<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p><br>
</p>
<p>what you quote in your example is already part of the default
configuration. I.e. attribute-map.xml contains that snippet
already (and that's why I thought it would be usable
out-of-the-box). I also restarted shibd unnecessarily just in
case.<br>
</p>
<p><br>
</p>
<p>Is there anything else I might need to do? <br>
</p>
<p><br>
</p>
<p>Greetings,</p>
<p><br>
</p>
<p>Stefan Winter</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 06.07.20 at 12:01, Anass Chabli
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1485950006.17944.1594029712324.JavaMail.zimbra@renater.fr">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div style="font-family: arial, helvetica, sans-serif; font-size:
12pt; color: #000000">
<div>Hi, </div>
<div><br data-mce-bogus="1">
</div>
<div>I think that the configuration of the attribute map for
your SP is missing. </div>
<div><br data-mce-bogus="1">
</div>
<div>"<span style="font-size: 16px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
caret-color: #24292e; color: #24292e; font-family:
-apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica,
Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji';
background-color: #ffffff; float: none; display: inline
!important;" data-mce-style="font-size: 16px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
caret-color: #24292e; color: #24292e; font-family:
-apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica,
Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji';
background-color: #ffffff; float: none; display: inline
!important;">The mentioned attributes<span
class="Apple-converted-space"> </span></span><code
style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans: auto;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width:
0px; text-decoration: none; box-sizing: border-box;
font-family: SFMono-Regular, Consolas, 'Liberation Mono',
Menlo, monospace; font-size: 13.600000381469727px; padding:
0.2em 0.4em; margin: 0px; background-color: rgba(27, 31, 35,
0.05); border-top-left-radius: 6px; border-top-right-radius:
6px; border-bottom-right-radius: 6px;
border-bottom-left-radius: 6px; caret-color: #24292e; color:
#24292e;" data-mce-style="font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
box-sizing: border-box; font-family: SFMono-Regular,
Consolas, 'Liberation Mono', Menlo, monospace; font-size:
13.600000381469727px; padding: 0.2em 0.4em; margin: 0px;
background-color: rgba(27, 31, 35, 0.05);
border-top-left-radius: 6px; border-top-right-radius: 6px;
border-bottom-right-radius: 6px; border-bottom-left-radius:
6px; caret-color: #24292e; color: #24292e;">persistent-id</code><span
style="font-size: 16px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
caret-color: #24292e; color: #24292e; font-family:
-apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica,
Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji';
background-color: #ffffff; float: none; display: inline
!important;" data-mce-style="font-size: 16px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
caret-color: #24292e; color: #24292e; font-family:
-apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica,
Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji';
background-color: #ffffff; float: none; display: inline
!important;"><span class="Apple-converted-space"> </span>and<span
class="Apple-converted-space"> </span></span><code
style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans: auto;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width:
0px; text-decoration: none; box-sizing: border-box;
font-family: SFMono-Regular, Consolas, 'Liberation Mono',
Menlo, monospace; font-size: 13.600000381469727px; padding:
0.2em 0.4em; margin: 0px; background-color: rgba(27, 31, 35,
0.05); border-top-left-radius: 6px; border-top-right-radius:
6px; border-bottom-right-radius: 6px;
border-bottom-left-radius: 6px; caret-color: #24292e; color:
#24292e;" data-mce-style="font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
box-sizing: border-box; font-family: SFMono-Regular,
Consolas, 'Liberation Mono', Menlo, monospace; font-size:
13.600000381469727px; padding: 0.2em 0.4em; margin: 0px;
background-color: rgba(27, 31, 35, 0.05);
border-top-left-radius: 6px; border-top-right-radius: 6px;
border-bottom-right-radius: 6px; border-bottom-left-radius:
6px; caret-color: #24292e; color: #24292e;">entitlement</code><span
style="font-size: 16px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
caret-color: #24292e; color: #24292e; font-family:
-apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica,
Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji';
background-color: #ffffff; float: none; display: inline
!important;" data-mce-style="font-size: 16px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
caret-color: #24292e; color: #24292e; font-family:
-apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica,
Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji';
background-color: #ffffff; float: none; display: inline
!important;"><span class="Apple-converted-space"> </span>are
configured in the Shibboleth configuration. Modify/add
others as required in<span class="Apple-converted-space"> </span></span><code
style="font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans: auto;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width:
0px; text-decoration: none; box-sizing: border-box;
font-family: SFMono-Regular, Consolas, 'Liberation Mono',
Menlo, monospace; font-size: 13.600000381469727px; padding:
0.2em 0.4em; margin: 0px; background-color: rgba(27, 31, 35,
0.05); border-top-left-radius: 6px; border-top-right-radius:
6px; border-bottom-right-radius: 6px;
border-bottom-left-radius: 6px; caret-color: #24292e; color:
#24292e;" data-mce-style="font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
box-sizing: border-box; font-family: SFMono-Regular,
Consolas, 'Liberation Mono', Menlo, monospace; font-size:
13.600000381469727px; padding: 0.2em 0.4em; margin: 0px;
background-color: rgba(27, 31, 35, 0.05);
border-top-left-radius: 6px; border-top-right-radius: 6px;
border-bottom-right-radius: 6px; border-bottom-left-radius:
6px; caret-color: #24292e; color: #24292e;">/etc/shibboleth/attribute-map.xml</code><span
style="font-size: 16px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
caret-color: #24292e; color: #24292e; font-family:
-apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica,
Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji';
background-color: #ffffff; float: none; display: inline
!important;" data-mce-style="font-size: 16px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px; text-decoration: none;
caret-color: #24292e; color: #24292e; font-family:
-apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica,
Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji';
background-color: #ffffff; float: none; display: inline
!important;">. Do not forget to restart Shibboleth if you
make any changes to its configuration."</span></div>
<div>
<div style="clear: both;" data-mce-style="clear: both;"><br
data-mce-bogus="1">
</div>
<div style="clear: both;">Example:</div>
<div style="clear: both;">
<pre>&lt;Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"&gt;
    &lt;AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/&gt;
&lt;/Attribute&gt;
&lt;Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"&gt;
    &lt;AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/&gt;
&lt;/Attribute&gt;</pre>
</div>
</div>
<div>Cheers, </div>
<div>Anass</div>
<div><br>
</div>
<div data-marker="__SIG_PRE__">
<div>
<div>
<span style="color: rgb(16, 66, 122); font-family:
"Arial Black"; font-size: small;">Anass CHABLI</span><br>
<span style="color: rgb(0, 0, 128);"><span
style="caret-color: rgb(0, 0, 0); color: rgb(16, 66,
122); font-family: verdana, helvetica, sans-serif;
font-size: small;">Responsable du Département Sécurité
des Services / Head of Security of Services Department</span></span></div>
<div><span style="color: rgb(0, 0, 128);"><span
style="caret-color: rgb(0, 0, 0); color: rgb(16, 66,
122); font-family: verdana, helvetica, sans-serif;
font-size: small;">Direction des Services Applicatifs
/ Digital Services Direction</span></span></div>
<div><span style="color: rgb(0, 0, 128);"><span
style="caret-color: rgb(0, 0, 0); color: rgb(16, 66,
122); font-family: verdana, helvetica, sans-serif;
font-size: small;">RENATER - Rennes</span></span></div>
<div><span style="color: rgb(0, 0, 128);"><span
style="caret-color: rgb(0, 0, 0); color: rgb(16, 66,
122); font-family: verdana, helvetica, sans-serif;
font-size: small;">renater.fr</span></span></div>
</div>
</div>
<div><br>
</div>
<hr id="zwchr" data-marker="__DIVIDER__">
<div data-marker="__HEADERS__"><b>From: </b>"stefan winter"
<a class="moz-txt-link-rfc2396E" href="mailto:stefan.winter@restena.lu"><stefan.winter@restena.lu></a><br>
<b>To: </b>"anass chabli" <a class="moz-txt-link-rfc2396E" href="mailto:anass.chabli@renater.fr"><anass.chabli@renater.fr></a><br>
<b>Cc: </b>"eduvpn-deploy"
<a class="moz-txt-link-rfc2396E" href="mailto:eduvpn-deploy@list.surfnet.nl"><eduvpn-deploy@list.surfnet.nl></a><br>
<b>Sent: </b>Monday 6 July 2020 11:48:56<br>
<b>Subject: </b>Re: [eduVPN-deploy] What is the Shib SP
metadata?<br>
</div>
<div><br>
</div>
<div data-marker="__QUOTED_TEXT__">
<p>Hi,</p>
<p><br>
</p>
<p>maybe I have one for you :-)</p>
<p><br>
</p>
<p>Now auth works, and I configured the IdP to send the
eduPersonPrincipalName to eduVPN.</p>
<p><br>
</p>
<p>With SAMLtracer, I see that this is actually happening, the
relevant bit being:</p>
<pre>&lt;saml:AttributeStatement&gt;
  &lt;saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"&gt;
    &lt;saml:AttributeValue xsi:type="xs:string"&gt;swinter@education.lu&lt;/saml:AttributeValue&gt;
  &lt;/saml:Attribute&gt;
&lt;/saml:AttributeStatement&gt;</pre>
<p><br>
</p>
<p>So this goes through to Shibboleth.</p>
<p><br>
</p>
<p>Simple-mindedly, I thought I could just change the attribute in
eduVPN's config.php from "persistent-id" to "eppn":</p>
<pre>'ShibAuthentication' =>
array (
    'userIdAttribute' => 'eppn',
),</pre>
<p><br>
</p>
<p>but that results in an error:</p>
<p><br>
</p>
<h2>400</h2>
<p>An error occurred.</p>
<p class="error"> <code>missing request header "eppn"</code>
</p>
<p><br>
</p>
<p><br>
</p>
<p>So I guess Shibboleth doesn't pass this on by default - but
I don't know how to make it change its mind.</p>
<p><br>
</p>
<p>Any clues?</p>
<p><br>
</p>
<p>Greetings,</p>
<p><br>
</p>
<p>Stefan Winter<br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 06.07.20 at 10:27, Anass Chabli
wrote:<br>
</div>
<blockquote
cite="mid:557916743.13808.1594024021353.JavaMail.zimbra@renater.fr">
<pre class="moz-quote-pre">Hello Stefan,
The Shibboleth SP make its own SP metadata available through this URL <a class="moz-txt-link-rfc2396E" href="https://youreduvpnserver/Shibboleth.sso/Metadata" target="_blank" moz-do-not-send="true">" https://youreduvpnserver/Shibboleth.sso/Metadata "</a>
Please, feel free to contact me directly, if you need any help on the SAML configuration.
Cheers,
Anass
----- Original Message -----
From: "Stefan Winter via eduVPN-deploy" <a class="moz-txt-link-rfc2396E" href="mailto:eduvpn-deploy@list.surfnet.nl" target="_blank" moz-do-not-send="true"><eduvpn-deploy@list.surfnet.nl></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:eduvpn-deploy@list.surfnet.nl" target="_blank" moz-do-not-send="true">eduvpn-deploy@list.surfnet.nl</a>
Sent: Monday 6 July 2020 10:16:13
Subject: [eduVPN-deploy] What is the Shib SP metadata?
Hello,
I'm currently configuring SAML auth (basic functionality of the eduVPN
server already works, great!).
I notice the documentation is maybe a little thin on this point:
"Next: register your SP in your identity federation, or in your IdP."
I'd love to - but where does the Shibboleth SP make its own SP metadata
available so I can transfer it to the IdP? I've never worked with
Shibboleth before. I imagine there is some kind of status URL like with SSP?
Greetings,
Stefan Winter
_______________________________________________
eduVPN-deploy mailing list
<a class="moz-txt-link-abbreviated" href="mailto:eduVPN-deploy@list.surfnet.nl" target="_blank" moz-do-not-send="true">eduVPN-deploy@list.surfnet.nl</a>
<a class="moz-txt-link-freetext" href="https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy" target="_blank" moz-do-not-send="true">https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy</a>
</pre>
</blockquote>
<br>
</div>
</div>
</blockquote>
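<p>Added example (not eduVPN's or the Shibboleth SP's own code): a small Python model of the attribute-map resolution discussed in this thread, run over the AttributeStatement and the attribute-map.xml snippet quoted above. It assumes the SP's default attribute-map namespace and simplifies the decoder rules; the second attribute in the sample assertion (the eduPersonEntitlement OID) is constructed to show what an attribute with no map entry looks like.</p>

```python
"""Added example (not eduVPN or Shibboleth SP code): a simplified model of how
attribute-map.xml turns a SAML AttributeStatement into local attribute ids."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the assertion fragment posted in the thread, plus one
# extra attribute (the eduPersonEntitlement OID) that the map below lacks.
ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">swinter@education.lu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">urn:mace:example.org:vpn</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: the attribute-map.xml snippet from the thread, wrapped in
# the root element and namespace the SP's default file uses.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
</Attributes>"""


def load_map(map_xml):
    """Return {SAML attribute name: (local id, decoder type)} from the map."""
    entries = {}
    for attr in ET.fromstring(map_xml).findall("m:Attribute", {"m": MAP_NS}):
        dec = attr.find("m:AttributeDecoder", {"m": MAP_NS})
        # With no explicit decoder the SP treats the values as plain strings.
        dtype = dec.get(XSI_TYPE) if dec is not None else "StringAttributeDecoder"
        entries[attr.get("name")] = (attr.get("id"), dtype)
    return entries


def resolve(assertion_xml, attr_map):
    """Map assertion attributes to local ids; list names with no map entry."""
    stmt = ET.fromstring(assertion_xml)
    resolved, unmapped = {}, []
    for attr in stmt.findall("saml:Attribute", {"saml": SAML_NS}):
        name = attr.get("Name")
        if name not in attr_map:
            unmapped.append(name)  # never exported by the SP
            continue
        local_id, dtype = attr_map[name]
        for val in attr.findall("saml:AttributeValue", {"saml": SAML_NS}):
            text = (val.text or "").strip()
            if dtype == "ScopedAttributeDecoder":
                if "@" not in text:
                    continue  # simplified: unscoped values are dropped
                text = tuple(text.rsplit("@", 1))  # (value, scope)
            resolved.setdefault(local_id, []).append(text)
    return resolved, unmapped
```

<p>Whether a mapped id then reaches the application as a request header or only as a server variable is decided by the web server integration (for Apache, the ShibUseHeaders setting), which this model does not cover.</p>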
</body>
</html>