[Shib-Users] isPassive wiki page and sample script


Lukas Haemmerle

Feb 2, 2009, 5:10:15 AM
to shibbole...@internet2.edu
This post reminded me of having a look at the isPassive SAML2 feature:
http://groups.google.com/group/shibboleth-users/browse_thread/thread/1b249ccb42b1b5c7/5323d95639b9a019?lnk=gst&q=workflow+in+shibboleth#5323d95639b9a019

So, I played around a bit and created a JavaScript that should
facilitate the usage of this feature. It should be very easy to embed in
a page, e.g. a home page of a portal.

The only thing that then has to be done is to add a redirectErrors
option in the shibboleth2.xml Error element to point to the same page
where the script is embedded in. And in addition it of course also makes
sense to lazy protect the same page so that Shibboleth attributes can be
used.

Script and some further details are available here:
https://spaces.internet2.edu/display/SHIB2/isPassive

If you want to test it, first go to:
https://kelimutu.switch.ch/aai/
Login using the default "AAI Demo Home Organization"
Now you should have a valid session for this Identity Provider

Then go to:
https://dieng.switch.ch/?somevar=blah

If you have a look at the web browser requests (e.g. with Firefox's Live
HTTP Headers extension), you will notice that you were redirected
several times and eventually are logged in (it should say "Hello
Demouser") automatically without any user interaction.

If you close your browser and directly access again
https://dieng.switch.ch/?somevar=blah , you are redirected as well but
no error should be displayed and you also shouldn't be authenticated
this time. This is of course because you don't have a session yet at the
IdP and any user interaction is forbidden with isPassive.

I haven't tested this in a production environment yet, so it could be
that there are some cases where the script won't work as expected.

Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
lukas.h...@switch.ch, http://www.switch.ch

Scott Cantor

Feb 2, 2009, 12:11:30 PM
to shibbole...@internet2.edu
> The only thing that then has to be done is to add a redirectErrors
> option in the shibboleth2.xml Error element to point to the same page
> where the script is embedded in. And in addition it of course also makes
> sense to lazy protect the same page so that Shibboleth attribute can be
> used.

This is great, thanks.

FWIW, remember that the next release will include the ability to ignore that
error code without having to redirect every error to a script:

https://spaces.internet2.edu/display/SHIB2/NativeSPAssertionConsumerService

-- Scott


Peter Schober

Feb 2, 2009, 2:29:37 PM
to shibbole...@internet2.edu
* Scott Cantor <cant...@osu.edu> [2009-02-02 18:11]:

> FWIW, remember that the next release will include the ability to ignore that
> error code without having to redirect every error to a script:
>
>https://spaces.internet2.edu/display/SHIB2/NativeSPAssertionConsumerService

Good to know. That would have saved me catching all the errorTexts,
errorTypes, etc. and rethrowing them elsewhere, just to check for
status:NoPassive.
-peter

Zhang, Xiaoling

Mar 4, 2009, 6:11:17 PM
to shibbole...@internet2.edu
Hi Lukas,

I found this very useful. However, I have a question on it. Is it true
that in order to use it, I need to have DS (see statement
window.location = "/Shibboleth.sso/DS?isPassive=true&target=" +
encodeURIComponent(window.location);)? I placed the script in an asp
page which does response.write only. The page in a browser shows the
error below:

shibsp::ConfigurationException

The system encountered an error at Wed Mar 04 15:06:51 2009

To report this problem, please contact the site administrator at
root@localhost.

Please include the following message in any email:

shibsp::ConfigurationException at (http://myhost/Shibboleth.sso/DS)

Shibboleth handler invoked at an unconfigured location.

My SP (2.1) doesn't have DS. It talks to an IdP 1.3. How can I get this
fixed?

Thank you.

Xiaoling Zhang

Peter Schober

Mar 4, 2009, 6:24:12 PM
to shibbole...@internet2.edu
* Zhang, Xiaoling <xzh...@ais.ucla.edu> [2009-03-05 00:11]:

> My SP (2.1) doesn't have DS. It talks to an IdP 1.3. How can I get
> this fixed?

While you could also use the isPassive request parameter on other
supported session initiators (e.g. the
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator#NativeSPSessionInitiator-SAML2SessionInitiator%28ProtocolHandler%29 )
and simply forget about the SAMLDS session initiator, I don't see what
using isPassive is for when used together with a 1.3 IdP which does
not support SAML2 (so will not respect isPassive if there is no
session at the IdP)?

cheers,
-peter

--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Zhang, Xiaoling

Mar 4, 2009, 7:06:45 PM
to shibbole...@internet2.edu
Ok. This is what I did:

I did exactly as on page
https://spaces.internet2.edu/display/SHIB2/isPassive for my application
testApp (under SP A). Then I logged in to another application under SP B
(SP A and SP B talk to the same IdP 1.3) to get a session generated with
IdP. Then I typed in the URL of the page with isPassive in testApp and
got that error. Logs from IdP and SP don't have useful information.

I guess I didn't understand isPassive completely. From the last sentence
on page https://spaces.internet2.edu/display/SHIB2/isPassive, I thought
isPassive can be used if IdP is 1.3.

Thanks.

Xiaoling

Scott Cantor

Mar 4, 2009, 7:55:57 PM
to shibbole...@internet2.edu
Zhang, Xiaoling wrote on 2009-03-04:
> Hi Lukas,
>
> I found this very useful. However, I have a question on it. Is it true
> that in order to use it, I need to have DS (see statement

No.

> shibsp::ConfigurationException at (http://myhost/Shibboleth.sso/DS)
>
> Shibboleth handler invoked at an unconfigured location.

That's not talking about a DS, it's talking about the handler location "/DS",
which you obviously have nothing listening on. Most people should use /Login
for their initiator, whether it's configured to use a DS, a WAYF, or
nothing.

> My SP (2.1) doesn't have DS. It talks to an IdP 1.3. How can I get this
> fixed?

As already mentioned, that's a non-starter, there is no such possibility.

-- Scott


Lukas Haemmerle

Mar 6, 2009, 10:15:54 AM
to shibbole...@internet2.edu
Hi Xiaoling

> I found this very useful.

Thx :)


> shibsp::ConfigurationException at (http://myhost/Shibboleth.sso/DS)
>
> Shibboleth handler invoked at an unconfigured location.
>
> My SP (2.1) doesn't have DS. It talks to an IdP 1.3. How can I get this
> fixed?

Try replacing the handler with /Shibboleth.sso/Login or
/Shibboleth.sso/WAYF. This should work as well, I guess.

Lukas

--
SWITCH
Serving Swiss Universities
--------------------------

Lukas Haemmerle, Software Engineer, Net Services

Zhang, Xiaoling

Mar 26, 2009, 3:41:57 AM
to shibbole...@internet2.edu
Hi Lukas,

Thanks for your help.

I have a question on your demo apps. If I first try
https://dieng.switch.ch/?somevar=blah then on the same browser try
https://kelimutu.switch.ch/aai/ and then close the browser and try
https://dieng.switch.ch/?somevar=blah on a new browser, I got what's
expected.

However, when I try these sites in this order:
1. https://dieng.switch.ch/?somevar=blah ,
2. https://kelimutu.switch.ch/aai/ , and
3. https://dieng.switch.ch/?somevar=blah
(always on the same browser session), I didn't seem to get to the
protected content of page https://dieng.switch.ch/?somevar=blah at step
3 -- no shibsession cookie under domain dieng and "Hello demouser" didn't
show up (I guess "Hello demouser" here is protected content). My
understanding of isPassive is, after a user accesses two apps under two
SPs this way, he should have shib sessions with both SPs.

Thanks for your time.

Xiaoling


Lukas Haemmerle

Mar 26, 2009, 9:41:11 AM
to shibbole...@internet2.edu
Hi Xiaoling

> However, when I try these sites in this order:
> 1. https://dieng.switch.ch/?somevar=blah ,
> 2. https://kelimutu.switch.ch/aai/ , and
> 3. https://dieng.switch.ch/?somevar=blah
> (always on the same browser session), I didn't seem to get to the
> protected content of page https://dieng.switch.ch/?somevar=blah at
> step 3 -- no shibsession cookie under domain dieng and "Hello demouser"
> didn't show up (I guess "Hello demouser" here is protected content). My
> understanding of isPassive is, after a user accesses two apps under two
> SPs this way, he should have shib sessions with both SPs.

Yes, that is true. The reason for this is that the sample isPassive
JavaScript sets a cookie during step 1.

When you access https://dieng.switch.ch/?somevar=blah the script
initiates all the isPassive stuff and tries to log you in. But because
you don't yet have a session at the IdP, it just brings you
(unauthenticated) back to https://dieng.switch.ch/?somevar=blah
(therefore no "Hello demouser").

In order to prevent the web browser from looping through all this again,
the script also sets a cookie that lets it recognize whether a user has
already gone through all the isPassive stuff.

When you then access in step 2 the protected resource on
kelimutu.switch.ch and authenticate, this cannot be noticed by
dieng.switch.ch. Therefore, dieng.switch.ch doesn't know that in step 3
the user actually could be logged in, and the cookie prevents the web
browser from going through the whole isPassive loop again. Unless one
would define a (short) timeout for the cookie, there is hardly any way
to get this scenario to work so that a user in step 3 also sees the
"Hello demouser" message and is authenticated.

Hope this explanation helps you understand the issue here :)

Cheers
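The client-side behaviour described in this message and in Lukas's first post (redirect to a session initiator with isPassive=true and a target, a marker cookie so the page does not loop through the isPassive round trip again, and a short cookie lifetime as the only way to pick up a later login at another SP), written out as an added example. This is not the script from the wiki page or SWITCH's code; the cookie name "isPassiveTried", its 300-second lifetime, the `hasSession` flag (which the lazily protected page would render server-side from its Shibboleth attributes), and the use of /Shibboleth.sso/Login instead of /DS (as Scott advises) are my assumptions. The decision logic is kept in pure functions so it can be checked outside a browser; `runIsPassive` is the only function that touches `window` and `document`.

```javascript
// Added example, not the script from the isPassive wiki page. Assumptions
// (mine, not from the thread): cookie name, its lifetime, the hasSession flag
// rendered by the lazily protected page, and /Login as the handler path.

const HANDLER_PATH = "/Shibboleth.sso/Login";   // /Login rather than /DS, per Scott's advice
const PASSIVE_COOKIE = "isPassiveTried";        // hypothetical marker cookie name
const PASSIVE_COOKIE_MAX_AGE = 300;             // seconds; short, so a later IdP login is noticed

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  if (!cookieString) return cookies;
  cookieString.split(";").forEach(function (part) {
    const eq = part.indexOf("=");
    if (eq < 0) return;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  });
  return cookies;
}

// Session-initiator URL: isPassive=true asks the IdP not to interact with the
// user; target is where the SP sends the browser after the (attempted) login.
function buildPassiveLoginUrl(handlerPath, targetUrl) {
  return handlerPath + "?isPassive=true&target=" + encodeURIComponent(targetUrl);
}

// Decide what the page should do on load.
//   hasSession: true when the SP already has a session for this browser
//   cookies:    parsed document.cookie
//   targetUrl:  the page's own URL (window.location.href in the browser)
// Returns { action: "none" | "redirect", reason, url }.
function decidePassiveAction(hasSession, cookies, targetUrl) {
  if (hasSession) {
    return { action: "none", reason: "session already exists" };
  }
  if (cookies[PASSIVE_COOKIE]) {
    // Marker present: an isPassive attempt was made recently and came back
    // without a session (the NoPassive case), so do not redirect again.
    // This is the loop guard Lukas describes.
    return { action: "none", reason: "isPassive already attempted" };
  }
  return {
    action: "redirect",
    reason: "no session, first attempt",
    url: buildPassiveLoginUrl(HANDLER_PATH, targetUrl)
  };
}

// Set-Cookie string for the marker. Max-Age bounds the window during which a
// login at another SP (the step 1/2/3 scenario in the thread) goes unnoticed.
function passiveMarkerCookie(maxAgeSeconds) {
  return PASSIVE_COOKIE + "=1; Path=/; Max-Age=" + maxAgeSeconds + "; Secure; SameSite=Lax";
}

// Browser entry point. The page (lazily protected, with redirectErrors in the
// Errors element of shibboleth2.xml pointing back at it) calls this once with
// a server-rendered boolean, e.g. runIsPassive(true) when a session exists.
function runIsPassive(hasSession) {
  const decision = decidePassiveAction(hasSession, parseCookies(document.cookie), window.location.href);
  if (decision.action === "redirect") {
    document.cookie = passiveMarkerCookie(PASSIVE_COOKIE_MAX_AGE);
    window.location = decision.url;
  }
  return decision;
}
```

The Max-Age on the marker cookie is the "(short) timeout" Lukas mentions: while it is set, a login at another SP is not picked up by this page; once it expires, the next visit tries isPassive again and, if the IdP now has a session, comes back authenticated.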

Zhang, Xiaoling

Mar 26, 2009, 12:42:09 PM
to shibbole...@internet2.edu
Thank you, Lukas :)
