MISP shibboleth integration

dubravko sever

Apr 18, 2018, 10:16:16 AM4/18/18
to MISP development
Hi,

We are looking to integrate MISP into a federated SSO, but have hit a wall. According to the available documentation it should be easy; in real life it is not.

We created an IdP (checkpoint that returns the given SAML):

    <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">x...@xxx.hr</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2018-04-18T11:59:49Z"
                                               InResponseTo="_ee4291c9b6ef8a1f71b70fbe868acfc1"
                                               Recipient="https://misp2.lab.cs/Shibboleth.sso/SAML2/POST"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2018-04-18T11:46:49Z"
                          NotOnOrAfter="2018-04-18T11:59:49Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://misp2.lab.cs/shibboleth</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2018-04-18T11:49:49Z"
                              SessionIndex="_9d248b20f505bb325bc5c1ec4a526267ffa5fc"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                             Name="username"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">dsever</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                             Name="memberOf"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
            ............                 
            >
            </saml2:Attribute>
            <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                             Name="Organization"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">CS Computer Systems</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

In the first place the mail address would be OK, no other attributes are needed. But the log screams that mail_tag is empty; after tracing the env variable it says: ["REMOTE_USER"]=> string(0) "", meaning empty.

The Shibboleth config looks like:
<ApplicationDefaults entityID="https://misp2.lab.cs/shibboleth"
                        REMOTE_USER="eppn persistent-id targeted-id">


And Apache conf looks like:
<VirtualHost *:443 >

        ShibCompatValidUser Off
        ServerAdmin m...@me.local
        ServerName misp2.lab.cs
        DocumentRoot /var/www/MISP/app/webroot
        UseCanonicalName on
        <Location /Shibboleth.sso>
        AuthType None
        Require all granted
        </Location>

        <IfModule mod_alias.c>
          <Location /shibboleth-sp>
                AuthType None
                Require all granted
          </Location>
          Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
        </IfModule>


        <Directory /var/www/MISP/app/webroot>
                Options -Indexes
                AllowOverride all
                #Require all granted
                <If "-T reqenv('HTTP_AUTHORIZATION')">
                        Require all granted
                        AuthType None
                </If>

                <Else>
                        Require valid-user
                        AuthType shibboleth
                        ShibRequestSetting requiresession On
                        ShibRequestSetting shibexportassertion Off
                        ShibUseHeaders On
                </Else>
        </Directory>

        SSLEngine On
        SSLCertificateFile /etc/ssl/crt/misp2.crt
        SSLCertificateKeyFile /etc/ssl/keys/misp2.key

Maybe the problem is in the attribute-map, but I'm not sure how to fix it. Please, can someone give me a push to move forward... :)

Thanks
Dubravko
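As an added illustration (not part of the thread, and not MISP's or the Shibboleth project's shipped configuration): the SP fills REMOTE_USER from the first attribute in its REMOTE_USER list that is actually present in the session, and attributes only exist in the session if attribute-map.xml has a rule for them. The stock attribute-map.xml knows nothing about an IdP attribute named `username`, and `eppn`, `persistent-id` and `targeted-id` are never released by the assertion shown above, so REMOTE_USER stays empty. The fragments below assume a standard Shibboleth SP install with /etc/shibboleth/attribute-map.xml and /etc/shibboleth/shibboleth2.xml; the local ids `username`, `email`, `memberOf` and `organization` are my own choice of names.

```xml
<!-- File 1: /etc/shibboleth/attribute-map.xml (added example, not from the thread).
     A rule without nameFormat matches SAML 2.0 attributes whose NameFormat is
     "unspecified", which is what the IdP above sends. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Map the IdP's custom "username" attribute to a local id the SP can export. -->
    <Attribute name="username" id="username"/>

    <!-- Turn the NameID itself into an attribute, so the e-mail address in
         <saml2:NameID Format="...:emailAddress"> becomes usable as "email". -->
    <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="email">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
    </Attribute>

    <!-- Only needed if group and organisation data should reach the application. -->
    <Attribute name="memberOf" id="memberOf"/>
    <Attribute name="Organization" id="organization"/>
</Attributes>

<!-- File 2: /etc/shibboleth/shibboleth2.xml (added example, not from the thread).
     Put the attributes the IdP really releases first; the thread's original list
     ("eppn persistent-id targeted-id") contains none of them. -->
<ApplicationDefaults entityID="https://misp2.lab.cs/shibboleth"
                     REMOTE_USER="username email eppn persistent-id targeted-id">
```

After restarting shibd, the SP's built-in session handler (https://misp2.lab.cs/Shibboleth.sso/Session) lists the attributes that survived mapping, which is the quickest way to see whether the problem is on the mapping side or on the Apache/MISP side. Keep the attribute-map rules to the attributes the application actually needs: every mapped attribute is exported into the request environment (and, with ShibUseHeaders On, also into request headers, which the SP documentation treats as the less preferred option), so an unmapped attribute is simply dropped rather than exposed.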


