How to pass attribute through proxy


Qian, Yi
Dec 8, 2016, 8:48:54 PM
to simple...@googlegroups.com

Hello,

I have

'simplesaml.attributes' => true,
'attributes' => array('displayName', 'uid', 'telephoneNumber', 'mail'),

in saml20-sp-remote.php and I have

'authproc' => array(
    50 => array(
        'class' => 'core:AttributeMap',
        'uid' => 'uid',
        'displayName' => 'displayName',
        'telephoneNumber' => 'telephoneNumber',
        'mail' => 'mail',
    ),
),

in saml20-idp-hosted.php, saml20-idp-remote.php and authsources.php.

In my Shib IdP log the assertion has all the attributes in it. But the Shib SP side does not receive anything.

I used core:attributeCopy and core:attributeAdd; none of the descriptions seems to just do attribute release.

Thanks

Yi

Patrick Radtke
Dec 9, 2016, 2:51:15 PM
to SimpleSAMLphp, yq...@ku.edu
Is Shibd sending the attributes as OIDs? Or as the friendly names you are using in your config?
The attributeLimit authproc is enabled by default on the SSP Idp part of the proxy. If you don't define any requested attributes it will pass through all of them. If you define the requested attributes (like you are doing) then it will filter. If the names don't match (oid vs friendly name) then you don't get anything.

Qian, Yi
Dec 12, 2016, 11:35:35 AM
to Patrick Radtke, SimpleSAMLphp

Yes. Since this is my initial attribute-release test, all the attributes are standard and released as OIDs; please see the log file at the bottom. I changed my metadata to

'authproc' => array(
    50 => array(
        'class' => 'core:AttributeLimit',
    ),
),

It is the same result: no attributes received on the Shibboleth SP side.

s:10:"Attributes";a:7:{s:33:"urn:oid:0.9.2342.19200300.100.1.1";a:1:{i:0;s:5:"yqian";}
s:32:"urn:oid:1.3.6.1.4.1.5923.1.1.1.1";a:3:{i:0;s:6:"Member";i:1;s:5:"Staff";i:2;s:8:"Employee";}
s:32:"urn:oid:1.3.6.1.4.1.5923.1.1.1.9";a:3:{i:0;s:13:"Mem...@ku.edu";i:1;s:12:"St...@ku.edu";i:2;s:15:"Empl...@ku.edu";}
s:16:"urn:oid:2.5.4.20";a:1:{i:0;s:15:"+1 785 864 0402";}
s:33:"urn:oid:0.9.2342.19200300.100.1.3";a:1:{i:0;s:12:"yq...@ku.edu";}
s:33:"urn:oid:1.3.6.1.4.1.5923.1.1.1.10";a:1:{i:0;O:11:"DOMNodeList":0:{}}
s:33:"urn:oid:2.16.840.1.113730.3.1.241";a:1:{i:0;s:7:"Yi Qian";}}
s:11:"LogoutState";a:4:{s:16:"saml:logout:Type";s:5:"saml2";
s:15:"saml:logout:IdP";s:46:"https://shibidptstwb1.cc.ku.edu/idp/shibboleth";
s:18:"saml:logout:NameID";a:4:
    {s:5:"Value";s:256:"3G3IQKSV363W4LWA6LYDRKGDIBVTXQTA46T3EL6QQWMQXC5PRAQAAEVABXBSWQE7IUV5AEKQQUGITZE2KXOA7B7D6POTJJ5LYEQFETFRPVT3YQRVSZK73HJEIMFUYBL7KIQT3QSBNUNQERUZ3MFZGAJQPK34DRE5RYAGGJGJ3TODENAGDIWCIOJXJHA2KX7WVGW2YRQCKGCPPMBGLOWDWTSGRYUCIIKKTCVO2QLKJFQ3DVPAMPZUU2XCNUGMWDTE";
    s:13:"NameQualifier";s:46:"https://shibidptstwb1.cc.ku.edu/idp/shibboleth";
    s:15:"SPNameQualifier";s:41:"https://ssp-proxy.qa.ku.edu/simplesamlphp";
    s:6:"Format";s:51:"urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    }
s:24:"saml:logout:SessionIndex";s:33:"_e7a411d9cd683f893477fee1107f0cd7";}
s:14:"saml:sp:NameID";a:4:
    {
    s:5:"Value";s:256:"3G3IQKSV363W4LWA6LYDRKGDIBVTXQTA46T3EL6QQWMQXC5PRAQAAEVABXBSWQE7IUV5AEKQQUGITZE2KXOA7B7D6POTJJ5LYEQFETFRPVT3YQRVSZK73HJEIMFUYBL7KIQT3QSBNUNQERUZ3MFZGAJQPK34DRE5RYAGGJGJ3TODENAGDIWCIOJXJHA2KX7WVGW2YRQCKGCPPMBGLOWDWTSGRYUCIIKKTCVO2QLKJFQ3DVPAMPZUU2XCNUGMWDTE";
    s:13:"NameQualifier";s:46:"https://shibidptstwb1.cc.ku.edu/idp/shibboleth";
    s:15:"SPNameQualifier";s:41:"https://ssp-proxy.qa.ku.edu/simplesamlphp";
    s:6:"Format";s:51:"urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    }
s:9:"Authority";
s:10:"default-sp";
s:12:"AuthnInstant";i:1481555672;
s:6:"Expire";i:1481584472;
s:13:"RawAttributes";a:1:
    {s:33:"urn:oid:1.3.6.1.4.1.5923.1.1.1.10";a:1:
        {i:0;C:29:"SAML2\XML\saml\AttributeValue":446:
            {s:437:"
            <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
                <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  NameQualifier="https://shibidptstwb1.cc.ku.edu/idp/shibboleth"
                  SPNameQualifier="https://ssp-proxy.qa.ku.edu/simplesamlphp">
                    hd1lx7xRl6UWtF6EVIUxcj49ObU=
                </saml2:NameID>
            </saml2:AttributeValue>";

Patrick Radtke
Dec 12, 2016, 12:36:40 PM
to Qian, Yi, SimpleSAMLphp
On Mon, Dec 12, 2016 at 8:35 AM, Qian, Yi <yq...@ku.edu> wrote:
> Yes, Since this is my initial attribute releasing test, all the attributes
> are standard, released as OID

Okay. So the attributes are in OID format but you defined the SP
request attributes using friendly names. SSP IdP is filtering out all
the attributes that weren't requested, and since the attributes all
have OID names none of them match the requested attributes and they
all get filtered.

You should define the attributes in saml20-sp-remote.php as OIDs.

Or if you actually want them as friendly names then you can add something like

'authproc' => array(
    40 => array(
        'class' => 'core:AttributeMap',
        'oid2name',
    ),
),

to your saml20-sp-remote.php to convert the names to friendly names
prior to the attribute limit module/authproc running.

-Patrick

Qian, Yi
Dec 12, 2016, 8:41:10 PM
to simple...@googlegroups.com
In my saml20-sp-remote.php, I have settings like this:

'simplesaml.attributes' => true,
'attributes' => array('displayName', 'uid', 'telephoneNumber', 'mail'),
'authproc' => array(
    40 => array(
        'class' => 'core:AttributeMap',
        'oid2name',
    ),
),

And I also tried this:

'simplesaml.attributes' => true,
'attributes' => array(
    'urn:oid:2.16.840.1.113730.3.1.241',
    'urn:oid:0.9.2342.19200300.100.1.1',
    'urn:oid:2.5.4.20',
    'urn:oid:0.9.2342.19200300.100.1.3',
),

But none of them worked.


Patrick Radtke
Dec 12, 2016, 9:47:07 PM
to SimpleSAMLphp
Can you post your authsources.php and saml20-idp-hosted.php?
Did you add any authproc stuff to saml20-idp-remote.php (or however
you included your shibboleth idp)?

Qian, Yi
Dec 13, 2016, 12:34:28 PM
to simple...@googlegroups.com
Yes, I have this in the saml20-idp-remote.php too:

'authproc' => array(
    50 => array(
        'class' => 'core:AttributeLimit',
    ),
),

And I attached all the configuration files I worked on.

Attachments: authsources.php, saml20-idp-hosted.php, saml20-idp-remote.php, saml20-sp-remote.php

Patrick Radtke
Dec 13, 2016, 12:47:12 PM
to SimpleSAMLphp
What happens when you test the authentication source directly?

I think with this URL:

https://ssp-proxy.qa.ku.edu/simplesamlphp/module.php/core/authenticate.php?as=default-sp

Does it display attributes?

Qian, Yi
Dec 13, 2016, 1:00:58 PM
to simple...@googlegroups.com
The SimpleSamlPhp is actually on a server with a totally different name, so I had to change the URL, but the result is exciting: I see the attributes. Please see the screenshot attached.

Attachment: ssp-screenshot.png

Patrick Radtke
Dec 13, 2016, 6:51:05 PM
to SimpleSAMLphp
On Tue, Dec 13, 2016 at 10:00 AM, Qian, Yi <yq...@ku.edu> wrote:
> The SimpleSamlPhp is actually in the server with totally different name, I had to change the URL, but result is exciting, I see the attributes, please see the screenshot attached


That is good. I'm surprised they did not get displayed as OIDs (based
on what the config looked like). Do you have other authprocs
configured in your config.php?
Just as a sanity check, can you confirm with SAML tracer firefox
plugin that no attributes are getting sent to the shibboleth SP?

Qian, Yi
Dec 15, 2016, 1:08:00 PM
to simple...@googlegroups.com
I got it working without knowing why. Here is what I did: add the following authproc in all the metadata files.

'authproc' => array(
    40 => array(
        'class' => 'core:AttributeMap',
        'urn:oid:0.9.2342.19200300.100.1.1' => 'urn:oid:0.9.2342.19200300.100.1.1',
    ),
),

What I missed before is that I did not add this in sp-remote.

It does not look right even though it works, since I had to modify the Shib SP attribute mapping to receive the uid, but with my limited SimpleSamlPhp knowledge I can't figure it out. I tried to use AttributeLimit everywhere in the authproc; it didn't work. Could any experts shed some light on how to do it the correct way?

Patrick Radtke
Dec 15, 2016, 1:47:53 PM
to SimpleSAMLphp
Well, I think part of the problem is that your authproc configuration
is way more complicated than it needs to be. You shouldn't need to add
them to all the different files.

I understand you are trying to proxy a bunch of IdPs to an SP. But I
don't understand what you are trying to accomplish with the authproc
filters. Can you please explain what you are trying to achieve by
using them?

Qian, Yi
Dec 15, 2016, 7:53:15 PM
to simple...@googlegroups.com
Thanks Patrick for all the help. I know I overcomplicated it due to my very limited knowledge of SimpleSamlPhp.

Yes, that is exactly what I am trying to achieve: proxy our internal IdPs to an outside vendor SP through a SimpleSamlPhp proxy and release the student ID from the internal IdPs to the outside vendor SP. Our IdPs are all Shibboleth IdPs. I do not know the vendor SP, so I set up an internal Shibboleth SP to test the setup.

I am trying to let the SimpleSamlPhp proxy pass the attributes through from the Shibboleth IdP to the Shibboleth SP. If I can get attributes through without using authproc, that is definitely better.

Patrick Radtke
Dec 15, 2016, 8:38:04 PM
to SimpleSAMLphp
If you remove the authproc stuff that you have added to all those
files, and remove the 'attributes' key/values from
saml20-sp-remote.php then the proxy shouldn't be removing any
attributes. You can use the 'authenticate as' url to confirm the Proxy
SP side receives attributes and the SAML Tracer firefox plugin to
confirm that your proxy Idp side does indeed send attributes.

At this point, once you have things working, you can decide if you
want to limit the attributes.

We do this with the following in our authsources.php. We make sure attributes are converted to OIDs:

'authproc' => array(
    // Convert LDAP names to oids.
    100 => array('class' => 'core:AttributeMap', 'name2oid'),
),

You can then use that 'authenticate as' URL to test logging into the
proxy. The attributes should be listed as OIDs. This sets it up for the
'SP' side of your proxy.

You can then decide how you want to limit data on the IdP side of your proxy.
The attribute limit filter runs at priority 50 (in config.php) and if
the end target SP metadata (not your proxy SP metadata) lists the
expected attributes then it will filter based on those (string match).

Here is an example from one of our saml20-sp-remote.php files (it was
generated using a metadata converter, hence the 0 => syntax):

'attributes' => array(
    0 => 'urn:oid:2.5.4.3',
    1 => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1',
    2 => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
    3 => 'urn:oid:2.5.4.42',
    4 => 'urn:oid:0.9.2342.19200300.100.1.3',
    5 => 'urn:oid:2.5.4.10',
    6 => 'urn:oid:2.5.4.4',
),

and then the IDP side of our proxy limits the release to just those attributes.

-Patrick
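An added illustration (not code from this thread or from SimpleSAMLphp itself) of the behaviour Patrick describes twice above: core:AttributeLimit with no attribute list of its own falls back to the target SP's 'attributes' metadata and keeps only exact string matches, so friendly names in that list against OID-named attributes from the Shibboleth IdP drop everything, while an oid2name map at a lower priority number than the limit, or OID names in the list, or no list at all, lets the attributes through. The two filters below are simplified re-implementations written to show the priority ordering and the string match, not the library's own classes; the oid2name table is a four-entry excerpt I constructed from the OIDs visible in this thread (the real map is far larger), and the attribute values are made up.

```php
<?php
// Simplified models of core:AttributeMap and core:AttributeLimit, written
// for illustration. Not the SimpleSAMLphp implementation.

// Constructed excerpt of the oid2name map, restricted to the four OIDs that
// appear in this thread. SimpleSAMLphp ships the full table as
// attributemap/oid2name.php.
const OID2NAME = [
    'urn:oid:0.9.2342.19200300.100.1.1' => 'uid',
    'urn:oid:0.9.2342.19200300.100.1.3' => 'mail',
    'urn:oid:2.5.4.20'                  => 'telephoneNumber',
    'urn:oid:2.16.840.1.113730.3.1.241' => 'displayName',
];

/** Rename attributes according to $map; names not in the map pass through unchanged. */
function attributeMap(array $attributes, array $map): array
{
    $out = [];
    foreach ($attributes as $name => $values) {
        $out[$map[$name] ?? $name] = $values;
    }
    return $out;
}

/**
 * Keep only the attributes whose name is in $allowed (exact string match).
 * An empty $allowed list means "no limit": with no 'attributes' key in the
 * SP metadata, the default filter passes everything through.
 */
function attributeLimit(array $attributes, array $allowed): array
{
    if ($allowed === []) {
        return $attributes;
    }
    return array_intersect_key($attributes, array_flip($allowed));
}

/**
 * Run an authproc chain in ascending priority order. $authproc has the same
 * shape as the config files in this thread: priority => filter definition.
 * $spAttributes is the target SP's 'attributes' list (may be empty).
 */
function runAuthproc(array $attributes, array $authproc, array $spAttributes): array
{
    ksort($authproc);
    foreach ($authproc as $filter) {
        switch ($filter['class']) {
            case 'core:AttributeMap':
                // A bare 'oid2name' entry selects the named map; only that map is modelled here.
                $map = in_array('oid2name', $filter, true) ? OID2NAME : [];
                foreach ($filter as $key => $value) {
                    if (is_string($key) && $key !== 'class') {
                        $map[$key] = $value;   // explicit 'from' => 'to' pairs
                    }
                }
                $attributes = attributeMap($attributes, $map);
                break;
            case 'core:AttributeLimit':
                $attributes = attributeLimit($attributes, $spAttributes);
                break;
        }
    }
    return $attributes;
}

// Constructed sample shaped like the OID-named attributes in the session dump above.
$fromShibIdp = [
    'urn:oid:0.9.2342.19200300.100.1.1' => ['yqian'],
    'urn:oid:0.9.2342.19200300.100.1.3' => ['yqian@example.edu'],
    'urn:oid:2.5.4.20'                  => ['+1 555 0100'],
    'urn:oid:2.16.840.1.113730.3.1.241' => ['Yi Qian'],
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'  => ['Member', 'Staff'],
];
$friendlyList = ['displayName', 'uid', 'telephoneNumber', 'mail'];
$limitAt50    = [50 => ['class' => 'core:AttributeLimit']];

// 1. Friendly names in the SP's 'attributes', OID names on the wire: every attribute is dropped.
$dropped = runAuthproc($fromShibIdp, $limitAt50, $friendlyList);
printf("friendly list vs OID attributes: %d attribute(s) released\n", count($dropped));

// 2. oid2name at 40 runs before the limit at 50: the four requested attributes survive,
//    and the unmapped eduPersonAffiliation OID is filtered out.
$mapped = runAuthproc($fromShibIdp, $limitAt50 + [40 => ['class' => 'core:AttributeMap', 'oid2name']], $friendlyList);
printf("oid2name then limit: %s\n", implode(', ', array_keys($mapped)));

// 3. No 'attributes' list in the SP metadata: pass-through of everything, which is the
//    configuration the thread ends on.
$passthrough = runAuthproc($fromShibIdp, $limitAt50, []);
printf("no SP attribute list: %d attribute(s) released\n", count($passthrough));
```

Run it with `php` on the command line. The first case is Yi's original symptom, the second is Patrick's priority-40 oid2name suggestion, and the third is the final working setup; swapping the priorities in case 2 so the limit runs before the map reproduces case 1, which is why the map must sit at a lower priority number than the limit.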

Qian, Yi
Dec 16, 2016, 2:19:57 PM
to simple...@googlegroups.com
Thanks again, yes, you are right, I do not need any of the authproc at all, I removed all the authproc from all the configs. Attributes just flow freely from my Shib IdP through SimpleSamlPhp proxy to my Shib SP!
