
IRC log for #shibboleth, 2015-10-05


All times shown according to UTC.

Time Nick Message
12:04 mckeanbs joined ##shibboleth
13:24 mok_ joined ##shibboleth
13:32 mok_ hello
13:32 mok_ hello! :-D
13:33 * pdurbin waves
13:40 mok_ I'm trying to configure the logout process. I have added the endpoint in the idp-metadata.xml. When I am trying to call the URL to log out I get the following error: Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/logout is not available for relying party configuration shibboleth.UnverifiedRelyingParty.  Looking on the internet I have seen I should configure something in the relyingParty, but it refers to Shib
13:40 mok_ version 2.5 instead of 3.1.1, which I have
13:41 mok_ in the idp-metadata.xml I have added this line:
13:41 mok_ <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://logrnd008.replycloud.prv/idp/profile/SAML2/Redirect/SLO"/>
14:04 pdurbin mok_: doesn't work?
14:04 mok_ nope
14:05 mok_ this is the error
14:05 mok_ Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/logout is not available for relying party configuration shibboleth.UnverifiedRelyingParty
14:06 mok_ Warning actually
14:07 mok_ graphically I got this message
14:07 mok_ Web Login Service - Unsupported Request
14:07 mok_ The application you have accessed is not registered for use with this service.
14:14 mckeanbs That's a sign that something is off in the metadata
14:14 mckeanbs Is there an entityid for that in the metadata?
14:30 mok_ mckeanbs, In the idp-metadata.xml there is just one tag
14:31 mok_ <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://hist/idp/shibboleth">
16:01 mckeanbs Ah, ok
16:01 mckeanbs Well, you might need to look at the relying-party and explicitly allow them.
16:04 mok_ mckeanbs, I already have something in the relying-party file..
16:04 mok_ <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
16:04 mok_ <property name="profileConfigurations">
16:04 mok_ <list>
16:04 mok_ <ref bean="SAML2.Logout" />
16:04 mok_ </list>
16:04 mok_ </property>
16:04 mok_ </bean>
16:04 mok_ those refer to the relying-party-system.xml file
16:05 mok_ which contains this
16:05 mok_ <bean id="SAML2.Logout"
16:05 mok_ class="net.shibboleth.idp.saml.saml2.profile.config.SingleLogoutProfileConfiguration"
16:05 mok_ p:artifactConfiguration-ref="shibboleth.DefaultArtifactConfiguration"
16:05 mok_ p:inboundInterceptorFlows="security-policy/saml2-slo"
16:05 mok_ p:encryptionOptional="%{idp.encryption.optional:false}" />
16:05 mckeanbs Sorry, I'm thinking the wrong thing. You likely need to allow it explicitly in attribute-filter
16:07 mok_ Really? It's a bit strange... what exactly would it look like?
16:31 mckeanbs lemme find an example
16:31 mok_ mckeanbs, thanks :)
16:33 mckeanbs <afp:AttributeFilterPolicy id="releaseToprovider">
16:33 mckeanbs <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://myurlhere" />
16:33 mckeanbs <afp:AttributeRule attributeID="cn">
16:33 mckeanbs <afp:PermitValueRule xsi:type="basic:ANY" />
16:33 mckeanbs </afp:AttributeRule>
16:33 mckeanbs <afp:AttributeRule attributeID="sn">
16:33 mckeanbs <afp:PermitValueRule xsi:type="basic:ANY" />
16:33 mckeanbs </afp:AttributeRule>
16:33 mckeanbs <afp:AttributeRule attributeID="jmuuniqueid">
16:33 mckeanbs <afp:PermitValueRule xsi:type="basic:ANY" />
16:33 mckeanbs </afp:AttributeRule>
16:33 mckeanbs </afp:AttributeFilterPolicy>
16:33 mckeanbs There's an example pulled out of ours
16:34 mckeanbs You likely need to just add them in there, if I had to guess
16:35 mok_ I already have some in that file
16:35 mok_ those are actually the variables that are returned to the SP
16:35 mok_ <afp:AttributeFilterPolicy id="releaseAuthToAnyone">
16:35 mok_ <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
16:35 mok_ <afp:AttributeRule attributeID="uid">
16:35 mok_ <afp:PermitValueRule xsi:type="basic:ANY"/>
16:35 mok_ </afp:AttributeRule>
16:35 mok_ <afp:AttributeRule attributeID="isMemberOf">
16:35 mok_ <afp:PermitValueRule xsi:type="basic:ANY"/>
16:35 mok_ </afp:AttributeRule>
16:35 mok_ <afp:AttributeRule attributeID="email">
16:35 mok_ <afp:PermitValueRule xsi:type="basic:ANY"/>
16:35 mok_ </afp:AttributeRule>
16:35 mok_ </afp:AttributeFilterPolicy>
16:37 mok_ So, I would need to add this:
16:37 mok_ <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://host/idp/profile/SAML2/Redirect/SLO" />
16:37 mok_ like that?
16:38 mok_ I am a bit confused...
16:46 mok_ mckeanbs, I have to go now
16:46 mok_ let's meet tomorrow.
16:46 mok_ Good bye!
