[eduVPN-deploy] What is the Shib SP metadata?

Stefan Winter stefan.winter at restena.lu
Mon Jul 6 15:43:23 CEST 2020


Hi,

with some live debugging help from Chris Phillipps (thanks!) I was able
to solve this.

The problem was that our federation does not assert any shibmd:Scope
constraints. The eppn was scoped, but Shibboleth by default ignores it
unless it finds its shibmd:Scope constraint and the actual value matches.

So, Shibboleth dropped the eppn on receipt, and from the POV of eduVPN,
the IdP never actually sent an eppn, so it couldn't possibly use it.

The solution was, of course, to relax the Shibboleth checks regarding
Scope checking. I could do that without compromising security because
the eduVPN server connects to only exactly one IdP, and that is under
the control of the same person that administers eduVPN, i.e. yours truly.

Greetings,

Stefan Winter

On 06.07.20 at 15:04, Anass Chabli wrote:
> Hi Stefan, 
>
> Could you have a look at the shibboleth SP log files, to check if the
> attribute is well parsed by the SP ?
>
> Otherwise I don't know why the error is raised by the app, maybe
> François will have more information on that.
>
> Cheers,
> Anass 
> ------------------------------------------------------------------------
> *From: *"stefan winter" <stefan.winter at restena.lu>
> *To: *"anass chabli" <anass.chabli at renater.fr>
> *Cc: *"eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
> *Sent: *Monday 6 July 2020 12:40:28
> *Subject: *Re: [eduVPN-deploy] What is the Shib SP metadata?
>
> Hi,
>
>
> what you quote in your example is already part of the default
> configuration. I.e. attribute-map.xml contains that snippet already
> (and that's why I thought it would be usable out-of-the-box). I also
> restarted shibd unnecessarily just in case.
>
>
> Is there anything else I might need to do?
>
>
> Greetings,
>
>
> Stefan Winter
>
>
> On 06.07.20 at 12:01, Anass Chabli wrote:
>
>     Hi, 
>
>     I think that the configuration of the attribute map for your SP is
>     missing. 
>
>     "The mentioned attributes persistent-id and entitlement are
>     configured in the Shibboleth configuration. Modify/add others as
>     required in /etc/shibboleth/attribute-map.xml. Do not forget to
>     restart Shibboleth if you make any changes to its configuration."
>
>     example:
>
>         <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
>             <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
>         </Attribute>
>         <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
>             <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
>         </Attribute>
>
>     Cheers, 
>     Anass
>
>
>     Anass CHABLI
>     Head of Security of Services Department
>     Digital Services Direction
>     RENATER - Rennes
>     renater.fr
>
>     ------------------------------------------------------------------------
>     *From: *"stefan winter" <stefan.winter at restena.lu>
>     *To: *"anass chabli" <anass.chabli at renater.fr>
>     *Cc: *"eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
>     *Sent: *Monday 6 July 2020 11:48:56
>     *Subject: *Re: [eduVPN-deploy] What is the Shib SP metadata?
>
>     Hi,
>
>
>     maybe I have one for you :-)
>
>
>     Now auth works, and I configured the IdP to send the
>     eduPersonPrincipalName to eduVPN.
>
>
>     With SAMLtracer, I see that this is actually happening, the
>     relevant bit being:
>
>     <saml:AttributeStatement>
>       <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>         <saml:AttributeValue xsi:type="xs:string">swinter@education.lu</saml:AttributeValue>
>       </saml:Attribute>
>     </saml:AttributeStatement>
>
>
>     So this goes through to Shibboleth.
>
>
>     Simple-mindedly, I thought I can just change in eduVPN's
>     config.php the attribute from "persistent-id" to "eppn" :
>
>       'ShibAuthentication' =>
>       array (
>         'userIdAttribute' => 'eppn',
>       ),
>
>
>     but that results in an error:
>
>
>         400
>
>     An error occurred.
>
>     missing request header "eppn"
>
>
>
>     So I guess Shibboleth doesn't pass this on by default - but I
>     don't know how to make it change its mind.
>
>
>     Any clues?
>
>
>     Greetings,
>
>
>     Stefan Winter
>
>
>
>     On 06.07.20 at 10:27, Anass Chabli wrote:
>
>         Hello Stefan, 
>
>         The Shibboleth SP makes its own SP metadata available through this URL " https://youreduvpnserver/Shibboleth.sso/Metadata "
>
>         Please, feel free to contact me directly, if you need any help on the SAML configuration.
>
>         Cheers,
>         Anass
>
>         ----- Original message -----
>         From: "Stefan Winter via eduVPN-deploy" <eduvpn-deploy at list.surfnet.nl>
>         To: eduvpn-deploy at list.surfnet.nl
>         Sent: Monday 6 July 2020 10:16:13
>         Subject: [eduVPN-deploy] What is the Shib SP metadata?
>
>         Hello,
>
>
>         I'm currently configuring SAML auth (basic functionality of the eduVPN
>         server already works, great!).
>
>
>         I notice the documentation is maybe a little thin on this point:
>
>
>         "Next: register your SP in your identity federation, or in your IdP."
>
>
>         I'd love to - but where does the Shibboleth SP make its own SP metadata
>         available so I can transfer it to the IdP? I've never worked with
>         Shibboleth before. I imagine there is some kind of status URL like with SSP?
>
>
>         Greetings,
>
>
>         Stefan Winter
>
>
>         _______________________________________________
>         eduVPN-deploy mailing list
>         eduVPN-deploy at list.surfnet.nl
>         https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy
>
>
>
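Stefan's final reply at the top of this message comes down to one check: the federation asserts no shibmd:Scope for the IdP, so the SP's scoped-attribute policy drops the eppn on receipt and the application reports a missing "eppn" header even though SAMLtracer shows the attribute on the wire. The following is an added Python model of that behaviour, written for this page and not taken from eduVPN or the Shibboleth SP. The IdP metadata, the assertion fragment and the entitlement value are constructed; the case-insensitive literal match and the whole-string regexp match are assumptions of the model, not a statement of the SP's exact matching rules.

```python
"""Scoped-attribute handling as a Shibboleth SP applies it (added example).

Illustrative code written for this thread, not eduVPN's or the Shibboleth
SP's own implementation. It models two steps discussed above: the
ScopedAttributeDecoder from attribute-map.xml, which splits an
eduPersonPrincipalName into value and scope, and the scope check, which keeps
a scoped attribute only if the asserting IdP's metadata carries a matching
<shibmd:Scope>. All metadata and assertion XML here is constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Minimal model of attribute-map.xml: SAML attribute Name -> (id, scoped?)
ATTRIBUTE_MAP = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ("eppn", True),          # ScopedAttributeDecoder
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": ("entitlement", False),  # plain string
}

# Constructed IdP metadata: the federation in the thread asserts no Scope
# (first variant); a registration that does carry one (second variant).
IDP_NO_SCOPE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

IDP_WITH_SCOPE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">education.lu</shibmd:Scope></md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def assertion_with_eppn(eppn):
    """Constructed assertion fragment shaped like the SAMLtracer capture above."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">{eppn}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">urn:mace:example:vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def idp_scopes(metadata_xml):
    """(scope, is_regexp) pairs from every <shibmd:Scope> in the IdP's metadata."""
    root = ET.fromstring(metadata_xml)
    return [(el.text.strip(), el.get("regexp", "false").lower() == "true")
            for el in root.iterfind(".//shibmd:Scope", NS)]


def split_scoped(value, delimiter="@"):
    """Split 'user@scope' at the last delimiter; None when no scope is present."""
    local, sep, scope = value.rpartition(delimiter)
    return (local, scope) if sep and local and scope else None


def scope_permitted(scope, scopes):
    """Literal Scopes compare case-insensitively, regexp Scopes must match the
    whole scope string (both are assumptions of this model)."""
    return any(re.fullmatch(pat, scope) if is_re else pat.lower() == scope.lower()
               for pat, is_re in scopes)


def accepted_attributes(assertion_xml, metadata_xml, enforce_scope=True):
    """Map the assertion's attributes to the ids the application would see.

    enforce_scope=True is the default policy: a scoped value whose scope the
    IdP's metadata does not assert is dropped silently, so the application
    never gets that header. enforce_scope=False is the relaxation described in
    the thread; it is only safe when the SP trusts exactly one IdP.
    """
    scopes = idp_scopes(metadata_xml)
    root = ET.fromstring(assertion_xml)
    accepted = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        mapping = ATTRIBUTE_MAP.get(attr.get("Name"))
        if mapping is None:
            continue  # attributes absent from attribute-map.xml are never exposed
        attr_id, scoped = mapping
        for val_el in attr.iterfind("saml:AttributeValue", NS):
            value = (val_el.text or "").strip()
            if scoped:
                parts = split_scoped(value)
                if parts is None:
                    continue  # ScopedAttributeDecoder needs a scope
                if enforce_scope and not scope_permitted(parts[1], scopes):
                    continue  # scope not asserted by this IdP: dropped
            accepted.setdefault(attr_id, []).append(value)
    return accepted


if __name__ == "__main__":
    a = assertion_with_eppn("swinter@education.lu")
    print("no Scope in metadata:  ", accepted_attributes(a, IDP_NO_SCOPE))
    print("Scope present:         ", accepted_attributes(a, IDP_WITH_SCOPE))
    print("check relaxed:         ", accepted_attributes(a, IDP_NO_SCOPE, enforce_scope=False))
    print("foreign scope, checked:", accepted_attributes(assertion_with_eppn("admin@other.example"), IDP_WITH_SCOPE))
```

Running it shows the three outcomes from the thread: with no Scope in the IdP's metadata the eppn disappears and only entitlement survives, which is exactly what a "missing request header eppn" error looks like from the application's side; adding the Scope to the metadata, or relaxing the check, restores it. The fourth call shows what the check protects against: an IdP asserting an eppn in a scope it does not own. That is why relaxing it is acceptable only when the SP trusts exactly one IdP, as in Stefan's setup, and is worth reverting if a second IdP or a federation feed is ever added to the same SP.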
