (Meaning any part of the string in the map can appear inside the message
> and it will apply that mapping.)
>

-- 
Max Spicer
Identity Systems, IT Services, University of York
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230620/9c25f277/attachment.htm>

From cantor.2 at osu.edu  Tue Jun 20 14:01:57 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Tue, 20 Jun 2023 14:01:57 +0000
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
In-Reply-To: <CABbdpz-GpBewmdMOJ3nFfTK22hpUW8b8_kO8FHDZc_5G5KeZtw@mail.gmail.com>
References: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
 <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>
 <87B1769A-EC20-4B0D-ADAC-381C4E7BEAA4@osu.edu>
 <CABbdpz-GpBewmdMOJ3nFfTK22hpUW8b8_kO8FHDZc_5G5KeZtw@mail.gmail.com>
Message-ID: <9A135EE9-78D7-44A2-9E15-B3FB187F3A47@osu.edu>

> That's odd. When I set the value as follows, the message did not seem to be
> mapped:

I use partial strings and they definitely work.

-- Scott



From max.spicer at york.ac.uk  Tue Jun 20 14:08:33 2023
From: max.spicer at york.ac.uk (Max Spicer)
Date: Tue, 20 Jun 2023 15:08:33 +0100
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
In-Reply-To: <9A135EE9-78D7-44A2-9E15-B3FB187F3A47@osu.edu>
References: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
 <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>
 <87B1769A-EC20-4B0D-ADAC-381C4E7BEAA4@osu.edu>
 <CABbdpz-GpBewmdMOJ3nFfTK22hpUW8b8_kO8FHDZc_5G5KeZtw@mail.gmail.com>
 <9A135EE9-78D7-44A2-9E15-B3FB187F3A47@osu.edu>
Message-ID: <CABbdpz_uCwa4D3sJPmy_KbwykVnELgBLVSeA_32ZO0PcJ9e9EA@mail.gmail.com>

Weird. It's far from beyond the realms of possibility that I missed
something.

I'll bear that in mind for next time. The current setup is a stop gap
whilst dealing with an older ldap server in the validator chain anyway. New
servers will return "invalid credentials" regardless.

Cheers,

Max

On Tue, 20 Jun 2023 at 15:02, Cantor, Scott <cantor.2 at osu.edu> wrote:

> > That's odd. When I set the value as follows, the message did not seem to
> be
> > mapped:
>
> I use partial strings and they definitely work.
>
> -- Scott
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230620/f2887d35/attachment.htm>

From cantor.2 at osu.edu  Wed Jun 21 01:08:29 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Wed, 21 Jun 2023 01:08:29 +0000
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
In-Reply-To: <9A135EE9-78D7-44A2-9E15-B3FB187F3A47@osu.edu>
References: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
 <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>
 <87B1769A-EC20-4B0D-ADAC-381C4E7BEAA4@osu.edu>
 <CABbdpz-GpBewmdMOJ3nFfTK22hpUW8b8_kO8FHDZc_5G5KeZtw@mail.gmail.com>
 <9A135EE9-78D7-44A2-9E15-B3FB187F3A47@osu.edu>
Message-ID: <0A7434AD-8F1A-4B86-A832-F4CB9C2C08C7@osu.edu>

I don't think this is your problem (specifically because using the "whole" string seemed to work), but there is a bug in the released version(s) that causes problems when chains of validators all signal different events.

It generally affects auditing more than anything else but I guess it's possible things are stepping on each other in other areas.

-- Scott



From max.spicer at york.ac.uk  Wed Jun 21 08:06:28 2023
From: max.spicer at york.ac.uk (Max Spicer)
Date: Wed, 21 Jun 2023 09:06:28 +0100
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
In-Reply-To: <0A7434AD-8F1A-4B86-A832-F4CB9C2C08C7@osu.edu>
References: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
 <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>
 <87B1769A-EC20-4B0D-ADAC-381C4E7BEAA4@osu.edu>
 <CABbdpz-GpBewmdMOJ3nFfTK22hpUW8b8_kO8FHDZc_5G5KeZtw@mail.gmail.com>
 <9A135EE9-78D7-44A2-9E15-B3FB187F3A47@osu.edu>
 <0A7434AD-8F1A-4B86-A832-F4CB9C2C08C7@osu.edu>
Message-ID: <CABbdpz9Bw3XP_WkfxVxhL-DX7ieovDQ1Srkrw_6T-=xhBGHjgw@mail.gmail.com>

We do have a chain of validators and they will be returning different
events so that is certainly possible.

In passing, I've also realised that the logic in our login-error.vm is also
failing to deal with the fact that we have multiple validators that can
return classified errors. We're just
using getClassifiedErrors().iterator().next() as per the sample so
presumably are only looking at the first error. In practice I doubt this
matters as we generally only return a generic "your username or password is
incorrect" message.

Cheers,

Max

On Wed, 21 Jun 2023 at 02:08, Cantor, Scott <cantor.2 at osu.edu> wrote:

> I don't think this is your problem (specifically because using the "whole"
> string seemed to work), but there is a bug in the released version(s) that
> causes problems when chains of validators all signal different events.
>
> It generally affects auditing more than anything else but I guess it's
> possible things are stepping on each other in other areas.
>
> -- Scott
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230621/2595456d/attachment.htm>

From cantor.2 at osu.edu  Wed Jun 21 12:17:44 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Wed, 21 Jun 2023 12:17:44 +0000
Subject: Providing a custom UnknownUsername message with a ldap
 directAuthenticator
In-Reply-To: <CABbdpz9Bw3XP_WkfxVxhL-DX7ieovDQ1Srkrw_6T-=xhBGHjgw@mail.gmail.com>
References: <CABbdpz8PtTSP7kdGOeor3uVX5i84mBQaqq=0UEEHzTO_cd1cQQ@mail.gmail.com>
 <C616DC0E-767B-42F4-9310-02FE663D8CC4@osu.edu>
 <87B1769A-EC20-4B0D-ADAC-381C4E7BEAA4@osu.edu>
 <CABbdpz-GpBewmdMOJ3nFfTK22hpUW8b8_kO8FHDZc_5G5KeZtw@mail.gmail.com>
 <9A135EE9-78D7-44A2-9E15-B3FB187F3A47@osu.edu>
 <0A7434AD-8F1A-4B86-A832-F4CB9C2C08C7@osu.edu>
 <CABbdpz9Bw3XP_WkfxVxhL-DX7ieovDQ1Srkrw_6T-=xhBGHjgw@mail.gmail.com>
Message-ID: <D45F1BBA-0334-414A-A305-35AA32679420@osu.edu>

> In passing, I've also realised that the logic in our login-error.vm is also failing
> to deal with the fact that we have multiple validators that can return
> classified errors.

That logic generally often has to be fine tuned.

> We're just using getClassifiedErrors().iterator().next() as per the sample so
> presumably are only looking at the first error.

That was part of the bug. Among other things, it wasn't ordered, now it is. So the "last" one added will be consistently accessible.

-- Scott



From jeff.chapin at uni.edu  Wed Jun 21 15:16:40 2023
From: jeff.chapin at uni.edu (Jeff Chapin)
Date: Wed, 21 Jun 2023 10:16:40 -0500
Subject: Handling expired/expiring users after upgrading from Shib 3 to Shib 4
Message-ID: <CAHApK_WLvNVFcz8zeWWPjORe98QzLLhNqCaGWw4wwq-7miZV5w@mail.gmail.com>

Prior to upgrading from Shib 3, we had shibboleth set up to handle user
authentication via LDAP, and we retrieved the user expiration date via an
attribute (this attribute was a call to a database, which allowed us to set
the format of the date returned, as well as modify the expiration based on
business rules, and allowed us to treat administratively reset users as
'expired').  The attribute was named 'passwordExpiration' -- and that's the
limit of my notes. Perhaps once I got that attribute populated, it was
simply just used and things just worked.

This was working just fine. I believe we tested this after upgrading to 4.1
and I believe it was working then, but I cannot be 100% sure.

Now that we are on 4.2, users that *should* be considered expired based on
the date, but know the value of the expired password, are allowed in
without being redirected to the password reset page.

I see some discussion on the mailing list (
http://shibboleth.net/pipermail/users/2023-January/053346.html) that
references files we don't have. I have tried changing the format of the
expiration to yyyyMMdd based on that email exchange, but no luck.

I can't seem to find documentation for Shib 4.3 for how to set up expiring
passwords -- any ideas what I seem to be missing?

