
IRC log for #openam, 2013-11-06


All times shown according to UTC.

Time Nick Message
00:06 MegaMatt joined #openam
04:29 metadaddy___ joined #openam
05:07 aldaris joined #openam
07:16 hos001 joined #openam
08:14 bthalmayr joined #openam
09:23 balo is this the official announcement? http://forgerock.com/new-openam-11-0-meeting-the-rapidly-shifting-needs-of-access-management/
09:27 balo it looks like a pre-announcement :) it isn't in the enterprise download list yet
09:34 tsmalmbe1 joined #openam
09:36 aldaris joined #openam
09:40 aldaris I don't think it's an actual announcement yet
11:59 MegaMatt joined #openam
12:41 SteveFerris joined #openam
16:43 pdurbin aldaris: stuff like the "Run Fedlet (SP) initiated Single Sign-On using HTTP Artifact binding" works fine
16:43 aldaris you sound surprised
16:43 pdurbin do I? :)
16:44 pdurbin next will be to point it at the IdP at http://testshib.org
17:35 pdurbin it seems editing files in ~/fedlet isn't enough... that I'll need to unzip fedlet.war, swap in the TestShib IdP metadata, zip it up again, and deploy to tomcat
17:36 aldaris that sounds strange a bit
17:36 aldaris but I don't test fedlet that often
17:37 pdurbin well, if I only edit the files in ~/fedlet without touching the war I get "Fedlet or remote Identity Provider metadata is not configured... Click here to create Fedlet configuration automatically."
17:37 pdurbin which I expect the first time
17:37 pdurbin but not after attempting to swap in the TestShib IdP in ~/fedlet
17:38 pdurbin but I need some lunch before I mess with fedlet.war
18:05 MegaMatt So, I don't know much at all about fedlet, .. but I thought maybe the automatic configuration that it does ... like.. grabs the data it needs
18:06 MegaMatt Unless you used like .. that unconfigured fedlet thingie ...
18:07 aldaris1 joined #openam
18:34 pdurbin MegaMatt: I'm using "Create Fedlet" under "Common Tasks"
18:35 pdurbin but you configure the fedlet against the currently running OpenAM IdP instance, which for e is at http://localhost:8080/openam
18:35 pdurbin me*
18:35 aldaris joined #openam
18:35 MegaMatt Ah gotcha
18:36 pdurbin so now the trick is to try to get that fedlet to work with a different IdP
18:36 pdurbin rather than the mother ship where it was created :)
18:36 MegaMatt Yeah, so you probably do have to open it up and swap out the infos
18:36 pdurbin MegaMatt: yeah, let me get some coffee and I'll try that next :)
18:39 pdurbin hmm, actually. some OIOSAML ADFS testing first. back in a bit
18:41 MegaMatt according to this old RFE, the Fedlet does support multiple IDPs .. wonder if that would work for you too, instead
18:41 MegaMatt https://java.net/jira/browse/OPENSSO-4062
18:47 pdurbin MegaMatt: yep, that's my understanding: http://irclog.perlgeek.de/openam/2013-11-05#i_7817287
18:48 MegaMatt Ah yes yes
18:48 MegaMatt I'm slow ;)
19:00 pdurbin MegaMatt: ha! no, no. I'm just glad you're playing along :)
19:09 metadaddy___ joined #openam
19:16 pdurbin hmm. same result when I put the new IdP bits in the conf directory in fedlet.war: "Fedlet or remote Identity Provider metadata is not configured."
19:19 pdurbin so I'm not so sure you can use the OpenAM fedlet with an IdP other than OpenAM
19:20 pdurbin of course, those files in "conf" may be wrong. I'd be happy to post both war files
19:28 MegaMatt Were you able to build your own that went back to OpenAM as the IDP?
19:29 pdurbin MegaMatt: oh sure. that works fine
19:29 MegaMatt Hmm so it shouldn't complain about metadata really.. because how would it know?
19:30 pdurbin dunno
19:30 pdurbin I'm posting my wars at http://dvn-5.hmdc.harvard.edu/tmp/openam/fedlet/
19:30 MegaMatt I'm probably not much help, aldaris knows a lot more ;)
19:32 pdurbin MegaMatt: no worries. here are the changes I made to the war: http://dvn-5.hmdc.harvard.edu/tmp/openam/fedlet/diff.txt
19:33 aldaris joined #openam
19:33 pdurbin I very well could have missed a file or two
19:34 pdurbin or more. I'm new to configuring fedlet. new to all of openam, really
19:36 pdurbin aldaris: any thoughts on this?
19:42 hos001 left #openam
19:43 SteveFerris joined #openam
20:59 aldaris joined #openam
21:00 aldaris pdurbin, you should see something in the logs I would say
21:03 pdurbin aldaris: nothing in catalina.out... should I check elsewhere?
21:05 aldaris there should be a debug folder somewhere
21:05 aldaris I think the FederationConfig file in ~/fedlet should have a setting for debug directory
21:06 pdurbin yeah, when I was first messing around I generated files at ~/fedlet/debug/libSAML (and libSAML2) for example but I don't have those now
21:10 pdurbin aldaris: and you're right, the setting is there
21:10 aldaris you sound surprised :D
21:10 aldaris again ;)
21:10 pdurbin :)
21:10 pdurbin but it doesn't work
21:11 aldaris well have you looked at the debug logs now?
