[eduVPN-deploy] What is the Shib SP metadata?
Anass Chabli
anass.chabli at renater.fr
Mon Jul 6 15:04:26 CEST 2020
Hi Stefan,
Could you have a look at the Shibboleth SP log files to check whether the attribute is parsed correctly by the SP?
Otherwise I don't know why the error is raised by the app, maybe François will have more information on that.
Cheers,
Anass
From: "stefan winter" <stefan.winter at restena.lu>
To: "anass chabli" <anass.chabli at renater.fr>
Cc: "eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
Sent: Monday 6 July 2020 12:40:28
Subject: Re: [eduVPN-deploy] What is the Shib SP metadata?
Hi,
what you quote in your example is already part of the default configuration. I.e. attribute-map.xml contains that snippet already (and that's why I thought it would be usable out-of-the-box). I also restarted shibd unnecessarily just in case.
Is there anything else I might need to do?
Greetings,
Stefan Winter
On 06.07.20 at 12:01, Anass Chabli wrote:
Hi,
I think that the configuration of the attribute map for your SP is missing.
" The mentioned attributes persistent-id and entitlement are configured in the Shibboleth configuration. Modify/add others as required in /etc/shibboleth/attribute-map.xml . Do not forget to restart Shibboleth if you make any changes to its configuration."
example:
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
Cheers,
Anass
Anass CHABLI
Responsable du Département Sécurité des Services / Head of Security of Services Department
Direction des Services Applicatifs / Digital Services Direction
RENATER - Rennes
renater.fr
From: "stefan winter" <stefan.winter at restena.lu>
To: "anass chabli" <anass.chabli at renater.fr>
Cc: "eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
Sent: Monday 6 July 2020 11:48:56
Subject: Re: [eduVPN-deploy] What is the Shib SP metadata?
Hi,
maybe I have one for you :-)
Now auth works, and I configured the IdP to send the eduPersonPrincipalName to eduVPN.
With SAMLtracer, I see that this is actually happening, the relevant bit being:
<saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">swinter at education.lu</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
So this goes through to Shibboleth.
Simple-mindedly, I thought I can just change in eduVPN's config.php the attribute from "persistent-id" to "eppn":
'ShibAuthentication' =>
    array (
        'userIdAttribute' => 'eppn',
    ),
but that results in an error:
400
An error occurred.
missing request header "eppn"
So I guess Shibboleth doesn't pass this on by default - but I don't know how to make it change its mind.
Any clues?
Greetings,
Stefan Winter
On 06.07.20 at 10:27, Anass Chabli wrote:
Hello Stefan,
The Shibboleth SP makes its own SP metadata available through this URL: https://youreduvpnserver/Shibboleth.sso/Metadata . Please feel free to contact me directly if you need any help on the SAML configuration.
Cheers,
Anass
----- Original message -----
From: "Stefan Winter via eduVPN-deploy" <eduvpn-deploy at list.surfnet.nl>
To: eduvpn-deploy at list.surfnet.nl
Sent: Monday 6 July 2020 10:16:13
Subject: [eduVPN-deploy] What is the Shib SP metadata?
Hello,
I'm currently configuring SAML auth (basic functionality of the eduVPN
server already works, great!).
I notice the documentation is maybe a little thin on this point:
"Next: register your SP in your identity federation, or in your IdP."
I'd love to - but where does the Shibboleth SP make its own SP metadata available so I can transfer it to the IdP? I've never worked with Shibboleth before. I imagine there is some kind of status URL like with SSP?
Greetings,
Stefan Winter
_______________________________________________
eduVPN-deploy mailing list
eduVPN-deploy at list.surfnet.nl
https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy
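As an added example (not code from this thread, from Shibboleth or from eduVPN), the Python below resolves a SAML AttributeStatement like the one captured with SAMLtracer through the attribute-map.xml entry quoted in the thread, and applies a simplified form of the scope check that the Shibboleth SP's default attribute-policy.xml applies to scoped attributes such as eppn: a value whose scope the IdP's metadata does not declare is dropped before it can reach the application, which then sees no "eppn" at all. The constructed XML, the idp_scopes set and the user_id helper are assumptions.

```python
# Added example, not code from the eduVPN-deploy thread, Shibboleth or eduVPN: map a SAML
# AttributeStatement through attribute-map.xml to SP ids, then apply a simplified scope check.
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MAP_NS = "{urn:mace:shibboleth:2.0:attribute-map}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed attribute-map.xml fragment carrying the eppn entry quoted in the thread.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Attribute
  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"><AttributeDecoder
  xsi:type="ScopedAttributeDecoder" caseSensitive="false"/></Attribute></Attributes>"""

# Constructed AttributeStatement, like the one captured with SAMLtracer in the thread.
ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>swinter@education.lu</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>"""

def load_map(map_xml):
    """Return {SAML Name: (SP id, decoder type)} from an attribute-map.xml document."""
    mapping = {}
    for attr in ET.fromstring(map_xml).findall(MAP_NS + "Attribute"):
        dec = attr.find(MAP_NS + "AttributeDecoder")
        decoder = dec.get(XSI_TYPE) if dec is not None else "StringAttributeDecoder"
        mapping[attr.get("name")] = (attr.get("id"), decoder)
    return mapping

def resolve(assertion_xml, attr_map, idp_scopes):
    """Return (accepted {id: [values]}, rejected [(id or Name, reason)]); idp_scopes = lowercase scopes the IdP declares."""
    accepted, rejected = {}, []
    for attr in ET.fromstring(assertion_xml).iter(SAML_NS + "Attribute"):
        entry = attr_map.get(attr.get("Name"))
        if entry is None:  # unmapped attribute: the SP never exposes it (the thread's first guess)
            rejected.append((attr.get("Name"), "no entry in attribute-map.xml"))
            continue
        sp_id, decoder = entry
        for node in attr.iter(SAML_NS + "AttributeValue"):
            value = (node.text or "").strip()
            scope = value.rsplit("@", 1)[1].lower() if "@" in value else None
            if decoder == "ScopedAttributeDecoder" and scope not in idp_scopes:
                rejected.append((sp_id, f"scope {scope!r} not declared by the IdP"))
                continue
            accepted.setdefault(sp_id, []).append(value)
    return accepted, rejected

def user_id(attrs, user_id_attribute="eppn"):
    """Value an eduVPN-style userIdAttribute lookup would get; None = 'missing request header'."""
    return (attrs.get(user_id_attribute) or [None])[0]
```

Running it with idp_scopes lacking "education.lu" reproduces the symptom from the thread (attribute mapped, but nothing reaches the application), while the Shibboleth SP log files Anass asks about are where the real filter decision is recorded.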