-- 

Jeff Chapin,

Panther eSports Adviser
Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: Jeff.Chapin at uni.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230621/d3820c3a/attachment.htm>

From cantor.2 at osu.edu  Wed Jun 21 16:07:21 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Wed, 21 Jun 2023 16:07:21 +0000
Subject: Handling expired/expiring users after upgrading from Shib 3 to
 Shib 4
In-Reply-To: <CAHApK_WLvNVFcz8zeWWPjORe98QzLLhNqCaGWw4wwq-7miZV5w@mail.gmail.com>
References: <CAHApK_WLvNVFcz8zeWWPjORe98QzLLhNqCaGWw4wwq-7miZV5w@mail.gmail.com>
Message-ID: <4F60E6B4-6B52-43EF-A746-58630E419DAA@osu.edu>

> I can't seem to find documentation for Shib 4.3 for how to set up expiring
> passwords -- any ideas what I seem to be missing?

There are no real changes in this regard, only additional features. You'd have to highlight something specific you don't think works.

Fundamentally, if you want to block people in these cases, that's always been the context-check interceptor.

If you want to "warn but let them on", then that is either the expiring-password interceptor or, more flexibly so probably a better option, the warning interceptor.

Also, don't confuse issues with date formatting with the IdP. V4 uses Java's library, V3 used joda-time. To a limited degree joda-time is still usable if you include it, but getting formatting strings right is a black art and is really a matter of reading javadoc and playing around. My strings were wrong for years even though they mostly worked. They're very hard to get right.

-- Scott



From cantor.2 at osu.edu  Wed Jun 21 16:11:03 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Wed, 21 Jun 2023 16:11:03 +0000
Subject: Handling expired/expiring users after upgrading from Shib 3 to
 Shib 4
In-Reply-To: <4F60E6B4-6B52-43EF-A746-58630E419DAA@osu.edu>
References: <CAHApK_WLvNVFcz8zeWWPjORe98QzLLhNqCaGWw4wwq-7miZV5w@mail.gmail.com>
 <4F60E6B4-6B52-43EF-A746-58630E419DAA@osu.edu>
Message-ID: <8FADA6C9-5828-4DB3-9254-793798D235C7@osu.edu>

Another point I guess...4.3 adds an explicit DateTimeAttributeDefinition, which "isolates" the whole mess of converting inside the resolver and is perhaps a bit easier to play/debug with (e.g. aacli and reloading). That gets you a standard Instant out that the relevant predicate(s) will operate against without having to do the conversion there.

I haven't done that switch myself but I added that so it's an option.

-- Scott



From p.kumar.13 at elsevier.com  Wed Jun 21 17:13:14 2023
From: p.kumar.13 at elsevier.com (Kumar, Prasanth (ELS-LOW))
Date: Wed, 21 Jun 2023 17:13:14 +0000
Subject: Force Re-authentication to the specific identity provider using
 shibboleth SP configuration
Message-ID: <CO1PR08MB67534AD145845466BD04CCCCB05DA@CO1PR08MB6753.namprd08.prod.outlook.com>

Hi All,

We have been using one site or application in shibboleth service provider sp config file. we are make use of this configuration to communicate with multiple  identity provider's.
if you look at the below config changes of shibboleth2.xml SP config file, we are trying to turning on forceAuthn flag to the one specific idp but shibboleth sp Forcing Re-authentication for all the identity provider's.
Is there a way we can turn on forceAuthn flag to the one specific  identity provider? Or Am I missing any other configurations?

<ApplicationOverride id="APPNAME"   entityID=https://AME.uww.edu/shibboleth<https://ame.uww.edu/shibboleth>>
<SSO entityID="https://idp1/shibboleth" discoveryProtocol="SAMLDS">
               SAML2 SAML1
</SSO>
<SSO entityID="https://idp2/shibboleth" forceAuthn="true" discoveryProtocol="SAMLDS">
               SAML2 SAML1
</SSO>

Thanks in advance.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230621/d2c7bf6b/attachment.htm>

From cantor.2 at osu.edu  Wed Jun 21 17:28:10 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Wed, 21 Jun 2023 17:28:10 +0000
Subject: Force Re-authentication to the specific identity provider using
 shibboleth SP configuration
In-Reply-To: <CO1PR08MB67534AD145845466BD04CCCCB05DA@CO1PR08MB6753.namprd08.prod.outlook.com>
References: <CO1PR08MB67534AD145845466BD04CCCCB05DA@CO1PR08MB6753.namprd08.prod.outlook.com>
Message-ID: <8D5A3DFE-23C0-4A61-BFB2-DE7A5531164F@osu.edu>

There is no modern configuration-based way to do that I know of. ForceAuthn can be passed on the URL via a parameter to the /Login endpoint so it can be done dynamically and that's about the only way of it being per-IdP with any ordinary effort at present.

The old way of building manual SessionInitiator chains probably works in theory, but is far outside anything I would be willing to work up as free support at this point.

-- Scott



From dmclaughlin at tech-consortium.com  Thu Jun 22 18:23:44 2023
From: dmclaughlin at tech-consortium.com (Dan McLaughlin)
Date: Thu, 22 Jun 2023 13:23:44 -0500
Subject: Shib Request Env Vars vs Headers using mod_jk vs mod_proxy_http2
Message-ID: <CANi0WjVXAhY3uz4dO5T1h_1xYU8HPu_aeTjoTdWvMOGzDtSBDg@mail.gmail.com>

We've used mod_jk for years and always used request envvars instead of
headers, but due to new security requirements, we need to move to
mod_proxy_http2 over TLS.  In my initial testing, I've only had
success getting attributes over if I use HTTP headers. From my
reading, it seems like that might be the only option. Has anyone else
been able to figure out how to use mod_proxy_http2 without having to
enable ShibUseHeaders?

--

Thanks,

Dan

From dmclaughlin at tech-consortium.com  Thu Jun 22 18:29:02 2023
From: dmclaughlin at tech-consortium.com (Dan McLaughlin)
Date: Thu, 22 Jun 2023 13:29:02 -0500
Subject: Shib Request Env Vars vs Headers using mod_jk vs mod_proxy_http2
In-Reply-To: <CANi0WjVXAhY3uz4dO5T1h_1xYU8HPu_aeTjoTdWvMOGzDtSBDg@mail.gmail.com>
References: <CANi0WjVXAhY3uz4dO5T1h_1xYU8HPu_aeTjoTdWvMOGzDtSBDg@mail.gmail.com>
Message-ID: <CANi0WjWLpr6S7Ek2nAaFX2jdXmdAwT_k7N41CKgu8tcGon=WPA@mail.gmail.com>

...and is it even that big of an issue, seeing as the headers are only
inserted on the backend, which will be encrypted using HTTP2 over TLS.
  I'm guessing it was a bigger concern with AJP seeing as how AJP
isn't encrypted.

--

Thanks,

Dan

On Thu, Jun 22, 2023 at 1:23?PM Dan McLaughlin
<dmclaughlin at tech-consortium.com> wrote:
>
> We've used mod_jk for years and always used request envvars instead of
> headers, but due to new security requirements, we need to move to
> mod_proxy_http2 over TLS.  In my initial testing, I've only had
> success getting attributes over if I use HTTP headers. From my
> reading, it seems like that might be the only option. Has anyone else
> been able to figure out how to use mod_proxy_http2 without having to
> enable ShibUseHeaders?
>
> --
>
> Thanks,
>
> Dan

From cantor.2 at osu.edu  Thu Jun 22 19:12:51 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Thu, 22 Jun 2023 19:12:51 +0000
Subject: Shib Request Env Vars vs Headers using mod_jk vs mod_proxy_http2
In-Reply-To: <CANi0WjVXAhY3uz4dO5T1h_1xYU8HPu_aeTjoTdWvMOGzDtSBDg@mail.gmail.com>
References: <CANi0WjVXAhY3uz4dO5T1h_1xYU8HPu_aeTjoTdWvMOGzDtSBDg@mail.gmail.com>
Message-ID: <C12D96D7-488F-40D6-88BE-D22525F55A24@osu.edu>

Headers are the only option to proxy, but that's on the back-end. You can probably gateway things so that the variables on the proxy aren't headers and use them to set the headers for the final hop.

-- Scott



From m.leonhartsberger at cumulo.at  Thu Jun 22 19:55:54 2023
From: m.leonhartsberger at cumulo.at (Martin Leonhartsberger)
Date: Thu, 22 Jun 2023 19:55:54 +0000
Subject: HelloWorld Plugin Exception
Message-ID: <C78640B3-D4DA-4583-9C0E-90C8204CC173@cumulo.at>

Hi,

Setup: IDP v4.3.1 configured as SAML Proxy with Discovery Service activated.

On trying HelloWorld Plugin, it produces an uncaught Exception. Probably because Upstream Relying Party is unknown prior to discovery, but somehow already expected, or discovery is skipped.
Regular authentication works fine, it is just an issue with the HelloWorld Plugin.
If I disable discovery and pass a single Entity ID for the SAML Flow, the plugin works again.

Thank you!

