IRC log for #shibboleth, 2016-03-09

All times shown according to UTC.

Time Nick Message
02:49 ilbot3 joined ##shibboleth
07:38 ga-dd joined ##shibboleth
13:03 mckeanbs joined ##shibboleth
15:00 misilot So for every SP the metadata from the IdP has to be copied to the SP and the metadata from the SP has to be saved to the IdP and added to the metadata directory and the metadata-providers.xml file?
15:03 mckeanbs Yep, metadata is the foundation for SAML based federations.
15:04 misilot ok thanks :)
15:05 mckeanbs Now, that said, it's also common to have Shibboleth download the metadata from a URL on a regular basis, which would also go in metadata-providers
15:08 misilot would it just download from the SP's Shibboleth.sso/Metadata endpoint?
15:09 mckeanbs That's one way to handle it, yes
15:12 misilot I know with the idp/metadata endpoint the example idp-metadata.xml contains the warning that: "This is example metadata only. Do *NOT* supply it as is without review,
15:12 misilot and do *NOT* provide it in real time to your partners." so wasn't sure if the same warning applied
15:14 mckeanbs The main thing they're getting at with that is that you may not want to expose everything in it, like attribute services.
15:14 misilot ah, so there would be another metadata file that is more complete that you could give the SP's. The one that is shown via idp/shibboleth doesn't need to match the one actually used then?
15:15 pdurbin misilot: this is why I'm being asked to register https://dataverse.harvard.edu at https://incommon.org/federation/info/all-entities.html#SPs ... so that institutions like MIT or wherever can just get https://dataverse.harvard.edu/Shibboleth.sso/Metadata from the InCommon feed.
15:15 mckeanbs Well, for example, what InCommon lists for us as metadata doesn't completely match the actual metadata on the box.
15:16 mckeanbs You generally want to be conservative about endpoints and stuff that you expose, for maintenance reasons and such.
15:16 mckeanbs That was a lesson I learned fairly recently, when we finally upgraded our metadata to include SAML2.
15:17 mckeanbs InCommon advised to leave out singlelogout and attributeservice endpoints, since they weren't needed and could cause headaches later
15:18 misilot so kind of keep AttributeService Binding="... out of the public metadata but provide it to the SP's so they can look up attributes
15:19 mckeanbs Well, really SPs likely don't need it
15:19 mckeanbs What you see there is full metadata for everything Shibboleth can do. But what you actually need for a functional federation is just a subset of that.
15:20 mckeanbs Our metadata for example only has SingleSignOn endpoints, with an old attributeservice endpoint just because we have to support SAML1 until the last SP switches to 2, then we won't have one published at all.
15:21 mckeanbs If you want to see what I mean, you can get the metadata: http://md.incommon.org/InCommon/InCommon-metadata.xml
15:21 mckeanbs And look for ours, James Madison University
15:24 mckeanbs You'll notice it's a good bit less than what Shibboleth produces out of the box. :)
15:24 misilot yup
15:26 misilot a lot less
15:31 mckeanbs Yeah. I initially thought every bit of it was needed, and was going to publish that. Though InCommon suggested we remove a lot of it since it wasn't actually needed. So I only learned that a few weeks ago
15:32 misilot So you don't even need the extra metadata for local SP's that don't talk to InCommon?
15:33 mckeanbs Likely not, unless they have special requirements
15:33 misilot ah ok. I can always try and find out :)
15:34 misilot waiting for Spacewalk to update so I can install the SP software on a couple of test systems
15:36 mckeanbs You're wise to have test systems for that.
