Simplesamlphp IdP and Shibboleth SP (v. 2.4.3)


Søren Grønning Iversen

Mar 5, 2013, 5:49:50 PM
to simple...@googlegroups.com
Hi all,

I'm experiencing a problem with the combination of an otherwise well-functioning SSP IdP and a Shibboleth SP (version 2.4.3) on an Apache server which should be correctly configured for use with the Shibboleth SP, but nonetheless I see a never-ending series of SAMLRequests being sent to the IdP after correctly having been redirected to type in username and password . . .

The question is if anyone knows what might trigger this on the IdP side? Missing metadata from the SP?

The SP's metadata has been retrieved from the Shibboleth SP's https://sp.example.com/Shibboleth.sso/Metadata path and has been converted to SSP's flat format instead of the XML format Shibboleth uses.

It looks like this:

array (
  'entityid' => 'https://sp.example.com/shibboleth',
  'contacts' =>
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://sp.example.com/Shibboleth.sso/SAML2/POST',
      'index' => 0,
    ),
    1 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
      'Location' => 'https://sp.example.com/Shibboleth.sso/SAML2/POST-SimpleSign',
      'index' => 1,
    ),
    2 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
      'Location' => 'https://sp.example.com/Shibboleth.sso/SAML2/Artifact',
      'index' => 2,
    ),
    3 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS',
      'Location' => 'https://sp.example.com/Shibboleth.sso/SAML2/ECP',
      'index' => 3,
    ),
  ),
  'SingleLogoutService' =>
  array (
  ),
  'keys' =>
  array (
    0 =>
    array (
      'encryption' => true,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '<cert-data-Base64>',
    ),
  ),
  'metadata-index' => 'https://sp.example.com/shibboleth',
)

I hope to hear from someone with experience with this type of setup :)

-Søren G.

Palle Girgensohn

Mar 5, 2013, 5:55:12 PM
to simple...@googlegroups.com
Søren Grønning Iversen skrev:
> Hi all,
>
> I'm experiencing a problem with the combination of an otherwise well
> functioning SSP IdP and a Shibboleth SP (version 2.4.3) on an Apache
> server which /should/ be correctly configured for use with the
Hi,

I use this setup extensively. The php version of the metadata looks
fine. You should start by checking that you are in fact logged in
properly in simplesaml, using the admin gui, and after that check the
shibboleth /var/log/shibboleth/shibd.log file. You can bump the logging
by modifying the shibd.logger file, and set some flags to debug if
necessary. What do your logs say?

Palle



Søren Grønning Iversen

Mar 6, 2013, 1:21:29 AM
to simple...@googlegroups.com
Hi Palle,

I turned on DEBUG logging and it somewhat helped me - I'm integrating
Shibboleth with the content management system, Typo3, and apparently
Typo3 isn't accepting the login (it's not mapping to a user) since the
attributes seem to never arrive at the SP in the correct format.

I specified

'AttributeNameFormat' =>
'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'

in my saml20-sp-remote.php, but it sees it as DEBUG
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped NameID with
format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) which I
haven't changed generally on my IdP . . . -Should I do so?

Best regards,

Søren G.

On 05/03/13 23.55, Palle Girgensohn wrote:
> Søren Grønning Iversen skrev:
>> -Søren G.

Palle Girgensohn

Mar 6, 2013, 2:03:14 AM
to simple...@googlegroups.com, simple...@googlegroups.com
Edit shib's attribute-mapping.xml and add the attributes you need.

6 mar 2013 kl. 07:21 skrev Søren Grønning Iversen <s.gro...@gmail.com>:

> Hi Palle,
>
> I turned on DEBUG logging and it somewhat helped me - I'm integrating Shibboleth with the content management system, Typo3, and apparently Typo3 isn't accepting the login (it's not mapping to a user) since the attributes seem to never arrive at the SP in the correct format.
>
> I specified
>
> 'AttributeNameFormat' =>
> 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
>
> in my saml20-sp-remote.php, but it sees it as DEBUG Shibboleth.AttributeExtractor.XML [2]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) which I haven't changed generally on my IdP . . . -Should I do so?
>
> Best regards,
>
> Søren G.
>
> On 05/03/13 23.55, Palle Girgensohn wrote:
>> Søren Grønning Iversen skrev:
>>> -Søren G.
>> Hi,
>>
>> I use this setup extensively. The php version of the metadata looks
>> fine. You should start by checking that you are in fact logged in
>> properly in simplesaml, using the admin gui, and after that check the
>> shibboleth /var/log/shibboleth/shibd.log file. You can bump the logging
>> by modifying the shibd.logger file, and set some flags to debug if
>> necessary. What does your logs say?
>>
>> Palle
>

Søren Grønning Iversen

Mar 6, 2013, 2:12:27 AM
to simple...@googlegroups.com
Yes, I've tried that, but it doesn't seem to work:

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!--
    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within
    the Shibboleth community. The non-OID URNs are SAML 1.1 names and most of the OIDs
    are SAML 2.0 names, with a few exceptions for newer attributes where the name is
    the same for both versions. You will usually want to uncomment or map the names
    for both SAML versions as a unit.
    -->

    <!-- First some useful eduPerson attributes that many sites might use. -->

    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>

    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>

    <!-- Plain SAML 2.0 OID names; with no nameFormat given, the SP matches these only
         against incoming attributes whose NameFormat is the URI format. -->
    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <!-- uid sits under the same 0.9.2342 pilot arc as mail -->
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>

</Attributes>


I should believe the attribute-map.xml file is valid, however, it seems
like the SP is ignoring my mappings . . .

Thanks again, Palle

On 06/03/13 08.03, Palle Girgensohn wrote:
> Edit shib's attribute-mapping.xml and add the attributes you need.
>
> 6 mar 2013 kl. 07:21 skrev Søren Grønning Iversen <s.gro...@gmail.com>:
>
>> Hi Palle,
>>
>> I turned on DEBUG logging and it somewhat helped me - I'm integrating Shibboleth with the content management system, Typo3, and apparently Typo3 isn't accepting the login (it's not mapping to a user) since the attributes seem to never arrive at the SP in the correct format.
>>
>> I specified
>>
>> 'AttributeNameFormat' =>
>> 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
>>
>> in my saml20-sp-remote.php, but it sees it as DEBUG Shibboleth.AttributeExtractor.XML [2]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) which I haven't changed generally on my IdP . . . -Should I do so?
>>
>> Best regards,
>>
>> Søren G.
>>
>> On 05/03/13 23.55, Palle Girgensohn wrote:
>>> Søren Grønning Iversen skrev:
>>>> -Søren G.

Palle Girgensohn

Mar 6, 2013, 2:32:23 AM
to simple...@googlegroups.com, simple...@googlegroups.com
In shib's log, you can get the entire saml message ( ...MessageDecoder if memory serves me), and also a list of attributes it accepts and ignores. Can that help you?
>> 6 mar 2013 kl. 07:21 skrev Søren Grønning Iversen <s.gro...@gmail.com>:
>>
>>> Hi Palle,
>>>
>>> I turned on DEBUG logging and it somewhat helped me - I'm integrating Shibboleth with the content management system, Typo3, and apparently Typo3 isn't accepting the login (it's not mapping to a user) since the attributes seem to never arrive at the SP in the correct format.
>>>
>>> I specified
>>>
>>> 'AttributeNameFormat' =>
>>> 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
>>>
>>> in my saml20-sp-remote.php, but it sees it as DEBUG Shibboleth.AttributeExtractor.XML [2]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) which I haven't changed generally on my IdP . . . -Should I do so?
>>>
>>> Best regards,
>>>
>>> Søren G.
>>>
>>> On 05/03/13 23.55, Palle Girgensohn wrote:
>>>> Søren Grønning Iversen skrev:
>>>>> -Søren G.