Best regards,
Martin

2023-06-22 21:49:15,050 - 144.65.16.161 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:222] - Profile Action InitializeAuthenticationContext: Created authentication context: AuthenticationContext{initiationInstant=2023-06-22T19:49:15.050535Z, isPassive=false, forceAuthn=false, requiredName=null, hintedName=null, maxAge=null, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, authenticationStateMap={}, resultCacheable=true, authenticationResult=null, completionInstant=null}
2023-06-22 21:49:15,051 - 144.65.16.161 - DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods
2023-06-22 21:49:15,053 - 144.65.16.161 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:213] - Profile Action PopulateAuthenticationContext: Installed 2 potential authentication flows into AuthenticationContext
2023-06-22 21:49:15,054 - 144.65.16.161 - DEBUG [net.shibboleth.idp.session.impl.PopulateSessionContext:145] - Profile Action PopulateSessionContext: No session found for client
2023-06-22 21:49:15,057 - 144.65.16.161 - DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods
2023-06-22 21:49:15,058 - 144.65.16.161 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:57] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do
2023-06-22 21:49:15,058 - 144.65.16.161 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:57] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2023-06-22 21:49:15,058 - 144.65.16.161 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:274] - Profile Action SelectAuthenticationFlow: No specific Principals requested
2023-06-22 21:49:15,059 - 144.65.16.161 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:312] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
2023-06-22 21:49:15,059 - 144.65.16.161 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:369] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/SAML
2023-06-22 21:49:15,082 - 144.65.16.161 - ERROR [net.shibboleth.idp.authn:39] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: RelyingPartyConfiguration cannot be null
                at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:307)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230622/85a08ea6/attachment.htm>

From cantor.2 at osu.edu  Thu Jun 22 21:30:18 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Thu, 22 Jun 2023 21:30:18 +0000
Subject: HelloWorld Plugin Exception
In-Reply-To: <C78640B3-D4DA-4583-9C0E-90C8204CC173@cumulo.at>
References: <C78640B3-D4DA-4583-9C0E-90C8204CC173@cumulo.at>
Message-ID: <F4FEDF05-E817-4BDE-83F0-5AF03490A7E8@osu.edu>

If you want to file a bug, that's via Jira. It won't be noted here.

-- Scott



From glipscomb at csu.edu.au  Fri Jun 23 05:46:23 2023
From: glipscomb at csu.edu.au (Lipscomb, Gary)
Date: Fri, 23 Jun 2023 05:46:23 +0000
Subject: Metadata Attributes for MFA retrieval in mfa-authn-config.xml script
Message-ID: <331735fa4f5241e891d5fe20cddf4904@csu.edu.au>

Hi all,

IdP 4.3.1

I?m trying to move to using metadata attributes to control which SP?s require MFA instead of currently hard coding in mfa-authn-config.xml

The following are the 2 attributes that I?m using and the MFA flow works for both.

       <saml:Attribute Name=http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://csu.edu.au/MFA_Required_ALL</saml:AttributeValue>
        </saml:Attribute>

      <saml:Attribute Name=http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://csu.edu.au/MFA_Required_StaffOnly</saml:AttributeValue>
      </saml:Attribute>


What I need to do is determine which value is passed into the MFA process and then test the users group membership for the StaffOnly value.
The group membership test is working.
We have some sites where staff require MFA but students don?t.

I?m unable to work out what I need to query to return the value ?https://csu.edu.au/MFA_Required_StaffOnly?
I've tried
           authnRequestedPrincipalContext = Java.type("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
but its not returning the values that I need.


My Javadoc foo is very basic basic .

Can someone point me in the right direction.

Regards

Gary



Gary Lipscomb
Technical Officer, Systems
IT Infrastructure & Security | Division of Information Technology

Charles Sturt University, Bathurst, NSW 2795
Ph: 02 6338 6533
Email: glipscomb at csu.edu.au
csu.edu.au



|   ALBURY-WODONGA   |   BATHURST    |   CANBERRA   |   DUBBO   |   GOULBURN   |   ORANGE   |   PARRAMATTA    |   PORT MACQUARIE   |   WAGGA WAGGA   |

LEGAL NOTICE
This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. Email should be checked for viruses and defects before opening. Charles Sturt University does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with Charles Sturt University may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at Charles Sturt University. The views expressed in this email are not necessarily those of Charles Sturt University.
Charles Sturt University in Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551). Charles Sturt University - TEQSA Provider Identification: PRV12018 (Australian University). CRICOS Provider: 00005F.
Consider the environment before printing this email.

From robertl at jlab.org  Fri Jun 23 13:12:27 2023
From: robertl at jlab.org (Bobby Lawrence)
Date: Fri, 23 Jun 2023 13:12:27 +0000
Subject: Metadata Attributes for MFA retrieval in mfa-authn-config.xml
 script
In-Reply-To: <331735fa4f5241e891d5fe20cddf4904@csu.edu.au>
References: <331735fa4f5241e891d5fe20cddf4904@csu.edu.au>
Message-ID: <SJ0PR09MB93023162E031E430AD57FB28DB23A@SJ0PR09MB9302.namprd09.prod.outlook.com>

Gary - since you are using metadata entry attributes for this, you may want to look into using a custom relying party configuration.  The software provides mechanisms for selecting a specific relying party for SPs that have certain SAML attributes in the EntityAttributes/Extensions metadata element.  Once you do this, you can set a specific authentication context on that relying party to enforce MFA. 
Something like this may work for you in relying-party.xml:

<bean id="mfaRequiredForEveryoneRelyingParty" parent="RelyingPartyByTag">
  <constructor-arg name="candidates">
    <list>
      <bean parent="TagCandidate" c:name="https://csu.edu.au/MFA_Required_ALL" />
    </list>
  </constructor-arg>
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
        <property name="defaultAuthenticationMethods">
          <list>
            <value>https://refeds.org/profile/mfa</value>
          </list>
        </property>
      </bean>
    </list>
  </property>
</bean>

<bean id="mfaRequiredForStaffOnlyRelyingParty" parent="RelyingPartyByTag">
  <constructor-arg name="candidates">
    <list>
      <bean parent="TagCandidate" c:name="https://csu.edu.au/MFA_Required_StaffOnly" />
    </list>
  </constructor-arg>
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
        <property name="defaultAuthenticationMethods">
          <list>
            <value>https://some.custom.authcontext.org/that_you_can_check/in/mfa-config/which_you_can_enforce/for_staff_only</value>
          </list>
        </property>
      </bean>
    </list>
  </property>
</bean>


I've also done something like what you are trying to do with specific AuthnContextClassRef's.  This was a bit trickier as it required the use of some fairly complex MFA scripting to fetch the requested principal context, pull out the specific part of it I was looking for and use that in the attribute resolution.  If you cant get things working with using the metadata attributes, you may want to look into going this route.

--Bobby



-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Lipscomb, Gary via users
Sent: Friday, June 23, 2023 1:46 AM
To: Shib Users <users at shibboleth.net>
Cc: Lipscomb, Gary <glipscomb at csu.edu.au>
Subject: [EXTERNAL] Metadata Attributes for MFA retrieval in mfa-authn-config.xml script

Hi all,

IdP 4.3.1

I?m trying to move to using metadata attributes to control which SP?s require MFA instead of currently hard coding in mfa-authn-config.xml

The following are the 2 attributes that I?m using and the MFA flow works for both.

       <saml:Attribute Name=https://urldefense.proofpoint.com/v2/url?u=http-3A__shibboleth.net_ns_profiles_defaultAuthenticationMethods&d=DwIGaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=YbL7Tj_EqBW9abl6xEy1bs2UfpzD0fSGcxiXJeDGwtg&m=v4cz78hOSCpLXPQGhnl0kg4i7BQlyHo2klF3gRLOGO0R-Db2S1sXrsKDBd1o3pq3&s=XBc7tXzKceO-PjHfM7vlPg5lZsS9kh6KhOaWM713vRM&e= 
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://urldefense.proofpoint.com/v2/url?u=https-3A__csu.edu.au_MFA-5FRequired-5FALL&d=DwIGaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=YbL7Tj_EqBW9abl6xEy1bs2UfpzD0fSGcxiXJeDGwtg&m=v4cz78hOSCpLXPQGhnl0kg4i7BQlyHo2klF3gRLOGO0R-Db2S1sXrsKDBd1o3pq3&s=bWbB4g8Hst-0EwuQhjdQuihVcIDklVNwgVOnDkWfsEs&e= </saml:AttributeValue>
        </saml:Attribute>

      <saml:Attribute Name=https://urldefense.proofpoint.com/v2/url?u=http-3A__shibboleth.net_ns_profiles_defaultAuthenticationMethods&d=DwIGaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=YbL7Tj_EqBW9abl6xEy1bs2UfpzD0fSGcxiXJeDGwtg&m=v4cz78hOSCpLXPQGhnl0kg4i7BQlyHo2klF3gRLOGO0R-Db2S1sXrsKDBd1o3pq3&s=XBc7tXzKceO-PjHfM7vlPg5lZsS9kh6KhOaWM713vRM&e= 
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://urldefense.proofpoint.com/v2/url?u=https-3A__csu.edu.au_MFA-5FRequired-5FStaffOnly&d=DwIGaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=YbL7Tj_EqBW9abl6xEy1bs2UfpzD0fSGcxiXJeDGwtg&m=v4cz78hOSCpLXPQGhnl0kg4i7BQlyHo2klF3gRLOGO0R-Db2S1sXrsKDBd1o3pq3&s=tOGBLLMbD6b-Tkp0miKKwSaC3xrugNSroMMcBkYmu4E&e= </saml:AttributeValue>
      </saml:Attribute>


What I need to do is determine which value is passed into the MFA process and then test the users group membership for the StaffOnly value.
The group membership test is working.
We have some sites where staff require MFA but students don?t.

