<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">with some live debugging help from
Chris Phillipps (thanks!) I was able to solve this.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">The problem was that our federation
does not assert any shibmd:Scope constraints. The eppn was scoped,
but Shibboleth by default ignores it unless it finds its
shibmd:Scope constraint and the actual value matches.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">So, Shibboleth dropped the eppn on
receipt, and from the POV of eduVPN, the IdP never actually sent
an eppn, so it couldn't possibly use it.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">The solution was, of course, to relax
the Shibboleth checks regarding Scope checking. I could do that
without compromising security because the eduVPN server connects
to only exactly one IdP, and that is under the control of the same
person that administers eduVPN, i.e. yours truly.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Greetings,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Stefan Winter<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 06.07.20 at 15:04, Anass
Chabli wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1261429663.22565.1594040666801.JavaMail.zimbra@renater.fr">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div style="font-family: arial, helvetica, sans-serif; font-size:
12pt; color: #000000">
<div>Hi Stefan, </div>
<div><br data-mce-bogus="1">
</div>
<div>Could you have a look at the Shibboleth SP log files, to
check whether the attribute is parsed correctly by the SP?</div>
<div><br data-mce-bogus="1">
</div>
<div>Otherwise I don't know why the error is raised by the app,
maybe François will have more information on that.<br
data-mce-bogus="1">
</div>
<div><br data-mce-bogus="1">
</div>
<div><span style="font-size: 12pt;">Cheers, </span></div>
<div><span style="font-size: 12pt;">Anass </span><br>
</div>
<hr id="zwchr" data-marker="__DIVIDER__">
<div data-marker="__HEADERS__"><b>From: </b>"stefan winter"
<a class="moz-txt-link-rfc2396E" href="mailto:stefan.winter@restena.lu"><stefan.winter@restena.lu></a><br>
<b>To: </b>"anass chabli" <a class="moz-txt-link-rfc2396E" href="mailto:anass.chabli@renater.fr"><anass.chabli@renater.fr></a><br>
<b>Cc: </b>"eduvpn-deploy"
<a class="moz-txt-link-rfc2396E" href="mailto:eduvpn-deploy@list.surfnet.nl"><eduvpn-deploy@list.surfnet.nl></a><br>
<b>Sent: </b>Monday 6 July 2020 12:40:28<br>
<b>Subject: </b>Re: [eduVPN-deploy] What is the Shib SP
metadata?<br>
</div>
<div><br>
</div>
<div data-marker="__QUOTED_TEXT__">
<p>Hi,</p>
<p><br>
</p>
<p>what you quote in your example is already part of the
default configuration. I.e. attribute-map.xml contains that
snippet already (and that's why I thought it would be usable
out-of-the-box). I also restarted shibd unnecessarily just
in case.<br>
</p>
<p><br>
</p>
<p>Is there anything else I might need to do? <br>
</p>
<p><br>
</p>
<p>Greetings,</p>
<p><br>
</p>
<p>Stefan Winter</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 06.07.20 at 12:01,
Anass Chabli wrote:<br>
</div>
<blockquote
cite="mid:1485950006.17944.1594029712324.JavaMail.zimbra@renater.fr">
<div style="font-family: arial, helvetica, sans-serif;
font-size: 12pt; color: #000000">
<div>Hi, </div>
<div><br>
</div>
<div>I think that the configuration of the attribute map
for your SP is missing. </div>
<div><br>
</div>
<div>"The mentioned attributes <code>persistent-id</code> and
<code>entitlement</code> are configured in the Shibboleth
configuration. Modify/add others as required in
<code>/etc/shibboleth/attribute-map.xml</code>. Do not forget to
restart Shibboleth if you make any changes to its
configuration."</div>
<div>
<div style="clear: both;"><br>
</div>
<div style="clear: both;">example:</div>
<div style="clear: both;">
<pre>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
</pre>
</div>
</div>
<div>Cheers, </div>
<div>Anass</div>
<div><br>
</div>
<div>
<div>
<div>
<span style="color: rgb(16, 66, 122); font-family:
"Arial Black"; font-size: small;">Anass
CHABLI</span><br>
<span style="color: rgb(0, 0, 128);"><span
style="caret-color: rgb(0, 0, 0); color: rgb(16,
66, 122); font-family: verdana, helvetica,
sans-serif; font-size: small;">Responsable du
Département Sécurité des Services / Head of
Security of Services Department</span></span></div>
<div><span style="color: rgb(0, 0, 128);"><span
style="caret-color: rgb(0, 0, 0); color: rgb(16,
66, 122); font-family: verdana, helvetica,
sans-serif; font-size: small;">Direction des
Services Applicatifs / Digital Services
Direction</span></span></div>
<div><span style="color: rgb(0, 0, 128);"><span
style="caret-color: rgb(0, 0, 0); color: rgb(16,
66, 122); font-family: verdana, helvetica,
sans-serif; font-size: small;">RENATER - Rennes</span></span></div>
<div><span style="color: rgb(0, 0, 128);"><span
style="caret-color: rgb(0, 0, 0); color: rgb(16,
66, 122); font-family: verdana, helvetica,
sans-serif; font-size: small;">renater.fr</span></span></div>
</div>
</div>
<div><br>
</div>
<hr id="zwchr">
<div><b>From: </b>"stefan winter" <a
class="moz-txt-link-rfc2396E"
href="mailto:stefan.winter@restena.lu" target="_blank"
moz-do-not-send="true"><stefan.winter@restena.lu></a><br>
<b>To: </b>"anass chabli" <a
class="moz-txt-link-rfc2396E"
href="mailto:anass.chabli@renater.fr" target="_blank"
moz-do-not-send="true"><anass.chabli@renater.fr></a><br>
<b>Cc: </b>"eduvpn-deploy" <a
class="moz-txt-link-rfc2396E"
href="mailto:eduvpn-deploy@list.surfnet.nl"
target="_blank" moz-do-not-send="true"><eduvpn-deploy@list.surfnet.nl></a><br>
<b>Sent: </b>Monday 6 July 2020 11:48:56<br>
<b>Subject: </b>Re: [eduVPN-deploy] What is the Shib SP
metadata?<br>
</div>
<div><br>
</div>
<div>
<p>Hi,</p>
<p><br>
</p>
<p>maybe I have one for you :-)</p>
<p><br>
</p>
<p>Now auth works, and I configured the IdP to send the
eduPersonPrincipalName to eduVPN.</p>
<p><br>
</p>
<p>With SAMLtracer, I see that this is actually
happening, the relevant bit being:</p>
<pre><saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">swinter@education.lu</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement></pre>
<p><br>
</p>
<p>So this goes through to Shibboleth.</p>
<p><br>
</p>
<p>Simple-mindedly, I thought I could just change the attribute
in eduVPN's config.php from "persistent-id" to "eppn":</p>
<pre>'ShibAuthentication' =>
    array (
        'userIdAttribute' => 'eppn',
    ),</pre>
<p><br>
</p>
<p>but that results in an error:</p>
<p><br>
</p>
<h2>400</h2>
<p>An error occurred.</p>
<p class="error"> <code>missing request header "eppn"</code>
</p>
<p><br>
</p>
<p><br>
</p>
<p>So I guess Shibboleth doesn't pass this on by default
- but I don't know how to make it change its mind.</p>
<p><br>
</p>
<p>Any clues?</p>
<p><br>
</p>
<p>Greetings,</p>
<p><br>
</p>
<p>Stefan Winter<br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 06.07.20 at 10:27,
Anass Chabli wrote:<br>
</div>
<blockquote
cite="mid:557916743.13808.1594024021353.JavaMail.zimbra@renater.fr">
<pre class="moz-quote-pre">Hello Stefan,
The Shibboleth SP makes its own SP metadata available through this URL <a class="moz-txt-link-rfc2396E" href="https://youreduvpnserver/Shibboleth.sso/Metadata" target="_blank" moz-do-not-send="true">" https://youreduvpnserver/Shibboleth.sso/Metadata "</a>
Please feel free to contact me directly if you need any help with the SAML configuration.
Cheers,
Anass
----- Original Message -----
From: "Stefan Winter via eduVPN-deploy" <a class="moz-txt-link-rfc2396E" href="mailto:eduvpn-deploy@list.surfnet.nl" target="_blank" moz-do-not-send="true"><eduvpn-deploy@list.surfnet.nl></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:eduvpn-deploy@list.surfnet.nl" target="_blank" moz-do-not-send="true">eduvpn-deploy@list.surfnet.nl</a>
Sent: Monday 6 July 2020 10:16:13
Subject: [eduVPN-deploy] What is the Shib SP metadata?
Hello,
I'm currently configuring SAML auth (basic functionality of the eduVPN
server already works, great!).
I notice the documentation is maybe a little thin on this point:
"Next: register your SP in your identity federation, or in your IdP."
I'd love to - but where does the Shibboleth SP make its own SP metadata
available so I can transfer it to the IdP? I've never worked with
Shibboleth before. I imagine there is some kind of status URL like with SSP?
Greetings,
Stefan Winter
_______________________________________________
eduVPN-deploy mailing list
<a class="moz-txt-link-abbreviated" href="mailto:eduVPN-deploy@list.surfnet.nl" target="_blank" moz-do-not-send="true">eduVPN-deploy@list.surfnet.nl</a>
<a class="moz-txt-link-freetext" href="https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy" target="_blank" moz-do-not-send="true">https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy</a>
</pre>
</blockquote>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</blockquote>
<p><br>
</p>
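<p>The scope check that made the eppn vanish in this thread, as an added example (this is not code from Shibboleth, eduVPN or any of the posters): a small Python model of what the SP does with a scoped eppn under the default attribute-policy.xml rule AttributeScopeMatchesShibMDScope. The IdP metadata, the assertion, the entity ID, the scopes and the user names are all constructed for the example; the IdP with no shibmd:Scope element reproduces the situation Stefan described, and enforce_scope=False models the relaxation he applied.</p>

```python
"""Model of the scope check a Shibboleth SP applies to a scoped attribute such
as eduPersonPrincipalName (eppn). Added illustration for this thread, not
Shibboleth, eduVPN or any poster's code; all metadata, assertions, entity IDs
and user values below are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"

# Constructed IdP metadata as a federation would publish it: one literal scope
# and one regexp scope covering sub-domains.
IDP_METADATA_WITH_SCOPE = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z0-9-]+\\.example\\.org$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# The same IdP with no shibmd:Scope at all: the situation in the thread.
IDP_METADATA_NO_SCOPE = re.sub(
    r"<md:Extensions>.*?</md:Extensions>", "", IDP_METADATA_WITH_SCOPE, flags=re.S)


def assertion_with_eppn(*values):
    """Constructed AttributeStatement carrying the given eppn values."""
    body = "".join(
        f'<saml:AttributeValue xsi:type="xs:string">{v}</saml:AttributeValue>'
        for v in values)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPPN_OID}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{body}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def idp_scopes(metadata_xml):
    """Collect (pattern, is_regexp) pairs from the IdP's shibmd:Scope elements."""
    root = ET.fromstring(metadata_xml)
    return [
        ((el.text or "").strip(), el.get("regexp", "false").lower() == "true")
        for el in root.iterfind(".//md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS)
    ]


def decode_scoped(value):
    """Split a value the way the thread's attribute-map snippet decodes it: at
    the '@' delimiter, lower-cased because of caseSensitive="false".
    Returns (local, scope), or None when there is no delimiter at all."""
    if "@" not in value:
        return None
    local, _, scope = value.strip().lower().partition("@")
    return local, scope


def scope_permitted(scope, scopes):
    """True if the scope matches one declared shibmd:Scope. Regexp scopes are
    matched against the whole scope string (a choice of this model)."""
    for pattern, is_regexp in scopes:
        if is_regexp and re.fullmatch(pattern, scope):
            return True
        if not is_regexp and pattern.lower() == scope:
            return True
    return False


def filter_eppn(assertion_xml, metadata_xml, enforce_scope=True):
    """Return the eppn values the SP would export to the application.

    enforce_scope=True models AttributeScopeMatchesShibMDScope: a value survives
    only if the IdP's metadata declares a matching shibmd:Scope, so with no Scope
    element at all nothing survives and the application never sees an "eppn"
    header. enforce_scope=False models the relaxation from the thread, which is
    only defensible when exactly one trusted IdP can reach this SP."""
    scopes = idp_scopes(metadata_xml)
    root = ET.fromstring(assertion_xml)
    accepted = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != EPPN_OID:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            decoded = decode_scoped(val.text or "")
            if decoded is None:
                continue  # unscoped value: the scoped decoder drops it regardless
            local, scope = decoded
            if enforce_scope and not scope_permitted(scope, scopes):
                continue  # a scope-less federation loses every eppn right here
            accepted.append(f"{local}@{scope}")
    return accepted


if __name__ == "__main__":
    a = assertion_with_eppn("alice@example.org", "mallory@other.example")
    print("scoped metadata, enforced:", filter_eppn(a, IDP_METADATA_WITH_SCOPE))
    print("no Scope, enforced:", filter_eppn(a, IDP_METADATA_NO_SCOPE))
    print("no Scope, relaxed:", filter_eppn(a, IDP_METADATA_NO_SCOPE, enforce_scope=False))
```

<p>The mallory@other.example value shows why the check exists: with the scope rule in place, an IdP can only assert principals under the scopes the federation has published for it, so no IdP can claim a user of another member organisation. Relaxing the rule removes that boundary, which is acceptable in Stefan's single-IdP setup but not on an SP that accepts logins from a whole federation; there the fix belongs in the federation metadata (publish shibmd:Scope for each IdP), not in the SP.</p>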
</body>
</html>