unable to capture eppn information from SAML2/POST at SP

unable to capture eppn information from SAML2/POST at SP

O'Quinn, Dennis

Hi, having trouble figuring out how to map the desired value from the SAMLResponse in Shibboleth.

 

I have my IdP returning:

<SAMLResponse>
.
.
.
        <saml:Assertion ID="teAnsub-RcnQBOVPwdN_64zAz62" IssueInstant="2018-06-11T17:56:31.648Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:Issuer>https://devsaml.homedepot.com</saml:Issuer>
            <saml:Subject>
                <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dxo5ic1</saml:NameID>
                <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                    <saml:SubjectConfirmationData Recipient="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2018-06-11T18:11:31.648Z" InResponseTo="_0aa24f12eb976fcc40d3cfd08077b0d3"/>
                </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2018-06-11T17:46:31.648Z" NotOnOrAfter="2018-06-11T18:11:31.648Z">
                <saml:AudienceRestriction>
                    <saml:Audience>https://sascloud.homedepot.com/shibboleth</saml:Audience>
                </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement SessionIndex="teAnsub-RcnQBOVPwdN_64zAz62" AuthnInstant="2018-06-11T17:56:31.648Z">
                <saml:AuthnContext>
                    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
                </saml:AuthnContext>
            </saml:AuthnStatement>
            <saml:AttributeStatement>
******************************************************************************************************************************
                <saml:Attribute Name="eppn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                    <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">dxo5ic1</saml:AttributeValue>
                </saml:Attribute>
******************************************************************************************************************************
            </saml:AttributeStatement>
        </saml:Assertion>
    </samlp:Response>
</SAMLResponse>

 

I have tried numerous mapping statements in my attribute-map.xml, but, I can get nothing trapped and recorded in the transaction log as ‘cached’ nor is my application detecting the information I am hoping to pass to it.

 

I have simplified my attribute map to the following:

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:attribute-map
    /usr/share/xml/shibboleth/shibboleth-2.0-attribute-map.xsd"
    REMOTE_USER="eppn">

    <Attribute name="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="eppn">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="true"/>
    </Attribute>
</Attributes>

 

Can someone advise me on what I am missing here and why I can’t seem to trap the eppn value (which I am hoping will populate REMOTE_USER in the headers)….

 

NOTE: I am using the following in my Apache conf to rewrite the header from REMOTE_USER to x-Remote-User for the application….

<Location /SASLogon/login>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1]
  RequestHeader set X-Remote-User "%{RU}e" env=RU
</Location>

 

Thanks in advance, Dennis

 

Dennis O’Quinn | EDW Infrastructure Engineering | NAE115H @ 2250 MTC
The Home Depot | Marietta Technology Center | 2250 Newmarket Parkway | Marietta, GA  30067
Direct: 470.689.4513 | Cell: 470.658.1183 | Internal: 24513
[hidden email]


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
RE: unable to capture eppn information from SAML2/POST at SP

Cantor, Scott E.
> I have simplified my attribute map to the following:
>
> <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
>     REMOTE_USER="eppn">

I'm pretty sure that's "broken" rather than simplified, I don't see REMOTE_USER in the schema and didn't think it was a valid setting. Depends whether you tell it to validate that particular bit of XML or not, but if you did it wouldn't load and would log that at startup. Otherwise I would guess it should be ok, but that isn't where REMOTE_USER is determined, that's set in shibboleth2.xml

So my guess would be you are validating (which is what the default shipping settings do) and that would be the most likely problem.

The rule itself looks fine such as it is, though that certainly is not eduPersonPrincipalName as defined by the relevant authority over what that attribute means. I wouldn't advise using the "eppn" shorthand just out of sheer avoidance of confusion if you use it for something you're making up locally, but it's your decision.

-- Scott


Re: unable to capture eppn information from SAML2/POST at SP

Peter Schober
In reply to this post by O'Quinn, Dennis
* O'Quinn, Dennis <[hidden email]> [2018-06-11 20:19]:
>                 <saml:Attribute Name="eppn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>                     <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">dxo5ic1</saml:AttributeValue>
>                 </saml:Attribute>

1. "eppn" is not the correct name (that would be
"urn:oid:1.3.6.1.4.1.5923.1.1.1.6"), at least if you meant
http://macedir.org/specs/eduperson/#eduPersonPrincipalName

2. Also, "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" is not
the correct nameformat to use, it should be
"urn:oasis:names:tc:SAML:2.0:attrname-format:uri".

(1 and 2 according to
http://macedir.org/docs/internet2-mace-dir-saml-attributes-latest.pdf )

3. eduPersonPrincipalName is defined to be scoped, as in
"[hidden email]", so the attribute value is also wrong.

So Name wrong, NameFormat wrong, AttributeValue wrong.
Other than that it's technically correct, i.e., it's valid SAML, but
it will not interoperate with anyone.

> <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="urn:mace:shibboleth:2.0:attribute-map
>     /usr/share/xml/shibboleth/shibboleth-2.0-attribute-map.xsd"
>     REMOTE_USER="eppn">

The attribute map has no REMOTE_USER XML attribute, you're mixing that
up with the shibboleth2.xml config file. Did you try The Fine
Documentation?

> <Attribute name="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="eppn">
>   <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="true"/>
> </Attribute>

No. You put the nameformat in the "name" parameter (XML attribute).
Also the attribute your IDP sends is not scoped, so the scoped decode
would throw it out, if it ever matched (which it doesn't).

> NOTE: I am using the following in my Apache conf to rewrite the
> header from REMOTE_USER to x-Remote-User for the application....

What kind of application using what technology? You shouldn't need to
put attributes into Request Headers.

-peter
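Editor's added example (Python; not code from any poster in this thread and not Shibboleth code): it turns Peter's three points into a check that can be run against an Attribute element pulled out of a decoded SAMLResponse. The element is parsed with xml.etree and reported against the OID name, the uri NameFormat and the scoped-value requirement. Both sample elements below are constructed from the thread; the scope example.org is made up.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName, as given in the thread
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample: the Attribute element the IdP in the thread sends
AS_SENT = """<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="eppn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">dxo5ic1</saml:AttributeValue>
</saml:Attribute>"""

# Constructed sample: the same attribute encoded the way Peter describes (scope is made up)
CORRECTED = """<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue>dxo5ic1@example.org</saml:AttributeValue>
</saml:Attribute>"""


def check_eppn(attribute_xml):
    """Return a list of the ways a saml:Attribute deviates from the
    eduPersonPrincipalName encoding (OID name, uri name format, scoped value).
    An empty list means the attribute is encoded as eppn should be."""
    el = ET.fromstring(attribute_xml)
    if el.tag != "{%s}Attribute" % SAML_NS:
        return ["not a saml:Attribute element"]
    problems = []
    name = el.get("Name", "")
    fmt = el.get("NameFormat", "")
    if name != EPPN_OID:
        problems.append("Name is %r, eppn is %r" % (name, EPPN_OID))
    if fmt != FMT_URI:
        problems.append("NameFormat is %r, eppn uses %r" % (fmt, FMT_URI))
    values = [(v.text or "").strip()
              for v in el.findall("{%s}AttributeValue" % SAML_NS)]
    if not values:
        problems.append("no AttributeValue")
    for value in values:
        user, at, scope = value.partition("@")
        if not (at and user and scope):
            problems.append("value %r is not scoped (expected user@scope)" % value)
    return problems


if __name__ == "__main__":
    for label, xml in (("as sent", AS_SENT), ("corrected", CORRECTED)):
        print(label, check_eppn(xml) or "OK")
```

Run against the element as sent, the check reports all three deviations Peter lists; the corrected element passes. It does not verify that the scope belongs to the asserting IdP, which is the SP's job (the attribute filter policy) rather than an encoding question.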

Re: unable to capture eppn information from SAML2/POST at SP

Domingues, Michael D
In reply to this post by O'Quinn, Dennis

Hi Dennis,


The "name" attribute on the entry in your attribute-map.xml file needs to exactly match what the desired attribute is being encoded as in the SAML assertion. In the config listed below, you're encoding the attribute as "eppn" but trying to capture it as "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified".


Michael


From: users <[hidden email]> on behalf of O'Quinn, Dennis <[hidden email]>
Sent: Monday, June 11, 2018 1:17:36 PM
To: Shib Users
Subject: unable to capture eppn information from SAML2/POST at SP
 


RE: unable to capture eppn information from SAML2/POST at SP

Cantor, Scott E.
In reply to this post by Peter Schober
> No. You put the nameformat in the "name" parameter (XML attribute).

Read too fast myself, so the rule is in fact not what was intended. Using name="eppn" id="eppn" would basically work to hack in that particular rule (an absent nameFormat in the rule will match "unspecified").

-- Scott


Re: unable to capture eppn information from SAML2/POST at SP

Peter Schober
In reply to this post by Domingues, Michael D
* Domingues, Michael D <[hidden email]> [2018-06-11 20:32]:
> The "name" attribute on the entry in your attribute-map.xml file
> needs to exactly match what the desired attribute is being encoded
> as in the SAML assertion. In the config listed below, you're
> encoding the attribute as "eppn" but trying to capture it as
> "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified".

He still needs to set the nameformat to unspecified since the SP
defaults to uri naming.

Of course the attribute is completely and utterly broken as any
attribute ever could be (cf my previous mail), so I'd rather fix it at
the IDP. If done correctly by the IDP the SP will Just Work.

-peter

RE: unable to capture eppn information from SAML2/POST at SP

Cantor, Scott E.
> He still needs to set the nameformat to unspecified since the SP defaults to uri
> naming.

I hacked in "unspecified" matching a while back, it just got too painful to constantly hear the bitching about it. At least I thought I did...

-- Scott


RE: [EXTERNAL] Re: unable to capture eppn information from SAML2/POST at SP

O'Quinn, Dennis
In reply to this post by Peter Schober
Hi Peter, thanks, I probably should have specified, I am working from the SP end, I have little control over the IdP...  2 different entities....  That said,

NOTE: we are not an educational entity, does the 'edu' prefix on all this stuff = "education"?  and if so, I did not realize that this was significant.  I assumed all the references to eduTHIS and eduTHAT were just artifacts from the environment in which SAML/Shibboleth was primarily used vs. something we had to code our values to....

So:
> 1. "eppn" is not the correct name (that would be "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"), at least if you meant http://macedir.org/specs/eduperson/#eduPersonPrincipalName

Are you saying I need to go back to my IdP team and have them convert that attribute to
>                 <saml:Attribute Name=" urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat=" urn:oasis:names:tc:SAML:2.0:attrname-format:uri ">
>                     <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">dxo5ic1</saml:AttributeValue>
>                 </saml:Attribute>

>  3. eduPersonPrincipalName is defined to be scoped, as in "[hidden email]", so the attribute value is also wrong.

*now* I know what 'eppn' stands for... Thanks for that.  However, we are not looking for an email address in return, we are only looking for the users LDAP ID (in this particular example the string 'dxo5ic1') and our intent is to have the REMOTE_USER field in the headers to be populated with that value.

> <Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="urn:mace:shibboleth:2.0:attribute-map
>     /usr/share/xml/shibboleth/shibboleth-2.0-attribute-map.xsd"
>     REMOTE_USER="eppn">

I got the above from a page similar to https://wiki.shibboleth.net/confluence/pages/viewpage.action?pageId=4358911 (only it did not say 'you are viewing an old version of the page' at the top as this one does....  I could not find the first page where I initially got this info)...

>  The attribute map has no REMOTE_USER XML attribute, you're mixing that up with the shibboleth2.xml config file. Did you try The Fine Documentation?

Not sure what 'The Fine Documentation' is....  But, I am consuming a *lot* of time going through what documentation there is.

> No. You put the nameformat in the "name" parameter (XML attribute).
> Also the attribute your IDP sends is not scoped, so the scoped decode would through it out, if it ever matched (which it doesn't).

This was the name format specified by my IdP.  I am trying to work what he is sending me.  

>  What kind of application using what technology? You shouldn't need to put attributes into Request Headers.

It is what is required and documented for the application.  I am bound by that....

Thanks, Dennis

RE: unable to capture eppn information from SAML2/POST at SP

O'Quinn, Dennis
In reply to this post by Cantor, Scott E.
>  Read too fast myself, so the rule is in fact not what was intended. Using name="eppn" id="eppn" would basically work to hack in that particular rule (an absent nameFormat in the rule will match "unspecified").

K, for a quick and dirty test, will try setting my map to be eppn for both name and id....  

Thanks, Dennis

RE: [EXTERNAL] Re: unable to capture eppn information from SAML2/POST at SP

Cantor, Scott E.
In reply to this post by O'Quinn, Dennis
> NOTE: we are not an educational entity, does the 'edu' prefix on all this stuff =
> "education"?

Yes, but the attribute itself is just a thing, it either matches your intended purpose or not. You shouldn't call a vegetable a fruit, but you don't have to be a member of the Fruit Association to use the fruit.

The "id" values inside the SP are just that, internal, but it just breeds confusion to use names that have meaning to people who look at these configs and mean something different.

> Are you saying I need to go back to my IdP team and have them convert that
> attribute to

He's saying don't call it EPPN if you don't do that, because it isn't.

> *now* I know what 'eppn' stands for... Thanks for that.  However, we are not
> looking for an email address in return, we are only looking for the users LDAP
> ID (in this particular example the string 'dxo5ic1') and or intent is to have the
> REMOTE_USER field in the headers to be populated with that value.

For non-federated use internally, the uid attribute in LDAP, for which there may or may not be an example rule in the config, would be a reasonable choice to use.

-- Scott


Re: [EXTERNAL] Re: unable to capture eppn information from SAML2/POST at SP

Alan Buxey
In reply to this post by O'Quinn, Dennis
> *now* I know what 'eppn' stands for... Thanks for that.  However, we are not looking for an email address

Just to note, yes, it may contain a domain as it's a scoped value but it's not an email address. It may look like one ... and indeed it may even be one due to local id formats, but EPPN should never be construed as an email address.

alan


RE: unable to capture eppn information from SAML2/POST at SP

O'Quinn, Dennis
In reply to this post by Cantor, Scott E.
Well, I have made it this far now...

2018-06-11 16:28:45 DEBUG Shibboleth.AttributeDecoder.String [1]: decoding SimpleAttribute (eppn) from SAML 2 Attribute (eppn) with 1 value(s)
2018-06-11 16:28:45 DEBUG Shibboleth.AttributeFilter [1]: filtering 1 attribute(s) from (https://devsaml.homedepot.com)
2018-06-11 16:28:45 DEBUG Shibboleth.AttributeFilter [1]: applying filtering rule(s) for attribute (eppn) from (https://devsaml.homedepot.com)
2018-06-11 16:28:45 WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of attribute (eppn) from (https://devsaml.homedepot.com)
2018-06-11 16:28:45 WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute (eppn) from (https://devsaml.homedepot.com)

The attribute map I am using to get this is....
    <Attribute name="eppn" id="eppn">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

So, now on to figuring out the filters....


RE: unable to capture eppn information from SAML2/POST at SP

O'Quinn, Dennis
OK, I made it here pretty quick, but, I can't see that my application is getting the info it needs...  

From shibd.log
2018-06-11 17:31:27 DEBUG Shibboleth.AttributeDecoder.String [2]: decoding SimpleAttribute (eppn) from SAML 2 Attribute (eppn) with 1 value(s)
2018-06-11 17:31:27 DEBUG Shibboleth.AttributeFilter [2]: filtering 1 attribute(s) from (https://devsaml.homedepot.com)
2018-06-11 17:31:27 DEBUG Shibboleth.AttributeFilter [2]: applying filtering rule(s) for attribute (eppn) from (https://devsaml.homedepot.com)
2018-06-11 17:31:27 DEBUG Shibboleth.SSO.SAML2 [2]: resolving attributes...

From transaction.log
2018-06-11 17:31:27 INFO Shibboleth-TRANSACTION [2]: New session (ID: _2ca710ada158b75ab7fd70e18b57dbcf) with (applicationId: default) for principal from (IdP: https://devsaml.homedepot.com) at (ClientAddress: 130.211.3.65) with (NameIdentifier: dxo5ic1) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: l68aji3AUrXNW89kOzA6koEhwvE)
2018-06-11 17:31:27 INFO Shibboleth-TRANSACTION [2]: Cached the following attributes with session (ID: _2ca710ada158b75ab7fd70e18b57dbcf) for (applicationId: default) {
2018-06-11 17:31:27 INFO Shibboleth-TRANSACTION [2]:    eppn (1 values)
2018-06-11 17:31:27 INFO Shibboleth-TRANSACTION [2]: }


how can I see the 'value' being stored in eppn?  Also, how can I troubleshoot the REMOTE_USER variable on the session ????  per my session statement in shibboleth2.xml, it *should* be getting set by eppn (?)....

<ApplicationDefaults entityID="https://sascloud.homedepot.com/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id eduPersonPrincipalName">


I am seeing the following session information....
Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 130.211.3.65
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://devsaml.homedepot.com
Authentication Time: 2018-06-11T21:31:28.202Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
eppn: 1 value(s)


However, I cannot find a way to 'see' the value in the eppn variable nor whether that value was propagated to the REMOTE_USER variable (which I suspect didn't happen since I am still not getting the expected response in my application)....

Thanks, Dennis




Re: unable to capture eppn information from SAML2/POST at SP

Brent Putman



On 6/11/18 5:36 PM, O'Quinn, Dennis wrote:
> Attributes
> eppn: 1 value(s)
>
> However, I cannot find a way to 'see' the value in the eppn variable

On the Session handler in shibboleth2.xml, add the boolean attribute:

<Handler type="Session" Location="/Session" showAttributeValues="true"/>

as documented here:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPHandler#NativeSPHandler-SessionHandler

> nor whether that value was propagated to the REMOTE_USER variable (which I suspect didn't happen since I am still not getting the expected response in my application)....

To check REMOTE_USER or any other variable, just use a simple CGI script which prints the environment variables.

But basically check that the appropriate config in shibboleth2.xml is correct:

    <ApplicationDefaults entityID="https://sp.test.middleware.georgetown.edu/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">

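Editor's added example (Python; not code from any poster and not Shibboleth or Apache code) covering Brent's two checks and the Location block from the first message in the thread. It models how REMOTE_USER is derived from the cached attributes using the precedence list quoted from shibboleth2.xml, gives the environment dump Brent suggests reduced to the SP-populated variables, and models the header rewrite: RequestHeader set ... env=RU only fires when REMOTE_USER is non-empty, so whenever the session has no usable value a header of the same name arriving from the client passes through unless it is unset unconditionally first. The session attributes and header values are constructed.

```python
import os

# Constructed: attributes the SP cached for the session, internal id -> values
SESSION_ATTRIBUTES = {"eppn": ["dxo5ic1@example.org"], "persistent-id": []}
# Precedence list exactly as written in the ApplicationDefaults quoted in the thread
REMOTE_USER_PRECEDENCE = "eppn persistent-id targeted-id"


def derive_remote_user(attributes, precedence=REMOTE_USER_PRECEDENCE):
    """First id in precedence order that carries a non-empty value, else ''."""
    for attr_id in precedence.split():
        for value in attributes.get(attr_id, []):
            if value:
                return value
    return ""


def shib_env_report(environ=None):
    """Brent's 'simple CGI script which prints the environment variables',
    reduced to the variables the SP populates (REMOTE_USER and Shib-*).
    Pass a dict to test; with no argument it reads the real environment."""
    env = os.environ if environ is None else environ
    return ["%s=%s" % (k, v) for k, v in sorted(env.items())
            if k == "REMOTE_USER" or k.startswith("Shib-")]


HEADER = "x-remote-user"  # header names compare case-insensitively


def upstream_headers(client_headers, remote_user, unset_first):
    """Model of the Location block from the first message.
    'RewriteCond %{LA-U:REMOTE_USER} (.+)' needs a non-empty REMOTE_USER, and
    'RequestHeader set X-Remote-User "%{RU}e" env=RU' is skipped otherwise, so
    a client-supplied X-Remote-User reaches the application unchanged whenever
    REMOTE_USER is empty. unset_first models adding
    'RequestHeader unset X-Remote-User' before the conditional set."""
    headers = {k.lower(): v for k, v in client_headers.items()}
    if unset_first:
        headers.pop(HEADER, None)
    if remote_user:
        headers[HEADER] = remote_user
    return headers


if __name__ == "__main__":
    ru = derive_remote_user(SESSION_ATTRIBUTES)
    print("REMOTE_USER =", repr(ru))
    print(upstream_headers({"X-Remote-User": "client-chosen"}, "", unset_first=False))
    print(upstream_headers({"X-Remote-User": "client-chosen"}, "", unset_first=True))
    print(upstream_headers({"X-Remote-User": "client-chosen"}, ru, unset_first=True))
```

The practical consequence for the configuration in the thread: add an unconditional "RequestHeader unset X-Remote-User" ahead of the conditional "RequestHeader set" so the application only ever sees a value the SP produced, and run the environment dump as a CGI under the same Location to confirm which attribute actually fed REMOTE_USER.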

RE: [EXTERNAL] Re: unable to capture eppn information from SAML2/POST at SP

O'Quinn, Dennis

Thank you sir…  Right there in the file with a setting of false…  Sorry to ask such a simple question, but, I am drowning in the Shibboleth documentation, and sometimes when I look at something that is what I want, I can’t recognize it for lack of knowing what I am looking at…

 

Thanks again, Dennis

 

Dennis O’Quinn | EDW Infrastructure Engineering | NAE115H @ 2250 MTC

The Home Depot | Marietta Technology Center | 2250 Newmarket Parkway | Marietta, GA  30067

(: Direct: 470.689.4513 | Cell: 470.658.1183 | Internal: 24513

*: [hidden email]

 

 

 

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: unable to capture eppn information from SAML2/POST at SP

Cantor, Scott E.
In reply to this post by O'Quinn, Dennis
On 6/11/18, 4:45 PM, "users on behalf of O'Quinn, Dennis" <[hidden email] on behalf of [hidden email]> wrote:

> So, now on to figuring out the filters....

Don't call it eppn and you won't trip the policy that the SP imposes for the attribute called eppn, which is supposed to be eduPersonPrincipalName. That's a reason why I advised you rename it.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: unable to capture eppn information from SAML2/POST at SP

O'Quinn, Dennis
>  Don't call it eppn and you won't trip the policy that the SP imposes for the attribute called eppn, which is supposed to be eduPersonPrincipalName. That's a reason why I advised you rename it.

Thanks, but, not sure how to apply that guidance.  This is what the IdP is sending me.  Are you saying I can override that someway and 'change' it to eduPersonPrincipalName?


BTW, much of the documentation I am reading out there seems to imply that the configuration is being done by 'one' entity with access to "both" IdP and SP configurations and logs simultaneously.

That is not the case for our environment.  I take it that this is much of my problem in working through all these issues?

Thanks again, Dennis



--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: unable to capture eppn information from SAML2/POST at SP

Cantor, Scott E.
On 6/11/18, 6:13 PM, "users on behalf of O'Quinn, Dennis" <[hidden email] on behalf of [hidden email]> wrote:

> Thanks, but, not sure how to apply that guidance.  This is what the IdP is sending me.  Are you saying I can override that
> someway and 'change' it to eduPersonPrincipalName?

I didn't say "change it to eduPersonPrincipalName", I said the opposite.

I'm referring to the local name the SP assigns it, which is the part in the id attribute in the mapping rule, not the part in the name attribute in the rule. The fact that they're the same is adding to the confusion, as is the fact that the IdP is using a simple string for an attribute name, as is the fact that it seems to have picked an inappropriate and confusing name to use.

It's a bit of a mess from beginning to end, but you at least have control of your end to "untangle" it a bit so that at least you have garbage in -> slightly less garbage out, and can avoid triggering default settings you aren't intending to use.

Another way to say it would be that if you want to essentially start with a "clean" attribute map of non-eduPerson/etc. data, it's best to clear out the filter policy also and just start clean with both. The defaults line up so dumping one of them will cause problems if you don't dump the other.
 
> BTW, Much of the documentation I am reading out there seems to imply that the configuration is being done by 'one'
> entity with access to "both" IdP and SP configurations and logs simultaneously.

No, not really. The defaults assume practices and rigor that aren't common to enterprises, and all software tends to document how things are meant to work more than how to work around things, that's simply natural.

> That is not the case for our environment.  I take it that his is much of my problem in working through all these issues?

Your problem is rooted in a bad decision at the IdP, which creates work and confusion at the SP, to some degree, and then you happened to make a poor choice at the SP, which is the part I'm referring to changing.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: unable to capture eppn information from SAML2/POST at SP

Cantor, Scott E.
On 6/11/18, 6:29 PM, "users on behalf of Cantor, Scott" <[hidden email] on behalf of [hidden email]> wrote:

> BTW, Much of the documentation I am reading out there seems to imply that the configuration is being done by 'one'
> entity with access to "both" IdP and SP configurations and logs simultaneously.

What I said notwithstanding, certainly it is true that it's impossible  to test and operate an SP effectively without an IdP, and if you don't control *an* IdP, you will pay for it. That doesn't imply you control every IdP you work with, but if you try and run an SP without one, you'll fail in various ways eventually simply due to lack of robust testing. SSO systems have two halves and you either run both or you eventually pay for it in reliability. You can't wish that need away.

(The best choice of a simple one-off IdP is not something I can really answer. I doubt a Shibboleth IdP is a good choice for most as it's more than one would need, but I don't have to answer that question since my primary OSU role is running one, so my gap these days is the opposite, having control over SPs to test with.)

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: unable to capture eppn information from SAML2/POST at SP

Peter Schober
In reply to this post by Brent Putman
* Brent Putman <[hidden email]> [2018-06-11 23:47]:
> >  nor whether that value was propagated to the REMOTE_USER variable
> (which I suspect didn't happen since I am still not getting the
> expected response in my application)....
>
> To check REMOTE_USER or any other variable, just use a simple CGI
> script which prints the environment variables.

FYI, Apache httpd logs the value of REMOTE_USER with every line in its
access log. No CGI required.

I haven't yet seen that the OP changed the internal id of the
attribute to something other than "eppn" or alternatively changed the
default attribute-policy.xml: As I've explained in detail what is
being sent here is NOT eppn, so the built-in checks from the SP will
reject that.
Unless either the id is changed in the attribute-map.xml (and again in
the REMOTE_USER precedence list) or the attribute-policy.xml is
changed for "eppn" from the ScopingRules reference to permitAny.

-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
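As an added illustration (not posted by anyone in this thread), here are the two SP-side fixes Scott and Peter describe, as three configuration fragments for attribute-map.xml, shibboleth2.xml and attribute-policy.xml. It assumes the IdP sends the attribute under the plain SAML Name "eppn"; the local id "idpuser" and the entityID "https://sp.example.org/shibboleth" are placeholders.

```xml
<!-- attribute-map.xml: map the incoming attribute (SAML Name assumed to be the
     plain string "eppn") to a local id that is NOT "eppn". Scott's point: the
     "id" is the SP-local name the filter policy and REMOTE_USER key on, the
     "name" is what the IdP puts on the wire. "idpuser" is a placeholder. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="eppn" id="idpuser"/>
</Attributes>

<!-- shibboleth2.xml: REMOTE_USER is a precedence list of local ids, so it has
     to follow the rename, otherwise REMOTE_USER stays empty even though the
     Session handler shows the attribute. showAttributeValues="true" is the
     diagnostic Brent suggested; leave it off once the mapping is verified. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="idpuser persistent-id targeted-id">
    <Sessions handlerSSL="true" cookieProps="https">
        <Handler type="Session" Location="/Session" showAttributeValues="true"/>
    </Sessions>
</ApplicationDefaults>

<!-- attribute-policy.xml, the ALTERNATIVE Peter mentions if the id must stay
     "eppn": replace the ScopingRules reference with permitAny. This fragment
     sits inside the stock AttributeFilterPolicyGroup, which declares the afp
     and xsi prefixes. Caveat: the default rule is what stops an IdP from
     asserting a principal in a scope its metadata does not own, so only relax
     it for a value that is not a real scoped eduPersonPrincipalName. -->
<afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="ANY"/>
    <!-- stock rule, kept here for comparison:
         <afp:AttributeRule attributeID="eppn">
             <afp:PermitValueRuleReference ref="ScopingRules"/>
         </afp:AttributeRule>                                          -->
    <afp:AttributeRule attributeID="eppn" permitAny="true"/>
    <!-- catch-all from the stock file, passes everything else through -->
    <afp:AttributeRule attributeID="*" permitAny="true"/>
</afp:AttributeFilterPolicy>
```

Apply only one of the two approaches: renaming the id and keeping the default policy is the cleaner option because it leaves the eppn scoping check intact for any IdP that later sends a genuine eduPersonPrincipalName.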