[eduVPN-deploy] What is the Shib SP metadata?

Anass Chabli anass.chabli at renater.fr
Mon Jul 6 12:01:52 CEST 2020


Hi, 

I think that the configuration of the attribute map for your SP is missing. 

" The mentioned attributes persistent-id and entitlement are configured in the Shibboleth configuration. Modify/add others as required in /etc/shibboleth/attribute-map.xml . Do not forget to restart Shibboleth if you make any changes to its configuration." 

example:

    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

Cheers, 
Anass 


Anass CHABLI 
Responsable du Département Sécurité des Services / Head of Security of Services Department 
Direction des Services Applicatifs / Digital Services Direction 
RENATER - Rennes 
renater.fr 
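As an added example (not code from this thread, from eduVPN or from Shibboleth), the following Python script checks whether the attribute the IdP asserts, as seen in the SAMLtracer dump above, is mapped in attribute-map.xml to the id that eduVPN's userIdAttribute expects, which is exactly the mismatch behind the "missing request header" error. The attribute-map fragments (including the entitlement entry standing in for a map without eppn), the config.php fragment and the asserted name are constructed from this thread.

```python
import re
import xml.etree.ElementTree as ET

NS = {"am": "urn:mace:shibboleth:2.0:attribute-map"}
# Constructed attribute-map.xml without an eppn entry (the entitlement
# mapping stands in for whatever the SP had before; an assumption).
MAP_BEFORE = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
</Attributes>"""

# The two <Attribute> entries from the reply, wrapped in a root element.
MAP_AFTER = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
</Attributes>"""

# The eduVPN config.php fragment from the thread.
CONFIG_PHP = """'ShibAuthentication' => array(
    'userIdAttribute' => 'eppn',
),"""

# Attribute Name carried in the assertion, as seen in the SAMLtracer dump.
ASSERTED = ["urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]

def mapped_ids(attribute_map_xml):
    """Map each SAML attribute Name to the id the SP exports it under."""
    root = ET.fromstring(attribute_map_xml)
    return {a.get("name"): a.get("id") for a in root.findall("am:Attribute", NS)}

def user_id_attribute(config_php):
    """Pull 'userIdAttribute' out of the ShibAuthentication block."""
    m = re.search(r"'userIdAttribute'\s*=>\s*'([^']+)'", config_php)
    return m.group(1) if m else None

def check(asserted, attribute_map_xml, config_php):
    """'ok' if the id eduVPN wants will be exported, else what is missing."""
    ids, wanted = mapped_ids(attribute_map_xml), user_id_attribute(config_php)
    if wanted in {ids[n] for n in asserted if n in ids}:
        return "ok"
    unmapped = [n for n in asserted if n not in ids]
    if unmapped:
        return f"{wanted!r} not mapped: add <Attribute name={unmapped[0]!r} id={wanted!r}> to attribute-map.xml"
    return f"IdP asserts nothing that attribute-map.xml maps to {wanted!r}"
```

Run check(ASSERTED, MAP_BEFORE, CONFIG_PHP) to reproduce the situation in the question and check(ASSERTED, MAP_AFTER, CONFIG_PHP) for the state after the reply's mapping is added (and Shibboleth restarted).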


From: "stefan winter" <stefan.winter at restena.lu>
To: "anass chabli" <anass.chabli at renater.fr>
Cc: "eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
Sent: Monday 6 July 2020 11:48:56
Subject: Re: [eduVPN-deploy] What is the Shib SP metadata?

Hi,

maybe I have one for you :-)

Now auth works, and I configured the IdP to send the eduPersonPrincipalName to eduVPN.

With SAMLtracer, I see that this is actually happening, the relevant bit being:

<saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">swinter at education.lu</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

So this goes through to Shibboleth.

Simple-mindedly, I thought I could just change the attribute in eduVPN's config.php from "persistent-id" to "eppn":

'ShibAuthentication' =>
array (
    'userIdAttribute' => 'eppn',
),

but that results in an error:

400

An error occurred.

missing request header "eppn"

So I guess Shibboleth doesn't pass this on by default - but I don't know how to make it change its mind.

Any clues?

Greetings,

Stefan Winter


On 06.07.20 at 10:27, Anass Chabli wrote:

Hello Stefan,

The Shibboleth SP makes its own SP metadata available through this URL: https://youreduvpnserver/Shibboleth.sso/Metadata
Please feel free to contact me directly if you need any help on the SAML configuration.

Cheers,
Anass

----- Original Message -----
From: "Stefan Winter via eduVPN-deploy" <eduvpn-deploy at list.surfnet.nl>
To: eduvpn-deploy at list.surfnet.nl
Sent: Monday 6 July 2020 10:16:13
Subject: [eduVPN-deploy] What is the Shib SP metadata?

Hello,

I'm currently configuring SAML auth (basic functionality of the eduVPN
server already works, great!).

I notice the documentation is maybe a little thin on this point:

"Next: register your SP in your identity federation, or in your IdP."

I'd love to - but where does the Shibboleth SP make its own SP metadata
available so I can transfer it to the IdP? I've never worked with
Shibboleth before. I imagine there is some kind of status URL like with SSP?

Greetings,

Stefan Winter


_______________________________________________
eduVPN-deploy mailing list
eduVPN-deploy at list.surfnet.nl
https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy


