Not receiving attributes - but why


Ronnie Jespersen

Mar 8, 2012, 8:36:47 AM
to simple...@googlegroups.com
Hey guys.

In the old simplesamlphp installation we made a login.php that would start up with

require_once("_include.php");
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

and when this was called $attributes = $session->getAttributes();
we would have all the attributes from the IDP we got the response from. I have now installed the new simplesamlphp and tried making the same code... but the attributes only contain:

Array
(
    [groups] => Array
        (
            [0] => users
            [1] => members
        )

    [preferredLanguage] => Array
        (
            [0] => en
        )

)

It seems like it's not getting any of the attributes that the IDP would return... and I have no idea how to debug the response from the IDP after a valid login.
Anyone who can help me out here? Where can I debug the result from the IDP?
And have I forgotten anything?

When I look at what the IDP's metadata says it can return, I see this:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:2.5.4.16"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:2.5.4.11"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="dk:gov:saml:attribute:RidNumberIdentifier"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:2.5.4.12"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:2.5.4.10"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="dk:gov:saml:attribute:UniqueAccountKey"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="dk:gov:saml:attribute:AssuranceLevel"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="dk:gov:saml:attribute:CvrNumberIdentifier"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:2.5.4.65"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="dk:gov:saml:attribute:PidNumberIdentifier"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="dk:gov:saml:attribute:SpecVer"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:0.9.2342.19200300.100.1.1"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:2.5.4.3"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="dk:gov:saml:attribute:CprNumberIdentifier"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:2.5.4.5"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="urn:oid:2.5.4.4"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="dk:gov:saml:attribute:IsYouthCert"/>

In my saml20-sp-hosted.php I have

'attributes' => array('dk:gov:saml:attribute:AssuranceLevel','dk:gov:saml:attribute:SpecVer','dk:gov:saml:attribute:CvrNumberIdentifier'),

As I understand it, I should have done everything right in order to get the attributes... If I make a passive login into the IDP without simplesamlphp I see the value I need:

dk:gov:saml:attribute:CprNumberIdentifier 0112794556

Olav Morken

Mar 8, 2012, 9:13:39 AM
to simple...@googlegroups.com
On Thu, Mar 08, 2012 at 05:36:47 -0800, Ronnie Jespersen wrote:
> Hey guys.
>
> In the old simplesamlphp installation we made a login.php that would start
> up with
>
> require_once("_include.php");
> $config = SimpleSAML_Configuration::getInstance();
> $session = SimpleSAML_Session::getInstance();
>
> and when this was called $attributes = $session->getAttributes();
> we would have all the attributes from the IDP we got the response from. I
> have now installed the new simplesamlphp and tried making the same code...
> but the attributes only contain:
>
[...]

>
> It seems like it's not getting any of the attributes that the IDP would return... and I have no idea how to debug the response from the IDP after a valid login.
> Anyone who can help me out here? Where can I debug the result from the IDP?
> And have I forgotten anything?

Usually, the attributes returned from the IdP are decided by a policy at the
IdP. An easy way to examine the response received from the IdP is by
enabling the 'debug' option in config/config.php. In recent versions,
this causes the SP to log all messages sent and received. (You may need
to adjust the logging.level option.)

An alternative (if the responses are sent unencrypted through the
HTTP-POST binding) is to use the SAML tracer Firefox Add-On. That is an
extension that we developed in order to make it easy to examine SAML
messages sent through the browser.


Best regards,
Olav Morken
UNINETT / Feide

Ronnie Jespersen

Mar 8, 2012, 9:50:46 AM
to simple...@googlegroups.com
Super, so now I have the debug result, but that didn't get me closer to the problem :(

I'm gonna dump the result here (I removed the certificates etc. for safety reasons)


Mar 08 15:43:21 simplesamlphp DEBUG [de65c7106c] Session: 'saml2' not valid because we are not authenticated.
Mar 08 15:43:21 simplesamlphp INFO [de65c7106c] SAML2.0 - SP.initSSO: Accessing SAML 2.0 SP initSSO script
Mar 08 15:43:21 simplesamlphp DEBUG [de65c7106c] Sending message:
Mar 08 15:43:21 simplesamlphp DEBUG [de65c7106c] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ed5fdc6243a3b80d21839edf4373587815233f458f" Version="2.0" IssueInstant="2012-03-08T14:43:21Z" Destination="https://saml.test-nemlog-in.dk/adfs/ls" AssertionConsumerServiceURL="https://saml.tabulexnet.dk/simplesaml/saml2/sp/AssertionConsumerService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Mar 08 15:43:21 simplesamlphp DEBUG [de65c7106c]   <saml:Issuer>https://saml.tabulexnet.dk</saml:Issuer>
Mar 08 15:43:21 simplesamlphp DEBUG [de65c7106c]   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
Mar 08 15:43:21 simplesamlphp DEBUG [de65c7106c] </samlp:AuthnRequest>
Mar 08 15:43:21 simplesamlphp DEBUG [de65c7106c] Redirect to 1077 byte URL: https://saml.test-nemlog-
Mar 08 15:43:53 simplesamlphp INFO [de65c7106c] SAML2.0 - SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint AssertionConsumerService
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Received message:
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c18cced9-1b1c-4a41-93c7-aab18ea242e0" Version="2.0" IssueInstant="2012-03-08T14:43:53.683Z" Destination="https://saml.tabulexnet.dk/simplesaml/saml2/sp/AssertionConsumerService.php" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_ed5fdc6243a3b80d21839edf4373587815233f458f">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://test-nemlog-in.dk</Issuer>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <samlp:Status>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   </samlp:Status>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]           </e:EncryptionMethod>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]           <KeyInfo>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]               <ds:X509IssuerSerial>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]                 <ds:X509IssuerName>CN=TDC OCES Systemtest CA II, O=TDC, C=DK</ds:X509IssuerName>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]                 <ds:X509SerialNumber>1077414972</ds:X509SerialNumber>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]               </ds:X509IssuerSerial>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]             </ds:X509Data>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]           </KeyInfo>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]           <e:CipherData>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]             <e:CipherValue></e:CipherValue>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]           </e:CipherData>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]         </e:EncryptedKey>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       </KeyInfo>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <xenc:CipherData>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]         <xenc:CipherValue></xenc:CipherValue>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       </xenc:CipherData>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     </xenc:EncryptedData>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   </EncryptedAssertion>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] </samlp:Response>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Has 1 candidate keys for validation.
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Validation with key #0 failed without exception.
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Decrypted message:
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_09d72120-e54f-4c5d-abe8-d30ae675614e" IssueInstant="2012-03-08T14:43:53.683Z" Version="2.0">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <Issuer>https://test-nemlog-in.dk</Issuer>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <ds:SignedInfo>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <ds:Reference URI="#_09d72120-e54f-4c5d-abe8-d30ae675614e">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]         <ds:Transforms>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]         </ds:Transforms>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]         <ds:DigestValue>w5H6h8mVQ8IIBTJH6h+36MzV9UI=</ds:DigestValue>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       </ds:Reference>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     </ds:SignedInfo>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <ds:SignatureValue></ds:SignatureValue>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <ds:X509Data>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]         <ds:X509Certificate></ds:X509Certificate>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       </ds:X509Data>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     </KeyInfo>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   </ds:Signature>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <Subject>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">+bKEQo2DS+2MI7nOl9eBbANbuWX4NgZnIu/YKQ/nat8=</NameID>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <SubjectConfirmationData InResponseTo="_ed5fdc6243a3b80d21839edf4373587815233f458f" NotOnOrAfter="2012-03-08T14:48:53.683Z" Recipient="https://saml.tabulexnet.dk/simplesaml/saml2/sp/AssertionConsumerService.php"/>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     </SubjectConfirmation>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   </Subject>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <Conditions NotBefore="2012-03-08T14:43:53.683Z" NotOnOrAfter="2012-03-08T15:43:53.683Z">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <AudienceRestriction>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <Audience>https://saml.tabulexnet.dk</Audience>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     </AudienceRestriction>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   </Conditions>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <AuthnStatement AuthnInstant="2012-03-08T14:43:43.916Z" SessionIndex="_09d72120-e54f-4c5d-abe8-d30ae675614e">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <AuthnContext>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <AuthnContextClassRef>element:urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     </AuthnContext>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   </AuthnStatement>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] </Assertion>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Decryption with key #0 succeeded.
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Has 1 candidate keys for validation.
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Validation with key #0 succeeded.
Mar 08 15:43:53 simplesamlphp INFO [de65c7106c] SAML2.0 - SP.AssertionConsumerService: Successful response from IdP
Mar 08 15:43:53 simplesamlphp NOTICE STAT [de65c7106c] saml20-sp-SSO https://saml.tabulexnet.dk https://test-nemlog-in.dk NA
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Filter config for https://test-nemlog-in.dk->https://saml.tabulexnet.dk: array (  0 =>   sspmod_core_Auth_Process_AttributeLimit::__set_state(array(     'allowedAttributes' =>     array (    ),     'isDefault' => false,     'priority' => 50,  )),  1 =>   sspmod_core_Auth_Process_GenerateGroups::__set_state(array(     'generateGroupsFrom' =>     array (      0 => 'eduPersonAffiliation',    ),     'priority' => 60,  )),  2 =>   sspmod_core_Auth_Process_AttributeAdd::__set_state(array(     'replace' => false,     'attributes' =>     array (      'groups' =>       array (        0 => 'users',        1 => 'members',      ),    ),     'priority' => 61,  )),  3 =>   sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 90,  )),)
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] GenerateGroups - attribute 'eduPersonAffiliation' not found.
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] LanguageAdaptor: Language in session   was set [en]
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Session: doLogin("saml2")
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Session: Valid session found with 'saml2'.

Olav Morken

Mar 9, 2012, 2:00:55 AM
to simple...@googlegroups.com
On Thu, Mar 08, 2012 at 06:50:46 -0800, Ronnie Jespersen wrote:
> Super, so now I have the debug result, but that didn't get me closer to the
> problem :(

At least we can tell that the attributes are actually missing from the
response, which is a kind of progress :)

So, for some reason the IdP is not sending attributes. If you have a
list of requirements for the IdP, you should go through them and
double-check that you are adhering to them. If it looks like everything
is correct on your end, you will probably need to contact technical
support for the IdP.

Ronnie Jespersen

Mar 9, 2012, 5:51:40 AM
to simple...@googlegroups.com
Might it have something to do with this?


Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Has 1 candidate keys for validation.
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Validation with key #0 failed without exception.
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Decrypted message:

Could it be that I'm not able to decrypt the answer from the IDP and that's not why I don't have some attributes?

Olav Morken

Mar 9, 2012, 7:37:59 AM
to simple...@googlegroups.com
On Fri, Mar 09, 2012 at 02:51:40 -0800, Ronnie Jespersen wrote:
> Might it have something to do with this?
>
> Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Has 1 candidate keys for
> validation.

I.e. the IdP has one signing key in its metadata.

> Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Validation with key #0
> failed without exception.

But we could not validate the response element with it. A closer look
at the message reveals that the message itself does not contain a
signature element, so that is to be expected.

> Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] Decrypted message:

The assertion was successfully decrypted. (The decrypted assertion
is on the following lines.)

> Could it be that I'm not able to decrypt the answer from the IDP and that's
> not why I don't have some attributes?

Since the assertion-element is successfully decrypted, that is not the
problem.

If you examine the decrypted assertion, you will see that there is no
AttributeStatement element in it, which is why we don't find any
attributes.
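
Olav's diagnosis comes down to one check: does the decrypted assertion contain an AttributeStatement? The script below, an added example and not code from the thread or from SimpleSAMLphp, automates that check on an assertion copied out of the SimpleSAMLphp debug log. It strips the per-line log prefix, parses the XML and reports the attribute statement and its attribute names next to the audience and validity window the SP also enforces, and it lists which names from the poster's 'attributes' list are absent. The sample input is a shortened, constructed version of the thread's decrypted assertion (signature and key material dropped), plus a constructed variant that carries an AttributeStatement with made-up values; the prefix regex is an assumption about the log format shown above.

```python
"""Inspect a decrypted SAML 2.0 assertion copied from a SimpleSAMLphp debug log.

Added example for this thread, not code from the thread or from SimpleSAMLphp.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Assumed per-line prefix as seen in the log above; lines without it pass through.
LOG_PREFIX = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ \w+ \[[0-9a-f]+\] ?")

# The 'attributes' list from the poster's saml20-sp-hosted.php.
SP_REQUIRED = (
    "dk:gov:saml:attribute:AssuranceLevel",
    "dk:gov:saml:attribute:SpecVer",
    "dk:gov:saml:attribute:CvrNumberIdentifier",
)

# Constructed sample: the thread's decrypted assertion, shortened (Subject,
# signature and key material dropped). Note the missing AttributeStatement.
ASSERTION_LOG_NO_ATTRS = """\
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_09d72120-e54f-4c5d-abe8-d30ae675614e" IssueInstant="2012-03-08T14:43:53.683Z" Version="2.0">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <Issuer>https://test-nemlog-in.dk</Issuer>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   <Conditions NotBefore="2012-03-08T14:43:53.683Z" NotOnOrAfter="2012-03-08T15:43:53.683Z">
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     <AudienceRestriction>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]       <Audience>https://saml.tabulexnet.dk</Audience>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]     </AudienceRestriction>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c]   </Conditions>
Mar 08 15:43:53 simplesamlphp DEBUG [de65c7106c] </Assertion>
"""

# Constructed variant with an AttributeStatement, which is what the IdP would
# have to send before the SP could populate any attributes. Values are made up;
# the inserted lines carry no log prefix, which log_to_xml tolerates.
ASSERTION_LOG_WITH_ATTRS = ASSERTION_LOG_NO_ATTRS.replace(
    "</Conditions>",
    "</Conditions>\n"
    "  <AttributeStatement>\n"
    '    <Attribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">\n'
    "      <AttributeValue>3</AttributeValue>\n"
    "    </Attribute>\n"
    '    <Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">\n'
    "      <AttributeValue>DK-SAML-2.0</AttributeValue>\n"
    "    </Attribute>\n"
    "  </AttributeStatement>",
)


def saml_tag(local, ns=SAML_NS):
    return "{%s}%s" % (ns, local)


def parse_saml_time(value):
    """Parse '2012-03-08T14:43:53.683Z' (fractional seconds optional) as UTC."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def log_to_xml(log_text):
    """Drop the log prefix from every line so the dump parses as one XML document."""
    return "\n".join(LOG_PREFIX.sub("", ln) for ln in log_text.splitlines() if ln.strip())


def inspect_assertion(log_text, expected_audience, required=(), now=None):
    """Return what an SP would find in the assertion; 'now' may be a SAML timestamp."""
    root = ET.fromstring(log_to_xml(log_text))
    if root.tag != saml_tag("Assertion"):
        raise ValueError("expected a saml:Assertion root, got %r" % root.tag)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_saml_time(now)

    # Attributes reach $session->getAttributes() only through this element.
    stmt = root.find(saml_tag("AttributeStatement"))
    attributes = {}
    if stmt is not None:
        for attr in stmt.findall(saml_tag("Attribute")):
            attributes[attr.get("Name")] = [
                (v.text or "").strip() for v in attr.findall(saml_tag("AttributeValue"))
            ]

    within_validity = None
    cond = root.find(saml_tag("Conditions"))
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        within_validity = (parse_saml_time(cond.get("NotBefore")) <= now
                           < parse_saml_time(cond.get("NotOnOrAfter")))

    audiences = [(a.text or "").strip() for a in root.iter(saml_tag("Audience"))]
    return {
        "issuer": (root.findtext(saml_tag("Issuer")) or "").strip(),
        "signed": root.find(saml_tag("Signature", DSIG_NS)) is not None,
        "audience_ok": expected_audience in audiences,
        "within_validity": within_validity,
        "has_attribute_statement": stmt is not None,
        "attributes": attributes,
        "missing_required": sorted(set(required) - set(attributes)),
    }


if __name__ == "__main__":
    for label, sample in (("thread", ASSERTION_LOG_NO_ATTRS), ("with attrs", ASSERTION_LOG_WITH_ATTRS)):
        print(label, inspect_assertion(sample, "https://saml.tabulexnet.dk",
                                       SP_REQUIRED, now="2012-03-08T15:00:00Z"))
```

Run it directly to see both reports. For the thread's assertion, has_attribute_statement is False and all three configured names are listed as missing, which is exactly the conclusion above: the SP is behaving correctly and the IdP simply did not send an AttributeStatement, so the next step is the IdP's requirements list or its support.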

Ronnie Jespersen

Mar 9, 2012, 7:56:28 AM
to simple...@googlegroups.com
Ok, that is promising..
I have written to the technical support of the IDP asking them if they have any idea why the attributes are missing in the SAML answer.

Thanks