IRC log for #shibboleth, 2015-07-22

All times shown according to UTC.

Time Nick Message
12:04 mckeanbs joined ##shibboleth
16:36 jawatio joined ##shibboleth
16:37 jawatio I'd like to talk to someone about the NameID value returned in a SAML response. I'm getting a base64-like value
16:40 mckeanbs In what context? Are you running an IDP/SP, and what are you wanting to produce?
16:41 mckeanbs Also, versions?
16:41 jawatio I'm using the latest Shibboleth IdP .. and my SP is the latest Picketlink
16:42 jawatio On the Java side, when I do getUserPrincipal().getName() .. it's the base64-ish value (it's encrypted, but not sure with what) .. instead of the email I expected
16:47 jawatio Is this value an encrypted hash of the user's email? I noticed it's used in the cookie generated by the IdP, and the value is the same from session to session
18:56 jawatio joined ##shibboleth
18:56 jawatio Is it possible to decode the SAML2 Transient NameID?
18:57 mckeanbs I've never managed. What is it you're trying to do? Have the nameid be something else?
18:58 jawatio I can't identify who logged in on my SP
18:59 mckeanbs Oh, I wouldn't look at nameid then
18:59 mckeanbs Turn on debug logging of the SP and look in the decrypted assertion
18:59 mckeanbs That'll show you everything
18:59 jawatio I see the assertion fine, but Picketlink gets the User Principal from this value
19:00 jawatio The Shib docs say, "opaque - whether a relying party can positively identify" .. and opaque is one of the marks for transient ...... how can I act on this claim to positively identify?
19:01 mckeanbs Wait, if they got that value, wouldn't you be the IDP?
19:01 jawatio The IdP gets the requested NameIDFormat, which it will ignore if it's not configured to use that kind
19:02 mckeanbs It sounds like you're running the IDP and you need to have a nameid be in the format that the SP requires.
19:03 jawatio no, not at all. I have no control over the IdP
19:04 mckeanbs So people from Picketlink are logging into your service?
19:05 jawatio Picketlink is the framework I am using to implement a SP within WildFly
19:07 mckeanbs Ah, ok. So you're trying to tie Shibboleth SP into your application, and to derive the nameid from transient during operation?
19:09 jawatio My application is a WAR deployed on WildFly using PicketLink SP connecting to a Shibboleth IdP. All I am trying to do is know who logged in
19:13 mckeanbs Ok, that makes sense. I would see if PicketLink has some sort of debug logging to show that information.
19:15 jawatio It does, it shows me the base64 string I've been asking how to process
19:15 jawatio :|
19:15 mckeanbs It won't show the decrypted assertion anywhere?
19:16 jawatio I have already requested the IdP provide me the value in Persistent or undefined format, but that's not an option. They tell me they use Transient to enforce better security
19:17 mckeanbs I mean Shibboleth's SP for example will show decrypted assertions, that show you all you need. I'd be surprised if any SP wouldn't have that ability
19:17 jawatio The assertion has already been decrypted; I see the entire message, roles and everything. Problem is, the username ("email" in this case) is in the NameID value, that's encoded in some way .. it's encrypted with something, because when I process the base64 I get nothing, or some processors show me a "secret asdlfjsdjfa;sldkjfa;s" value
19:18 jawatio I can't say this any other way, the assertion is decrypted
19:20 mckeanbs So the username/email isn't in the assertion at all? Just the NameID?
19:20 jawatio <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="{the IdP}" SPNameQualifier="{my app SP}">{some hash I removed}</saml2:NameID>
19:20 jawatio NameId is where the username/email goes
19:23 mckeanbs My suspicion is that you'd want that from the attributes it sends instead of nameid, but I admit I only have experience in configuring the Shib IDP to specially pass the nameid in a different format to satisfy them not knowing how to do the same.
19:26 jawatio The IdP provider stated they will not configure these values to be in the attribute section. All I'm told is it's because of security concerns
19:27 jawatio They have instructed me I have EVERYTHING I need to get a complete solution. The only thing I'm missing is correctly identifying the user logged in
19:30 mckeanbs That doesn't make sense to me... I think they mean the exact opposite.
19:30 mckeanbs That said I'd check the mailing list. They would probably provide better guidance than I
19:33 jawatio I know they meant what they said. Another team (not part of this company, nor do I have contact with them) has already completed their side of the top-level project. Their application works fine, it's getting the exact same formatted response