
IRC log for #shibboleth, 2013-10-08


All times shown according to UTC.

Time Nick Message
01:46 _ilbot joined ##shibboleth
07:25 pdurbin joined ##shibboleth
09:18 jpn joined ##shibboleth
10:12 jpn joined ##shibboleth
14:13 pdurbin sanman: any experience setting up an SP?
14:29 sanman pdurbin, yes, I have quite a bit of experience
14:30 pdurbin sanman: so I set up an SP at https://dvn-vm2.hmdc.harvard.edu/secure/
14:30 sanman pdurbin: I'm currently running OpenAM as my IdP and Shibboleth as my SP
14:30 pdurbin ah, cool. I'm in #openam too :)
14:31 pdurbin but my SP (like yours) is Shibboleth
14:31 sanman on the shibboleth wiki there is a version number referenced for the IdP and ECP support
14:31 pdurbin for now my SP is "native" SP: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted
14:32 sanman I'm just wondering if maybe there's something else in the config that I'm missing to enable ECP
14:32 sanman my grand plan here is to write a PAM module for linux that uses SAML-ECP
14:32 sanman I want it for cloud machines
14:32 * pdurbin looks at https://wiki.shibboleth.net/confluence/display/SHIB2/ECP
14:32 pdurbin "Enhanced Client or Proxy"
14:33 sanman For corporations that have large SAML deployments (like mine does) it makes a lot of sense to try to integrate your linux accounts in the cloud into your existing SAML infrastructure
14:33 sanman but in my opinion, for this to be done correctly I really need to use the ECP profile
14:34 sanman otherwise I would be writing a bunch of code to interact with HTML login forms
14:34 sanman and I would probably only support a few IdP login pages
14:34 pdurbin yeah, not limited to a browser sounds great
14:34 pdurbin sanman: so... getting back to my SP... :)
14:34 sanman yeah, it just seems that the ECP profile hasn't caught on in a big way yet
14:34 sanman sure
14:35 pdurbin I have my SP pointed at an IdP (that I don't run)
14:35 pdurbin if you click the harvard link above (my SP) you'll get redirected to https://adfs.medlab.harvard.edu which is the IdP
14:35 pdurbin it all works fine
14:35 sanman ahh, ADFS
14:35 pdurbin but the IdP guy tells me he's sending me attributes
14:35 pdurbin and I'd like to see them
14:36 sanman have you looked at your SAML assertions that come back?
14:36 pdurbin either with the native SP or a Java SP: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
14:36 sanman there's a great firefox plugin I use to look at them
14:36 pdurbin huh. nice
14:36 sanman it's just called SAML tracer
14:36 pdurbin https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
14:37 pdurbin that must be it
14:43 pdurbin sanman: the plugin is doing stuff (thanks!) but I don't see attributes. I'll check with my IdP guy
14:43 pdurbin sanman: what if I wanted to try to get at the attributes from Java. any tips for that?
14:46 pdurbin (or the native SP, I guess)
14:49 sanman pdurbin: I'm actually just getting there myself
14:49 pdurbin sanman: ah. no worries :)
14:49 sanman pdurbin: this has been kind of an adventure for me
14:50 sanman pdurbin: I've done a lot of SAML work, but never done any development with it before
14:50 pdurbin gotcha
18:15 pdurbin sanman: so the fix is to add SSO ECP="true" ?
18:42 pdurbin sanman: the firefox plugin is interesting but I can't see the attributes because they are (apparently) encrypted within the "EncryptedAssertion" element
20:36 sanman pdurbin: yeah, I added ECP="true" to the SSO element and I'm getting back a valid authn request from the SP now
20:37 sanman now my problem is that when I post the authn request to the IdP I get an error: "SPSSOFederate.initiateECPRequest: spEntityID is null, realm is /"
20:38 pdurbin hmm
20:38 pdurbin I have all kinds of problems ;)
20:38 sanman pdurbin: I'm reading through the code and it looks like the spEntityID is supposed to be passed in as a param in the URL
20:38 pdurbin but I'm kind of getting this to work: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
20:40 sanman that sounds pretty interesting
20:40 pdurbin sanman: here are my notes: https://docs.google.com/document/d/17jP8k7yZJDcp9GqKRbhPBuX5gHt6iZCNCxRPyvX-w7o/edit?usp=sharing
20:41 sanman one thing I've been wondering about is how can you let a backend application server know the username of the person accessing your app, but this seems to answer that question
20:41 pdurbin oh sure I bet it's in the logs
20:43 sanman it looks like apache will add REMOTE_USER to the request headers when it forwards traffic to the app server
20:43 sanman I actually have a big implementation using Oracle Access Manager inside my company and it does the same thing
20:44 sanman it passes REMOTE_USER back to our weblogic servers so the apps running in there know the username
20:44 pdurbin hmm. ok
20:44 pdurbin in my config: REMOTE_USER="eppn"
20:48 pdurbin sanman: another openam guy: http://irclog.greptilian.com/javaee/2013-10-08#i_28917
21:42 sanman I'm starting to wonder if I'm hitting a bug in the OpenAM ECP code
21:44 sanman it looks like the method com.sun.identity.saml2.profile.SPSSOFederate.initiateECPRequest is supposed to pass in the realm name in the variable metaAlias
21:44 sanman then over in SAML2MetaManager.getEntityByMetaAlias(), that method is supposed to look up the entityID based on your realm name
21:46 sanman but that method seems to be returning null rather than a String containing the entityID
22:25 pdurbin the lookup probably failed. not found, so null
