<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hi, </div><div><br></div><div>I think that the configuration of the attribute map for your SP is missing. </div><div><br></div><div>"The mentioned attributes <code>persistent-id</code> and <code>entitlement</code> are configured in the Shibboleth configuration. Modify/add others as required in <code>/etc/shibboleth/attribute-map.xml</code>. Do not forget to restart Shibboleth if you make any changes to its configuration."</div><div><div style="clear: both;"><br></div><div style="clear: both;">example:</div><div style="clear: both;"><pre>&lt;Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"&gt;
    &lt;AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/&gt;
&lt;/Attribute&gt;
&lt;Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"&gt;
    &lt;AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/&gt;
&lt;/Attribute&gt;
</pre></div> </div><div>Cheers, </div><div>Anass</div><div><br></div><div data-marker="__SIG_PRE__"><div><div><span>Anass CHABLI</span><br><span>Responsable du Département Sécurité des Services / Head of Security of Services Department</span></div><div><span>Direction des Services Applicatifs / Digital Services Direction</span></div><div><span>RENATER - Rennes</span></div><div><span>renater.fr</span></div></div></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"stefan winter" &lt;stefan.winter@restena.lu&gt;<br><b>To: </b>"anass chabli" &lt;anass.chabli@renater.fr&gt;<br><b>Cc: </b>"eduvpn-deploy" &lt;eduvpn-deploy@list.surfnet.nl&gt;<br><b>Sent: </b>Monday 6 July 2020 11:48:56<br><b>Subject: </b>Re: [eduVPN-deploy] What is the Shib SP metadata?<br></div><div><br></div><div data-marker="__QUOTED_TEXT__"><p>Hi,</p>
<p><br>
</p>
<p>maybe I have one for you :-)</p>
<p><br>
</p>
<p>Now auth works, and I configured the IdP to send the
eduPersonPrincipalName to eduVPN.</p>
<p><br>
</p>
<p>With SAMLtracer, I see that this is actually happening, the
relevant bit being:</p>
<pre>&lt;saml:AttributeStatement&gt;
  &lt;saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"&gt;
    &lt;saml:AttributeValue xsi:type="xs:string"&gt;swinter@education.lu&lt;/saml:AttributeValue&gt;
  &lt;/saml:Attribute&gt;
&lt;/saml:AttributeStatement&gt;</pre>
<p><br>
</p>
<p>So this goes through to Shibboleth.</p>
<p><br>
</p>
<p>Simple-mindedly, I thought I could just
change in eduVPN's config.php the attribute from "persistent-id"
to "eppn":</p>
<pre>'ShibAuthentication' =&gt;
array (
    'userIdAttribute' =&gt; 'eppn',
),</pre>
<p><br>
</p>
<p>but that results in an error:</p>
<p><br>
</p>
<h2>400</h2>
<p>An error occurred.</p>
<p class="error"> <code>missing request header "eppn"</code> </p>
<p><br>
</p>
<p><br>
</p>
<p>So I guess Shibboleth doesn't pass this on by default - but I
don't know how to make it change its mind.</p>
<p><br>
</p>
<p>Any clues?</p>
<p><br>
</p>
<p>Greetings,</p>
<p><br>
</p>
<p>Stefan Winter<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 06.07.20 at 10:27, Anass Chabli wrote:<br>
</div>
<blockquote cite="mid:557916743.13808.1594024021353.JavaMail.zimbra@renater.fr">
<pre class="moz-quote-pre">Hello Stefan,
The Shibboleth SP makes its own SP metadata available through this URL: <a class="moz-txt-link-rfc2396E" href="https://youreduvpnserver/Shibboleth.sso/Metadata" target="_blank">"https://youreduvpnserver/Shibboleth.sso/Metadata"</a>
Please, feel free to contact me directly, if you need any help on the SAML configuration.
Cheers,
Anass
----- Original Message -----
From: "Stefan Winter via eduVPN-deploy" <a class="moz-txt-link-rfc2396E" href="mailto:eduvpn-deploy@list.surfnet.nl" target="_blank">&lt;eduvpn-deploy@list.surfnet.nl&gt;</a>
To: <a class="moz-txt-link-abbreviated" href="mailto:eduvpn-deploy@list.surfnet.nl" target="_blank">eduvpn-deploy@list.surfnet.nl</a>
Sent: Monday 6 July 2020 10:16:13
Subject: [eduVPN-deploy] What is the Shib SP metadata?
Hello,
I'm currently configuring SAML auth (basic functionality of the eduVPN
server already works, great!).
I notice the documentation is maybe a little thin on this point:
"Next: register your SP in your identity federation, or in your IdP."
I'd love to - but where does the Shibboleth SP make its own SP metadata
available so I can transfer it to the IdP? I've never worked with
Shibboleth before. I imagine there is some kind of status URL like with SSP?
Greetings,
Stefan Winter
_______________________________________________
eduVPN-deploy mailing list
<a class="moz-txt-link-abbreviated" href="mailto:eduVPN-deploy@list.surfnet.nl" target="_blank">eduVPN-deploy@list.surfnet.nl</a>
<a class="moz-txt-link-freetext" href="https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy" target="_blank">https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy</a>
</pre>
</blockquote><br></div></div></body></html>
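The attribute-mapping step Anass describes in his reply, as an added example that is not code from eduVPN or the Shibboleth SP: it loads a constructed attribute-map.xml with and without the eppn entry, pushes an AttributeStatement shaped like Stefan's SAMLtracer capture through the mapping the way the SP would, and reproduces the 'missing request header "eppn"' check. The XML fragments, the user value, the persistent-id entry and all function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"

# Constructed attribute-map.xml fragments (not the shipped file): the first
# knows only persistent-id, the second adds the eppn entries from the reply.
MAP_WITHOUT_EPPN = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"/>
</Attributes>"""
MAP_WITH_EPPN = f"""<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"/>
  <Attribute name="{EPPN_OID}" id="eppn"/>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"/>
</Attributes>"""

# Constructed AttributeStatement mirroring the SAMLtracer capture in the thread.
ASSERTION = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="{EPPN_OID}"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">user@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def load_attribute_map(xml_text):
    """Return {SAML attribute Name: SP id} for every <Attribute> in the map."""
    mapping = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "Attribute":
            mapping[el.get("name")] = el.get("id")
    return mapping


def map_assertion(assertion_xml, attribute_map):
    """Return the variables the SP would export; only mapped attributes survive."""
    exported = {}
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML_NS}}}Attribute"):
        sp_id = attribute_map.get(attr.get("Name"))
        if sp_id is None:
            continue  # no <Attribute name=...> entry for this Name: the SP drops it
        values = [v.text or "" for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
        exported[sp_id] = ";".join(values)  # multi-valued attributes are ';'-joined
    return exported


def check_user_id_attribute(exported, user_id_attribute):
    """Mirror eduVPN's check on config.php's userIdAttribute (e.g. 'eppn')."""
    if not exported.get(user_id_attribute):
        return f'missing request header "{user_id_attribute}"'
    return None


if __name__ == "__main__":
    for label, map_xml in (("default map", MAP_WITHOUT_EPPN), ("with eppn", MAP_WITH_EPPN)):
        exported = map_assertion(ASSERTION, load_attribute_map(map_xml))
        print(label, exported, check_user_id_attribute(exported, "eppn"))
```

With the default map the assertion's eppn attribute never reaches the application and the check fails exactly as in Stefan's 400 page; with the added entries it is exported under the id "eppn" and the check passes.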