[Shib-Users] Fwd: EZproxy and Shibboleth


David Langenberg

Jul 1, 2011, 12:19:43 AM
to shibbole...@internet2.edu
Hi All,

Anybody know why or what may have led to the condition described here between IdP 2.1.x and 2.3.0?  This is the root cause of why EZ Proxy doesn't work with IdP 2.3.0.  Now, I'm not blaming the Shib developers here for breaking EZ Proxy, but it would be nice to know why the response from the IdP changed across versions.

Thanks,

Dave

---------- Forwarded message ----------
From: Chris Zagar <za...@usefulutilities.com>
Date: Thu, Jun 30, 2011 at 6:17 PM
Subject: RE: EZproxy and Shibboleth
To: David Langenberg <da...@uchicago.edu>


David,

I have identified the problem.  Perhaps you are familiar with the logistics at play.

The EZproxy support expects the response to have a signature outside the encrypted area, whereas your response has the signature inside the encrypted area.  Do you happen to know if this was a change in 2.2?

For what it is worth, when I relaxed the outer signature requirement in my testing copy, everything else came through exactly as expected.

Now that I have the information, I will share it back to OCLC.  Any details you might have on this bit would be greatly appreciated to flesh this out.

Chris

From: David Langenberg [mailto:da...@uchicago.edu]
Sent: Thursday, June 30, 2011 4:20 PM
To: Chris Zagar
Subject: Re: EZproxy and Shibboleth

That's perfect.  Attached, please find the metadata for the 2.3.0 IdP.  I see that your CNetID has been successfully created, so you should be good to go.

Dave



--
================================
David Langenberg
Identity Management
The University of Chicago
================================

Chad La Joie

Jul 1, 2011, 6:04:10 AM
to shibbole...@internet2.edu
There was a change to move from signing the response to signing the
assertion in the response by default. At the time this was done in
order to facilitate the delegation work the UChicago was involved in.

I'd recommend just creating a custom relying party definition for
EZProxy and changing the signing response/assertion options as
documented in the wiki. At least until they fix their SP.

On 7/1/11 12:19 AM, David Langenberg wrote:
> Hi All,
>
> Anybody know why or what may have led to the condition described here
> between IdP 2.1.x and 2.3.0? This is the root cause of why EZ Proxy doesn't
> work with IdP 2.3.0. Now, I'm not blaming the Shib developers here for
> breaking EZ Proxy, but it would be nice to know why the response from the
> IdP changed across versions.
>
> Thanks,
>
> Dave
>
> ---------- Forwarded message ----------
> From: Chris Zagar <za...@usefulutilities.com>
> Date: Thu, Jun 30, 2011 at 6:17 PM
> Subject: RE: EZproxy and Shibboleth
> To: David Langenberg <da...@uchicago.edu>
>
> David,
>
> I have identified the problem. Perhaps you are familiar with the logistics
> at play.
>
> The EZproxy support expects the response to have a signature outside the
> encrypted area, whereas your response has the signature inside the encrypted
> area. Do you happen to know if this was a change in 2.2?
>
> For what it is worth, when I relaxed the outer signature requirement in my
> testing copy, everything else came through exactly as expected.
>
> Now that I have the information, I will share it back to OCLC. Any details
> you might have on this bit would be greatly appreciated to flesh this out.
>
> Chris
>
> From: David Langenberg [mailto:da...@uchicago.edu]
> Sent: Thursday, June 30, 2011 4:20 PM
> To: Chris Zagar
> Subject: Re: EZproxy and Shibboleth
>
> That's perfect. Attached, please find the metadata for the 2.3.0 IdP. I
> see that your CNetID has been successfully created, so you should be good to
> go.
>
> Dave
>

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Rhys Smith

Jul 6, 2011, 3:37:36 AM
to shibbole...@internet2.edu
For anyone interested in this - OCLC are planning on fixing this in v5.5 of EZproxy, currently scheduled for release in September.

R.

--
----------------------------------------------------------------------
Dr Rhys Smith e: sm...@cardiff.ac.uk
Engineering Consultant: Identity & Access Management (GPG:0xDE2F024C)
Information Services,
Cardiff University, t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff, f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom. m: +44 (0) 7968 087 821
----------------------------------------------------------------------

Lukas Hämmerle

Jul 27, 2011, 10:24:35 AM
to us...@shibboleth.net
On 7/6/11 9:37 AM, Rhys Smith wrote:
> For anyone interested in this - OCLC are planning on fixing this in
> v5.5 of EZproxy, currently scheduled for release in september.

Currently a lot of IdP installations are (hopefully) updated to 2.3.2.
So, we just noted that this will cause headache with EZProxy (or maybe
just some versions of it).

Since the default behavior of the IdP regarding message signing and
nameId signing changed in one of the more recent versions, EZProxy
cannot accept these assertions anymore where the <Assertion> element is
signed and where the NameIdentifier is unencrypted.

EZProxy then complains: "Inter-institutional access failure"
In the messages.txt of EZProxy one finds entries like
"SAMLVerifySignature signature failed verification"
or
"No NameIdentifier in assertion"

The reason for this problem seems to be that EZProxy requires the SAML
Response element to be signed and the NameIdentifier to be encrypted as
this was the case with Shibboleth IdP 2.0 and 2.1 (I think).

I found out about this thanks to this post:
> http://markmail.org/message/7qzvsnj7v3xwuajg?q=simplesaml+ezproxy+nameid&page=1&refer=3da776hfonssrg3z


To solve this issue on the IdP side (until a new version of EZProxy is
released), we added the following <RelyingParty> element to the IdP's
relying-party.xml:

-----------------------8<-----------------------------

<rp:RelyingParty id="### EZProxy entityID ###"
                 provider="### IdP entityID ###"
                 defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             encryptAssertions="never"
                             encryptNameIds="always"
                             signResponses="always"/>
</rp:RelyingParty>

-----------------------8<-----------------------------

This seems to have worked for two Identity Providers using 2.3.2 and
EZproxy 5.3.0 GA. I'm not yet sure whether the
'encryptAssertions="never"' is needed.


Kind Regards
Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Hämmerle, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
lukas.h...@switch.ch, http://www.switch.ch

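The thread describes the same mismatch from two sides: Chris Zagar sees the signature "inside the encrypted area" rather than outside it, and Lukas's override forces a signed Response with an encrypted NameID. The script below is an added diagnostic example, not code from this thread, from EZproxy or from the Shibboleth IdP. It parses a SAML 2.0 Response and reports where the ds:Signature sits (on the Response or on the Assertion) and whether the NameID is plain or an EncryptedID, then lists which of the three relying-party options from Lukas's snippet the response deviates from. The two sample responses, the function names `inspect_response` and `ezproxy_findings`, and the finding strings are all constructed for this example; the script only locates elements and does not verify any signature (an XML-DSig library is needed for that).

```python
# Added diagnostic example (not from the thread, EZproxy or the Shibboleth IdP).
# Locates the ds:Signature and the NameID form in a SAML 2.0 Response. It does
# NOT verify signatures; use an XML-DSig library for that.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def inspect_response(xml_text):
    """Return which elements of a samlp:Response are signed/encrypted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")

    # A ds:Signature that is a direct child of samlp:Response is the "outer"
    # signature (signResponses="always"); one inside saml:Assertion is the
    # "inner" signature the thread says IdP 2.3 produces by default.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    assertion_signed = any(a.find("ds:Signature", NS) is not None
                           for a in assertions)

    nameid = "absent"
    if encrypted and not assertions:
        nameid = "inside EncryptedAssertion"  # cannot tell without decrypting
    for a in assertions:
        subject = a.find("saml:Subject", NS)
        if subject is None:
            continue
        if subject.find("saml:EncryptedID", NS) is not None:
            nameid = "encrypted"
        elif subject.find("saml:NameID", NS) is not None:
            nameid = "plain"

    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        "assertion_encrypted": bool(encrypted),
        "nameid": nameid,
    }


def ezproxy_findings(info):
    """Deviations from the shape Lukas's override produces: a signed Response,
    an encrypted NameID and no encrypted Assertion. Strings are constructed."""
    problems = []
    if not info["response_signed"]:
        problems.append("Response element is not signed (signResponses)")
    if info["nameid"] != "encrypted":
        problems.append("NameID is not an EncryptedID (encryptNameIds)")
    if info["assertion_encrypted"]:
        problems.append("Assertion is encrypted (encryptAssertions)")
    return problems


# Constructed sample: the IdP 2.3 default shape described in the thread
# (Assertion signed, NameID in the clear, Response itself unsigned).
IDP23_DEFAULT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the shape produced by Lukas's RelyingParty override
# (Response signed, NameID encrypted, Assertion not encrypted).
EZPROXY_OVERRIDE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:EncryptedID>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      </saml:EncryptedID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, doc in (("IdP 2.3 default", IDP23_DEFAULT),
                       ("EZproxy override", EZPROXY_OVERRIDE)):
        info = inspect_response(doc)
        print(label, info, ezproxy_findings(info) or "ok")
```

Run it against a Response captured from your own IdP (for example via the browser's SAML tracer) to see which side of the change a given relying party is getting before touching relying-party.xml.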

Cantor, Scott E.

Jul 27, 2011, 10:34:54 AM
to us...@shibboleth.net
On 7/27/11 10:24 AM, "Lukas Hämmerle" <lukas.h...@switch.ch> wrote:
>
>Since the default behavior of the IdP regarding message signing and
>nameId signing changed in one of the more recent versions, EZProxy
>cannot accept these assertions anymnore where the <Assertion> element is
>signed and where the NameIdentifier is unencrypted.

Yes, but your defaults are yours. If you upgrade, you shouldn't ordinarily
be changing the defaults unless you take extra steps (and presumably test
them). New installs of course will probably have an issue with it.

Upgrading should be:

- unpack new tree
- copy over changes to webapp files (I *really* hate this, but it's being addressed)
- ./install.sh
- restart and test

If something breaks, I'd scream bloody murder.

-- Scott

Steven Carmody

Jul 27, 2011, 10:39:22 AM
to us...@shibboleth.net
On 7/27/11 10:24 AM, Lukas Hämmerle wrote:
>
> To solve this issue on the IdP side (until a new version of EZProxy is
> released),

I've heard that OCLC plans to include a fix for this problem in an EZP
release scheduled for this September.

Lukas Hämmerle

Jul 27, 2011, 10:56:07 AM
to us...@shibboleth.net
> Yes, but your defaults are yours. If you upgrade, you shouldn't ordinarily
> be changing the defaults unless you take extra steps (and presumably test
> them).

True :-) We currently use (and recommend using) a DefaultRelyingParty
element without explicit options like:

-----------------------8<-----------------------------
<rp:DefaultRelyingParty [...] >
    <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
    [...]
</rp:DefaultRelyingParty>
-----------------------8<-----------------------------

So, we are relying on the Shibboleth defaults. Therefore, we are
affected in this case...

Kind Regards
Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Hämmerle, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
lukas.h...@switch.ch, http://www.switch.ch
