[eduVPN-deploy] What is the Shib SP metadata?

Stefan Winter stefan.winter at restena.lu
Mon Jul 6 12:40:28 CEST 2020


Hi,


what you quote in your example is already part of the default
configuration. I.e. attribute-map.xml contains that snippet already (and
that's why I thought it would be usable out-of-the-box). I also
restarted shibd unnecessarily just in case.


Is there anything else I might need to do?


Greetings,


Stefan Winter


On 06.07.20 at 12:01, Anass Chabli wrote:
> Hi, 
>
> I think that the configuration of the attribute map for your SP is
> missing. 
>
> "The mentioned attributes persistent-id and entitlement are
> configured in the Shibboleth configuration. Modify/add others as
> required in /etc/shibboleth/attribute-map.xml. Do not forget to
> restart Shibboleth if you make any changes to its configuration."
>
> example:
>
>     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
>         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
>     </Attribute>
>     <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
>         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
>     </Attribute>
>
> Cheers, 
> Anass
>
>
> Anass CHABLI
> Responsable du Département Sécurité des Services / Head of Security of
> Services Department
> Direction des Services Applicatifs / Digital Services Direction
> RENATER - Rennes
> renater.fr
>
> ------------------------------------------------------------------------
> From: "stefan winter" <stefan.winter at restena.lu>
> To: "anass chabli" <anass.chabli at renater.fr>
> Cc: "eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
> Sent: Monday 6 July 2020 11:48:56
> Subject: Re: [eduVPN-deploy] What is the Shib SP metadata?
>
> Hi,
>
>
> maybe I have one for you :-)
>
>
> Now auth works, and I configured the IdP to send the
> eduPersonPrincipalName to eduVPN.
>
>
> With SAMLtracer, I see that this is actually happening, the relevant
> bit being:
>
> <saml:AttributeStatement>
>   <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
>                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>     <saml:AttributeValue xsi:type="xs:string">swinter at education.lu</saml:AttributeValue>
>   </saml:Attribute>
> </saml:AttributeStatement>
>
>
> So this goes through to Shibboleth.
>
>
> Simple-mindedly, I thought I could just change the attribute in eduVPN's
> config.php from "persistent-id" to "eppn":
>
>   'ShibAuthentication' =>
>   array (
>     'userIdAttribute' => 'eppn',
>   ),
>
>
> but that results in an error:
>
>
>     400
>
> An error occurred.
>
> missing request header "eppn"
>
>
>
> So I guess Shibboleth doesn't pass this on by default - but I don't
> know how to make it change its mind.
>
>
> Any clues?
>
>
> Greetings,
>
>
> Stefan Winter
>
>
>
> On 06.07.20 at 10:27, Anass Chabli wrote:
>
>     Hello Stefan, 
>
>     The Shibboleth SP makes its own SP metadata available through this URL: "https://youreduvpnserver/Shibboleth.sso/Metadata"
>
>     Please, feel free to contact me directly, if you need any help on the SAML configuration.
>
>     Cheers,
>     Anass
>
>     ----- Original Message -----
>     From: "Stefan Winter via eduVPN-deploy" <eduvpn-deploy at list.surfnet.nl>
>     To: eduvpn-deploy at list.surfnet.nl
>     Sent: Monday 6 July 2020 10:16:13
>     Subject: [eduVPN-deploy] What is the Shib SP metadata?
>
>     Hello,
>
>
>     I'm currently configuring SAML auth (basic functionality of the eduVPN
>     server already works, great!).
>
>
>     I notice the documentation is maybe a little thin on this point:
>
>
>     "Next: register your SP in your identity federation, or in your IdP."
>
>
>     I'd love to - but where does the Shibboleth SP make its own SP metadata
>     available so I can transfer it to the IdP? I've never worked with
>     Shibboleth before. I imagine there is some kind of status URL like with SSP?
>
>
>     Greetings,
>
>
>     Stefan Winter
>
>
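As an added illustration, not code from this thread or from Shibboleth or eduVPN: a small Python re-implementation of the SAML-Name-to-id mapping that attribute-map.xml drives, run over a constructed attribute-map fragment (the default eppn entries quoted above) and a constructed AttributeStatement shaped like the SAMLtracer capture. The placeholder value and the second (mail) attribute are assumptions; an attribute whose Name has no map entry is reported rather than passed through, which is the first thing to check when an application complains that an attribute is missing.

```python
import xml.etree.ElementTree as ET

NS = {"am": "urn:mace:shibboleth:2.0:attribute-map",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
# Constructed attribute-map.xml fragment with the default eppn entries quoted in the thread.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
</Attributes>"""

# Constructed AttributeStatement: eppn as in the SAMLtracer capture (placeholder value),
# plus a mail attribute (assumed OID) that the map above has no entry for.
ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">user@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">user@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def load_map(xml_text):
    """Return {SAML Name: (SP id, decoder type)} from an attribute-map fragment."""
    mapping = {}
    for attr in ET.fromstring(xml_text).findall("am:Attribute", NS):
        dec = attr.find("am:AttributeDecoder", NS)
        dec_type = "StringAttributeDecoder" if dec is None else dec.get("{%s}type" % NS["xsi"])
        mapping[attr.get("name")] = (attr.get("id"), dec_type)
    return mapping

def resolve(assertion_text, mapping):
    """Map asserted attributes to SP ids; Names with no map entry are reported, not exposed."""
    resolved, unmapped = {}, []
    for attr in ET.fromstring(assertion_text).findall("saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if name not in mapping:
            unmapped.append(name)  # an unmapped attribute never reaches the application
            continue
        sp_id, dec_type = mapping[name]
        if dec_type == "ScopedAttributeDecoder":  # assumed: value@scope split on the last '@'
            values = [tuple(v.rsplit("@", 1)) for v in values]
        resolved.setdefault(sp_id, []).extend(values)
    return resolved, unmapped
```

Running resolve(ASSERTION, load_map(ATTRIBUTE_MAP)) yields the eppn value under its SP id and lists the mail OID as unmapped; feeding in your own attribute-map.xml and a SAMLtracer capture gives the same check for a real deployment.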