
IRC log for #openam, 2013-12-05


All times shown according to UTC.

Time Nick Message
00:31 pdurbin aldaris: http://blogs.forgerock.org/petermajor/2013/12/setting-up-java-fedlet-with-shibboleth-idp/ looks great! thanks!
00:32 aldaris hope you find it useful
00:50 pdurbin aldaris: someday, probably. I'm switching gears from SAML to working on search. But I'll include a link to your blog post in my summary of the state of the SAML project
07:29 SteveF_ joined #openam
10:12 aldaris joined #openam
10:31 aldaris joined #openam
10:46 aldaris Good morning folks
11:52 MegaMatt joined #openam
12:35 hos001 joined #openam
13:11 asyd morning
13:11 aldaris bit late for that now :p
13:19 pdurbin aldaris: I noticed you wrote "Since now the XML has two EntityDescriptor root elements, you should only keep the one made for the IdP (i.e. the one that has the “https://idp.testshib.org/idp/shibboleth” entityID), and remove the other."
13:19 pdurbin ... and I noted a similar workaround for OIOSAML here: OIOSAML SP demo authenticating against the IdP from testshib.org - http://shibboleth.net/pipermail/users/2013-October/012558.html
13:19 pdurbin where I said, "I suppose this should be reported as a bug against OIOSAML"
13:20 pdurbin is this a bug in OpenAM? the fact that the IdP metadata from TestShib needs to be tweaked?
13:23 aldaris can be considered as a bug I guess
13:23 aldaris IIRC the fedlet expects only one EntityDescriptor for the IdP in the one file, and that's why it didn't work
13:24 pdurbin ok. on the shib list I had written this: OIOSAML might not be respecting "2.3 Root Elements" of http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf which states: "A SAML metadata instance describes either a single entity or multiple entities. In the former case, the root element MUST be <EntityDescriptor>. In the latter case, the root element MUST be <EntitiesDescriptor>."
13:24 pdurbin so what testshib is doing seems to be valid according to the spec
13:25 aldaris That's not spec violation IMHO
13:25 aldaris that just describes how the metadata should look like
13:25 aldaris not how it should be processed
13:26 pdurbin I'm saying testshib has not violated the spec
13:26 aldaris I'm not saying that either
13:26 pdurbin ok :)
13:26 aldaris that metadata is clearly valid
13:29 pdurbin in working with SAML I've been a little surprised how often I have to tweak the metadata from an IdP before I can use it. In a different case with OIOSAML, I had to swap the order of the encryption and signing KeyDescriptors under IDPSSODescriptor: https://github.com/IQSS/dvn/wiki/configuring-ADFS-relying-party
13:29 pdurbin so a different problem, but I expected I'd be able to use IdP metadata "as-is" without modification
13:30 aldaris that sounds like a stupid requirement
13:31 pdurbin stupid to expect that I don't have to hack on IdP metadata to make it work?
13:31 pdurbin too many negatives there
13:31 aldaris stupid to expect metadata keydescriptors in a given order
13:33 pdurbin oh, yes. I think it's a bug. It may be fixed already. There's a post about it on the OIOSAML forum - "Problems with ADFS 2.0 as IdP against OIOSAML SP" http://digitaliser.dk/forum/1075627
13:34 aldaris but ADFS generates invalid metadata in the first place, so with AM you have to change the order of elements as well (because the XML schema is not being followed by ADFS)
13:34 aldaris but that's not for the keydescriptor elements obviously
13:34 pdurbin interesting
13:34 pdurbin I haven't tried OpenAM with ADFS
13:34 aldaris plus the ADFS metadata contains all protocol shit
13:35 aldaris so you have SAML metadata and WS-Fed metadata in the same file
13:35 aldaris that's rather odd for me
13:35 aldaris but don't know if that's really valid or not
13:36 pdurbin yeah. no idea
15:03 bthalmayr joined #openam
15:29 MegaMatt BTW, glad this channel is logged now - it was helpful :)
15:31 pdurbin +1
15:31 ForgeRock joined #openam
15:32 pdurbin MegaMatt: I started making a list of places that log IRC channels: http://wiki.greptilian.com/irc/logging
15:32 MegaMatt nice, I see that this chan is under that irclog.perlgeek.de
15:37 Salbertelli joined #openam
15:41 Salbertelli Very Kewl, Matt ! http://wiki.greptilian.com/irc/logging
15:41 MegaMatt That's pdurbin's link :) but yes.. Welcome Salbertelli :D
15:42 aldaris indeed, welcome on IRC ;)
15:42 Salbertelli Thank you  :D  Glad to be here
15:45 MegaMatt I always forget the command to list the tids on TOP in linux
15:45 MegaMatt I'm used to Solaris :/
15:45 MegaMatt I think it's maybe -H or something
15:46 aldaris top -H sounds about right I think, bthalmayr knows probably from the top of his head :p
15:46 MegaMatt yeah, I'll look at the man page yet again :D
15:48 bthalmayr top -H is the way to go
15:49 MegaMatt top -H toggles though,.. freaking linux
15:51 bthalmayr top -H -c?
