IRC log for #shibboleth, 2015-10-01

All times shown according to UTC.

Time Nick Message
12:07 mckeanbs joined ##shibboleth
14:00 mok__ joined ##shibboleth
14:01 mok__ Is there anyone?
14:01 pdurbin mok__: hi
14:01 mok__ great!
14:02 mok__ I am looking for a basic shibboleth SSO configuration using saml2
14:03 mok__ shibboleth as IdP, and from the other site I have passport-saml to use
14:04 pdurbin I've never set up an IdP. I've only worked on the SP side. Maybe mckeanbs can help.
14:05 pdurbin ah so this is some node.js thing: https://github.com/bergie/passport-saml
14:05 mok__ Just a question regarding SP: but those SPs are the clients that want to get authorized by the IdP, right?
14:06 mok__ Yes, I have already checked it out. I guess node works right, I have tried it with OpenIdP
14:07 pdurbin I do a lot of testing with http://www.testshib.org
14:07 mok__ I believe the problem is on shibboleth IdP configuration
14:07 mok__ this last is like OpenIdP?
14:08 mok__ is this last like OpenIdP?
14:11 mckeanbs Do you control the idp side?
14:14 mok__ yes mckeanbs, but I am a bit confused. The IdP provides the identity of the users, right? and so, the SP is the node application that wants to grant access to a user that is asking for it, right?
14:15 mckeanbs Yeah. SPs communicate with IdPs to get user information that they then act upon to allow access to a server, or deny it
14:15 mok__ perfect
14:15 mok__ okay, then my SP is the Node application (using passport-saml module)
14:16 mok__ and I know it works, I have tried it with the OpenIdP
14:17 mok__ I am looking to configure shibboleth as OpenIdP does
14:17 mok__ is it possible?
14:17 mckeanbs In all likelihood, yes. But you need more specifics than that
14:18 pdurbin mok__: you might want to ask at http://shibboleth.net/mailman/listinfo/users
14:19 mok__ what kinds of specifics?
14:21 mckeanbs I suppose to start, what backend you're pulling users from, what SAML assertions look like from it, what you have attributes mapped to, etc
14:24 mok__ users are stored in an LDAP
14:26 mok__ at the moment when I try to log in, I get the login form, then I type in correct user credentials and then in the callback (Node side) I get this error: Error: SAML provider returned Requester error: An error occurred.
14:27 mok__ Then it seems that Shibboleth returns me some incorrect (or even just missing) data
14:28 mckeanbs I'd take a look at Shib's logs and see what they say
14:44 mok__ just a second....
14:49 mok__ mckeanbs, http://pastebin.com/WqcUy9rx
14:53 mckeanbs Are you on Shib 3 or 2?
14:54 mckeanbs Either way, it looks like you need to configure a custom NameID for it.
15:00 mok__ 3.1.1
15:00 mok__ what is it?
15:01 mok__ where I can configure it?
15:01 mok__ where can I configure it?
15:03 mckeanbs I believe it's saml-nameid.xml
15:04 mckeanbs Since it seems to already specify that in metadata, you shouldn't need anything special in relying-party.xml
15:06 mok__ what do I have to write?
15:07 mok__ Do you have an example?
15:11 mckeanbs <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
15:11 mckeanbs p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:eid"
15:11 mckeanbs p:attributeSourceIds="cn" />
15:12 mckeanbs http://shibboleth.1660669.n2.nabble.com/ArcGIS-on-Shib-3-td7616612.html#a7616669
15:12 mckeanbs ^That's from the discussion I had while trying to figure out doing it for ArcGIS
15:13 mok__ I will try this immediately :-S
15:17 mckeanbs Of course, you'd replace stuff like the sourceid as the attribute you need, the format from eid to something like what you had above, etc
15:25 mok__ mckeanbs, look at this
15:25 mok__ 2015-10-01 17:23:29,587 - WARN [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:60] - SAMLPeerContext did not contain either a SAMLMetadataContext or a RoleDescriptor, unable to evaluate rule
15:25 mok__ 2015-10-01 17:23:29,591 - WARN [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:60] - SAMLPeerContext did not contain either a SAMLMetadataContext or a RoleDescriptor, unable to evaluate rule
15:25 mok__ 2015-10-01 17:23:31,261 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
15:25 mok__ 2015-10-01 17:23:31,262 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
15:25 mok__ 2015-10-01 17:23:31,871 - INFO [Shibboleth-Audit.SSO:241] - 20151001T152331Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_ad3136a8b7735e3384a7|https://logrnd008.replycloud.prv/idp/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://logrnd008.replycloud.prv/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_ae8aa3b9a9542c149393bad6ba96fd77|m.genova||uid,isMemberOf||
15:25 mok__ 2015-10-01 17:23:31,871 - INFO [Shibboleth-Audit.SSO:241] - 20151001T152331Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_be25d476a426183a3a83|https://logrnd008.replycloud.prv/idp/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://logrnd008.replycloud.prv/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_996d618e7514c896bdbe99e44ff728c5|m.genova||uid,isMemberOf||
15:25 mok__ 2015-10-01 17:23:31,875 - INFO [Shibboleth-Audit.SSO:241] - 20151001T152331Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_18b06ef067da8fd62432|https://logrnd008.replycloud.prv/idp/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://logrnd008.replycloud.prv/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_7661b3ed416fa8802771d662d0b91994|m.genova||uid,isMemberOf||
15:26 mok__ sorry for the wrong paste
15:26 mok__ I mean:
15:26 mok__ WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
15:29 mok__ then the bean should be like this
15:29 mok__ <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
15:29 mok__ p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
15:29 mok__ p:attributeSourceIds="cn" />
15:30 mok__ ?
15:30 mok__ or maybe do I have to define the emailAddress format?
