IRC log for #shibboleth, 2015-08-28

All times shown according to UTC.

Time Nick Message
01:47 ilbot3 joined ##shibboleth
12:04 mckeanbs joined ##shibboleth
13:15 Cheezehead joined ##shibboleth
13:31 Cheezehead so quiet
13:45 mckeanbs Yeah, discussion usually happens on the mailing list
13:48 Cheezehead tried the mailings, never got any useful answers
13:51 Cheezehead are you guys tying everything off AD on the backend?
13:57 mckeanbs That's what the IDPs I setup here have done, yeah
13:57 mckeanbs I also got working test environments off other ldap servers
14:00 Cheezehead are you guys doing any mappings to custom attributes in AD?
14:03 Cheezehead trying to pull in the eduPersonAffiliation with the source of 1.2.840.113556.1.2.430
14:05 mckeanbs In our case it's pulled from an attribute in AD called the same thing
14:05 Cheezehead ok
14:06 mckeanbs I do know we have some custom attributes, so hard to say there.
14:07 Cheezehead that's what I was getting from the list, extend the schema and add the value vs using the software to pull in the custom entry. In our case the data is already in AD for some Exchange Distribution groups. didn't really see the point in loading the same value multiple times into AD
14:08 mckeanbs Makes sense. Though sometimes you'll have to do something custom for parties.
14:08 mckeanbs ArcGIS for example wanted the nameid passed as "firstname lastname"
14:09 mckeanbs So literally had Shibboleth take the cn and sn I think it was and combine them with a space in the middle
14:09 Cheezehead Ya, outputting a concatenated student id for a SAS package international ed is using
14:10 mckeanbs Even though there are SAML attributes they could have used. :p
14:35 Cheezehead figured it out
14:38 Cheezehead had the wrong value for the sourceAttributeID
14:43 mckeanbs Ah, cool that you figured it out
14:54 Cheezehead 9 months later LOL
17:21 mckeanbs Heh, well, as an organization we're only recently starting to work more on getting SAML2 implemented, so there's that. haha
17:22 Cheezehead tried doing adfs outside of the incommon affiliation due to HA support but that didn't go far, most 3rd parties have supported shib only.
17:24 mckeanbs More and more stuff is moving to it
17:27 Cheezehead might look into it, would need to stand up a second idp before i'd consider moving any of the more critical services to it
17:29 Cheezehead have you guys moved to v3 yet?
17:29 mckeanbs Our main InCommon one, yes. We have a major SP that's on a V2 server still, but plans are set to move it to v3, and I have a test server up for it
19:01 jawatio joined ##shibboleth
19:02 jawatio Oh Ubuntu 14. When I run "service shibd start" I get "unable to run config check as user" and "xercesc_3_1::NumberFormatException" .. But no errors in the logs.. I can't figure out why it won't start
19:08 Cheezehead hmm
19:08 Cheezehead new install?
19:12 Cheezehead sudo service shibd start
19:12 jawatio Yes it's a brand new OS and Shibby install
19:13 jawatio I've tried starting the service with and without "sudo". but get same result
19:13 Cheezehead something's not right in the config file
19:13 jawatio Indeed.. can't find the issue though
19:14 jawatio I also tried "shibd -check -t" and it said something about "/etc/shibboleth/heck"
19:15 Cheezehead did you specify your config location with the -c option?
19:16 jawatio no. not in the instructions
19:17 Cheezehead something like
19:17 Cheezehead shibd -t -c /etc/shibboleth/shibboleth2.xml
19:18 jawatio Okay I'll give that a try.. just updated console.logger to DEBUG .. hoping more details will print
19:19 jawatio I get the same error. DEBUG does make more print out. but none is useful. it's all the normal expected startup messages.. none are error/fatal
19:22 jawatio So comparing the logged messages to my working windows instance.. "INFO OpenSAML.MetadataProvider.XML : reload thread started...running when signaled" is the last matching message..
19:23 jawatio "Shibboleth.Application : building AttributeExtractor of type XML..." is the next message in windows.. I'm going to review attribute-map.xml .. I deleted everything but the ones I needed.. guess that was not a good idea
19:24 Cheezehead check over the config files with an XML editor....usually a comma or something really dumb laying around where it's not supposed to be
19:25 jawatio Well it was a good idea, but I was wrong. default files. same message
19:26 Cheezehead i'll usually pull up the config with notepad++ with it set for XML.....look for where the colors are messed up
19:26 jawatio I see the last XML file in the logs is "(/etc/shibboleth/idp-metadata.xml)" .. but this one is the exact same on all SPs
19:26 jawatio Yeah there is no XML formatting issues
19:27 jawatio Is there any ways to get more details on where the 'xercesc_3_1::NumberFormatException' happens?