I?m unable to work out what I need to query to return the value ?https://urldefense.proofpoint.com/v2/url?u=https-3A__csu.edu.au_MFA-5FRequired-5FStaffOnly&d=DwIGaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=YbL7Tj_EqBW9abl6xEy1bs2UfpzD0fSGcxiXJeDGwtg&m=v4cz78hOSCpLXPQGhnl0kg4i7BQlyHo2klF3gRLOGO0R-Db2S1sXrsKDBd1o3pq3&s=tOGBLLMbD6b-Tkp0miKKwSaC3xrugNSroMMcBkYmu4E&e= ?
I've tried
           authnRequestedPrincipalContext = Java.type("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
but its not returning the values that I need.


My Javadoc foo is very basic basic .

Can someone point me in the right direction.

Regards

Gary



Gary Lipscomb
Technical Officer, Systems
IT Infrastructure & Security | Division of Information Technology

Charles Sturt University, Bathurst, NSW 2795
Ph: 02 6338 6533
Email: glipscomb at csu.edu.au
csu.edu.au



|   ALBURY-WODONGA   |   BATHURST    |   CANBERRA   |   DUBBO   |   GOULBURN   |   ORANGE   |   PARRAMATTA    |   PORT MACQUARIE   |   WAGGA WAGGA   |

LEGAL NOTICE
This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. Email should be checked for viruses and defects before opening. Charles Sturt University does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with Charles Sturt University may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at Charles Sturt University. The views expressed in this email are not necessarily those of Charles Sturt University.
Charles Sturt University in Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551). Charles Sturt University - TEQSA Provider Identification: PRV12018 (Australian University). CRICOS Provider: 00005F.
Consider the environment before printing this email.
-- 
For Consortium Member technical support, see https://urldefense.proofpoint.com/v2/url?u=https-3A__shibboleth.atlassian.net_wiki_x_ZYEpPw&d=DwIGaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=YbL7Tj_EqBW9abl6xEy1bs2UfpzD0fSGcxiXJeDGwtg&m=v4cz78hOSCpLXPQGhnl0kg4i7BQlyHo2klF3gRLOGO0R-Db2S1sXrsKDBd1o3pq3&s=xOxICX52DS1nbQ-M1075E7AUIMzxeZzy1fVFyu5WHAw&e= 
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

From cantor.2 at osu.edu  Fri Jun 23 18:46:21 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Fri, 23 Jun 2023 18:46:21 +0000
Subject: Metadata Attributes for MFA retrieval in mfa-authn-config.xml
 script
In-Reply-To: <331735fa4f5241e891d5fe20cddf4904@csu.edu.au>
References: <331735fa4f5241e891d5fe20cddf4904@csu.edu.au>
Message-ID: <3187B3DC-76B2-495E-9063-92450660BFF0@osu.edu>

> I've tried
> authnRequestedPrincipalContext = 
> Java.type("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
> but its not returning the values that I need.

That expression means to store off the class object for that Java class, it has no other functional result.

Pass that into authenticationContext.getSubcontext() and you'll get the RequestedPrincipalContext, which carries the translated information that is derived from the defaultAuthenticationMethods setting.

But the whole point of abstracting the context class values is to let the IdP just do the work when it decides how to do whatever it's doing. Checking for them by hand isn't really something you want to be doing much of.

-- Scott



From rullfig at uic.edu  Mon Jun 26 19:38:20 2023
From: rullfig at uic.edu (Ullfig, Roberto Alfredo)
Date: Mon, 26 Jun 2023 19:38:20 +0000
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories
Message-ID: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>

We're migrating the IDP from Centos 7 to Ubuntu 22.04. The IDP in general works just fine but I get this error when trying to access any file in a subdirectory:

"The origin server did not find a current representation for the target resource or is not willing to disclose that one exists."

For instance we have some images under idp/images that return that error. At first I thought it was related to systemd readwrite restrictions but that doesn't seem to be the case. Has anyone come across this before? Thanks!

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230626/5f25f109/attachment.htm>

From kwessel at illinois.edu  Mon Jun 26 20:11:40 2023
From: kwessel at illinois.edu (Wessel, Keith)
Date: Mon, 26 Jun 2023 20:11:40 +0000
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories
In-Reply-To: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
References: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
Message-ID: <BN6PR11MB4180D2E51193FB8B5B9656F9CB26A@BN6PR11MB4180.namprd11.prod.outlook.com>

If you're trying to access them at /idp/images, you should put them in edit-webapp/WEB-INF/images and rebuild the war file. Any paths under /dip are taken from contents of the war file.

If you want them in /images, not /idp/images, that needs to be handled by the root app of Tomcat.

Keith


From: users <users-bounces at shibboleth.net> On Behalf Of Ullfig, Roberto Alfredo via users
Sent: Monday, June 26, 2023 2:38 PM
To: Shib Users <users at shibboleth.net>
Cc: Ullfig, Roberto A (UIC) <rullfig at uic.edu>
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories

We're migrating the IDP from Centos 7 to Ubuntu 22.04. The IDP in general works just fine but I get this error when trying to access any file in a subdirectory:

"The origin server did not find a current representation for the target resource or is not willing to disclose that one exists."

For instance we have some images under idp/images that return that error. At first I thought it was related to systemd readwrite restrictions but that doesn't seem to be the case. Has anyone come across this before? Thanks!

---
Roberto Ullfig - rullfig at uic.edu<mailto:rullfig at uic.edu>
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230626/cb53fa2c/attachment.htm>

From rullfig at uic.edu  Mon Jun 26 20:38:17 2023
From: rullfig at uic.edu (Ullfig, Roberto Alfredo)
Date: Mon, 26 Jun 2023 20:38:17 +0000
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories
In-Reply-To: <BN6PR11MB4180D2E51193FB8B5B9656F9CB26A@BN6PR11MB4180.namprd11.prod.outlook.com>
References: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <BN6PR11MB4180D2E51193FB8B5B9656F9CB26A@BN6PR11MB4180.namprd11.prod.outlook.com>
Message-ID: <SJ0PR13MB5705CDC0CCDE75CC7869C6CFB026A@SJ0PR13MB5705.namprd13.prod.outlook.com>

We have them in /opt/shibboleth-idp/edit-webapp/images/ and that works on the Centos server. Tomcat was installed differently, on Centos it was a downloaded from the Apache web site. On Ubuntu it was installed via apt. Not sure if it matters but with the Apache web install everything ended up in /opt/tomcat (BASE and HOME) while with the apt install that's /var/lib/tomcat9 and /usr/share/tomcat9 respectively

Tried moving them to edit-webapp/WEB-INF/images and got the same error.

I had to add this to the tomcat9 systemd file:

[Service]
ReadWritePaths=/var/log/shibboleth/
ReadWritePaths=/opt/shibboleth-metadata/

otherwise, nothing would get written to the logs so I'm still wondering if this is a systemd issue.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: Wessel, Keith <kwessel at illinois.edu>
Sent: Monday, June 26, 2023 3:11 PM
To: Shib Users <users at shibboleth.net>
Cc: Ullfig, Roberto Alfredo <rullfig at uic.edu>
Subject: RE: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories


If you?re trying to access them at /idp/images, you should put them in edit-webapp/WEB-INF/images and rebuild the war file. Any paths under /dip are taken from contents of the war file.



If you want them in /images, not /idp/images, that needs to be handled by the root app of Tomcat.



Keith





From: users <users-bounces at shibboleth.net> On Behalf Of Ullfig, Roberto Alfredo via users
Sent: Monday, June 26, 2023 2:38 PM
To: Shib Users <users at shibboleth.net>
Cc: Ullfig, Roberto A (UIC) <rullfig at uic.edu>
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories



We're migrating the IDP from Centos 7 to Ubuntu 22.04. The IDP in general works just fine but I get this error when trying to access any file in a subdirectory:



"The origin server did not find a current representation for the target resource or is not willing to disclose that one exists."



