Trouble with SP Attributes

Trouble with SP Attributes

George Glessner

I am having a hard time being able to call the SP Attributes in one of my classic ASP pages. Right now we do not send any attributes over the IDP but I should still be able to get some information such as Shib-Identity-Provider. Below is the result of my Shibboleth.sso/Session.

 

Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 127.0.0.1
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: [identity providers information]
Authentication Time: 2018-06-28T18:36:33.553Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes

Here is my RequestMapper:

    <RequestMapper type="Native">
        <RequestMap>
            <!--
            The example requires a session for documents in /secure on the containing host with http and
            https on the default ports. Note that the name and port in the <Host> elements MUST match
            Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
            -->
            <Host name="george-oxygen.seitrakker.com" scheme="http" port="8080">
                <Path name="intranet" authType="shibboleth" requireSession="true"/>
            </Host>
            <!-- Example of a second vhost mapped to a different applicationId. -->
            <!--
            <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
            -->
        </RequestMap>
    </RequestMapper>

The way I understand it, anything under the intranet folder should require a session? So if I were to call Request("HTTP_SHIB_IDENTITY_PROVIDER") in a file in the intranet folder, I should be able to get that value? I may be totally misunderstanding this part.


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Trouble with SP Attributes

Peter Schober
* George Glessner <[hidden email]> [2018-06-28 20:44]:

>     <RequestMapper type="Native">
>         <RequestMap>
>             <!--
>             The example requires a session for documents in /secure on the containing host with http and
>             https on the default ports. Note that the name and port in the <Host> elements MUST match
>             Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
>             -->
>             <Host name="george-oxygen.seitrakker.com" scheme="http" port="8080">
>                 <Path name="intranet" authType="shibboleth" requireSession="true"/>
>             </Host>
>             <!-- Example of a second vhost mapped to a different applicationId. -->
>             <!--
>             <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
>             -->
>         </RequestMap>
>     </RequestMapper>
>
> The way I understand it, anything under the intranet folder
> should require a session? So if I were to call
> Request("HTTP_SHIB_IDENTITY_PROVIDER") in a file in the intranet
> folder, I should be able to get that value?

If that's the right API call to use (I don't know ASP), then yes.
Provided the rest of the config even works, e.g. are you getting
redirected to the IDP if you're accessing
http://george-oxygen.seitrakker.com:8080/intranet with a "fresh"
browser? If not see "SP does not protect" in the Common Problems
section of the wiki.
Also pay attention to the comment above about IIS Site names.

-peter

RE: Trouble with SP Attributes

George Glessner
I get redirected to the IDP when I go to http://george-oxygen.seitrakker.com:8080/intranet, but say I enter http://george-oxygen.seitrakker.com:8080/intranet/images/test.jpg, I do not get prompted by the IDP to enter my credentials. Both my host name and site name are identical in <ISAPI> and <RequestMap>.

RE: Trouble with SP Attributes

Cantor, Scott E.
On IIS the safeHeaderNames option will collapse the punctuation in the header names; the wiki discusses that. Don't know that that's your issue, but it's possible.

Dump your headers with a loop and you'll know what's there or not.

-- Scott
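
The header dump suggested above, as an added example that is not part of the original thread: a classic ASP (VBScript) page that lists every request header under the name ASP sees it, then looks up the identity provider header by name. The second lookup name, HTTP_SHIBIDENTITYPROVIDER, is an assumption about what the header looks like once safeHeaderNames has removed the punctuation.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Temporary diagnostic page: place it under the protected path, load it once
' after signing in, then delete it.
Response.ContentType = "text/plain"   ' values are shown as text, never rendered as HTML
Response.Expires = -1                 ' keep session details out of caches

' Headers whose values must not be echoed back (session cookies, credentials).
Function IsSensitive(key)
    IsSensitive = (key = "HTTP_COOKIE" Or key = "HTTP_AUTHORIZATION")
End Function

Dim allHeaders, entry, pos, headerName, headerValue, candidate

' ALL_HTTP lists every request header as HTTP_NAME:value, one per line,
' using the same names that Request.ServerVariables accepts.
allHeaders = Request.ServerVariables("ALL_HTTP")
For Each entry In Split(Replace(allHeaders, vbCr, ""), vbLf)
    pos = InStr(entry, ":")
    If pos > 1 Then
        headerName = UCase(Trim(Left(entry, pos - 1)))
        headerValue = Trim(Mid(entry, pos + 1))
        If IsSensitive(headerName) Then headerValue = "[redacted]"
        Response.Write headerName & " = " & headerValue & vbCrLf
    End If
Next

Response.Write vbCrLf & "Lookups by name:" & vbCrLf
' The second name is an assumption: the first name with its punctuation
' removed, as safeHeaderNames is described as doing in this thread.
For Each candidate In Array("HTTP_SHIB_IDENTITY_PROVIDER", "HTTP_SHIBIDENTITYPROVIDER")
    headerValue = Request.ServerVariables(candidate)
    If Len(headerValue) = 0 Then headerValue = "(not set)"
    Response.Write candidate & " = " & headerValue & vbCrLf
Next
%>
```

If neither lookup returns a value but the page loads without a redirect to the IdP, the request was not covered by the RequestMap rule in the first place.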