15:38 misilot All this work to get Shibboleth for 1 service right now. I just don't think it is manageable long term to require students to create accounts to submit Theses & Dissertations electronically. Would rather use our Single Account, but do not know enough about the Play framework to write the CAS code, so Shibboleth it is :)
15:40 misilot But I see other uses for it so it hopefully will grow
15:42 mckeanbs If it's anything like here, it will, a lot. haha
15:43 misilot The main authentication here is CAS and has been for a few years, but there are just some products at least in the library that I know support Shibboleth but not CAS so if I can do away with students creating separate accounts the better
15:51 pdurbin misilot: do you like Play? A guy at work gave a talk on it: http://www.slideshare.net/MichaelBarSinai/playful-eye-for-the-jee-guy
15:53 misilot pdurbin: I don't do much with developing it. We are using Vireo (https://github.com/TexasDigitalLibrary/Vireo) which uses play
15:53 misilot it doesn't seem bad, but we do most of our web development with PHP right now
15:54 pdurbin ah, and Vireo is in Java rather than Scala. ok
17:26 mckeanbs joined ##shibboleth
17:31 misilot joined ##shibboleth
18:42 kgodey joined ##shibboleth
18:43 kgodey hi, I'm having some trouble testing my SAML SP against the TestShib IdP and I was wondering if anyone could help me with it
18:44 kgodey I'm using python-social-auth to set up my SP, and TestShib shows me the login page and successfully redirects to auth complete page
18:45 kgodey but it hangs there
18:46 kgodey I've traced the problem to the initialization of the python bindings to xmlsec within the python-saml library, but I'm not sure why it's hanging
18:47 mckeanbs If you're using RHEL or similar, maybe selinux is barking?
19:10 kgodey I'm on Ubuntu
19:11 kgodey 14.04
19:11 kgodey also when I try to initialize xmlsec within the python shell, it works fine
19:12 kgodey let me know if there's any other information I can provide too
19:12 kgodey I figured out the problem by making copies of all the functions within the python-saml library and adding a ton of logs
19:19 mckeanbs Can't say I know much about it other than wild speculation. I mostly work with the IDP
19:22 kgodey at this point, I'll take wild speculation, I've tried everything I could think of
19:29 mckeanbs Perhaps permissions related?
19:29 mckeanbs If python is getting called by the apache user, for example, does it have rights to the files being operated on?
20:03 pdurbin kgodey: I can tell you that the Shib SP works fine with the TestShib IdP but I have no idea about some SP written in Python.
20:04 kgodey mckeanbs: thanks, that's a good thing to check
20:05 kgodey pdurbin: thanks, I'm pretty sure the SP works, it's used by other projects (like open edX)
20:06 pdurbin ok. I know some edX people
20:12 kgodey the issue actually seems to be with the python-saml library
20:12 kgodey or more probably I'm doing something stupid and I don't know what it is
20:57 kgodey okay after some further digging it seems that the SAML response that TestShib is returning is not valid XML
20:57 kgodey it's cutting off
20:58 kgodey why would that be happening?
21:00 kgodey here's the response: https://gist.github.com/kgodey/63d23dc3ff2e5e959df5
21:08 mckeanbs Might be testshib. It's not unheard of for it to have issues
21:09 mckeanbs Though, that said, the mailing list isn't mentioning much
21:10 mckeanbs I know they normally let you see the logs from testshib, perhaps it would say something about it?
21:11 pdurbin kgodey: you're sure that your code or a library you're using isn't cutting off the XML, it sounds like.
21:17 kgodey pdurbin: you're right, it was a limitation of the logging library, the XML response is fine
21:18 pdurbin phew
21:18 mckeanbs BTW kgodey, for troubleshooting, you might wanna get SAML tracer
21:19 mckeanbs I've found it to be very helpful when I've been troubleshooting SAML related stuff
21:24 kgodey mckeanbs: that looks great, thanks!
21:25 mckeanbs You're welcome. :)
21:27 kgodey I ran the response through this validator: https://www.samltool.com/validate_response.php
21:28 kgodey it says:
21:28 kgodey Timing issues (please check your clock settings)
21:28 kgodey A valid SubjectConfirmation was not found on this Response
21:28 mckeanbs That looks very useful...  definitely bookmarking that
21:28 mckeanbs Yeah, the system times on the IDP and SP need to agree, and be synced from something reliable
21:29 mckeanbs I've had logins from SP's stop working because their time was so off.
21:31 kgodey I'll check that
21:31 kgodey I don't know what the SubjectConfirmation error means either.
21:32 mckeanbs That one I'm not sure on.
21:43 mckeanbs joined ##shibboleth
22:36 kgodey I've tried a few more requests, the validator says that both are valid.