Equifax SP and Shibboleth IDP


Equifax SP and Shibboleth IDP

Zico
 Hi,

Have been trying to configure Equifax with Shibboleth but haven't been able to achieve much success. Anyone configured Equifax with Shibboleth IDP so far?

My initial issue is: I don't see any attribute being released from IDP side OR it's inside `CipherData` snippet. Playing with "idp.encryption.optional == true" and relying party isn't helping much to decipher that CipherData snippet.

--
Best,
Zico

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Equifax SP and Shibboleth IDP

Peter Schober
* Zico <[hidden email]> [2019-11-25 17:36]:
> My initial issue is: I don't see any attribute being released from IDP side
> OR it's inside `CipherData` snippet. Playing with "idp.encryption.optional
> == true" and relying party isn't helping much to decipher that CipherData
> snippet.

That's not how you'd find out what your own IDP sends. You'd use:

* aacli, to simulate what would be going out, and/or

* your own log files, tuned as needed, e.g. by setting
  <logger name="PROTOCOL_MESSAGE" level="DEBUG" />
  and reloading your logging config (or waiting 10 min for it to
  become active).

-peter
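Peter's two options (aacli, or the PROTOCOL_MESSAGE logger at DEBUG) both answer the question "what did my IdP actually put in the Response?". The script below is an added example for reading such a logged Response, not code from the Shibboleth project or from either poster: it parses a saml2p:Response with the standard library, counts plaintext versus encrypted assertions, lists any readable Attribute elements, and reports whether the attributes are simply absent or merely invisible because they sit behind an EncryptedAssertion's CipherData. The two Response documents, the entityIDs and the attribute values are constructed; the attribute names are the standard eduPersonPrincipalName and mail OIDs.

```python
"""Inspect a SAML 2.0 Response the way it would appear in the IdP's
PROTOCOL_MESSAGE debug log, and report whether attributes are readable in it
or sit behind an EncryptedAssertion (the CipherData snippet from the thread).
Added example, not Shibboleth code; the sample messages below are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed: what a logged Response looks like when the assertion is encrypted.
ENCRYPTED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2019-11-25T16:36:00Z">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>QUJDRA==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>"""

# Constructed: the same Response with a plaintext assertion and attribute statement.
PLAIN_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2019-11-25T16:36:00Z">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:Assertion ID="_a2" Version="2.0" IssueInstant="2019-11-25T16:36:00Z">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
        <saml2:AttributeValue>zico@example.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml2:AttributeValue>zico@example.org</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def inspect_saml_response(xml_text: str) -> dict:
    """Count plaintext vs encrypted assertions and collect readable attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("not a saml2p:Response")
    report = {"plain_assertions": 0, "encrypted_assertions": 0,
              "encrypted_attributes": 0, "attributes": {}}
    for assertion in root.findall("saml2:Assertion", NS):
        report["plain_assertions"] += 1
        for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
            values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
            report["attributes"].setdefault(attr.get("Name"), []).extend(values)
        # Attributes may also be encrypted one by one inside a plaintext assertion.
        report["encrypted_attributes"] += len(
            assertion.findall("saml2:AttributeStatement/saml2:EncryptedAttribute", NS))
    report["encrypted_assertions"] = len(root.findall("saml2:EncryptedAssertion", NS))
    return report


def verdict(report: dict) -> str:
    """One-line diagnosis matching the two possibilities raised in the thread."""
    if report["attributes"]:
        return "attributes visible: " + ", ".join(sorted(report["attributes"]))
    if report["encrypted_assertions"] or report["encrypted_attributes"]:
        return ("no readable attributes; content is encrypted for the SP, so this log "
                "line cannot tell you what was released (use aacli instead)")
    return "no attributes released at all in this Response"


if __name__ == "__main__":
    for label, msg in (("encrypted", ENCRYPTED_RESPONSE), ("plain", PLAIN_RESPONSE)):
        print(label + ":", verdict(inspect_saml_response(msg)))
```

Run it against a Response copied out of idp-process.log; the point of the verdict function is that an encrypted assertion is not evidence of an empty release, which is why aacli (which shows the resolved and filtered attributes before any encryption) is the more direct check.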

Re: Equifax SP and Shibboleth IDP

Zico
Thanks, Peter.

Interesting thing is... my log was in DEBUG and there wasn't any "<saml2:AttributeStatement> ... </saml2:AttributeStatement>" snippet there.
But when I replaced their supplied metadata with the InCommon-published one, the IDP started sending attributes to SPs.

So far I knew that it's the IDP which actually makes the decision on sending / not sending attributes to the SP, but it seems like the SP has a big part in this transaction as well. Never seen this before!

 

--
Best,
Zico


Re: Equifax SP and Shibboleth IDP

Peter Schober
* Zico <[hidden email]> [2019-11-26 07:49]:
> So far, I used to know that it's IDP which actually make decision on
> sending / not sending attributes to SP but seems like SP has a big part
> here in this transaction as well. Never seen this before!

Depending on the configuration of your IDP (which you don't mention)
the IDP can take SP metadata into account when releasing attributes or
selecting NameID formats.

SAML metadata is the sole basis for attribute release in some of the
largest and most widespread uses of SAML today (such as InCommon and
its international peers, in some of those federations more than in
others).

-peter
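To make Peter's point concrete, here is an added example (not Shibboleth code, and a deliberate simplification of what the IdP's attribute filter engine does with its AttributeInMetadata rule) of an IdP that lets the SP's metadata drive both attribute release and NameID format selection. It compares two constructed metadata documents for the same entityID: a vendor-style one that describes only endpoints, and a federation-style one carrying md:RequestedAttribute and md:NameIDFormat elements. With the first, nothing is released, which matches what Zico observed before swapping in the federation metadata. The entityID, endpoints and attribute values are constructed; the OIDs are the standard ones for eduPersonPrincipalName, mail and displayName.

```python
"""Simplified emulation of metadata-driven attribute release and NameID format
selection. Added example, not Shibboleth's attribute filter engine (whose real
rule for this is the AttributeInMetadata matcher); the metadata documents and
resolved attributes below are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"

# Constructed: vendor-style metadata that only describes endpoints.
VENDOR_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: federation-style metadata that states which attributes the SP wants.
FEDERATION_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_attributes(metadata_xml: str) -> Dict[str, bool]:
    """Map each md:RequestedAttribute Name to its isRequired flag."""
    root = ET.fromstring(metadata_xml)
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("Name"): ra.get("isRequired", "false") == "true"
            for ra in root.findall(path, NS)}


def release_by_metadata(resolved: Dict[str, List[str]], metadata_xml: str) -> Dict[str, List[str]]:
    """Release only what the SP's metadata asks for; nothing requested, nothing released."""
    wanted = requested_attributes(metadata_xml)
    return {name: vals for name, vals in resolved.items() if name in wanted}


def select_nameid_format(metadata_xml: str, idp_supported: List[str]) -> Optional[str]:
    """First SP-listed NameIDFormat the IdP supports; IdP default if the SP lists none."""
    root = ET.fromstring(metadata_xml)
    sp_formats = [e.text.strip() for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)
                  if e.text]
    if not sp_formats:
        return idp_supported[0] if idp_supported else None
    return next((f for f in sp_formats if f in idp_supported), None)


if __name__ == "__main__":
    resolved = {EPPN: ["zico@example.org"], MAIL: ["zico@example.org"], DISPLAY_NAME: ["Zico"]}
    supported = ["urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
                 "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"]
    for label, md in (("vendor", VENDOR_METADATA), ("federation", FEDERATION_METADATA)):
        print(label, "releases", sorted(release_by_metadata(resolved, md)),
              "with NameID format", select_nameid_format(md, supported))
```

The practical lesson is the one Peter gives: when an IdP's filter policy is written against metadata, swapping the SP's metadata changes the release decision even though no filter rule was edited, so vendor-supplied metadata that omits AttributeConsumingService needs either amending or a release rule keyed on the entityID instead.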