Shibboleth SP3 is not doing POST


Shibboleth SP3 is not doing POST

uraikwar
We have an SP-initiated SSO setup for our product which combines Shibboleth SP3 and a PingFed IdP. Everything works fine. We are using Shibboleth v3.0.2. Now there is a change in requirements: we need to show a message to the user before redirecting to the IdP login page, and after successful authentication before redirecting to the originating product URL. As per the Shibboleth SP3 documentation at https://wiki.shibboleth.net/confluence/display/SP3/ConfigurationFileSummary, it seems that customizing bindingTemplate.html and postTemplate.html can solve my problem. However, it requires changing the SAML artifact binding to use POST rather than a redirect. As per the documentation found at https://wiki.shibboleth.net/confluence/display/SP3/SSO, postArtifact="true" can change the behaviour. However, after making these changes in shibboleth2.xml there is no change in behaviour: the SP is still doing a redirect to the IdP, and bindingTemplate.html & postTemplate.html are not coming into the picture. This is my shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    clockSkew="180">
    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
    <ApplicationDefaults entityID="PLM-QA-TYPE"
        REMOTE_USER="uid eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http" postTemplate="postTemplate.html">
            <SSO entityID="https://entityid.com" postArtifact="true" template="bindingTemplate.html"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
                SAML2
            </SSO>
            <Logout>SAML2 Local</Logout>
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" use="signing"
            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Here, I added postTemplate="postTemplate.html" and postArtifact="true" template="bindingTemplate.html" on top of the existing configuration. Can someone help me identify what I am doing wrong? Thanks in advance.

Sent from the Shibboleth - Users mailing list archive at Nabble.com.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Shibboleth SP3 is not doing POST

Mak, Steve

Add this to your <SSO> element: outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

This assumes that the IdP metadata you have has an HTTP-POST SSO Service.

From: users <[hidden email]> on behalf of uraikwar <[hidden email]>
Reply-To: Shib Users <[hidden email]>
Date: Thursday, March 26, 2020 at 05:57
To: "[hidden email]" <[hidden email]>
Subject: Shibboleth SP3 is not doing POST


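Steve's answer hinges on the IdP metadata actually advertising an HTTP-POST SingleSignOnService. What follows is an added example, not code from this thread or from the Shibboleth project: it checks a constructed idp-metadata.xml for that endpoint, then encodes a constructed AuthnRequest the way each binding puts it on the wire. That difference is the whole point of the thread: the Redirect binding is a DEFLATE+base64 query string and needs no page, while the POST binding needs an auto-submitting form, which is the document the SP renders from bindingTemplate.html. The entityID, endpoint URLs and request contents are placeholders.

```python
"""Added example: which SAML2 SSO bindings does the IdP metadata advertise, and
what does an AuthnRequest look like under HTTP-Redirect versus HTTP-POST?
Not Shibboleth code; all identifiers and URLs below are placeholders."""
import base64
import html
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata (placeholder entityID and endpoints).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.org/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.org/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed, minimal AuthnRequest (real ones carry Issuer, NameIDPolicy, etc.).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_placeholder" Version="2.0" IssueInstant="2020-03-26T10:00:00Z" '
    'Destination="https://idp.example.org/idp/SSO.saml2"/>'
)


def sso_endpoints(metadata_xml):
    """Map binding URI -> Location for every SingleSignOnService in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    return {
        ep.get("Binding"): ep.get("Location")
        for ep in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }


def supports_post(metadata_xml):
    """outgoingBindings=HTTP-POST can only be honoured if the IdP advertises a POST endpoint."""
    return POST in sso_endpoints(metadata_xml)


def redirect_encode(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})


def redirect_decode(query_string):
    """Inverse of redirect_encode; handy for reading the SP's actual Location header."""
    params = urllib.parse.parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def post_encode(authn_request_xml):
    """HTTP-POST binding: plain base64 of the XML, no DEFLATE."""
    return base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")


def post_form(authn_request_xml, destination, relay_state=""):
    """The auto-submitting form the POST binding needs. This is the page the SP
    renders from bindingTemplate.html, which is why it never appears with Redirect."""
    return (
        f'<form method="POST" action="{html.escape(destination, quote=True)}">'
        f'<input type="hidden" name="SAMLRequest" value="{post_encode(authn_request_xml)}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form>"
    )


if __name__ == "__main__":
    endpoints = sso_endpoints(SAMPLE_IDP_METADATA)
    print("IdP SSO endpoints:", endpoints)
    print("POST binding available:", supports_post(SAMPLE_IDP_METADATA))
    print("Redirect URL:", endpoints[REDIRECT] + "?" + redirect_encode(SAMPLE_AUTHN_REQUEST))
    print("POST form:", post_form(SAMPLE_AUTHN_REQUEST, endpoints[POST], "ss:mem:placeholder"))
```

Run sso_endpoints() against the real idp-metadata.xml referenced by the MetadataProvider before adding outgoingBindings; if only the Redirect URI comes back, the SP has nothing to POST to and the setting cannot take effect. redirect_decode() is also a quick way to confirm, from the Location header in the browser's network log, that the SP is still using the Redirect binding.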
Re: Shibboleth SP3 is not doing POST

Cantor, Scott E.
In reply to this post by uraikwar
On 3/26/20, 5:57 AM, "users on behalf of uraikwar" <[hidden email] on behalf of [hidden email]> wrote:

> However, doing these changes in shibboleth2.xml, there is no change in behaviour. Still, SP is doing a redirect to IDP and
> bindingTemplate.html & postTemplate.html not coming in picture. This is my shibboleth2.xml-

Since those settings work, the explanation in general tends to be that whatever you think your configuration is, it's not.

I also don't think the feature you're using is the right approach. If you need this level of control you should be controlling session startup yourself in your application.

For the return side, it's absolutely not the right way to do it, there's already a sessionHook feature that can allow arbitrary content to be invoked on the way back in prior to the session being established, so that's how you do that half of the problem.

-- Scott



Re: Shibboleth SP3 is not doing POST

Cantor, Scott E.
On 3/26/20, 9:31 AM, "users on behalf of Cantor, Scott" <[hidden email] on behalf of [hidden email]> wrote:

> Since those settings work, the explanation in general tends to be that whatever you think your configuration is, it's not.

Actually, I found the bug on this, it was fixed in 3.0.4:
https://issues.shibboleth.net/jira/browse/SSPCPP-848

So, it didn't in fact work, until then.

My other comments stand, this is not the intended use of the feature and definitely isn't the right way to handle it on the inbound side.

-- Scott



Re: Shibboleth SP3 is not doing POST

uraikwar
In reply to this post by Mak, Steve
Thanks a lot, Steve, it worked. Now the SP is doing a POST. However, postTemplate.html is still not getting hit after authentication.
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http" postData="ss:mem" postTemplate="postTemplate.html">
I added postData="ss:mem", but no luck.


Re: Shibboleth SP3 is not doing POST

Cantor, Scott E.
On 3/26/20, 10:39 AM, "users on behalf of uraikwar" <[hidden email] on behalf of [hidden email]> wrote:

> However, still, postTemplate.html is not getting hit after authentication.

Because that isn't used for that purpose, that's for POST data recovery. As I told you, that is not how to do this, sessionHook is.

-- Scott



Re: Shibboleth SP3 is not doing POST

uraikwar
Thanks, Scott. I got your point. Thanks for giving me the direction. If I fail to use sessionHook, I will bother you again.


Re: Shibboleth SP3 is not doing POST

uraikwar
Hi Scott, I tried sessionHook. However, I am not sure I am using it correctly. Following are the changes I made:
    <ApplicationDefaults entityID="enity-TYPE"
        REMOTE_USER="uid eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"
        sessionHook="/Shibboleth.sso/myTemplate">
    <Handler type="AttributeChecker" Location="/myTemplate" template="myTemplate.html" attributes="AN_INVALID_ATTRIBUTE" flushSession="true"/>
Our requirement is to always display an HTML page after successful login. Currently, the HTML page is displayed only when I provide "AN_INVALID_ATTRIBUTE". In the case of a valid attribute there is a redirect from the sessionHook URL to the return location. Am I doing it correctly? Thanks in advance.


Re: Shibboleth SP3 is not doing POST

Peter Schober
* uraikwar <[hidden email]> [2020-03-27 12:03]:
> Hi Scott, I tried sessionHook. However, I am not sure I am using it
> correctly. Following the changes I made: Our requirement is to always
> display HTML page after successful login. Currently, the HTML page is
> displayed only when I provide an "AN_INVALID_ATTRIBUTE". In case of valid
> attribute there is a redirect from sessionHook url to return location.
> Am I doing it correctly? Thanks in advance.

How exactly are you using it? The above sounds like you're using the
built-in AttrChecker as sessionHook. But you can also use your own
code as sessionHook which by definition can do anything you want.
-peter

Re: Shibboleth SP3 is not doing POST

uraikwar

Can you guide me on how to use my own code as sessionHook?




Re: Shibboleth SP3 is not doing POST

Peter Schober
* uraikwar <[hidden email]> [2020-03-27 12:36]:
> Can you guide me on how to use my own code as sessionHook?

<ApplicationDefaults
  sessionHook="/your/own/code.php" ...>

Then in your/own/code.php you do whatever you want.
To send the subject on you redirect them to the value of the 'return'
query parameter, as explained in the documentation.

-peter

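Peter's answer leaves the hook itself to the reader, and the earlier AttributeChecker attempt only renders its template when the check fails, which is why it cannot provide an unconditional notice. Below is an added example of such a hook, not code from this thread or from the Shibboleth project: a small standard-library WSGI application that always shows a notice page and, once the user clicks Continue, redirects to the `return` value the SP supplied. The `/hook` path, the `sp.example.org` host name, the `continue` parameter and the page text are assumptions. The same-host check on `return` is an added precaution the thread does not discuss: a hook that 302s to an unchecked query parameter is an open redirector.

```python
"""Added example: a sessionHook endpoint that always shows a notice page and then
returns the user to the SP via the 'return' parameter.  Not Shibboleth code; the
/hook path, host name, 'continue' parameter and page text are assumptions."""
import html
import urllib.parse
from typing import Dict, Optional, Tuple
from wsgiref.simple_server import make_server

SP_HOST = "sp.example.org"  # assumption: the SP and this hook share one virtual host
HOOK_PATH = "/hook"         # assumption: matches sessionHook="/hook" in shibboleth2.xml


def safe_return_url(value: str, expected_host: str) -> Optional[str]:
    """Accept the SP's 'return' value only if it points back at our own host.
    Added precaution: blindly redirecting to a query parameter is an open redirect."""
    if not value:
        return None
    parts = urllib.parse.urlsplit(value)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != expected_host.lower():
        return None
    return value


def notice_page(return_url: str) -> str:
    """The interstitial shown after IdP authentication, before the SP session exists."""
    return (
        "<!doctype html><html><body><h1>Notice</h1>"
        "<p>You have signed in. Click Continue to enter the application.</p>"
        f'<form method="GET" action="{HOOK_PATH}">'
        '<input type="hidden" name="continue" value="1"/>'
        f'<input type="hidden" name="return" value="{html.escape(return_url, quote=True)}"/>'
        '<input type="submit" value="Continue"/></form></body></html>'
    )


def session_hook_app(environ, start_response):
    """WSGI entry point.  The SP redirects here with ?return=<url>; we show the notice,
    and on 'continue' send the browser back so the SP can finish establishing the session."""
    qs = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    return_url = safe_return_url(qs.get("return", [""])[0], SP_HOST)
    if return_url is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"missing or unacceptable return parameter"]
    if qs.get("continue", [""])[0] == "1":
        start_response("302 Found", [("Location", return_url), ("Cache-Control", "no-store")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Cache-Control", "no-store")])
    return [notice_page(return_url).encode("utf-8")]


def call(path_and_query: str) -> Tuple[str, Dict[str, str], bytes]:
    """Drive the app with a constructed GET request; returns (status, headers, body)."""
    path, _, query = path_and_query.partition("?")
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    seen = {}

    def start_response(status, headers):
        seen["status"] = status
        seen["headers"] = dict(headers)

    body = b"".join(session_hook_app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    # Serve on localhost and put it behind the same web server that fronts the SP.
    with make_server("127.0.0.1", 8081, session_hook_app) as server:
        server.serve_forever()
```

Point sessionHook="/hook" (assumed path) at wherever this application is mounted, on the same virtual host as the SP. The hook location must not itself require a Shibboleth session: as Scott notes, it runs before the session is established, so a protected hook path would just send the browser back into login.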
Re: Shibboleth SP3 is not doing POST

uraikwar
Thanks a lot, Peter.
