User login on a website using Shibboleth without a browser


User login on a website using Shibboleth without a browser

Benito van der Zander
Hi,

when you are a user of a website using Shibboleth, the login is straightforward. You click the login button on the website in the browser, are redirected to Shibboleth, enter your login data, and are then redirected back to the webpage.

But I would like to automate that login without a browser, almost like in a bash script.

Now handling the first redirection is simple, it is 302-status in this case. Then send the POST request with the login data. Zero issues there, and it is the same for all users.

But how do you handle the second redirection back to the webpage? What different kinds of redirects are used by SAML2/Shibboleth? In the browser there seems to be a javascript performing the redirection, but that cannot be used by scripts.
Some Shibboleths have a <button> to click, and sometimes that button is actually a <input type=select> element. Sometimes there are different buttons, one aborting everything. I think I saw a link once.
Is there a list of all possible redirects used by Shibboleth? (the real issue is that my Shibboleth password has expired, so I cannot see anything past the login form, but a solution for all Shibboleths better than one for a specific Shibboleth anyways)


Bye,
Benito

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: User login on a website using Shibboleth without a browser

Rod Widdowson
> But I would like to automate that login without a browser, almost like in a bash script.

Hmmm.

You need to be aware, if you are not already, that Shibboleth SP and IdP are both implementations (_Very_ complete implementations) of several standardized profiles based upon several standardized protocols and formats.

Screen scraping and reverse engineering that is going to be painful and fragile.

You need to research SAML fully (There's some stuff in Wikipedia which AIUI were heavily edited by one of the contributors to this list) and read and understand the standards (they are all up on oasis-open.org)  Use a Shibboleth SP and IdP to help your understanding.  If you really want a non-browser profile you need to consider ECP.

Armed with that you will know the answer to most of your questions, but it is a learning cliff.

But we are sort of jumping to an implementation question ("gluing wings on a pig").  What are you trying to achieve?

/Rod


Re: User login on a website using Shibboleth without a browser

Tom Scavo
In reply to this post by Benito van der Zander
On Sat, Apr 28, 2018 at 6:59 PM, Benito van der Zander
<[hidden email]> wrote:
>
> I would like to automate that login without a browser, almost like in a
> bash script.

I've done this (in bash, no less) but unless you own the IdP, you're
stopped dead in your tracks at the login page. Rod's question is spot
on: What are you trying to do?

Tom

Re: User login on a website using Shibboleth without a browser

Timo Tunturi
In reply to this post by Benito van der Zander
On 29/04/2018 1.59, Benito van der Zander wrote:
> when you are a user of a website using Shibboleth, the login is
> straightforward. You click the login button on the website in the
> browser, are redirected to Shibboleth, enter your login data, and are
> then redirected back to the webpage.
>
> But I would like to automate that login without a browser, almost like
> in a bash script.

FWIW people in our Uni use phantomjs to script Shibboleth IdP logins to
various services for monitoring purposes. I have not done any work with
phantomjs so I cannot give you any more details about that.

Timo Tunturi / Aalto University IT Services

Re: User login on a website using Shibboleth without a browser

Benito van der Zander
Hi,

> You need to research SAML fully (There's some stuff in Wikipedia which AIUI were heavily edited by one of the contributors to this list) and read and understand the standards (they are all up on oasis-open.org)  Use a Shibboleth SP and IdP to help your understanding.  If you really want a non-browser profile you need to consider ECP.

Woah, so many abbreviations

I was more looking for the HTML generated by the most popular Shibboleths. I do not need to understand what it means. Wikipedia shows a <form> element with SAMLResponse and RelayState <input>, that is good, but I have seen it already.

An _eventId_proceed input element is also very popular. Most Shibboleths I looked at have an _eventId_proceed and fail without it, even though it has an empty value.


I just realized I was only using input elements to build the request, not considering how the form was submitted.
There is at least one Shibboleth that has a <button name="_eventId_proceed" .../> in the HTML. Now I search for that button, too, might fix my problem, but I cannot know.

One can also create submit buttons using  <input type="image">. Does anyone use that with Shibboleth?

> Rod's question is spot on: What are you trying to do?

Full disclosure: I wrote an app VideLibri that scrapes the webpages of libraries to show the lent books and warn about the due date. Late fees can become really expensive when you return the books too late.

Some university libraries have two separate logins, one for non-students and one for students that redirects to the Shibboleth of the university.

I can login with a non-student account (at some libraries) and see that everything works perfectly, but the students say they cannot login and I must fix it. The library says they do not want an app and will not help. And the university has not replied at all, yet.



> FWIW people in our Uni use phantomjs to script Shibboleth IdP logins to various services for monitoring purposes.

I think such a framework is too heavy. Mobile apps need to use minimal resources. I already wrote a small HTML parser for this, now I just need to find the HTML.

Cheers,
Benito 




RE: User login on a website using Shibboleth without a browser

Cantor, Scott E.
> Woah, so many abbreviations

If you want to ask questions, a good way to be ignored afterward is to complain that you don't want or need to understand the answer.

> I was more looking for the HTML generated by the most popular Shibboleths.
> i do not need to understand what it means. Wikipedia shows a <form>
> element with SAMLResponse and RelayState <input>, that is good, but I
> have seen it already.

What you're doing is not supported. The interactions that are involved are proprietary and undocumented, they exist solely to support browsers. The only SAML profile that supports non-browser clients is the ECP variant that is SOAP based.

-- Scott


Re: User login on a website using Shibboleth without a browser

Benito van der Zander
> What you're doing is not supported. The interactions that are involved are proprietary and undocumented, they exist solely to support browsers.

 So we need to start documenting them. Could fill an implementation wiki

Everyone who has a Shibboleth needs to post the HTML plz.

I found another publicly accessible Shibboleth and the button is <input type="submit" name="confirm" value="Akzeptieren" />. A classic submit button, just be careful not to pick the reset button

Best,
Benito 




Re: User login on a website using Shibboleth without a browser

Peter Schober
In reply to this post by Benito van der Zander
* Benito van der Zander <[hidden email]> [2018-04-29 01:00]:
> But I would like to automate that login without a browser, almost
> like in a bash script.

For use with your own IDP? You mean something like Jim's webisoget?
https://staff.washington.edu/fox/webisoget/

-peter

Re: User login on a website using Shibboleth without a browser

Peter Schober
In reply to this post by Benito van der Zander
* Benito van der Zander <[hidden email]> [2018-04-30 23:56]:
> Everyone who has a Shibboleth needs to post the HTML plz.

You're joking, I hope.

> I found another publicly accessible Shibboleth and the button is
> <input type="submit" name="confirm" value="Akzeptieren" />. A
> classic submit button, just be careful not to pick the reset button

What are you trying to do specifically? Script all the IDPs in the
world (or in Germany)? And why would you limit whatever you're doing
to the Shibboleth implementation of a SAML IDP, and not to all SAML
IDPs that conform to the specification?

Are you trying to create a non-browser application and forcing it to
use the SAML browser-profile? (If so why not use the non-browser SAML
profile created for that specific purpose, called ECP? The shib wiki
even has contributed BASH and Python ECP command line clients:
https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions)

There are thousands of SAML IDPs in the world (what you probably meant
when you talk about "Shibboleth" or "Shibboleths") and several hundred
in Germany alone. The HTML they will generate for different web
browsers to consume is none of your business, really.  And it will
always vary and in more unexpected ways than what you'll be able to
script around. So don't do that.

(Also your "I found another publicly accessible Shibboleth" seems to
suggest you haven't looked too closely, as there are almost 3000 SAML
easily reachable IDPs in the academic sector in case one wanted to
study the variances of their login pages -- to the extent that can
even be done, some may vary the output taking into account who/what is
asking, making any such endeavors futile.)

-peter

Re: User login on a website using Shibboleth without a browser

William Eubank
Seems like maybe you are looking for something like CAS offers?  A REST API?  CAS can do saml2 as well.


-W


--
William Eubank
Sr Software Development Lead
VBRH, C-2A
Office of Information Technology (OIT)
University of Alabama in Huntsville
256-824-5375
[hidden email]

“The only thing worse than a problem without a solution is a solution that does not address a problem.”



 



Re: User login on a website using Shibboleth without a browser

Peter Schober
* William Eubank <[hidden email]> [2018-05-03 16:00]:
> Seems like maybe you are looking for something like CAS offers?  A REST
> API?  CAS can do saml2 as well.

And Shibboleth speaks CAS, and supports ECP.

-peter

Re: User login on a website using Shibboleth without a browser

Benito van der Zander
Hi Peter,


> For use with your own IDP?

Someone's IDP

> You mean something like Jim's webisoget?
> https://staff.washington.edu/fox/webisoget/

Very similar.

There it says:

> If the page text contains a meta refresh, and its time delay is zero, the redirection will be followed.

I had that rule, too. But now I noticed one of the pages has a meta element in a noscript element and you must not follow that redirection, or you end up on a page telling you to turn on JavaScript.


> > Everyone who has a Shibboleth needs to post the HTML plz.
> You're joking, I hope.

It would really help

The HTML that was just posted by Dave Dole is nice. That is just like the HTML my app was handling so far. The submit input has no name, so I could ignore it...

> What are you trying to do specifically? Script all the IDPs in the
> world (or in Germany)?

Just log in at half a dozen universities

But I do not know which implementation they use, so it is more reliable to implement it for all Shibboleths. When it works for all Shibboleths, it is most likely that it works for the relevant ones as well.

> And why would you limit whatever you're doing
> to the Shibboleth implementation of a SAML IDP, and not to all SAML
> IDPs that conform to the specification?

Because I do not know if they implement the specification correctly, only that people can use their webpage. And after the login I need to scrape the data from the proprietary library OPAC system, and I do not know how that system handles these kinds of login, I only know Shibboleth redirects to that system.

> (Also your "I found another publicly accessible Shibboleth" seems to
> suggest you haven't looked too closely, as there are almost 3000 SAML
> easily reachable IDPs in the academic sector in case one wanted to
> study the variances of their login pages -- to the extent that can
> even be done, some may vary the output taking into account who/what is
> asking, making any such endeavors futile.)

Publicly accessible with a public _password_, e.g. https://www.switch.ch/aai/demo/

The login pages themselves can be handled by a four line script, the question is what happens after the login.
 

Cheers,
Benito 




Re: User login on a website using Shibboleth without a browser

Peter Schober
* Benito van der Zander <[hidden email]> [2018-05-05 15:06]:
> >What are you trying to do specifically? Script all the IDPs in the
> >world (or in Germany)?
>
> Just log in at half a dozen universities

In the context of this list that's not nearly sufficiently specific
for anyone to suggest anything. So far the only thing to say is what
you're doing is certainly wrong.

> But I do not know which implementation they use, so it is more
> reliable to implement it for all Shibboleths. When it works for all
> Shibboleths, it is most likely that it works for the relevant ones
> as well.

What are "Shibboleths"? SAML 2.0 IDPs running the Shibboleth
implementation? Or SAML 2.0 IDPs in general?
If you "do not know which implementation they use" then clearly the
latter, which makes all of this off-topic for this list.

I'd suggest use of the saml-dev list provided by OASIS instead, but
you should be prepared for more "use ECP", since it was created
specifically for non-browser HTTP clients, which is what you're asking
about.

-peter
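ECP is named in nearly every reply above as the supported way to do this, so here is the client side of that profile as an added example. It is not code from the thread, from the contributed ECP clients on the wiki, or from the Shibboleth project, and it runs offline against constructed SOAP envelopes: the hosts, paths and entityIDs in them (sp.example.org, /Shibboleth.sso/SAML2/ECP, /opac/account) are made up. It shows the four things the client has to get right: the Accept/PAOS headers that make the SP answer with a PAOS envelope instead of an HTML login page, pulling responseConsumerURL, RelayState and the AuthnRequest out of that envelope, re-wrapping the AuthnRequest for the IdP (the password travels as HTTP Basic auth, not in the XML), and the check the profile puts on the client before it delivers the IdP's answer: the AssertionConsumerServiceURL the IdP names must equal the responseConsumerURL the SP gave, otherwise the response is not delivered.

```python
"""Client side of the SAML ECP (Enhanced Client or Proxy) profile, offline.
Added example, not code from the thread, from the contributed ECP clients
it links, or from the Shibboleth project.  The SOAP envelopes below are
constructed stand-ins for what an SP and an IdP send; every host, path and
entityID in them is made up."""
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
S = "{%s}" % NS["S"]


def paos_request_headers():
    """Step 1: added to the GET of the protected SP resource so the SP
    answers with a PAOS envelope instead of an HTML login redirect."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": 'ver="urn:liberty:paos:2003-08";"%s"' % NS["ecp"]}


def parse_sp_request(envelope):
    """Step 2: keep the responseConsumerURL (where the answer must go), the
    RelayState header (echoed back unchanged) and the AuthnRequest body."""
    root = ET.fromstring(envelope)
    paos = root.find("S:Header/paos:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos is None or authn is None:
        raise ValueError("not an ECP PAOS request")
    return {"response_consumer_url": paos.get("responseConsumerURL"),
            "relay_state": root.find("S:Header/ecp:RelayState", NS),
            "authn_request": authn}


def build_idp_request(authn_request):
    """Step 3: the AuthnRequest goes to the IdP's SOAP/ECP endpoint in a bare
    envelope; the password travels as HTTP Basic auth, never inside the XML."""
    env = ET.Element(S + "Envelope")
    ET.SubElement(env, S + "Body").append(authn_request)
    return ET.tostring(env)


def acs_matches(idp_envelope, expected_acs):
    """The check the profile puts on the client: the endpoint the IdP names
    in ecp:Response/@AssertionConsumerServiceURL must equal the SP's
    responseConsumerURL.  Otherwise a response minted for one service is
    being steered to another and the client must not deliver it (it sends
    a SOAP fault to the SP instead)."""
    ecp_resp = ET.fromstring(idp_envelope).find("S:Header/ecp:Response", NS)
    return ecp_resp is not None and ecp_resp.get("AssertionConsumerServiceURL") == expected_acs


def build_sp_response(idp_envelope, expected_acs, relay_state):
    """Step 4: once the check passes, drop the IdP's headers, put the SP's
    RelayState back and POST the result to expected_acs with
    Content-Type: application/vnd.paos+xml."""
    if not acs_matches(idp_envelope, expected_acs):
        raise ValueError("AssertionConsumerServiceURL does not match the SP's responseConsumerURL")
    saml_resp = ET.fromstring(idp_envelope).find("S:Body/samlp:Response", NS)
    if saml_resp is None:
        raise ValueError("no samlp:Response in IdP envelope")
    env = ET.Element(S + "Envelope")
    header = ET.SubElement(env, S + "Header")
    if relay_state is not None:
        header.append(relay_state)
    ET.SubElement(env, S + "Body").append(saml_resp)
    return ET.tostring(env)


# Constructed messages (made-up hosts); real ones carry signed assertions.
ACTOR = 'S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"'
SP_PAOS = ('<S:Envelope xmlns:S="%(S)s" xmlns:paos="%(paos)s" xmlns:ecp="%(ecp)s"'
           ' xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s"><S:Header>'
           '<paos:Request ' + ACTOR + ' service="%(ecp)s"'
           ' responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>'
           '<ecp:Request ' + ACTOR + ' IsPassive="false">'
           '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer></ecp:Request>'
           '<ecp:RelayState ' + ACTOR + '>/opac/account</ecp:RelayState></S:Header>'
           '<S:Body><samlp:AuthnRequest ID="_q1" Version="2.0" IssueInstant="2018-05-07T13:49:00Z"'
           ' AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP">'
           '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer></samlp:AuthnRequest>'
           '</S:Body></S:Envelope>') % NS


def idp_envelope(acs):
    """IdP reply, parameterised by ACS so the mismatch case can be shown."""
    return ('<S:Envelope xmlns:S="%(S)s" xmlns:ecp="%(ecp)s" xmlns:samlp="%(samlp)s"><S:Header>'
            '<ecp:Response ' + ACTOR + ' AssertionConsumerServiceURL="' + acs + '"/></S:Header>'
            '<S:Body><samlp:Response ID="_r1" Version="2.0" InResponseTo="_q1"'
            ' IssueInstant="2018-05-07T13:49:05Z"><samlp:Status><samlp:StatusCode'
            ' Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '</samlp:Response></S:Body></S:Envelope>') % NS


if __name__ == "__main__":
    sp = parse_sp_request(SP_PAOS)
    print(build_sp_response(idp_envelope(sp["response_consumer_url"]), sp["response_consumer_url"], sp["relay_state"]).decode())
    print("mismatch rejected:", not acs_matches(idp_envelope("https://other.example.net/acs"), sp["response_consumer_url"]))
```

The HTTP calls are left to the caller: one GET to the SP with paos_request_headers(), one POST of build_idp_request() to the IdP's SOAP/ECP endpoint with Basic auth, and one POST of build_sp_response() to the URL the SP gave with Content-Type application/vnd.paos+xml. The part a quick script is most likely to skip is acs_matches(); without it the client will happily hand an IdP response to whatever endpoint the IdP (or someone between the client and the IdP) names.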

RE: User login on a website using Shibboleth without a browser

Joseph Fischetti
As others have said, using the ECP endpoint would really be the right way to
handle this, but since it doesn't seem like you have any control of the
IdPs in question... that's not an option for you.

Below is [the relevant code from] a bash script that logs in to a service
provider via a specified idp.  A successful login to the SP would produce a
cookie for the service provider's entityID in /tmp/sessioncookies.  I use it
for monitoring whether or not our shibboleth authentication is working to a
given service provider.

In short, if you curl the idp initiated login url with valid credentials,
you'll get (among other things) the SAML Response, which needs to be
formatted and posted to a service provider. No need to find login buttons or
parse html with the given solution.

There's probably better ways to do this, and your mileage may vary...

# log into the auth page using idp initiated login with test credentials,
# save the cookies to a local file
# (-k skips TLS certificate verification: keep it only for a test IdP, since
#  with it USERNAME:PASSWORD goes to whoever answers on IDPURL)
curl --cookie-jar /tmp/sessioncookies -k -u USERNAME:PASSWORD -o /tmp/login.html \
  "IDPURL/idp/profile/SAML2/Unsolicited/SSO?providerId=https://$entityID"

# Create a file for the SAML Response, which will be passed to the SP page in
# a post.  Format is SAMLResponse=XXXXXXXX (printf rather than echo, so no
# newline separates the name from the value)
printf 'SAMLResponse=' > /tmp/validsession.data
awk 'match($0, /value=\".*\"\/>/) {print substr($0, RSTART+7, RLENGTH-10)}' /tmp/login.html \
  | grep -v "Continue" >> /tmp/validsession.data

# Formatting of the response has plus signs, and those need to be replaced
# with %2B
sed -i -e 's/\+/\%2B/g' /tmp/validsession.data

# Post the saml response to the SP, use the same cookie jar
curl -L -b /tmp/sessioncookies --cookie-jar /tmp/sessioncookies -i -X POST \
  -o /tmp/successtmp.html "https://$entityID/Shibboleth.sso/SAML2/POST" \
  --data-binary "@/tmp/validsession.data"

Joe Fischetti
Linux System Administrator
Marist College

E-mail: [hidden email]


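Benito's questions about which control to "click" (an _eventId_proceed button with an empty value, a submit button next to a reset button, an unnamed submit, an image button, a meta refresh hiding inside noscript) and Joseph's sed step for the plus signs are two halves of the same job: re-creating what the browser does with the page it is handed. Below, as an added example that is not code from the thread or from the Shibboleth project, a small form extractor in Python that does that for the page shapes the thread describes. The HTML samples at the bottom are constructed for it and every host and path in them is made up; the proceed/cancel control names it prefers (_eventId_proceed, _eventId_cancel) are the ones mentioned in the thread, not a complete list, and they are parameters.

```python
"""Turn the HTML a SAML IdP or SP hands to a browser (the self-submitting
POST-binding form, or a Shibboleth IdP view that waits for a click) into the
request a non-browser client has to send.  Added example, not code from the
thread or from the Shibboleth project; the HTML at the bottom is constructed
from the element shapes the thread mentions and every URL in it is made up."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin


class FormExtractor(HTMLParser):
    """Collect each form's action, method and controls the way a browser
    submits them: hidden/text inputs always, check boxes only when checked,
    reset buttons never, and exactly one submit control (chosen later).
    A <meta refresh> inside <noscript> is the JavaScript-is-off fallback,
    not the real continuation, so it is deliberately not recorded."""

    def __init__(self):
        super().__init__()
        self.forms, self.meta_refresh = [], None
        self._form, self._noscript = None, 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "noscript":
            self._noscript += 1
        elif tag == "meta" and not self._noscript and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = a.get("content")
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "method": (a.get("method") or "get").lower(),
                          "fields": [], "submits": []}
            self.forms.append(self._form)
        elif tag in ("input", "button") and self._form is not None:
            self._control(tag, a)

    def handle_endtag(self, tag):
        if tag == "noscript":
            self._noscript -= 1
        elif tag == "form":
            self._form = None

    def _control(self, tag, a):
        kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
        name, value = a.get("name"), a.get("value") or ""
        if kind in ("reset", "button"):            # never part of a submission
            return
        if kind in ("submit", "image"):            # candidates for "the click"
            self._form["submits"].append((name, value, kind))
        elif name is not None and (kind not in ("checkbox", "radio") or "checked" in a):
            self._form["fields"].append((name, value))


def build_submission(html, base_url, prefer=("_eventId_proceed",),
                     avoid=("_eventId_cancel", "cancel", "abort")):
    """Return (method, absolute URL, form-encoded body) for the first form
    with anything to send, or None.  The submit control is picked like a
    user would: a known "proceed" name first, else the first non-cancel one.
    urlencode applies the full application/x-www-form-urlencoded escaping,
    so '+', '/' and '=' in a base64 SAMLResponse arrive intact."""
    p = FormExtractor()
    p.feed(html)
    for form in p.forms:
        fields, submits = list(form["fields"]), form["submits"]
        click = (next((s for s in submits if s[0] in prefer), None)
                 or next((s for s in submits if (s[0] or "").lower() not in avoid), None))
        if click and click[0]:                     # an unnamed submit sends nothing
            name, value, kind = click
            # an image button reports click coordinates instead of its value
            fields += [(name + ".x", "0"), (name + ".y", "0")] if kind == "image" else [(name, value)]
        if fields:
            return form["method"], urljoin(base_url, form["action"]), urlencode(fields)
    return None


# Constructed samples (made-up hosts), one per page shape the thread describes.
POST_BINDING = """<html><body onload="document.forms[0].submit()">
<noscript><meta http-equiv="refresh" content="0;url=https://idp.example.edu/idp/nojs"></noscript>
<form method="post" action="https://sp.example.org/Shibboleth.sso/SAML2/POST">
<input type="hidden" name="RelayState" value="ss:mem:1234"/>
<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlPjwvc2FtbHA6UmVzcG9uc2U+"/>
<noscript><input type="submit" value="Continue"/></noscript></form></body></html>"""
IDP_VIEW = """<form action="/idp/profile/SAML2/Redirect/SSO?execution=e1s2" method="post">
<input type="hidden" name="csrf_token" value="abc123"/>
<input type="checkbox" name="_shib_idp_rememberConsent" value="true"/>
<button type="submit" name="_eventId_proceed">Accept</button>
<button type="submit" name="_eventId_cancel">Cancel</button></form>"""
CONSENT = """<form method="post" action="consent"><input type="hidden" name="SAMLResponse" value="Zm9v"/>
<input type="reset" value="Zurücksetzen"/><input type="submit" name="confirm" value="Akzeptieren"/></form>"""

if __name__ == "__main__":
    base = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s1"
    for page in (POST_BINDING, IDP_VIEW, CONSENT):
        print(build_submission(page, base))
```

Two things worth noticing against the bash version above: urlencode does the whole escaping, so the base64 '+' becomes %2B without a separate sed (and '/' and '=' are handled the same way), and the extractor takes exactly the hidden fields of the form that is going to be submitted rather than every value="..."/> on the page. The caveat the other posters give still stands: these views are not an interface, and an IdP can change them at any time.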

Re: User login on a website using Shibboleth without a browser

Luis Rodríguez Fernández
Hello Benito,

Joseph Fischetti's solution should work for you. CERN Linux folks implement something very similar [1]. However keep in mind that this is a hack. ECP should be the way to go.

> Just login in a half of dozen universities 

This statement makes me think that you are building some kind of test benchmarks. Some people (me included) use apache jmeter for this purpose [2]

Hope it helps,

Luis 





--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett



Re: User login on a website using Shibboleth without a browser

Peter Schober
* Luis Rodríguez Fernández <[hidden email]> [2018-05-07 18:26]:
> > Just login in a half of dozen universities
>
> This statement makes me think that you are building some kind of test
> benchmarks. Some people (me included) use apache jmeter for this purpose [2]

http://shibboleth.net/pipermail/users/2018-April/040229.html
I.e., it's an interface to multiple/arbitrary library systems based
on its own webscraping framework. So no amount of "You're doing it
wrong" or suggestion of alternative tooling will have any effect.

-peter

Re: User login on a website using Shibboleth without a browser

Benito van der Zander
In reply to this post by Joseph Fischetti
Hi Joseph,

> What are "Shibboleths"? SAML 2.0 IDPs running the Shibboleth
> implementation? Or SAML 2.0 IDPs in general?

The website says Shibboleth a dozen times and never mentions SAML in the text, so I guess it is the former.


> curl --cookie-jar /tmp/sessioncookies -k -u USERNAME:PASSWORD -o

An HTTP authentication? I did not know Shibboleth looks at the headers

> "IDPURL/idp/profile/SAML2/Unsolicited/SSO?providerId=https://$entityID"

And I do not know what an entityID is :/

> cat /tmp/login.html | awk 'match($0, /value=\".*\"\/>/) {print substr($0,
> RSTART+7, RLENGTH-10)}' | grep -v "Continue" >> /tmp/validsession.data

But this seems to need to parse the HTML, too. With my framework I could get this value with pattern matching <input name="SAMLResponse" value="{.}"/>, but I do know if such a server needs any other values

Cheers,
Benito 




Re: User login on a website using Shibboleth without a browser

Benito van der Zander

> But this seems to need to parse the HTML, too. With my framework I could get this value with pattern matching <input name="SAMLResponse" value="{.}"/>, but I do know if such a server needs any other values

but I do NOT know if such a server needs any other values

sorry



Re: User login on a website using Shibboleth without a browser

Peter Schober
In reply to this post by Benito van der Zander
* Benito van der Zander <[hidden email]> [2018-05-10 01:18]:
> > "IDPURL/idp/profile/SAML2/Unsolicited/SSO?providerId=https://$entityID"
>
> And I do not know what an entityID is :/

Here the unique identifier (a URI) of the SAML Service Provider to be accessed.

-peter