For instance we have some images under idp/images that return that error. At first I thought it was related to systemd readwrite restrictions but that doesn't seem to be the case. Has anyone come across this before? Thanks!



---

Roberto Ullfig - rullfig at uic.edu<mailto:rullfig at uic.edu>
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230626/d6fb3d34/attachment.htm>

From peter.schober at univie.ac.at  Mon Jun 26 21:21:13 2023
From: peter.schober at univie.ac.at (Peter Schober)
Date: Mon, 26 Jun 2023 23:21:13 +0200
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories
In-Reply-To: <SJ0PR13MB5705CDC0CCDE75CC7869C6CFB026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
References: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <BN6PR11MB4180D2E51193FB8B5B9656F9CB26A@BN6PR11MB4180.namprd11.prod.outlook.com>
 <SJ0PR13MB5705CDC0CCDE75CC7869C6CFB026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
Message-ID: <ZJoBSWeODN1hMDOO@aco.net>

* Ullfig, Roberto Alfredo via users <users at shibboleth.net> [2023-06-26 22:38]:
> Tried moving them to edit-webapp/WEB-INF/images and got the same
> error.

Did you rebuild the war after making any changes to edit-webapp/ ?

> so I'm still wondering if this is a systemd issue.

It's not, you need those entries for write access to paths protected
by default by the distributed systemd configuration in
/lib/systemd/system/tomcat9.service

-peter

From wb626 at pku.edu.cn  Tue Jun 27 09:25:51 2023
From: wb626 at pku.edu.cn (=?UTF-8?B?546L5Y2a?=)
Date: Tue, 27 Jun 2023 17:25:51 +0800 (GMT+08:00)
Subject: what is the trust store used for in the TOTP plugin?
Message-ID: <48ba77fd.5d8c7.188fc2c7472.Coremail.wb626@pku.edu.cn>

Dear Shibboleth Team




I'm going through the TOTP plugin at https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878877/TOTP. 




Thanks for this excellent tool, now I'am able to successfully configure it and read the seeds from a database, looks everything is fine so far. However I doubt what the trust store is actually used for during the installation process? I see a folder credentials\net.shibboleth.idp.plugin.authn.totp is crested and an aes file and an empty backup file in this folder after installation.







Plugin net.shibboleth.idp.plugin.authn.totp: Trust store folder does not exist, creating
Plugin net.shibboleth.idp.plugin.authn.totp: Trust store does not exist, creating
TrustStore does not contain signature 0x378B845402277962
Accept this key:
Signature:      0x378B845402277962
FingerPrint:    DCAA15007BED9DE690CD9523378B845402277962
Username:       Scott Cantor <cantor.2 at osu.edu>
 [yN] y
Installing Plugin net.shibboleth.idp.plugin.authn.totp version 1.0.2







Any One has any idea on this? Thanks in advance!




Wang Bo

Peking University CARSI Team 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230627/c9855445/attachment.htm>

From rdw at steadingsoftware.com  Tue Jun 27 09:59:28 2023
From: rdw at steadingsoftware.com (Rod Widdowson)
Date: Tue, 27 Jun 2023 10:59:28 +0100
Subject: what is the trust store used for in the TOTP plugin?
In-Reply-To: <48ba77fd.5d8c7.188fc2c7472.Coremail.wb626@pku.edu.cn>
References: <48ba77fd.5d8c7.188fc2c7472.Coremail.wb626@pku.edu.cn>
Message-ID: <00fc01d9a8de$11e72f70$35b58e50$@steadingsoftware.com>

> However I doubt what the trust store is actually used for during the installation process?
It is.

>  I see a folder credentials\net.shibboleth.idp.plugin.authn.totp is crested 
> and an aes file and an empty backup file in this folder after installation. 

This is true for all plugins, not just TOTP.

TL;DR: The installer Is making it easier for you to do the right thing about trust.  The details are documented here [1], but I believe that it is worthwhile to be explicit as well.

By way of background, it is very important to the Shibboleth team that our users do not download or install malevolent packages.  For example, we go to significant lengths to validate any jars that we ship as part of the IdP.

When installing a plugin you are in effect downloading a random bit of software of unknown background.  There is a priori no reason to trust this software which could then go on to perform any amount of damage to your systems and your user's identities.

Whilst it is you that has to make the decision as to whether you are prepared to take that risk, the plugin installer provides some support and only allows plugins to be installed if they have passed a (GPG) signature check. Thus you will see that a plugin package consists of the contents (usually .tar.gz file) and a signature over that file (.asc).  

Before the plugin in installed the signature is checked.  This is this stage:

> Accept this key: 
> Signature:      0x378B845402277962 
> FingerPrint:    DCAA15007BED9DE690CD9523378B845402277962 
> Username:       Scott Cantor <cantor.2 at osu.edu> 
>  [yN] 

At  this stage you are expected to check that the signing certificate matches one that you are prepared to trust.  This stage is critical. 

In order that you do not have to go through this stage every time the installer also keeps track of those certificates that have already be accepted (it is in fact a GPG keyring) .  This is per plugin;  having accepted Scott's signature for the TOTP plugin means that you will not be prompted on an update if that update was signed by the same certificate.  If this certificate was used to sign a different plugin you would be prompted again: The fact that you trust Scott to ship TOTP plugins should not mean that you trust him to sign an OIDC plugin.

So we keep a GPG keyring on a per plugin basis and use this to determine whether you trust a signature or whether you need to go through due diligence on it.  This is the file you are seeing in the credentials folder.  If you have a centrally maintained keyring of trusted signatures you can use that (--truststore).

I hope this helps.

[1] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1294074003/PluginInstallation#GPG-Trust


From rullfig at uic.edu  Tue Jun 27 12:31:48 2023
From: rullfig at uic.edu (Ullfig, Roberto Alfredo)
Date: Tue, 27 Jun 2023 12:31:48 +0000
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories
In-Reply-To: <ZJoBSWeODN1hMDOO@aco.net>
References: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <BN6PR11MB4180D2E51193FB8B5B9656F9CB26A@BN6PR11MB4180.namprd11.prod.outlook.com>
 <SJ0PR13MB5705CDC0CCDE75CC7869C6CFB026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <ZJoBSWeODN1hMDOO@aco.net>
Message-ID: <SJ0PR13MB570533DB76862D9738E82169B027A@SJ0PR13MB5705.namprd13.prod.outlook.com>

Yes I reloaded. I've been doing this for over a decade. Do you know where systemd logs denied write access because I can't see that logged anywhere. I only figured out to enable write access to the log from someone else's post. It could be that tomcat is opening the directories R/W even though it doesn't need to write to them.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober via users <users at shibboleth.net>
Sent: Monday, June 26, 2023 4:21 PM
To: users at shibboleth.net <users at shibboleth.net>
Cc: Peter Schober <peter.schober at univie.ac.at>
Subject: Re: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories

* Ullfig, Roberto Alfredo via users <users at shibboleth.net> [2023-06-26 22:38]:
> Tried moving them to edit-webapp/WEB-INF/images and got the same
> error.

Did you rebuild the war after making any changes to edit-webapp/ ?

> so I'm still wondering if this is a systemd issue.

It's not, you need those entries for write access to paths protected
by default by the distributed systemd configuration in
/lib/systemd/system/tomcat9.service

-peter
--
For Consortium Member technical support, see https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fshibboleth.atlassian.net%2Fwiki%2Fx%2FZYEpPw&data=05%7C01%7Crullfig%40uic.edu%7Cb39258f7d4494d33b3a308db768b4bba%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C638234112874927512%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VCQyR9MnReCi7sGZ21qO2pOgYREYaYYt0KzjSRCOEbA%3D&reserved=0<https://shibboleth.atlassian.net/wiki/x/ZYEpPw>
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230627/89f0d2ee/attachment.htm>

From peter.schober at univie.ac.at  Tue Jun 27 13:10:08 2023
From: peter.schober at univie.ac.at (Peter Schober)
Date: Tue, 27 Jun 2023 15:10:08 +0200
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories
In-Reply-To: <SJ0PR13MB570533DB76862D9738E82169B027A@SJ0PR13MB5705.namprd13.prod.outlook.com>
References: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <BN6PR11MB4180D2E51193FB8B5B9656F9CB26A@BN6PR11MB4180.namprd11.prod.outlook.com>
 <SJ0PR13MB5705CDC0CCDE75CC7869C6CFB026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <ZJoBSWeODN1hMDOO@aco.net>
 <SJ0PR13MB570533DB76862D9738E82169B027A@SJ0PR13MB5705.namprd13.prod.outlook.com>
Message-ID: <ZJrfsNQFg6Vn2GZH@aco.net>

* Ullfig, Roberto Alfredo <rullfig at uic.edu> [2023-06-27 14:31]:
> Yes I reloaded. I've been doing this for over a decade.

