IRC log for #shibboleth, 2013-08-11

All times shown according to UTC.

Time Nick Message
06:45 testt joined ##shibboleth
06:45 rkeene joined ##shibboleth
06:46 rkeene I've created a simple SAML Identity Provider (always returns success with a username "anonymous").  I was attempting to use "testshib" to verify that it works, but it always returns an XML error.  I've verified that my XML is well-formed and also validates against the XSDs.  Is there anyone here who could test it out and let me know if they see an issue ?
06:47 rkeene https://mail.oc9.org/saml/idp.xml  is the metadata
12:12 pdurbin oh, maybe. but I just woke up. and mostly I've been testing the Service Provider side with testshib: https://github.com/dvn/shibpoc
14:14 rkeene I have an identity provider, not a service provider
14:19 pdurbin yeah
14:24 rkeene It seems like it should be valid :-P
14:25 pdurbin rkeene: maybe send the error to the shib mailing list
14:27 rkeene I'm not a big fan of lists, especially if I have to sign-up :-P
14:31 rkeene And also the error I get is pretty meaningless
14:32 rkeene xmltooling::XMLParserException at (https://sp.testshib.org/Shibboleth.sso/SAML2/POST)
14:33 pdurbin hmm. well formed but trouble parsing
14:33 pdurbin the full error and stacktrace would be helpful
14:34 rkeene Indeed, but this is all I get from testshib.org
14:34 pdurbin no no, they have logging
14:35 rkeene But I have no way to get their logs
14:35 pdurbin rkeene: https://idp.testshib.org/cgi-bin/idplog.cgi?lines=150&logname=idp-process.log via https://www.testshib.org/test.html
14:37 rkeene It seems like that would be logs for testing a service provider, not an identity provider
14:38 pdurbin oh
14:38 pdurbin no logs for testing an IdP?
14:38 rkeene Here's what I'm doing:  1. Go to: https://sp.testshib.org/; 2. Enter "faa1b979-d496-489c-bcb4-8574800a1870"; 3. Click "Go!"; 4. Enjoy the error
14:39 rkeene When I click the "shibd.log" button, it takes me to a blank page
14:40 pdurbin rkeene: you're replacing your.host.here with your host, I assume
14:40 rkeene "your.host.here" ?
14:41 rkeene On step #2 ?  No, I put in: faa1b979-d496-489c-bcb4-8574800a1870
14:41 rkeene Since that's the entityID of my identity provider
14:41 pdurbin https://sp.testshib.org/ says https://your.host.here/idp/shibboleth
14:42 pdurbin before you hit Go
14:42 rkeene Yes, I get rid of that and put in my entityID (faa1b979-d496-489c-bcb4-8574800a1870)
14:42 pdurbin why?
14:42 pdurbin you'll need to enter your host
14:42 rkeene It then sends me to my web server (https://mail.oc9.org/saml/?SAMLRequest=....) which processes the request
14:42 rkeene Because the instructions said to enter in the entityID of my identity provider
14:43 pdurbin maybe they should be edited
14:43 pdurbin I'd pay attention to your.host.here
14:43 rkeene That part is working (as you can verify for yourself by trying it -- you'll notice it redirects you to https://mail.oc9.org/saml/?SAMLRequest=.... briefly, where my JavaScript immediately redirects you back as directed)
14:44 rkeene If I do that it fails much sooner (since it can't locate my identity provider)
14:45 pdurbin rkeene: oc9.org is your domain?
14:45 rkeene Yes
14:45 pdurbin ok. hmm
14:45 pdurbin how does testshib know about faa1b979-d496-489c-bcb4-8574800a1870?
14:46 rkeene Before you can test an identity provider you have to upload the identity provider metadata ( https://mail.oc9.org/saml/idp.xml ), which includes the entityID and the service URL
14:46 pdurbin ah, ok
14:47 pdurbin rkeene: should you enter https://mail.oc9.org/idp/saml instead?
14:48 rkeene Enter it where ?
14:48 pdurbin at https://sp.testshib.org/
14:48 rkeene If I do that, it never fetches anything from my web server
14:49 pdurbin hmm
14:49 rkeene (And that's not a valid URL)
14:49 pdurbin oh :)
14:49 rkeene If it helps at all, I'm not using Shibboleth as my identity provider (I wrote it)
14:50 pdurbin gotcha
14:50 pdurbin probably the testshib folks understand what's going on
14:51 pdurbin maybe you could link them to this conversation
14:52 rkeene I will just set up my own Shibboleth service provider and see what it can tell me
14:53 pdurbin good idea
14:53 rkeene It's too bad you aren't running one already, you could link to my identity provider and tell me what error you get
14:53 rkeene shibboleth is compiling now
14:54 pdurbin rkeene: we re-purposed the vm mentioned in https://github.com/dvn/shibpoc :(
14:54 pdurbin but I'll need to set it up again in a few weeks/months. when i pick up the project again
14:54 pdurbin so far, I had only pointed it at testshib. would like to test against other IdPs
14:55 rkeene It probably won't exist for much longer -- it's just a test for a larger scope project.  I'm integrating something at work and want to make sure my SAML implementation is correct before letting the other side know it's ready to go.
14:56 pdurbin oh well
14:56 pdurbin timing is everything :)
14:57 rkeene That's what she said
17:53 pdurbin rkeene: "faa1b979-d496-489c-bcb4-8574800a1870 is definitely not a valid entityID, for what it's worth.  Parsing that apparently makes the SP error out entirely at the outset. Anyway, you couldn't see the logs because the file permissions on the Shibboleth logging directory got borked again.  Displaying the SP's logs online should work now." --a testshib guy
17:56 * pdurbin is a little bothered by "That's what she said"
21:38 rkeene Take it, take it, it's fine.
21:43 rkeene If I change the UUID into a URI, the metadata parser rejects it
21:59 rkeene Ah, because I also changed the ID attribute to match the entityID, which cannot be a URN
22:04 rkeene Hmm, does the SAMLResponse not get deflated ?
22:31 rkeene Apparently not -- there we go, my IdP now successfully validates !
22:31 rkeene Thanks for all your help
22:54 pdurbin rkeene: oh sure
22:54 pdurbin thank the testshib guy :)
22:55 rkeene Yes, that was *VERY* helpful
22:55 pdurbin if only we could get more people to hang out here :)