15:52 MegaMatt c is another toggle!
15:53 MegaMatt Not that it matters too much though, linux PID = TID anyhow
15:53 bthalmayr yes
15:55 bthalmayr If you just want to gather the thread ids once ' top -H  -n 1 -b'
15:56 MegaMatt Fun, .. handy.. prstatty ;)
16:35 aldaris guess top -H doesn't work on Mac, sigh
16:39 MegaMatt top on mac by default shows the TID, I think
16:40 MegaMatt maybe not
16:54 MegaMatt guh that was an interesting read.. looking for tid on mac ... finally find sc_usage has a THRD# output
17:03 jjpp_ joined #openam
17:27 Zendron joined #openam
17:36 Zendron Hello! Guys, I did some experiments configuring the OpenAM and I had to reset all configurations. I configured again all necessary properties but I have only one point: always when I access my application I receive 403 after a correct login. I'm using J2EE_POLICY as an agent filter. Do you know where I set the permission to access the '/*' from my FQDN? If I set to SSO_ONLY all works!
17:39 MegaMatt OpenAM 11? What policies do you have in place?
17:41 Zendron Yes, OpenAM 11 and I'm working with J2EE Policy Agent 3.1 for JBoss AS 7 with local configurations!
17:42 MegaMatt So are you really accessing /something or just / ?
17:44 MegaMatt and did you try setting the agent debug level to all?
17:44 Zendron Oh!! Thanks, the debug kkkk, just one minute to see the log!
17:46 Zendron AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
17:47 MegaMatt http://bugster.forgerock.org/jira/browse/OPENAM-1735   then maybe?
17:48 MegaMatt try the latest agent instead of 3.1
17:49 Zendron It was working before I changed some options on OpenAM!
17:50 MegaMatt Change the options back then! ;)
17:50 Zendron I'm reading your link, let's see
17:51 Zendron This is the problem kkkkk, my coworker from infrastructure tried some host rules there! Then...
17:54 MegaMatt oops, I really meant to link http://bugster.forgerock.org/jira/browse/OPENAM-2195
17:54 MegaMatt but I followed the url at the bottom of that one
17:54 MegaMatt and must have copied it by mistake
17:54 MegaMatt Don't know if you have a null request or not though
17:56 aldaris there is also OPENAM-2753 for JBoss 7
17:56 Zendron Let's see!
17:57 Zendron I'm reading the 2195
19:38 aldaris joined #openam
19:42 hos001 left #openam
19:44 bthalmayr joined #openam
19:49 Zendron I found it, MegaMatt and @aldaris, it was my web.xml, my co-worker will kill me now! I inserted my filter before some other filters, then my application does not know what to do! I wrote my filter after the other filters, then it works! Sorry guys, my mistake!
19:50 MegaMatt Oh good :D
19:50 Zendron kkkkkkk
20:59 aldaris joined #openam
21:31 aldaris joined #openam
21:59 aldaris joined #openam