You shouldn't feel offended by someone trying to help you fix your problems.
And it's not like the most experienced of admins are incapable of
making simple mistakes. Maybe you're the exception, of course.

> Do you know where systemd logs denied write access because I can't
> see that logged anywhere.

I'm not aware that it does but that doesn't mean anything.
The systemd docs (or code) would tell you. Sorry if you already knew
that as well. (Hard to tell which suggestions are OK and which are not
because you know all that.)

> I only figured out to enable write access to the log from someone
> else's post.

That specific issue only occurs when someone is using a distribution
of Tomcat that's explicitly not supported by the Shibboleth project:

  "We also do not officially support any "packaged" containers provided
  by OS vendors. We do not test on these containers so we cannot
  assess what changes may have been made by the packaging process [...]"
  https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631833/SystemRequirements

I've personally reported about this issue and how to work around it
several times on this list, at least 3 times in 2020 alone, back when
this issue initially came up (by Debian and derivatives introducing
these additional hardening mechanisms in their tomcat packaging):
https://shibboleth.net/pipermail/users/2020-September/047946.html

> It could be that tomcat is opening the directories R/W even though
> it doesn't need to write to them.

I never had to add any ReadWritePaths to make the IDP's default of
/idp/images/ work, which maps to the war in $IDP_HOME/war/idp.war or
an extracted copy thereof, which on Debian & friends would end up in
/var/lib/tomcat9/webapps/idp/ -- and /var/lib/tomcat9/webapps/ is
included in the default ReadWritePaths as distributed by Debian and
derivatives.

So no manual config changes would be needed to make the images
directory of the default IDP distribution work here, IMO.

Not even when putting those images into the ROOT context (which is the
alternative Keith W. suggested and what I'm using myself), outside of
the IDP's war mechanism, which on Debian & friends is in
/var/lib/tomcat9/webapps/ROOT/ and so still included in the default
systemd service's ReadWritePaths as well.

-peter

From rullfig at uic.edu  Tue Jun 27 16:10:34 2023
From: rullfig at uic.edu (Ullfig, Roberto Alfredo)
Date: Tue, 27 Jun 2023 16:10:34 +0000
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories
In-Reply-To: <ZJrfsNQFg6Vn2GZH@aco.net>
References: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <BN6PR11MB4180D2E51193FB8B5B9656F9CB26A@BN6PR11MB4180.namprd11.prod.outlook.com>
 <SJ0PR13MB5705CDC0CCDE75CC7869C6CFB026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <ZJoBSWeODN1hMDOO@aco.net>
 <SJ0PR13MB570533DB76862D9738E82169B027A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <ZJrfsNQFg6Vn2GZH@aco.net>
Message-ID: <SJ0PR13MB5705C37C774208B1E9B813F7B027A@SJ0PR13MB5705.namprd13.prod.outlook.com>

The problem was the lack of a global web.xml in the apt install of tomcat9 from Ubuntu. Copied the file over from the Centos server and everything works fine now. Thanks all!

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober via users <users at shibboleth.net>
Sent: Tuesday, June 27, 2023 8:10 AM
To: users at shibboleth.net <users at shibboleth.net>
Cc: Peter Schober <peter.schober at univie.ac.at>
Subject: Re: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories

* Ullfig, Roberto Alfredo <rullfig at uic.edu> [2023-06-27 14:31]:
> Yes I reloaded. I've been doing this for over a decade.

You shouldn't feel offended by someone trying to help you fix your problems.
And it's not like the most experienced of admins are incapable of
making simple mistakes. Maybe you're the exception, of course.

> Do you know where systemd logs denied write access because I can't
> see that logged anywhere.

I'm not aware that it does but that doesn't mean anything.
The systemd docs (or code) would tell you. Sorry if you already knew
that as well. (Hard to tell which suggestions are OK and which are not
because you know all that.)

> I only figured out to enable write access to the log from someone
> else's post.

That specific issue only occurs when someone is using a distribution
of Tomcat that's explicitly not supported by the Shibboleth project:

  "We also do not officially support any "packaged" containers provided
  by OS vendors. We do not test on these containers so we cannot
  assess what changes may have been made by the packaging process [...]"
  https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fshibboleth.atlassian.net%2Fwiki%2Fspaces%2FIDP4%2Fpages%2F1265631833%2FSystemRequirements&data=05%7C01%7Crullfig%40uic.edu%7C09d4f44a0a3643a7545708db770fdbeb%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C638234682231538613%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NasfwYdBwvKydRisvCIor2wRU6pDISslfwFU%2BLprL4U%3D&reserved=0<https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631833/SystemRequirements>

I've personally reported about this issue and how to work around it
several times on this list, at least 3 times in 2020 alone, back when
this issue initially came up (by Debian and derivatives introducing
these additional hardening mechanisms in their tomcat packaging):
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fshibboleth.net%2Fpipermail%2Fusers%2F2020-September%2F047946.html&data=05%7C01%7Crullfig%40uic.edu%7C09d4f44a0a3643a7545708db770fdbeb%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C638234682231538613%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qddoClJsBnybMFcLSPYfSYkJFWLQ6vbcHX4rrXnQkaI%3D&reserved=0<https://shibboleth.net/pipermail/users/2020-September/047946.html>

> It could be that tomcat is opening the directories R/W even though
> it doesn't need to write to them.

I never had to add any ReadWritePaths to make the IDP's default of
/idp/images/ work, which maps to the war in $IDP_HOME/war/idp.war or
an extracted copy thereof, which on Debian & friends would end up in
/var/lib/tomcat9/webapps/idp/ -- and /var/lib/tomcat9/webapps/ is
included in the default ReadWritePaths as distributed by Debian and
derivatives.

So no manual config changes would be needed to make the images
directory of the default IDP distribution work here, IMO.

Not even when putting those images into the ROOT context (which is the
alternative Keith W. suggested and what I'm using myself), outside of
the IDP's war mechanism, which on Debian & friends is in
/var/lib/tomcat9/webapps/ROOT/ and so still included in the default
systemd service's ReadWritePaths as well.

-peter
--
For Consortium Member technical support, see https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fshibboleth.atlassian.net%2Fwiki%2Fx%2FZYEpPw&data=05%7C01%7Crullfig%40uic.edu%7C09d4f44a0a3643a7545708db770fdbeb%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C638234682231538613%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xRKQL6eqjTRhrbrkeFEMntgtT2qkAZEuQ2F%2BX2caUCg%3D&reserved=0<https://shibboleth.atlassian.net/wiki/x/ZYEpPw>
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230627/6ede507e/attachment.htm>

From cantor.2 at osu.edu  Tue Jun 27 16:15:25 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Tue, 27 Jun 2023 16:15:25 +0000
Subject: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories
In-Reply-To: <SJ0PR13MB5705C37C774208B1E9B813F7B027A@SJ0PR13MB5705.namprd13.prod.outlook.com>
References: <SJ0PR13MB570531F469B7BDD36C57EC33B026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <BN6PR11MB4180D2E51193FB8B5B9656F9CB26A@BN6PR11MB4180.namprd11.prod.outlook.com>
 <SJ0PR13MB5705CDC0CCDE75CC7869C6CFB026A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <ZJoBSWeODN1hMDOO@aco.net>
 <SJ0PR13MB570533DB76862D9738E82169B027A@SJ0PR13MB5705.namprd13.prod.outlook.com>
 <ZJrfsNQFg6Vn2GZH@aco.net>
 <SJ0PR13MB5705C37C774208B1E9B813F7B027A@SJ0PR13MB5705.namprd13.prod.outlook.com>
Message-ID: <635D68B8-08ED-4BD9-88EC-EDC7F0527DA4@osu.edu>

> The problem was the lack of a global web. xml in the apt install of tomcat9 
> from Ubuntu.

Which is why we don't support packaged containers.

Java software is not manageable with common Linux packaging systems. Starting with the fact that you can't upgrade it while it's running without torching it.

-- Scott



From timo at timo-brunn.de  Tue Jun 27 18:22:29 2023
From: timo at timo-brunn.de (Timo Brunn)
Date: Tue, 27 Jun 2023 20:22:29 +0200
Subject: Shibboleth IDP 4 SSL Keystore error
Message-ID: <9c679f23-ba0b-c6de-997f-daf11607270b@timo-brunn.de>

Hi,

Im currently having trouble supplying an self-signed SSL Certificate to 
a shibboleth IDP:

Im generating the self-signed certificate using:

/keytool -genkeypair -alias jetty -validity 365 -keyalg RSA -keysize 
2048 -keystore /opt/shibboleth-idp/idp-userfacing.p12 -storetype pkcs12

/My idp.ini is setup to use the default keystore.

