IRC log for #openam, 2017-02-21

All times shown according to UTC.

Time Nick Message
01:23 aldaris joined #openam
01:24 aldaris joined #openam
01:25 aldaris joined #openam
01:25 aldaris joined #openam
01:26 aldaris joined #openam
01:27 aldaris joined #openam
01:28 aldaris joined #openam
07:20 aldaris joined #openam
07:51 KermitTheFragger joined #openam
08:19 aldaris joined #openam
10:21 aldaris joined #openam
11:56 MegaMatt joined #openam
12:05 aldaris joined #openam
13:05 aldaris joined #openam
13:25 sam__ joined #openam
13:25 sam__ hi all
13:25 sam__ hi @aldaris
13:25 aldaris hi there
13:26 sam__ @aldaris: i need your help
13:26 sam__ to fix an error in SAML
13:27 sam__ it's a client issue and an urgent need too
13:28 aldaris well strictly speaking that is your problem so far
13:28 aldaris I can try to help, but it's not like I have an SLA or something
13:31 sam__ thanks for that aldaris. client uses shibboleth as SP and ADFS as IDP
13:32 aldaris hah
13:32 aldaris how is this openam related?
13:32 asyd :))
13:33 * asyd cooks pop-corn
13:33 sam__ i think you are expert in SAML too. the issue is: saml request's destination and saml response issuer not matching..
13:34 MegaMatt this-gun-b-good.gif
13:34 aldaris the issuer of a response is not the same thing as the destination of an AuthnRequest
13:34 aldaris they are not meant to be the same
13:34 sam__ as a result we are facing looping behaviour during login
13:35 aldaris they have relation to each other, yes, but they are not the same
13:35 aldaris the only way you can have looping is that if the shibboleth sp restarts the flow upon receiving an erroneous response, that sounds a bit dodgy
13:37 sam__ then how to solve this issue..
13:38 aldaris lol
13:39 aldaris you give me a vague description of a problem, and now you expect me to return a step-by-step guide to fix it?
13:40 sam__ sorry if i miss any detail..
13:41 sam__ can u specify what info is needed for this issue ?
13:43 aldaris like error messages from logs? like example saml responses that are considered invalid? like SAML metadata from the entities involved?
13:51 sam__ FYI, the saml response is successful for first time after that i can see only saml request in log
15:09 sam__ https://gist.github.com/anonymous/7b5d21cd69e7d579949ae912ae780558
15:09 sam__ aldaris: r u there ? that's a sample log
15:10 sam__ from SP
15:10 sam__ and sorry for the delay..
15:10 sam__ this has both request and response
15:11 aldaris the SAML response is missing like half of it?
15:11 aldaris and is not valid XML currently?
15:11 sam__ will get u..
15:25 sam__ https://gist.github.com/anonymous/585482e15dccef433a2295357c902d12
15:25 sam__ pls chk this
15:26 sam__ i have modified domain names for confidentiality..
15:26 sam__ aldaris: r u able to get that log ?
15:29 sam__ is that log enough ?
15:30 aldaris yes, just crying above my keyboard as the host names in the response are not masked the same way as in the request. One would assume that www.yyyyyyyy would be consistently present in both, but hey, I'm a magician
15:30 aldaris so what error are you getting after shibboleth successfully decoded the saml response?
15:31 aldaris so far all I can see is that your adfs has successfully issued an assertion
15:51 sam__ 2017-01-18 15:03:22 DEBUG XMLTooling.XMLObject [11]: caching DOM for XMLObject (document is bound) 2017-01-18 15:03:22 DEBUG XMLTooling.StorageService [11]: inserted record (_b8bc09ca227e16bdce97e5ce4363558b5853e5) in context (_b75e7c62ea97016cf0bafd15a842d174) with expiration (1484773402) 2017-01-18 15:03:22 INFO Shibboleth.SessionCache [11]: new session created: ID (_b75e7c62ea97016cf0bafd15a842d174) IdP (https://sso.yyyyyyyy/zzzz
15:51 sam__ this is the response
15:57 sam__ https://gist.github.com/anonymous/36a29a5b33e0ae556f41369af89e6f1f
15:57 sam__ a formatted log
15:58 aldaris well, at this stage I would suggest to reach out to shibboleth community
16:01 aldaris1 joined #openam
17:05 aldaris joined #openam
19:00 aldaris joined #openam
20:36 aldaris joined #openam