IRC log for #shibboleth, 2016-03-08

All times shown according to UTC.

Time Nick Message
13:07 mckeanbs joined ##shibboleth
14:11 misilot to get attributes to release on a SP I have to make sure they are in attribute-map.xml correct? And is there a way to just allow all attributes it finds in the attribute-policy.xml? I think that is what is causing me issues why I am getting no attributes. I get attributes on testshib, so I know they are being created
14:21 pdurbin misilot: I just tell my users to let all the attributes through: http://guides.dataverse.org/en/4.2.4/installation/shibboleth.html#attribute-map-xml
14:23 misilot thanks pdurbin so I shouldn't need to touch attribute-policy at all?
14:31 pdurbin misilot: hmm. dunno. what's it for? I've never used it.
14:32 misilot i thought I found references in trying to figure out why I don't get attributes to that file
14:53 misilot mhmm so I can login but still no attributes. I removed the AJP prefix as I wasn't getting even the blank arrays with a $_SERVER dump
15:12 misilot How do I make sure REMOTE_USER="eppn" is being filled from the IdP?
15:19 misilot http://pastebin.com/NXiJQzN0 this is from my transaction.log on the SP
15:20 misilot though this is in my shibd.log WARN Shibboleth.AttributeResolver.Query [3]: no SAML 2 AttributeAuthority role found in metadata
15:37 pdurbin misilot: you *might* find this helpful: https://github.com/dvn/shibpoc/tree/master/java/shibsppoc
15:48 misilot thanks pdurbin i will take a look
15:51 misilot is it possible to update the metadata on a SP?
15:52 misilot nevermind it actually changed when I modified the metadata.xml
16:29 misilot Is there a way to make https://sp-host/Shibboleth.sso/Metadata get regenerated after metadata.xml has been updated and the shibd service has restarted?
16:30 mckeanbs joined ##shibboleth
16:44 pdurbin misilot: you might need to restart apache too. not sure
18:36 misilot thanks pdurbin and mckeanbs for the help
18:37 pdurbin oh sure
18:39 misilot are there any shibboleth idp management tools available for managing SP's and such? Just curious what's out there.
18:40 mckeanbs None that I'm aware of
18:55 pdurbin misilot: what would the tool do?
18:57 misilot pdurbin: not sure, possibly allow submission of SP metadata/keys to the idp so they can be added to the idp for authorization?
18:57 misilot trying to build a workflow of how I would go about managing entityID's for SP's and making sure everything is kept up to date and such when adding new services
18:58 misilot just getting into Shibboleth. I have been a user of CAS where I am (not the management side of it), but since the library where I am is implementing Shibboleth just trying to figure out the best way to go about doing it is
19:03 pdurbin that reminds me of an internal tool I heard about
19:07 mckeanbs The official answer to that problem is to join a federation and have a decent default attribute release policy
19:08 mckeanbs Of course, many SPs won't join a federation, so there will probably always be ones you have to add separately
19:12 misilot Ok thanks. Not sure if it would make sense if main campus IT here wanted to start using Shibboleth as well as CAS to either transition our services to them or to create a Federation between the Library and IT
19:14 misilot Also does it make sense to have multiple IdP's setup, to provide redundant access? Would I more likely have the 2-3 configured identically behind an HA and the traffic just goes to a backend in either an active-active RR type or an active-backup?
19:15 mckeanbs I suppose that depends on your infrastructure. If they're real hardware boxes, that'd be a good idea. If they're a VM and you have your VMware hosts sufficiently redundant, it might be a non-issue with things like vmotion
19:24 pdurbin mckeanbs: lots of internal apps won't be part of any federation. But I see your point about best practices with regard to which attributes should be used.
19:27 mckeanbs pdurbin: Yeah, very true. We're still having the conversation here on what default attribute policy we want to do. It's not merely a technical discussion, as with many things Shibboleth
19:29 pdurbin with OAuth you can just start letting your users log in via Google or Facebook or whatever. no red tape :)
19:31 mckeanbs Heh, yeah, that's what many SPs are looking at doing.
19:32 mckeanbs A lot of the reason it can be such a pain to manage Shibboleth is because, even with Federations, lots of people want to play by their own rules.
20:19 pdurbin or at least Google or Facebook's rules :)
20:21 mckeanbs Yeah... InCommon for example excepts so much variance in attributes. I really wish they'd just say, "This is our standard"
20:22 mckeanbs accepts*
20:23 pdurbin mckeanbs: I assume you've seen https://www.incommon.org/federation/attributesummary.html
20:25 mckeanbs I have, but unfortunately it's more of a "This is what is common" than a "This is what we standardize on"
20:33 pdurbin oh
20:37 mckeanbs Yeah, not always fun. :p
20:38 pdurbin :)
