[eduVPN-deploy] What is the Shib SP metadata?
Stefan Winter
stefan.winter at restena.lu
Mon Jul 6 12:40:28 CEST 2020
Hi,
what you quote in your example is already part of the default
configuration. I.e. attribute-map.xml contains that snippet already (and
that's why I thought it would be usable out-of-the-box). I also
restarted shibd unnecessarily just in case.
Is there anything else I might need to do?
Greetings,
Stefan Winter
On 06.07.20 at 12:01, Anass Chabli wrote:
> Hi,
>
> I think that the configuration of the attribute map for your SP is
> missing.
>
> "The mentioned attributes persistent-id and entitlement are
> configured in the Shibboleth configuration. Modify/add others as
> required in /etc/shibboleth/attribute-map.xml. Do not forget to
> restart Shibboleth if you make any changes to its configuration."
>
> example:
>
> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
>     <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
> </Attribute>
>
> <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
>     <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
> </Attribute>
>
>
> Cheers,
> Anass
>
>
> Anass CHABLI
> Responsable du Département Sécurité des Services / Head of Security of
> Services Department
> Direction des Services Applicatifs / Digital Services Direction
> RENATER - Rennes
> renater.fr
>
> ------------------------------------------------------------------------
> *From: *"stefan winter" <stefan.winter at restena.lu>
> *To: *"anass chabli" <anass.chabli at renater.fr>
> *Cc: *"eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
> *Sent: *Monday 6 July 2020 11:48:56
> *Subject: *Re: [eduVPN-deploy] What is the Shib SP metadata?
>
> Hi,
>
>
> maybe I have one for you :-)
>
>
> Now auth works, and I configured the IdP to send the
> eduPersonPrincipalName to eduVPN.
>
>
> With SAMLtracer, I see that this is actually happening, the relevant
> bit being:
>
> <saml:AttributeStatement>
>   <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
>                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>     <saml:AttributeValue xsi:type="xs:string">swinter at education.lu</saml:AttributeValue>
>   </saml:Attribute>
> </saml:AttributeStatement>
>
>
> So this goes through to Shibboleth.
>
>
> Simple-mindedly, I thought I could just change in eduVPN's config.php
> the attribute from "persistent-id" to "eppn":
>
> 'ShibAuthentication' => array(
>     'userIdAttribute' => 'eppn',
> ),
>
>
> but that results in an error:
>
>
> 400
>
> An error occurred.
>
> missing request header "eppn"
>
>
>
> So I guess Shibboleth doesn't pass this on by default - but I don't
> know how to make it change its mind.
>
>
> Any clues?
>
>
> Greetings,
>
>
> Stefan Winter
>
>
>
> On 06.07.20 at 10:27, Anass Chabli wrote:
>
> Hello Stefan,
>
> The Shibboleth SP makes its own SP metadata available through this URL: "https://youreduvpnserver/Shibboleth.sso/Metadata"
>
> Please, feel free to contact me directly, if you need any help on the SAML configuration.
>
> Cheers,
> Anass
>
> ----- Original message -----
> From: "Stefan Winter via eduVPN-deploy" <eduvpn-deploy at list.surfnet.nl>
> To: eduvpn-deploy at list.surfnet.nl
> Sent: Monday 6 July 2020 10:16:13
> Subject: [eduVPN-deploy] What is the Shib SP metadata?
>
> Hello,
>
>
> I'm currently configuring SAML auth (basic functionality of the eduVPN
> server already works, great!).
>
>
> I notice the documentation is maybe a little thin on this point:
>
>
> "Next: register your SP in your identity federation, or in your IdP."
>
>
> I'd love to - but where does the Shibboleth SP make its own SP metadata
> available so I can transfer it to the IdP? I've never worked with
> Shibboleth before. I imagine there is some kind of status URL like with SSP?
>
>
> Greetings,
>
>
> Stefan Winter
>
>
> _______________________________________________
> eduVPN-deploy mailing list
> eduVPN-deploy at list.surfnet.nl
> https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy
>
>
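Added example for this thread (not code from eduVPN, Shibboleth or either poster): a small Python check that replays the mapping step Anass describes, taking the Attribute Name seen in SAMLtracer, looking it up in attribute-map.xml and reporting whether the id that eduVPN's userIdAttribute names would be exported at all. The attribute map and AttributeStatement below are constructed copies of the snippets quoted in the thread with a placeholder identity. It covers only the SP's mapping step; when it resolves, the mapping is not the missing link and the "missing request header" error has to be chased further along, in how the SP hands the attribute to the web application.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
# Constructed attribute-map.xml fragment, modelled on the entries quoted above.
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
</Attributes>"""

# Constructed AttributeStatement modelled on the SAMLtracer capture above (placeholder identity).
ASSERTION_XML = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">user@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def export_attributes(assertion_xml, map_xml):
    """Simulate the SP's mapping step: {sp id: [values]} for each released
    attribute whose Name has an <Attribute> entry; unmapped Names are listed."""
    name_to_id = {a.get("name"): a.get("id")
                  for a in ET.fromstring(map_xml).iter(f"{{{MAP_NS}}}Attribute")}
    exported, unmapped = {}, []
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
        sp_id = name_to_id.get(attr.get("Name"))
        if sp_id is None:
            unmapped.append(attr.get("Name"))  # SP drops attributes it has no entry for
        else:
            exported.setdefault(sp_id, []).extend(values)
    return exported, unmapped

def user_id_status(assertion_xml, map_xml, user_id_attribute):
    """(value, None) if the id named by eduVPN's userIdAttribute would be
    exported by the SP, else (None, diagnosis) naming the missing link."""
    exported, unmapped = export_attributes(assertion_xml, map_xml)
    if user_id_attribute in exported:
        return exported[user_id_attribute][0], None
    if unmapped:
        return None, f'"{user_id_attribute}" not exported; released but unmapped: {unmapped}'
    return None, f'"{user_id_attribute}" not exported; SP exports only: {sorted(exported)}'
```

Run it against the real files by reading /etc/shibboleth/attribute-map.xml and a pasted AttributeStatement instead of the constructed strings.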