Starting jetty i get the following error:

Exception in thread "main" java.io.IOException: keystore password was 
incorrect
at 
java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)

I double and triple checked the keystore password and it is correct. 
Keytool is able to open the store
I even tried using the default password but that still doesn't work.

Using Shibboleth IDP 4.3.1
Jetty 10.0.15
Corretto-17.0.7.7.1

I hope someone can help me out here.

-- 
Mit freundlichen Gr??en/Best Regards
*Timo Brunn*

Website: timo-brunn.de <https://timo-brunn.de>
/Um ihre Echtheit zu best?tigen, wurde diese E-Mail digital signiert.
To prove its authenticity, this E-Mail has been digitally signed./
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230627/b5667eab/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4488 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://shibboleth.net/pipermail/users/attachments/20230627/b5667eab/attachment.p7s>

From wb626 at pku.edu.cn  Wed Jun 28 01:55:30 2023
From: wb626 at pku.edu.cn (=?UTF-8?B?546L5Y2a?=)
Date: Wed, 28 Jun 2023 09:55:30 +0800 (GMT+08:00)
Subject: what is the trust store used for in the TOTP plugin?
In-Reply-To: <00fc01d9a8de$11e72f70$35b58e50$@steadingsoftware.com>
References: <48ba77fd.5d8c7.188fc2c7472.Coremail.wb626@pku.edu.cn>
 <00fc01d9a8de$11e72f70$35b58e50$@steadingsoftware.com>
Message-ID: <666a9123.5b9a5.188ffb68104.Coremail.wb626@pku.edu.cn>

Dear Rod,

Thanks for the answer, it's very clear, my problem is solved.

Wang Bo
Peking University CARSI Team


> -----????-----
> ???: "Rod Widdowson" <rdw at steadingsoftware.com>
> ????: 2023-06-27 17:59:28 (???)
> ???: "'Shib Users'" <users at shibboleth.net>
> ??: "'??'" <wb626 at pku.edu.cn>
> ??: RE: what is the trust store used for in the TOTP plugin?
> 
> > However I doubt what the trust store is actually used for during the installation process?
> It is.
> 
> >  I see a folder credentials\net.shibboleth.idp.plugin.authn.totp is crested 
> > and an aes file and an empty backup file in this folder after installation. 
> 
> This is true for all plugins, not just TOTP.
> 
> TL;DR: The installer Is making it easier for you to do the right thing about trust.  The details are documented here [1], but I believe that it is worthwhile to be explicit as well.
> 
> By way of background, it is very important to the Shibboleth team that our users do not download or install malevolent packages.  For example, we go to significant lengths to validate any jars that we ship as part of the IdP.
> 
> When installing a plugin you are in effect downloading a random bit of software of unknown background.  There is a priori no reason to trust this software which could then go on to perform any amount of damage to your systems and your user's identities.
> 
> Whilst it is you that has to make the decision as to whether you are prepared to take that risk, the plugin installer provides some support and only allows plugins to be installed if they have passed a (GPG) signature check. Thus you will see that a plugin package consists of the contents (usually .tar.gz file) and a signature over that file (.asc).  
> 
> Before the plugin in installed the signature is checked.  This is this stage:
> 
> > Accept this key: 
> > Signature:      0x378B845402277962 
> > FingerPrint:    DCAA15007BED9DE690CD9523378B845402277962 
> > Username:       Scott Cantor <cantor.2 at osu.edu> 
> >  [yN] 
> 
> At  this stage you are expected to check that the signing certificate matches one that you are prepared to trust.  This stage is critical. 
> 
> In order that you do not have to go through this stage every time the installer also keeps track of those certificates that have already be accepted (it is in fact a GPG keyring) .  This is per plugin;  having accepted Scott's signature for the TOTP plugin means that you will not be prompted on an update if that update was signed by the same certificate.  If this certificate was used to sign a different plugin you would be prompted again: The fact that you trust Scott to ship TOTP plugins should not mean that you trust him to sign an OIDC plugin.
> 
> So we keep a GPG keyring on a per plugin basis and use this to determine whether you trust a signature or whether you need to go through due diligence on it.  This is the file you are seeing in the credentials folder.  If you have a centrally maintained keyring of trusted signatures you can use that (--truststore).
> 
> I hope this helps.
> 
> [1] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1294074003/PluginInstallation#GPG-Trust

From jeff.chapin at uni.edu  Wed Jun 28 18:40:08 2023
From: jeff.chapin at uni.edu (Jeff Chapin)
Date: Wed, 28 Jun 2023 13:40:08 -0500
Subject: Handling expired/expiring users after upgrading from Shib 3 to
 Shib 4
In-Reply-To: <8FADA6C9-5828-4DB3-9254-793798D235C7@osu.edu>
References: <CAHApK_WLvNVFcz8zeWWPjORe98QzLLhNqCaGWw4wwq-7miZV5w@mail.gmail.com>
 <4F60E6B4-6B52-43EF-A746-58630E419DAA@osu.edu>
 <8FADA6C9-5828-4DB3-9254-793798D235C7@osu.edu>
Message-ID: <CAHApK_VxEoUibGuk29dK0wwdGL8m9gVFaCHorYEsns_BQz4S0w@mail.gmail.com>

So I think I found three pieces of information that are relevant:
1) I misspoke, we are not on 4.3, we are on 4.2
2) I had not enabled the ExpiringPasswords module
3) When we had expirations working, we were using an external authenticator
(we were authing Shib off an existing CAS install), but where it is not
working, we are using the Password authenticator with an ldap server.

After some poking around, it looks like the ExpiringPasswordIntercept is
not firing when we use ldap authentication -- I have an install that is
still using CAS authentication, and if I run the command to enable the
ExpiringPassword intercept, and restart, it is catching the expired
password as expected.

Is there some way to get the ldap login flow to use the passwordExpiring
IDP Attribute? Or preferably to get the ExpiringPasswordIntercept to work
with Password auth?

Thanks for your time!

On Wed, Jun 21, 2023 at 11:11?AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> Another point I guess...4.3 adds an explicit DateTimeAttributeDefinition,
> which "isolates" the whole mess of converting inside the resolver and is
> perhaps a bit easier to play/debug with (e.g. aacli and reloading). That
> gets you a standard Instant out that the relevant predicate(s) will operate
> against without having to do the conversion there.
>
> I haven't done that switch myself but I added that so it's an option.
>
> -- Scott
>
>
>

-- 

Jeff Chapin,

Panther eSports Adviser
Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: Jeff.Chapin at uni.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230628/ae89e0f6/attachment.htm>

From cantor.2 at osu.edu  Wed Jun 28 19:40:28 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Wed, 28 Jun 2023 19:40:28 +0000
Subject: Handling expired/expiring users after upgrading from Shib 3 to
 Shib 4
In-Reply-To: <CAHApK_VxEoUibGuk29dK0wwdGL8m9gVFaCHorYEsns_BQz4S0w@mail.gmail.com>
References: <CAHApK_WLvNVFcz8zeWWPjORe98QzLLhNqCaGWw4wwq-7miZV5w@mail.gmail.com>
 <4F60E6B4-6B52-43EF-A746-58630E419DAA@osu.edu>
 <8FADA6C9-5828-4DB3-9254-793798D235C7@osu.edu>
 <CAHApK_VxEoUibGuk29dK0wwdGL8m9gVFaCHorYEsns_BQz4S0w@mail.gmail.com>
Message-ID: <D279B0E7-30AC-4C9E-B29F-5F2FFCCD0015@osu.edu>

> Is there some way to get the ldap login flow to use the passwordExpiring IDP
> Attribute? Or preferably to get the ExpiringPasswordIntercept to work with
> Password auth?

Login flows do not have any relationship to interceptors in that sense. The interceptors that run are based on the postAuthenticationFlows profile setting, which is something controlled based on relying party configuration and/or metadata, and has no connection back to how authentication is done in most cases. (*)

-- Scott

(*) An exotic Predicate could be coded up to examine authentication state to decide how to respond but that?s after the interceptor is running, not part of deciding whether to run.


From jeff.chapin at uni.edu  Wed Jun 28 19:45:58 2023
From: jeff.chapin at uni.edu (Jeff Chapin)
Date: Wed, 28 Jun 2023 14:45:58 -0500
Subject: Handling expired/expiring users after upgrading from Shib 3 to
 Shib 4
In-Reply-To: <D279B0E7-30AC-4C9E-B29F-5F2FFCCD0015@osu.edu>
References: <CAHApK_WLvNVFcz8zeWWPjORe98QzLLhNqCaGWw4wwq-7miZV5w@mail.gmail.com>
 <4F60E6B4-6B52-43EF-A746-58630E419DAA@osu.edu>
 <8FADA6C9-5828-4DB3-9254-793798D235C7@osu.edu>
 <CAHApK_VxEoUibGuk29dK0wwdGL8m9gVFaCHorYEsns_BQz4S0w@mail.gmail.com>
 <D279B0E7-30AC-4C9E-B29F-5F2FFCCD0015@osu.edu>
Message-ID: <CAHApK_U6OpsJq8Mi291Vukq+V-M3z4aQx9i5RFrWYTT4oyeQSw@mail.gmail.com>

Ok, I think I may be using the wrong terminology.