19:28 Cheezehead hmm
19:28 Cheezehead you sure libxerces is installed?
19:30 jawatio http://packages.ubuntu.com/trusty/web/libapache2-mod-shib2 This is the deb repo package I'm using.. it auto installed , but I also tried installing "libxerces-c3.1" but it said it was already installed
19:34 jawatio Set XMLTooling to DEBUG logging... It looks like it fully processes idp-metadata.xml without error.. I see it long reading the last AttributeService element
19:39 Cheezehead not sure
19:39 Cheezehead running everything on server 2012 here
19:39 Cheezehead mckeanbs is running on linux I think
19:40 jawatio Has to be some config.. I just fully reinstalled the OS and "libapache2-mod-shib2", did "service shibd restart" with no setting changes.. It started ...
19:43 jawatio Oddly enough it HAS to be our IdPs metadata file.. I added just <MetadataProvider type="XML" file="idp-metadata.xml"/> .. now getting that error.. very odd though. works on all our other SPs.. none are Shibby Ubuntu though
19:44 jawatio copied over the idp-metadata.xml file as well. just in case that wasn't implied :P
19:45 Cheezehead why not pull it?
19:46 Cheezehead <MetadataProvider type="XML" uri="https://shibidp-1.mydom.edu/idp/shibboleth" backingFilePath="mydom-metadata.xml" reloadInterval="7200" />
19:46 jawatio I'll give it a try, but that's the file we are using
19:47 Cheezehead that way it updates as your idp updates
19:48 jawatio backingFilePath="mydom-metadata.xml", is that how the SP will locally name it?
19:48 Cheezehead replace mydom with whatever your domain is
19:48 Cheezehead basically it forces a cached copy of the metadata on your server to automatically refresh every 2hrs
19:49 jawatio Took it longer to show the messages. but it got the Number exception ..
19:54 jawatio http://pastebin.com/hWSBtYs1 This is the XML it is processing .. I removed the Certs and changed domain .. everything else is the same
19:55 jawatio As far as XMLTooling shows. it reads the file.. but I'm guessing that's before it processes with Xerces
19:57 Cheezehead syntax looks ok
19:59 Cheezehead whats your shibboleth2.xml file look like?
20:00 jawatio http://pastebin.com/bUgdNX5Z This is what Ubuntu installed with the package.. only diff is what you requested to try.. Using URL for MetaProvider
20:03 Cheezehead metadataprovider assuming you have the fqdn for your metadata source
20:03 Cheezehead also the references are on 8080....all of mine are standard https
20:03 jawatio I do, and I have confirmed the server can see it via the domain
20:04 jawatio Right now the IdP is on 8080 and 8443 .. no Apache in front of it
20:04 Cheezehead ok
20:04 Cheezehead for applicationdefaults I have signing="false"
20:04 jawatio we are just setting it all up.. We first do 8080 during config process. once it works we switch to https
20:04 Cheezehead but am handling the sessions a bit different: <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">
20:05 jawatio Yeah soon as its confirmed working that is similar to how we set it up
20:08 Cheezehead looks like in the logs a fatal or error level event that should point to the specific issue...should be within 3 lines of the "unable to run config check as user"
20:09 jawatio What you mean?
20:10 jawatio None of Shibboleth logs contain any log level other than INFO DEBUG and WARN
20:12 Cheezehead shibd_warn.log
20:12 Cheezehead and shibd.log
20:13 jawatio _warn just has WARN about https .. and shibd.log is pretty standard http://pastebin.com/SBLx3v8e
20:14 jawatio Do you know if maybe Xerces has its own log?
20:14 Cheezehead nope
20:14 Cheezehead you sure it's installed?
20:14 jawatio Si
20:14 Cheezehead hrm
20:14 Cheezehead donno
20:15 Cheezehead usually been a set it and forget it product most of the time for me
20:15 jawatio Same actually
20:16 jawatio But this is DEB install.. not RPM
20:16 jawatio Employer won't let us use CentOS .. RedHat not any option because it's not free lol
20:19 Cheezehead hmm
20:19 Cheezehead last ubuntu sp install we did just via apt-get
20:21 jawatio yeah that's the one I'm using .. it's SP 2.5.2
21:18 Cheezehead left ##shibboleth