required attributes for idemauth sp


Richard Sand

Oct 24, 2011, 2:45:34 AM
to idemauth-users
Hi all - I am struggling to set up Joomla and idemauth as SP. After I
complete the federation flow, I end up on the login page with the
message "Username and password do not match or you do not have an
account yet.".

In my assertion I'm sending the username as the subject name, e.g. I
send 'rsand' and my Joomla account username is also called 'rsand'. I
also put username as an attribute of the assertion, as well as the
attributes Full Name and email.

I think I'm just missing a step here on how to ensure that my IdP is
sending the content in the assertion that idemauth needs to establish
the user session. Can anyone point me in the right direction?

Best regards,

Richard

Stefano Gargiulo

Oct 24, 2011, 9:45:30 AM
to idemaut...@googlegroups.com
Hi.

The session mapping is done by the plugin, so configure it in plugins->authentication->idemauth. Don't modify the SAML assertion subject: as you can see in the plugin configuration, you have to use SAML 2.0 assertion attributes for the session mapping, so you can configure for instance edupersonprincipalname to be the username and urn:oid:0.1.2 to be the mail (pay attention: Joomla requires a valid email here).

PS.
Due to the Joomla structure you cannot have a local user with the same username and email as a federated one, so let idemauth create it using a new username and email from the assertion (make sure you don't have a local user with a local password and the same IDs in the Joomla DB).

2011/10/24 Richard Sand <richar...@ihg.com>

--
You received this message because you are subscribed to the
"idemauth" group on Google Groups.
To post to this group, send an email to
idemaut...@googlegroups.com
To unsubscribe from this group, send an email to
idemauth-user...@googlegroups.com
For more options, visit this group at
http://groups.google.it/group/idemauth-users?hl=it

Download idemauth: http://dev.garr.it/idemauth
File a bug: http://code.google.com/p/idemauth/
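An added example, not the idemauth plugin's own code, of the mapping Stefano describes: the attribute array SimpleSAMLphp hands the plugin is turned into a Joomla account by a configured mapping (username from eduPersonPrincipalName, urn:oid:1.3.6.1.4.1.5923.1.1.1.6; e-mail from mail, urn:oid:0.9.2342.19200300.100.1.3), the e-mail is checked because Joomla requires a valid one, and a federated identity is refused rather than linked to a local account that has its own password and the same username or e-mail. The option names, the e-mail regex, the sample attribute values and the local user list are assumptions constructed for the example.

```python
import re

# Attribute names the plugin configuration maps onto the Joomla account
# (assumed option keys; the real option names are not shown in the thread).
MAPPING = {
    "username": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",  # eduPersonPrincipalName
    "email":    "urn:oid:0.9.2342.19200300.100.1.3",  # mail
    "name":     "urn:oid:2.5.4.42",                   # givenName, optional
}
OPTIONAL = {"name"}

# Deliberately strict stand-in for Joomla's e-mail validation (assumption):
# one local part, one '@', a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z0-9-]+$")


class MappingError(Exception):
    """Raised when the assertion cannot be turned into a Joomla account."""


def map_attributes(attrs, mapping=MAPPING):
    """attrs is the {attribute name: [values]} array SimpleSAMLphp passes to the
    plugin (what the plugin's debug mode prints). Returns the account fields."""
    account = {}
    for field, attr_name in mapping.items():
        values = [v.strip() for v in attrs.get(attr_name, []) if v and v.strip()]
        if not values:
            if field in OPTIONAL:
                continue
            raise MappingError(f"no value for '{attr_name}' (needed for {field})")
        if len(values) > 1 and field not in OPTIONAL:
            raise MappingError(f"'{attr_name}' is multi-valued; refusing to guess")
        account[field] = values[0]
    if not EMAIL_RE.match(account["email"]):
        raise MappingError(f"'{account['email']}' is not a valid e-mail address")
    account.setdefault("name", account["username"])
    return account


def resolve_account(attrs, local_users, mapping=MAPPING):
    """Decide what the SP-side login does: ('login', existing federated user),
    ('create', new account), or raise because a password-bearing local account
    already owns the username or e-mail."""
    account = map_attributes(attrs, mapping)
    uname, email = account["username"].lower(), account["email"].lower()
    for u in local_users:
        if u["username"].lower() != uname and u["email"].lower() != email:
            continue
        if u["has_local_password"]:
            raise MappingError(
                f"local account '{u['username']}' has a password and shares the "
                "username or e-mail; not linking a federated identity to it")
        return "login", u
    return "create", account


def outcome(attrs, local_users, mapping=MAPPING):
    """One-word verdict: 'create', 'login' or 'refused'."""
    try:
        return resolve_account(attrs, local_users, mapping)[0]
    except MappingError:
        return "refused"


# Constructed sample data (values made up; the 'has_local_password' flag models
# Stefano's "local user with local password", not a real Joomla column).
SAMPLE_ATTRS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["testuser3"],
    "urn:oid:2.5.4.42": ["Test"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["testuser3@example.org"],
    "urn:oid:2.5.4.4": ["User Three"],
}
LOCAL_USERS = [
    {"username": "admin", "email": "admin@example.org", "has_local_password": True},
    {"username": "fed1", "email": "fed1@example.org", "has_local_password": False},
]

if __name__ == "__main__":
    print(resolve_account(SAMPLE_ATTRS, LOCAL_USERS))
```

The refusal on a username or e-mail clash is the security-relevant part: if the plugin silently linked a federated login to an existing local account, anyone who controls an IdP the SP trusts could log in as that local user by asserting its username or e-mail.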

Richard Sand

Oct 24, 2011, 11:30:03 AM
to idemauth-users
Hi Stefano,

Is it possible for you to post a sample assertion that works for
Joomla? I can't seem to get past this point. I'm sending an
assertion with a transient ID, and the username, e-mail, givenname,
and sn specified as attributes by their URN. I've made sure that the
username I'm sending doesn't already exist in the Joomla database.

Here is what I'm sending (I trimmed the signature):

[10/24/2011][11:27:08][4968][3832][d0b21731-babdfec2-935bf20d-e6ae2085-178cbaac-7d][SSO.java][sendSAMLResponse][SAML2 Single Sign-On Service sending SAML Response:
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://fedman.ihg.sand.ttg.lan:444/components/com_idemauth/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/idemauth-sp"
    ID="_ff6f9175cca40d743c34bdbfaea5a2d969fc"
    InResponseTo="_b7ceeb4889257bc6ceb9c15a795819f418c63e6e40"
    IssueInstant="2011-10-24T15:27:08Z" Version="2.0">
  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">fedmanidp</ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_b7a429cc086cad72766436568c21c27b60da"
      IssueInstant="2011-10-24T15:27:08Z" Version="2.0">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">fedmanidp</ns2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_b7a429cc086cad72766436568c21c27b60da">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>pf1sg7FdCX4cI4ej+uryIO9/4vI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        ...
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <ns2:Subject>
      <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_74b5848da57de9c96ef5b7a853a82439701a</ns2:NameID>
      <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <ns2:SubjectConfirmationData InResponseTo="_b7ceeb4889257bc6ceb9c15a795819f418c63e6e40"
            NotOnOrAfter="2011-10-24T15:28:37Z"
            Recipient="https://fedman.ihg.sand.ttg.lan:444/components/com_idemauth/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/idemauth-sp"/>
      </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2011-10-24T15:26:37Z" NotOnOrAfter="2011-10-24T15:28:37Z">
      <ns2:AudienceRestriction>
        <ns2:Audience>https://fedman.ihg.sand.ttg.lan:444/joomla/</ns2:Audience>
      </ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="2011-10-24T15:27:07Z"
        SessionIndex="luOtJhKJ7jmLECuoH/i3plIR7wc=GeJdVg=="
        SessionNotOnOrAfter="2011-10-24T15:28:37Z">
      <ns2:AuthnContext>
        <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
      </ns2:AuthnContext>
    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
      <ns2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <ns2:AttributeValue>testuser3</ns2:AttributeValue>
      </ns2:Attribute>
      <ns2:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <ns2:AttributeValue>Test</ns2:AttributeValue>
      </ns2:Attribute>
      <ns2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <ns2:AttributeValue>test....@ihg-qa.com</ns2:AttributeValue>
      </ns2:Attribute>
      <ns2:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <ns2:AttributeValue>User Three</ns2:AttributeValue>
      </ns2:Attribute>
    </ns2:AttributeStatement>
  </ns2:Assertion>
</Response>

Thanks for your help!

Best regards,

Richard



Stefano Gargiulo

Oct 24, 2011, 12:12:09 PM
to idemaut...@googlegroups.com
It works with assertions generated by any Shibboleth or SimpleSAMLphp IdP with the default configuration; your assertion also looks fine, but maybe there's something unsupported by the embedded SimpleSAMLphp?

Try to enable debug mode in the idemauth plugin configuration, and log in. Do you see a print of a php array populated with your attribute values?

2011/10/24 Richard Sand <richar...@ihg.com>

Richard Sand

Oct 24, 2011, 3:43:47 PM
to idemauth-users
Hi Stefano,

Thanks so much for your help. I got past that problem - I was signing
the assertion element whereas simplesamlphp wants the response element
signed.

I'm 99% there but I am seeing a strange behavior - when the user
federates into Joomla the first time, I still see the error message
"Username and password do not match or you do not have an account
yet". But the simplesamlphp log file seems to indicate that everything
is working. In the same browser session, in Joomla I then click the
SSO button to initiate federation the 2nd time, and it immediately
works.

Any idea what might cause that? BTW I'm running Joomla 1.5.24.

This is the simplesamlphp.log contents. At 15:31:56 I initiate the
first SSO, it gets the reply back from the IDP at 15:32:06, which
results in the login failed message. Then I try it again at 15:32:15
and get right in.

Oct 24 15:31:56 simplesamlphp DEBUG [90abfa9ae5] Library - Session: Check if session is valid. checkauthority:idemauth-sp thisauthority:null isauthenticated:no remainingtime:-1319455916
Oct 24 15:31:56 simplesamlphp DEBUG [90abfa9ae5] Library - Session: Check if session is valid. checkauthority:idemauth-sp thisauthority:null isauthenticated:no remainingtime:-1319455916
Oct 24 15:31:56 simplesamlphp DEBUG [90abfa9ae5] Saved state: '_eef2d8e8f7b250f1f2a3432c171e863d38fe46a854'
Oct 24 15:31:56 simplesamlphp DEBUG [90abfa9ae5] Sending SAML 2 AuthnRequest to 'fedmanidp'
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] Loading state: '_eef2d8e8f7b250f1f2a3432c171e863d38fe46a854'
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] Received SAML2 Response from 'fedmanidp'.
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] Found 0 certificates in SAML2_Assertion
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] Found 1 certificates in SAML2_Response
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] Filter config for fedmanidp->https://fedman.ihg.sand.ttg.lan:444/joomla/: array ( 0 => sspmod_core_Auth_Process_AttributeLimit::__set_state(array( 'allowedAttributes' => array ( ), 'priority' => 50, )), 1 => sspmod_core_Auth_Process_GenerateGroups::__set_state(array( 'generateGroupsFrom' => array ( 0 => 'eduPersonAffiliation', ), 'priority' => 60, )), 2 => sspmod_core_Auth_Process_AttributeAdd::__set_state(array( 'replace' => false, 'attributes' => array ( 'groups' => array ( 0 => 'users', 1 => 'members', ), ), 'priority' => 61, )), 3 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 90, )),)
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] GenerateGroups - attribute 'eduPersonAffiliation' not found.
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] Deleting state: '_eef2d8e8f7b250f1f2a3432c171e863d38fe46a854'
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] Session: doLogin("idemauth-sp")
Oct 24 15:32:06 simplesamlphp DEBUG [90abfa9ae5] Library - Session: Set IdP to : fedmanidp
Oct 24 15:32:15 simplesamlphp DEBUG [90abfa9ae5] Library - Session: Check if session is valid. checkauthority:idemauth-sp thisauthority:idemauth-sp isauthenticated:yes remainingtime:28791
Oct 24 15:32:15 simplesamlphp DEBUG [90abfa9ae5] Library - Session: Check if session is valid. checkauthority:idemauth-sp thisauthority:idemauth-sp isauthenticated:yes remainingtime:28791
Oct 24 15:32:15 simplesamlphp DEBUG [90abfa9ae5] Library - Session: Check if session is valid. checkauthority:idemauth-sp thisauthority:idemauth-sp isauthenticated:yes remainingtime:28791

Best regards,

Richard



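The cause Richard found (the IdP signed the Assertion while the SP checked the Response) can be read straight off the XML: each ds:Signature's Reference URI names the ID of the element it covers, which is what the SimpleSAMLphp log lines "Found 0 certificates in SAML2_Assertion / Found 1 certificates in SAML2_Response" reflect after the fix. The following is an added example, not part of the thread and not idemauth or SimpleSAMLphp code, that parses a Response, reports which element(s) are signed, and runs the remaining checks an SP applies before it hands attributes to the plugin: status, the Conditions window, AudienceRestriction, and the bearer Recipient and InResponseTo. It does not verify the signature cryptographically (no IdP certificate is involved). The Response it builds is constructed to mirror the one posted earlier in the thread; the e-mail attribute value, the fixed "now" timestamp and the sign_response switch are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Identifiers and SP endpoints taken from the Response posted earlier in the thread.
RESPONSE_ID = "_ff6f9175cca40d743c34bdbfaea5a2d969fc"
ASSERTION_ID = "_b7a429cc086cad72766436568c21c27b60da"
REQUEST_ID = "_b7ceeb4889257bc6ceb9c15a795819f418c63e6e40"
ACS = ("https://fedman.ihg.sand.ttg.lan:444/components/com_idemauth/simplesamlphp"
       "/www/module.php/saml/sp/saml2-acs.php/idemauth-sp")
ENTITY = "https://fedman.ihg.sand.ttg.lan:444/joomla/"
NOW = datetime(2011, 10, 24, 15, 27, 10, tzinfo=timezone.utc)  # assumed; inside the Conditions window


def _sig(ref_id):
    # Signature skeleton only: this script reports what a signature covers, it does not verify it.
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:Reference URI="#{ref_id}">'
            '<ds:DigestValue>...</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>...</ds:SignatureValue></ds:Signature>')


def build_response(sign_response):
    """Constructed Response modelled on the posted one (e-mail value is made up).
    sign_response=False signs only the Assertion, the IdP setup that produced the
    failed login; True signs the Response instead."""
    rs = _sig(RESPONSE_ID) if sign_response else ""
    asg = "" if sign_response else _sig(ASSERTION_ID)
    return f'''<Response xmlns="{NS["samlp"]}" ID="{RESPONSE_ID}" InResponseTo="{REQUEST_ID}"
    Destination="{ACS}" IssueInstant="2011-10-24T15:27:08Z" Version="2.0">
  <ns1:Issuer xmlns:ns1="{NS["saml"]}">fedmanidp</ns1:Issuer>{rs}
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>
  <ns2:Assertion xmlns:ns2="{NS["saml"]}" ID="{ASSERTION_ID}" IssueInstant="2011-10-24T15:27:08Z" Version="2.0">
    <ns2:Issuer>fedmanidp</ns2:Issuer>{asg}
    <ns2:Subject>
      <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_74b5848da57de9c96ef5b7a853a82439701a</ns2:NameID>
      <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <ns2:SubjectConfirmationData InResponseTo="{REQUEST_ID}" NotOnOrAfter="2011-10-24T15:28:37Z" Recipient="{ACS}"/>
      </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2011-10-24T15:26:37Z" NotOnOrAfter="2011-10-24T15:28:37Z">
      <ns2:AudienceRestriction><ns2:Audience>{ENTITY}</ns2:Audience></ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AttributeStatement>
      <ns2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><ns2:AttributeValue>testuser3</ns2:AttributeValue></ns2:Attribute>
      <ns2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><ns2:AttributeValue>testuser3@example.org</ns2:AttributeValue></ns2:Attribute>
    </ns2:AttributeStatement>
  </ns2:Assertion>
</Response>'''


def _t(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def inspect_response(xml_text, sp_entity_id, acs_url, request_id, now):
    """Report which element(s) carry an enveloped signature over their own ID and
    whether the Response passes the checks an SP applies before mapping attributes."""
    root = ET.fromstring(xml_text)
    problems, signed, attrs = [], [], {}
    for el in root.iter():
        sig = el.find("ds:Signature", NS)
        if el.get("ID") is None or sig is None:
            continue
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is not None and ref.get("URI") == "#" + el.get("ID"):
            signed.append(el.tag.split("}")[-1])  # "Response" or "Assertion"
    if "Response" not in signed:
        problems.append(f"Response is not signed; signed elements: {signed or 'none'}")
    code = root.find("samlp:Status/samlp:StatusCode", NS).get("Value", "")
    if not code.endswith(":Success"):
        problems.append(f"status {code}")
    a = root.find("saml:Assertion", NS)
    if a is None:
        problems.append("no plaintext Assertion (encrypted or missing)")
    else:
        cond = a.find("saml:Conditions", NS)
        if not _t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter")):
            problems.append("outside Conditions window (check IdP and SP clocks)")
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("SP entityID is not in AudienceRestriction")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != acs_url:
            problems.append("bearer Recipient does not match the SP ACS URL")
        if scd is not None and scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match the AuthnRequest that was sent")
        for at in a.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[at.get("Name")] = [v.text or "" for v in at.findall("saml:AttributeValue", NS)]
    return {"signed": signed, "attributes": attrs, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_response(build_response(flag), ENTITY, ACS, REQUEST_ID, NOW))
```

Feed it a Response captured from the IdP log together with the SP's own entityID, ACS URL and the ID of the AuthnRequest it sent. A result of signed == ['Assertion'] with "Response is not signed" is the first symptom in this thread; "outside Conditions window" on an otherwise clean Response points at clock skew, which matters here because the posted Conditions give only a two-minute window (NotBefore 15:26:37, NotOnOrAfter 15:28:37).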

Stefano Gargiulo

Oct 25, 2011, 4:45:25 AM
to idemaut...@googlegroups.com

OK, now SimpleSAMLphp is fine; it's a Joomla question.

It never happened to me, but try changing the idemauth plugin order: try first or last position. I think another plugin is raising this message now.

Stefano.

Richard Sand

Oct 25, 2011, 9:23:55 AM
to idemauth-users
I tried setting Idemauth as first and as last. I also tried disabling
the joomla default authentication plugin (the only other auth plugin).
No difference.

This is a totally vanilla out-of-the-box clean install of Joomla
1.5.24. Has idemauth been validated against this version?

Sorry for all of the questions. This really does seem to be the last
hurdle here to get this working.

Best regards,

Richard