Is it wrong of me to expect the ExpiringPasswordIntercept to function, even
if we are using LDAP authentication? I would have thought that the
authentication method would be independent.

Jeff

On Wed, Jun 28, 2023 at 2:40?PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> > Is there some way to get the ldap login flow to use the passwordExpiring
> IDP
> > Attribute? Or preferably to get the ExpiringPasswordIntercept to work
> with
> > Password auth?
>
> Login flows do not have any relationship to interceptors in that sense.
> The interceptors that run are based on the postAuthenticationFlows profile
> setting, which is something controlled based on relying party configuration
> and/or metadata, and has no connection back to how authentication is done
> in most cases. (*)
>
> -- Scott
>
> (*) An exotic Predicate could be coded up to examine authentication state
> to decide how to respond but that?s after the interceptor is running, not
> part of deciding whether to run.
>
>

-- 

Jeff Chapin,

Panther eSports Adviser
Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: Jeff.Chapin at uni.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230628/e6e51ea4/attachment.htm>

From cantor.2 at osu.edu  Wed Jun 28 19:52:22 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Wed, 28 Jun 2023 19:52:22 +0000
Subject: Handling expired/expiring users after upgrading from Shib 3 to
 Shib 4
In-Reply-To: <CAHApK_U6OpsJq8Mi291Vukq+V-M3z4aQx9i5RFrWYTT4oyeQSw@mail.gmail.com>
References: <CAHApK_WLvNVFcz8zeWWPjORe98QzLLhNqCaGWw4wwq-7miZV5w@mail.gmail.com>
 <4F60E6B4-6B52-43EF-A746-58630E419DAA@osu.edu>
 <8FADA6C9-5828-4DB3-9254-793798D235C7@osu.edu>
 <CAHApK_VxEoUibGuk29dK0wwdGL8m9gVFaCHorYEsns_BQz4S0w@mail.gmail.com>
 <D279B0E7-30AC-4C9E-B29F-5F2FFCCD0015@osu.edu>
 <CAHApK_U6OpsJq8Mi291Vukq+V-M3z4aQx9i5RFrWYTT4oyeQSw@mail.gmail.com>
Message-ID: <040B5543-5511-401B-9D9D-712758A346C0@osu.edu>

> Is it wrong of me to expect the ExpiringPasswordIntercept to function, even
> if we are using LDAP authentication? I would have thought that the
> authentication method would be independent. 

It is, that's what I was saying.

-- Scott





From cyang at fullerton.edu  Fri Jun 30 20:03:16 2023
From: cyang at fullerton.edu (Yang, Charles)
Date: Fri, 30 Jun 2023 20:03:16 +0000
Subject: Shibboleth v4.1.0 upgrade failure with DuoOIDC plugin for Universal
 Prompt support
Message-ID: <SJ0PR08MB761948D642E79DAD16656B71A32AA@SJ0PR08MB7619.namprd08.prod.outlook.com>

Issue:
??????Shibboleth failed to boot. Jetty log presented this message.
================================================================
WARN [org.eclipse.jetty.webapp.WebAppContext:533] - Failed startup of context o.e.j.w.WebAppContext at 305a0c5f{Shibboleth Identity Pr
ovider,/idp,[file:///opt/jetty/temp/jetty-127_0_0_1-8008-idp_war-_idp-any-11747669412705206324/webinf/, jar:file:///opt/shibboleth-idp/war/idp.war!/],UNAVAIL
ABLE}{/opt/shibboleth-idp/war/idp.war}
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'shibboleth.AvailableAuthenticationFlows' defined in null:
Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"; nested exception
is java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectD
ecorator}'.trim())}".......

Caused by: java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"
================================================================

System versioning history: v3.3.3 -> v3.4.7 -> v3.4.8 -> v4.0.1(starting version) -> v4.1.0

Plugin installed:
bin]# ./plugin.sh -l
Plugin: net.shibboleth.oidc.common      Current Version: 1.1.0
Plugin: net.shibboleth.idp.plugin.authn.duo.nimbus      Current Version: 1.0.0

Module states:
bin]# ./module.sh -l
Module: idp.oidc.common.1 [ENABLED]  <=== this is enabled after I installed it ..
Module: idp.authn.DuoOIDC [ENABLED]  <=== this is enabled after I installed it ..
Module: idp.authn.Duo [ENABLED]
Module: idp.authn.External [ENABLED]
Module: idp.authn.Function [ENABLED]
Module: idp.authn.IPAddress [ENABLED]
Module: idp.authn.MFA [ENABLED]
Module: idp.authn.Password [ENABLED]
Module: idp.authn.RemoteUser [ENABLED]
Module: idp.authn.RemoteUserInternal [ENABLED]
Module: idp.authn.SPNEGO [ENABLED]
Module: idp.authn.X509 [DISABLED]
Module: idp.authn.Demo [DISABLED]
Module: idp.admin.Hello [DISABLED]
Module: idp.admin.UnlockKeys [ENABLED]
Module: idp.intercept.Consent [ENABLED]
Module: idp.intercept.ContextCheck [ENABLED]
Module: idp.intercept.ExpiringPassword [ENABLED]
Module: idp.intercept.Impersonate [ENABLED]
Module: idp.intercept.Warning [DISABLED]
Module: idp.profile.CAS [ENABLED]

Jetty version: 9.4.35.v20201120

Java version:
jetty]# java -version
openjdk version "11.0.14.1" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)

Steps followed:
??????https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631513/Upgrading
??????https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1374027959/DuoOIDCAuthnConfiguration

authn/DuoOIDC Flow Descriptor XML is added in conf/authn/general-authn.xml --> https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1374027959/DuoOIDCAuthnConfiguration#General-Configuration


Working workaround(which allows Jetty to boot properly and Shibboleth v4.1.0 working):

Manual removal of this line in "Flow Descriptor XML"
p:subjectDecorator-ref="#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"

Other attempts:

I have tried performing this upgrade path: v4.0.1-> v4.1.0 -> v4.3.1.
with v4.3.1 in place, I add both "oidc.common" and "duo.nimbus" plugins to its latest release version.

I got the same result.

Questions:

is this a known issue for an upgraded Shib system ?
Would the workaround post any issue with DuoOIDC functionalities ?
What am I missing from the upgrade process ? user error ?


Thank you for your time !


Chuck Yang

System Analyst, Infrastructure Services
Division of Information Technology

P: 657-278-5624
800 N. State College Blvd. Fullerton, CA
http://www.fullerton.edu/it
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230630/9f9912b3/attachment.htm>

From cantor.2 at osu.edu  Fri Jun 30 20:35:38 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Fri, 30 Jun 2023 20:35:38 +0000
Subject: Shibboleth v4.1.0 upgrade failure with DuoOIDC plugin for
 Universal Prompt support
In-Reply-To: <SJ0PR08MB761948D642E79DAD16656B71A32AA@SJ0PR08MB7619.namprd08.prod.outlook.com>
References: <SJ0PR08MB761948D642E79DAD16656B71A32AA@SJ0PR08MB7619.namprd08.prod.outlook.com>
Message-ID: <2114CF67-EDA0-4859-B824-8C0E13E11673@osu.edu>

I checked history and there's no version of the plugin with this bug. The property reference in the source tree is properly backstopped with a default.

> authn/DuoOIDC Flow Descriptor XML is added in conf/authn/general->authn.xml --

Why are you doing that step? There shouldn't be anything suggesting you need to do that under any normal conditions, if something says to do that, we probably need to correct it.

The bug is a mistake in the XML posted in that section of the documentation, so you're following an unnecessary step and the step happens to contain the error.

The underlying definition doesn't have the bug, which is why nobody has noted it. 

-- Scott









From cantor.2 at osu.edu  Fri Jun 30 20:45:10 2023
From: cantor.2 at osu.edu (Cantor, Scott)
Date: Fri, 30 Jun 2023 20:45:10 +0000
Subject: Shibboleth v4.1.0 upgrade failure with DuoOIDC plugin for
 Universal Prompt support
In-Reply-To: <2114CF67-EDA0-4859-B824-8C0E13E11673@osu.edu>
References: <SJ0PR08MB761948D642E79DAD16656B71A32AA@SJ0PR08MB7619.namprd08.prod.outlook.com>
 <2114CF67-EDA0-4859-B824-8C0E13E11673@osu.edu>
Message-ID: <B9A76C0E-62E6-4BC0-8802-0D207521EC08@osu.edu>

Docs are fixed (all the flow topics contained the same example bug).

-- Scott