<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi,</p>
    <p><br>
    </p>
    <p>maybe I have one for you :-)</p>
    <p><br>
    </p>
    <p>Now auth works, and I configured the IdP to send the
      eduPersonPrincipalName to eduVPN.</p>
    <p><br>
    </p>
    <p>With SAMLtracer, I see that this is actually happening, the
      relevant bit being:</p>
    <pre>&lt;saml:AttributeStatement&gt;
  &lt;saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"&gt;
    &lt;saml:AttributeValue xsi:type="xs:string"&gt;swinter@education.lu&lt;/saml:AttributeValue&gt;
  &lt;/saml:Attribute&gt;
&lt;/saml:AttributeStatement&gt;</pre>
    <p><br>
    </p>
    <p>So this goes through to Shibboleth.</p>
    <p><br>
    </p>
    <p>Simple-mindedly, I thought I could just change, in eduVPN's
      config.php, the attribute from "persistent-id" to "eppn":</p>
    <pre>  'ShibAuthentication' =&gt;
          array (
            'userIdAttribute' =&gt; 'eppn',
          ),
</pre>
    <p><br>
    </p>
    <p>but that results in an error:</p>
    <p><br>
    </p>
    <h2>400</h2>
    <p>An error occurred.</p>
    <p class="error"> <code>missing request header "eppn"</code> </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p>So I guess Shibboleth doesn't pass this on by default - but I
      don't know how to make it change its mind.</p>
    <p><br>
    </p>
    <p>Any clues?</p>
    <p><br>
    </p>
    <p>Greetings,</p>
    <p><br>
    </p>
    <p>Stefan Winter<br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
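    <p>Added example (not from the mail and not eduVPN's or Shibboleth's own code): a small Python model of the SP-side step the 400 points at, the mapping from the attribute's OID name in the assertion to the local id ("eppn") the application asks for, plus a check that tells an IdP that never released the attribute apart from an SP that has no mapping for it. The sample statement, the map dict and the function names are constructed; the OID is the one from the trace above.</p>

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName, as in the trace

# Constructed stand-in for the SP-side mapping (the role attribute-map.xml plays in
# Shibboleth SP): the SP, not the IdP, decides that this OID is exposed as "eppn".
ATTRIBUTE_MAP = {EPPN_OID: "eppn"}

# Constructed AttributeStatement modelled on the SAMLtracer output in the mail.
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">user@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def map_attributes(statement_xml, attribute_map):
    """Return {local_id: [values]} for the attributes the SP-side map knows.
    Unmapped names and non-URI NameFormats are dropped, which is exactly what
    makes an attribute the IdP did release invisible to the application."""
    root = ET.fromstring(statement_xml)
    mapped = {}
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("NameFormat") != URI_FORMAT:
            continue
        local_id = attribute_map.get(attr.get("Name"))
        if local_id is None:
            continue
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        mapped.setdefault(local_id, []).extend(values)
    return mapped


def diagnose(statement_xml, attribute_map, user_id_attribute, expected_name):
    """Tell 'the IdP never released it' apart from 'the SP does not map it':
    the application's 400 for a missing "eppn" looks identical in both cases."""
    root = ET.fromstring(statement_xml)
    sent = {a.get("Name") for a in root.findall("saml:Attribute", NS)}
    if expected_name not in sent:
        return "idp-did-not-release"
    if attribute_map.get(expected_name) != user_id_attribute:
        return "sp-has-no-mapping"
    return "ok"
```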
    <div class="moz-cite-prefix">On 06.07.20 at 10:27, Anass Chabli
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:557916743.13808.1594024021353.JavaMail.zimbra@renater.fr">
      <pre class="moz-quote-pre" wrap="">Hello Stefan, 

The Shibboleth SP makes its own SP metadata available through this URL: <a class="moz-txt-link-rfc2396E" href="https://youreduvpnserver/Shibboleth.sso/Metadata">"https://youreduvpnserver/Shibboleth.sso/Metadata"</a>

Please, feel free to contact me directly, if you need any help on the SAML configuration.

Cheers,
Anass

----- Original Message -----
From: "Stefan Winter via eduVPN-deploy" <a class="moz-txt-link-rfc2396E" href="mailto:eduvpn-deploy@list.surfnet.nl">&lt;eduvpn-deploy@list.surfnet.nl&gt;</a>
To: <a class="moz-txt-link-abbreviated" href="mailto:eduvpn-deploy@list.surfnet.nl">eduvpn-deploy@list.surfnet.nl</a>
Sent: Monday, 6 July 2020 10:16:13
Subject: [eduVPN-deploy] What is the Shib SP metadata?

Hello,


I'm currently configuring SAML auth (basic functionality of the eduVPN
server already works, great!).


I notice the documentation is maybe a little thin on this point:


"Next: register your SP in your identity federation, or in your IdP."


I'd love to - but where does the Shibboleth SP make its own SP metadata
available so I can transfer it to the IdP? I've never worked with
Shibboleth before. I imagine there is some kind of status URL like with SSP?


Greetings,


Stefan Winter


_______________________________________________
eduVPN-deploy mailing list
<a class="moz-txt-link-abbreviated" href="mailto:eduVPN-deploy@list.surfnet.nl">eduVPN-deploy@list.surfnet.nl</a>
<a class="moz-txt-link-freetext" href="https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy">https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy</a>
</pre>
    </blockquote>
  </body>
</html>