21:11 pdurbin I don't have those now, like I said
21:13 aldaris is the log level on message?
21:13 pdurbin it says com.iplanet.services.debug.level=error
21:13 pdurbin so, no :)
21:13 pdurbin aldaris: thanks
21:18 pdurbin restarted tomcat and I have a debug directory now. nothing obvious in the two files though: libPlugins and libSAML2
21:18 pdurbin BUT
21:18 pdurbin I just realized I never uploaded my SP metadata to TestShib!
21:19 pdurbin (facepalm)
21:19 pdurbin BUT
21:19 pdurbin my metadata is not right
21:19 pdurbin "The file you are attempting to upload is not valid metadata. Please correct any errors and try again." after attempting to upload at http://testshib.org/register.html
21:19 pdurbin this is what I'm trying to upload: https://pdurbin.pagekite.me/fedlet/saml2/jsp/exportmetadata.jsp
21:32 aldaris pdurbin, IIRC the entityID needs to have a restricted format for testshib
21:33 aldaris I would also remove the RoleDescriptor and the XACML descriptor to be on the safe side
21:34 pdurbin hmm. restricted format... I'll have to look that up. thanks
21:34 pdurbin and I'll look at those other items
21:34 aldaris I mean it needs to be a URL or something
21:34 aldaris not just a hostname
21:35 pdurbin aldaris: hmm, well, testshib has always accepted this, for example (not a URL): entityID="dvn-alpha.hmdc.harvard.edu"
21:36 pdurbin I was just looking at https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness
21:37 aldaris alrighty, then I remembered incorrectly
21:38 aldaris all these stupid IdPs keep working slightly differently :D
21:45 pdurbin org.xml.sax.SAXParseException: cvc-elt.4.2: Cannot resolve 'query:AttributeQueryDescriptorType' to a type definition for element 'RoleDescriptor'.
21:45 pdurbin aldaris: bingo. sounds like you're right
21:46 pdurbin that was from: ./xmlsectool.sh --validateSchema --schemaDirectory schemadir2 --inFile ~/fedlet/sp.xml
21:46 pdurbin after downloading http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os-xsd.zip and unzipping it into that "schemadir2" directory
21:47 pdurbin got that tool at https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool
21:48 pdurbin after seeing "Using the contributed XmlSecTool to check for Schema-validity" at https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness#MetadataCorrectness-XmlSecTool
21:49 aldaris nice…
21:49 aldaris well come on then, fix the metadata :)
21:53 pdurbin hmm. took out RoleDescriptor but still the same error when uploading at http://testshib.org/register.html
21:54 pdurbin running the tool again
21:55 pdurbin org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'XACMLAuthzDecisionQueryDescriptor'. One of '{"urn:oasis:names:tc:SAML:2.0:metadata":RoleDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":IDPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":SPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AuthnAuthorityDescriptor,
21:55 pdurbin "urn:oasis:names:tc:SAML:2.0:metadata":AttributeAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":PDPDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":Organization, "urn:oasis:names:tc:SAML:2.0:metadata":ContactPerson, "urn:oasis:names:tc:SAML:2.0:metadata":AdditionalMetadataLocation}' is expected.
21:56 pdurbin aldaris: like you said... XACML...
22:00 pdurbin removed XACMLAuthzDecisionQueryDescriptor and...
22:00 pdurbin INFO  XmlSecTool - XML document is schema valid
22:01 pdurbin "schema valid"!
22:01 * pdurbin dances
22:02 pdurbin and http://testshib.org/register.html took it. yay!
22:03 pdurbin of course... I still have the original problem... "Fedlet or remote Identity Provider metadata is not configured." at http://pdurbin.pagekite.me/fedlet/ :(
22:07 pdurbin aldaris: I uploaded my debug directory to here if you'd like to poke around: http://dvn-5.hmdc.harvard.edu/tmp/openam/fedlet/testshib-idp/fedlet-config-dir/fedlet/debug/
22:08 aldaris I'm gonna pass :p
22:08 pdurbin ok
22:08 pdurbin I guess I'm going to give up on getting fedlet working then
22:08 aldaris feeling tired lately
22:08 pdurbin I'll try the normal OpenAM next
22:09 aldaris would be nice if you could just make up your mind at some point :p
22:09 pdurbin aldaris: I didn't even know fedlet was a thing until you mentioned it :)
22:39 pdurbin hmm, I'm getting "Invalid cookie domain" when running the initial configurator on a .me site (pdurbin.pagekite.me). worked fine on localhost and dvn-vm2.hmdc.harvard.edu
22:42 pdurbin https://bugster.forgerock.org/jira/browse/OPENAM-1945 says stuff like "The current implementation of the lib can not deal with upcoming '.gmbh' TLD" so I wonder if .me isn't supported or something
23:11 aldaris could be, don't know..
23:17 pdurbin well, pagekite supports CNAMEs so I'll maybe I'll add one, eventually
23:17 pdurbin s/I'll//
23:20 MegaMatt joined #openam
23:24 pdurbin huh. REST API. neat. http://docs.forgerock.org/en/openam/10.0.0/dev-guide/index/chap-rest.html
