MetadataProvider


MetadataProvider

ls Lidz
I'm following the process to update metadata via the following example (v3.3.0).

Will the metadata backingFile be updated on IdP startup --- if the metadataURL version changes?

Where is the frequency set to check the metadataURL for updates?

https://github.internet2.edu/TIER/gs17-provisioning-demo/blob/master/shib-idp/customized-shibboleth-idp/conf/metadata-providers.xml

<!-- Canvas -->
<!-- <MetadataProvider id="canvas"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataURL="https://tier.instructure.com/saml_meta_data"
                  backingFile="%{idp.home}/metadata/canvas-metadata-bak.xml" /> -->


Thanks.


--
To unsubscribe from this list send an email to [hidden email]

Re: MetadataProvider

Cantor, Scott E.
On 7/12/17, 6:53 PM, "users on behalf of ls Lidz" <[hidden email] on behalf of [hidden email]> wrote:

> I'm following the process to update metadata via following example - v3.3.0

The example is wrong in a variety of respects that are covered practically on a weekly basis. You don't load metadata blindly from a service with no verification.

> Will the metadata backingFile be updated on IdP startup --- if the metadataURL version changes?

There is no "version" of the URL so I don't know what you're asking exactly.

> Where is the frequency set to check the metadataURL for updates?

There is extensive documentation on all the settings in the wiki.
 
-- Scott




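The same provider with the verification the reply above calls for, as an added example that is not from the thread or the TIER demo repository. It assumes the publisher signs its metadata and that the signing certificate was obtained out of band; the certificate path, the refresh bounds and the 14-day validity cap are placeholder choices, and minRefreshDelay/maxRefreshDelay are the attributes that bound how often the metadataURL is polled.

```xml
<!-- Added example, not the thread's or the TIER demo's file. Placeholders: the
     certificate path, the refresh bounds and the validity cap. -->
<MetadataProvider id="canvas"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                  metadataURL="https://tier.instructure.com/saml_meta_data"
                  backingFile="%{idp.home}/metadata/canvas-metadata-bak.xml"
                  minRefreshDelay="PT5M"
                  maxRefreshDelay="PT4H">
    <!-- The next refresh is scheduled from the document's own validity, clamped
         between the two delays above. A fetch that fails the filters below does
         not replace the backing file, so the last verified copy stays in use. -->

    <!-- Accept the document only if it carries a valid signature by the key in
         this certificate, obtained from the publisher out of band. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="%{idp.home}/credentials/canvas-metadata-signing.pem"
                    requireSignedRoot="true" />

    <!-- Reject metadata with no validUntil, or one more than 14 days out, so a
         stale or replayed copy cannot be trusted indefinitely. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />

    <!-- This source is expected to describe an SP only; drop any other roles. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
```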

Re: MetadataProvider

ls Lidz
>> Will the metadata backingFile be updated on IdP startup --- if the metadataURL version changes?

>There is no "version" of the URL so I don't know what you're asking exactly.

If data in metadataURL is changed?

Thanks.


Re: MetadataProvider

Jann Malenkoff
Yes -- I believe the default is 3 hours....

On Wed, Jul 12, 2017 at 4:42 PM, ls Lidz <[hidden email]> wrote:
>> Will the metadata backingFile be updated on IdP startup --- if the metadataURL version changes?

>There is no "version" of the URL so I don't know what you're asking exactly.

If data in metadataURL is changed?


Duo in Shib 3.3

Clayton
In reply to this post by ls Lidz
I'm trying to set up Duo in our Shib test env.

In the simplest configuration, what triggers Shib to use its Duo client?
It's probably in the documentation for DuoAuthnConfiguration, but I don't see it.

Thanks in advance,
--Clayton

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Duo in Shib 3.3

Losen, Stephen C. (scl)-2

Hi Clayton,

You need to configure Multi Factor Authn (MFA). You probably want it to run Password Authn first and then run Duo. And of course you must configure Duo. If the IDP is currently running Password directly, then run MFA instead.

Stephen C. Losen

ITS - Systems and Storage

University of Virginia

[hidden email]    434-924-0640

 


Re: Duo in Shib 3.3

Cantor, Scott E.
On 6/22/18, 2:13 PM, "users on behalf of Losen, Stephen C. (scl)" <[hidden email] on behalf of [hidden email]> wrote:

> You need to configure Multi Factor Authn (MFA).  You probably want it to run Password Authn first and then run Duo.  
> And of course you must configure Duo.  If the IDP is currently  running Password directly, then run MFA instead.

Relevant material being [1].

The reason you don't see the "big picture" in the Duo topic is that Duo isn't a stand-alone solution, it's a single factor, not MFA. That tells you how to configure Duo to work but not how to combine it with other factors, and that's what most people want to do.

The default examples for MFA that the software ships with are more than a simple use case for just running Password+Duo actually require but they're easily reducible to that. The Duo flow will automatically make use of the identity produced by the Password flow if that's the use case and there's nothing much to configure for that to work.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration


Re: Duo in Shib 3.3

Clayton
Thanks all.
The need to configure MFA so that it can require multiple authentication tokens makes perfect sense.  
In my case it'll require both the regular password auth and auth from Duo.


Looking at the ShibbolethSSOConfig and the SAML2SSOConfig I see some syntax that I don't understand:


Examples of defaultAuthenticationMethods property
<!-- NOTE: these example.org constants are examples and are not suitable for real use. -->
<bean id="MFASAML2Principal" parent="shibboleth.SAML2AuthnContextClassRef"
        c:_0="http://example.org/ac/classes/mfa" />
<bean id="MFASAML1Principal" parent="shibboleth.SAML1AuthenticationMethod"
        c:_0="http://example.org/ac/classes/mfa" />


What is up with "c:_0"?  I see a thread mostly between Brandon McKean and Scott from Mar 2017 where Brandon seems to use "c:classRef" instead.  That thread's especially interesting to me because he was trying to do exactly what I am.

Also, out of curiosity, are "MFASAML2Principal" and "MFASAML1Principal" set in stone? Or could I use any string for this if I added it to the right config files?

--Clayton



Re: Duo in Shib 3.3

Clayton
In reply to this post by Cantor, Scott E.
I never got to the point of triggering Duo for every SP - I found the setting that lets us enable it per-SP, which is where I was trying to go in the first place.

In relying-party.xml there's this section:
         <util:list id="shibboleth.RelyingPartyOverrides">

Within it there's a bean for each SP for which you want to override defaults.
The part in red is what made-it-go for me

<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'http://the.sp.com/theirSPEntityID'}}">
           <property name="profileConfigurations">
               <list>
                   <bean parent="SAML2.SSO" p:encryptAssertions="true" p:encryptNameIDs="true" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:OurCustomFormat1" p:authenticationFlows="#{{'MFA'}}">
                   </bean>
               </list>
           </property>
</bean>

It's all there in Shib3's Relying Party documentation.

I think the examples I was looking at achieved this a different way. They were defining "MFASAML2Principal" beans and then referencing them in different places. I don't understand the advantage of going that route. More re-usable objects I guess? Maybe useful if you're also expecting some SPs to request MFA occasionally?

--Clayton




Re: Duo in Shib 3.3

Cantor, Scott E.
In reply to this post by Clayton
On 6/22/18, 3:45 PM, "users on behalf of Clayton" <[hidden email] on behalf of [hidden email]> wrote:

> I see some syntax that I don't understand:

Your questions all pertain to Spring wiring syntax, and that's all something you have to pick up through documentation and experience.

https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

There is no shortcut for just reading the bean wiring documentation in the Spring docs, which that links to, and using the existing wiring as reinforcement for the documentation. And you have to know at least a little Java to begin with, that's just the price of entry among many others.
 
-- Scott



Re: Duo in Shib 3.3

Cantor, Scott E.
In reply to this post by Clayton
On 6/22/18, 5:13 PM, "users on behalf of Clayton" <[hidden email] on behalf of [hidden email]> wrote:

> I never got to the point of triggering Duo for every SP - I found the setting that lets us enable it per-SP
> which is where I was trying to go in the first place.

The MFA flow orchestrates all that, the system operates by abstracting the whole concept into a set of Principal objects that represent the service's requirements and a set of parallel objects (in general-auth.xml) that represent the results of each login method, and matches them up at runtime to decide whether something is "enough" or not.

Password produces its set of objects and Duo its set, and if a service requires something the Password flow doesn't provide, the MFA flow is able to script the system to force Duo to be used when required and not otherwise.

> I think the examples I was looking at achieved this a different way. They were defining "MFASAML2Principal"
> beans and then referencing them in different places. I don't understand the advantage of going that route.
> More re-usable objects I guess? Maybe useful if you're also expecting some SP's to request MFA occasionally?

That's one of the big reasons, yes. And because the system gets tied up in knots very fast if you try and enable both Password and MFA at the same time and rely on that sort of trick to get the right thing to run. Lots of failure modes will do things you don't expect and it will not end up broken in the end, but not in ways you're going to understand or notice just doing simple testing.

You don't touch that property under normal use, defaultAuthenticationMethods is the property that triggers explicit behavior for a service through the use of custom principals to represent what a service needs and what a method provides, and that's what all the examples follow.
 
-- Scott



Re: Duo in Shib 3.3

Cantor, Scott E.
> That's one of the big reasons, yes. And because the system gets tied up in knots very fast if you try and enable both
> Password and MFA at the same time and rely on that sort of trick to get the right thing to run. Lots of failure modes will
> do things you don't expect and it will not end up broken in the end, but not in ways you're going to understand or notice
> just doing simple testing.

That should say "will end up broken..." obviously.

The primary problem with it is the fall-through nature of the system when multiple login flows are enabled, it will tend to just try whatever's next in the list. The MFA flow is generally meant to be enabled by itself and used to direct which actual methods run rather than enabled together with others; it's a replacement for what the IdP does internally to choose methods rather than a supplement.

That in turn is what makes it problematic to do the selection process the way you're describing.

-- Scott



what's relying-party bean attribute "c:_0"?

Clayton
In reply to this post by Clayton
Can someone explain what "_0" is in this part of this comment from my relying-party.xml file?

   <!-- NOTE: these example.org constants are examples and are not suitable for real use.
    <bean id="MFASAML2Principal" parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://example.org/shibboleth/ac/classes/mfa" />
   <bean id="MFASAML1Principal" parent="shibboleth.SAML1AuthenticationMethod"
       c:_0="http://example.org/ac/classes/mfa" />
   -->


Also, why define MFAPrincipal beans for both SAML1 & SAML2?
The example from the MFA config page defines just the one. (I assume that page is about relying-party.xml - I don't see that explicitly stated there)


Thanks in advance!


Re: what's relying-party bean attribute "c:_0"?

Cantor, Scott E.
On 6/27/18, 5:50 PM, "users on behalf of Clayton" <[hidden email] on behalf of [hidden email]> wrote:

> Can someone explain what "_0"
>  is in this part of this comment from my relying-party.xml file?

Specifying a class constructor argument by position (zero-based) when creating an object.

I pointed you to the wiki topic on Spring that links to the important chapter in their documentation. You're going to have to read it to be successful with this, the IdP configuration is based on knowing the basics of using Spring, full stop.

> Also, why define MFAPrincipal beans for both SAML1 & SAML2?

Completeness of illustration.

-- Scott


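The Password-then-Duo wiring described earlier in this thread, collected as an added example (not the thread's own configuration or the IdP's shipped files); it also shows the c:_0 constructor-argument syntax asked about above. The placement of beans in files, the SP entityID and the example.org URI are assumptions; MFASAML2Principal and its URI are placeholders, as in the thread.

```xml
<!-- Added illustration, not the IdP's shipped files. Fragments of three config files
     sit under one root here; each comment names the real file. Assumes idp.properties
     sets idp.authn.flows = MFA so MFA is the only enabled login flow. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
    <!-- relying-party.xml: the principal meaning "this login satisfied MFA".
         The parent bean takes one constructor argument: c:_0 sets it by position
         (zero-based), c:classRef by parameter name; both give the same result.
         The bean id and the URI are deployer choices, placeholders here. -->
    <bean id="MFASAML2Principal" parent="shibboleth.SAML2AuthnContextClassRef"
          c:_0="https://example.org/ac/classes/mfa" />
    <!-- general-authn.xml: Duo must declare that it produces the MFA principal,
         otherwise a Duo login never matches a service that asks for it. The
         authn/MFA descriptor advertises the union of its subflows' principals. -->
    <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
          p:forcedAuthenticationSupported="true" p:nonBrowserSupported="false">
        <property name="supportedPrincipals">
            <list><ref bean="MFASAML2Principal" /></list>
        </property>
    </bean>
    <!-- mfa-authn-config.xml: Password always runs first (empty key = start rule);
         after it succeeds a script decides whether Duo is needed. -->
    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
        </entry>
    </util:map>
    <!-- Duo runs only when the Password result alone does not satisfy what the
         service requested; returning null ends the MFA flow after Password. -->
    <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
          factory-method="inlineScript">
        <constructor-arg>
            <value><![CDATA[
                nextFlow = "authn/Duo";
                authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
                mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
                if (mfaCtx.isAcceptable()) {
                    nextFlow = null;   // Password was enough for this request
                }
                nextFlow;
            ]]></value>
        </constructor-arg>
    </bean>
    <!-- relying-party.xml: requests from this SP that name no authentication
         context are treated as if they had asked for MFASAML2Principal. -->
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://sp.example.org/shibboleth'}}">
            <property name="profileConfigurations"><list>
                <bean parent="SAML2.SSO">
                    <property name="defaultAuthenticationMethods">
                        <list><ref bean="MFASAML2Principal" /></list>
                    </property>
                </bean>
            </list></property>
        </bean>
    </util:list>
</beans>
```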

Re: what's relying-party bean attribute "c:_0"?

Kunal Shah
Scott,

Can you please send that wiki link for Spring?

Thanks
Kunal 

On 28-Jun-2018, at 4:28 AM, Cantor, Scott <[hidden email]> wrote:

I pointed you to the wiki topic on Spring that links to the important chapter in their documentation. You're going to have to read it to be successful with this, the IdP configuration is based on knowing the basics of using Spring, full stop.



RE: what's relying-party bean attribute "c:_0"?

Cantor, Scott E.
> Can you please send that wiki link for Spring?

It's right in the documentation under Configuration, one of the first topics.

-- Scott


Re: what's relying-party bean attribute "c:_0"?

Clayton
The link Scott sent me earlier is:

Thanks Scott. Knowing that that syntax is a Spring thing is just what I was looking for.

--Clayton
