Transforms on RemoteUser


Transforms on RemoteUser

Simon Lundström-2
Heyo!

Just to eradicate my last hope, there isn't a way to use Transforms with
RemoteUser, right?

I want to strip the @REALM from what we get from REMOTE_USER.

I know that RemoteUserInternal has this feature but our setup is not
easily ported to it, sadly.

BR,
- Simon

____________________________________

Simon Lundström
Section for Infrastructure

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden

www.su.se/english/staff-info/it
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Transforms on RemoteUser

Peter Schober
* Simon Lundström <[hidden email]> [2018-05-08 13:53]:
> Just to eradicate my last hope, there isn't a way to use Transforms
> with RemoteUser, right?
>
> I want to strip the @REALM from what we get from REMOTE_USER.

At some point you will pull REMOTE_USER into an attribute definition
with the IDP, no? Other attribute definitions can pull in that value
and freely manipulate it?
-peter

Re: Transforms on RemoteUser

Peter Schober
* Peter Schober <[hidden email]> [2018-05-08 14:32]:
> * Simon Lundström <[hidden email]> [2018-05-08 13:53]:
> > Just to eradicate my last hope, there isn't a way to use Transforms
> > with RemoteUser, right?
> >
> > I want to strip the @REALM from what we get from REMOTE_USER.
>
> At some point you will pull REMOTE_USER into an attribute definition
> with the IDP, no? Other attribute definitions can pull in that value
> and freely manipulate it?

Also I'd expect Subject Canonicalization to work just the same,
e.g. the example from SPNEGO:
https://wiki.shibboleth.net/confluence/display/IDP30/SPNEGOAuthnConfiguration#SPNEGOAuthnConfiguration-ConfiguringSubjectCanonicalization

-peter

Re: Transforms on RemoteUser

Simon Lundström-2
In reply to this post by Peter Schober
On Tue, 2018-05-08 at 14:32:16 +0200, Peter Schober wrote:
>* Simon Lundström <[hidden email]> [2018-05-08 13:53]:
>> Just to eradicate my last hope, there isn't a way to use Transforms
>> with RemoteUser, right?
>>
>> I want to strip the @REALM from what we get from REMOTE_USER.
>
>At some point you will pull REMOTE_USER into an attribute definition
>with the IDP, no? Other attribute definitions can pull in that value
>and freely manipulate it?

Yes, but that's the least of my concern.

The Username is used within the consent module and other things(?) as a
key. And "simlu" and "[hidden email]" are different keys, which means that
I have to agree to the ToS and consent twice depending on which
authentication mechanism I use.

BR,
- Simon

Re: Transforms on RemoteUser

Simon Lundström-2
In reply to this post by Peter Schober
On Tue, 2018-05-08 at 14:38:45 +0200, Peter Schober wrote:

>* Peter Schober <[hidden email]> [2018-05-08 14:32]:
>> * Simon Lundström <[hidden email]> [2018-05-08 13:53]:
>> > Just to eradicate my last hope, there isn't a way to use Transforms
>> > with RemoteUser, right?
>> >
>> > I want to strip the @REALM from what we get from REMOTE_USER.
>>
>> At some point you will pull REMOTE_USER into an attribute definition
>> with the IDP, no? Other attribute definitions can pull in that value
>> and freely manipulate it?
>
>Also I'd expect Subject Canonicalization to work just the same,
>e.g. the example from SPNEGO:
>https://wiki.shibboleth.net/confluence/display/IDP30/SPNEGOAuthnConfiguration#SPNEGOAuthnConfiguration-ConfiguringSubjectCanonicalization

Sadly, that doesn't work (I have tried it). And I suspect it has
something to do with RemoteUser being an "External" Servlet-thingy.

BR,
- Simon

Re: Transforms on RemoteUser

Peter Schober
In reply to this post by Simon Lundström-2
* Simon Lundström <[hidden email]> [2018-05-08 15:06]:
> The Username is used within the consent module and other things(?) as a key.
> And "simlu" and "[hidden email]" are different keys, which means that I have to
> agree to the ToS and consent twice depending on which authentication
> mechanism I use.

And the post authn subject c14n from the documentation does not apply
there?

-peter

RE: Transforms on RemoteUser

Cantor, Scott E.
In reply to this post by Simon Lundström-2
> Sadly, that doesn't work (I have tried it). And I suspect it has something to do
> with RemoteUser being an "External" Servlet-thingy.

No, it would work fine.
 
-- Scott


Re: Transforms on RemoteUser

Jim Fox
In reply to this post by Simon Lundström-2
>
> Just to eradicate my last hope, there isn't a way to use Transforms with
> RemoteUser, right?
>
> I want to strip the @REALM from what we get from REMOTE_USER.
>

Is this by any chance a REMOTE_USER from Apache's auth_kerb? If so you can strip it with

   KrbLocalUserMapping on

Jim


Re: Transforms on RemoteUser

Simon Lundström-2
On Tue, 2018-05-08 at 08:14:59 -0700, Jim Fox wrote:

>>
>>Just to eradicate my last hope, there isn't a way to use Transforms
>>with RemoteUser, right?
>>
>>I want to strip the @REALM from what we get from REMOTE_USER.
>>
>
>Is this by any chance a REMOTE_USER from Apache's auth_kerb? If so you can strip it with
>
>  KrbLocalUserMapping on

Ah, that wasn't in the documentation! But as always, read the source = )

I've been thinking about switching to
<https://github.com/modauthgssapi/mod_auth_gssapi/> (GssapiNegotiateOnce
makes it especially tempting and that it doesn't segfault under
pressure).

Thanks!

- Simon

Re: Transforms on RemoteUser

Simon Lundström-2
In reply to this post by Cantor, Scott E.
On Tue, 2018-05-08 at 13:22:36 +0000, Cantor, Scott wrote:
>> Sadly, that doesn't work (I have tried it). And I suspect it has something to do
>> with RemoteUser being an "External" Servlet-thingy.
>
>No, it would work fine.

Perfect!

I see now that I made two errors:
1. The regex was too greedy, so it matched everything instead of just the
username.
2. I didn't troubleshoot enough when a co-worker was having issues (I
was just about to leave, so I reverted and never went back to why it
broke). The problem was that the user already had an existing session
where the username was already scoped with the realm, and when the IDP
tried to resolve the attributes with a scoped user as uid, well, it blew
up.

Since this is just a test I'll just ask everyone to reset their sessions,
and when I do the prod release I'll do it in the evening/night when sessions
are bound to expire.

Thanks as always Scott!

BR,
- Simon
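Added illustration, not code or configuration from the thread or from the Shibboleth project: it models the c14n transform list as ordered (regex, replacement) pairs and shows why the realm-stripping regex should be anchored to the one trusted realm, so that the two login paths Simon describes map to the same consent key while a principal from some other realm does not collapse onto a local username. The realm, usernames and the over-broad pattern are constructed; the thread does not show the real regex.

```python
import re

# Constructed example values; the thread does not disclose the real realm
# or the regex that was "too greedy".
TRUSTED_REALM = "EXAMPLE.ORG"

# Transform pairs in the shape of Java's Matcher.replaceAll(): (regex, replacement).
# Over-broad: strips *any* realm, so user@OTHER.REALM collapses onto "user".
OVERBROAD = [(r"^(.*)@.*$", r"\1")]
# Anchored to the trusted realm: any other value is passed through unchanged.
STRICT = [(r"^([^@]+)@" + re.escape(TRUSTED_REALM) + r"$", r"\1")]


def apply_transforms(principal, transforms):
    """Apply each (regex, replacement) pair in order to the raw REMOTE_USER value."""
    value = principal
    for pattern, repl in transforms:
        value = re.sub(pattern, repl, value)
    return value


def consent_keys(principals, transforms):
    """Map each raw login name to the key a per-user store (e.g. consent) would see."""
    return {p: apply_transforms(p, transforms) for p in principals}


# Constructed sample logins for one person plus a foreign-realm principal.
SAMPLE = [
    "simlu",                 # unscoped login, e.g. from a password form
    "simlu@EXAMPLE.ORG",     # Kerberos principal arriving via REMOTE_USER
    "simlu@OTHER.REALM",     # principal from a realm we do not trust
]


def same_user_collapses(transforms):
    """True if the scoped and unscoped logins of the same person share one key."""
    keys = consent_keys(SAMPLE, transforms)
    return keys["simlu"] == keys["simlu@EXAMPLE.ORG"]


def foreign_realm_preserved(transforms):
    """True if a foreign-realm principal is NOT folded onto the local username."""
    keys = consent_keys(SAMPLE, transforms)
    return keys["simlu@OTHER.REALM"] != keys["simlu"]


if __name__ == "__main__":
    for name, t in (("over-broad", OVERBROAD), ("strict", STRICT)):
        print(name, consent_keys(SAMPLE, t))
```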