Søren Grønning Iversen

Mar 6, 2013, 2:38:42 AM
to simple...@googlegroups.com
Well, basically it just skips them all . . . The SP says the attributes
are unmapped, but to my best knowledge the attribute-map.xml proves
differently . . .
On 06/03/13 08.32, Palle Girgensohn wrote:
> In shib's log, you can get the entire saml message ( ...MessageDecoder if memory serves me), and also a list of attributes it accepts and ignores. Can that help you?
>
>>>> Søren G.
>>>>
>>>> On 05/03/13 23.55, Palle Girgensohn wrote:
>>>>> Søren Grønning Iversen skrev:
>>>>>> -Søren G.

Palle Girgensohn

Mar 6, 2013, 2:52:22 AM
to simple...@googlegroups.com
And you restarted shibd?

6 mar 2013 kl. 08:38 skrev Søren Grønning Iversen <s.gro...@gmail.com>:

> Well, basically it just skips them all . . . The SP says the attributes are unmapped, but to my best knowledge the attribute-map.xml proves differently . . .
> On 06/03/13 08.32, Palle Girgensohn wrote:
>> In shib's log, you can get the entire saml message ( ...MessageDecoder if memory serves me), and also a list of attributes it accepts and ignores. Can that help you?
>>
>>>>> Søren G.
>>>>>
>>>>> On 05/03/13 23.55, Palle Girgensohn wrote:
>>>>>> Søren Grønning Iversen skrev:
>>>>>>> -Søren G.

Søren Grønning Iversen

Mar 6, 2013, 3:14:18 AM
to simple...@googlegroups.com
Yes and this has had no effect. I've not been able to retrieve any attributes from my SSP IdP even though the Shibboleth SP installation and configuration is working properly (I have achieved getting a session with the IdP, but no attributes are retrieved . . .)

The rest seems to work properly, I can get a session (as said) and logout, retrieve metadata etc.

Peter Schober

Mar 6, 2013, 3:39:57 AM
to simple...@googlegroups.com
* Søren Grønning Iversen <s.gro...@gmail.com> [2013-03-05 23:49]:
> Shibboleth SP, but none the less I see a never ending series of
> SAMLRequests being sent to the IdP after correctly having been
> redirected to type in username and password . . .

Seems more fitting for the Shibboleth list then but anyway...

* Søren Grønning Iversen <s.gro...@gmail.com> [2013-03-06 07:21]:
> I turned on DEBUG logging and it somewhat helped me - I'm
> integrating Shibboleth with the content management system, Typo3,
> and apparently Typo3 isn't accepting the login (it's not mapping to
> a user) since the attributes seem to never arrive at the SP in the
> correct format.

I'd take the application (Typo3) out of the equation and rely on
Shibboleth's handlers to initiate a session:
e.g. https://sp.example.org/Shibboleth.sso/Login?entityID=<your-idp>&target=https://sp.example.org/Shibboleth.sso/Session
This won't change any behaviour but will let you test the SAML flow
without ever touching the application code.

> I specified
>
> 'AttributeNameFormat' =>
> 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
>
> in my saml20-sp-remote.php, but it sees it as DEBUG
> Shibboleth.AttributeExtractor.XML [2]: skipping unmapped NameID with
> format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) which I
> haven't changed generally on my IdP . . . -Should I do so?

There's a reason the default Shibboleth attribute map has mappings
for persistent NameIDs but not for transient NameIDs.
It will be of no use for you in the application, as it's, well,
transient.

* Palle Girgensohn <gir...@pingpong.net> [2013-03-06 08:03]:
> Edit shib's attribute-mapping.xml and add the attributes you need.

Yes, but not the one above.

Palle has given you all the right hints but your replies are missing
any specifics. What attributes are you sending? What attributes are
being received (SAML assertion from the SP's log on DEBUG), what are
their exact names and name formats?
Just grep'ing for "skipping" lines will give you that.

I'm guessing you're still sending "basic" attribute names, not URIs,
for which there are no mappings in the Shib SP. You're probably
missing a call to 'class' => 'core:AttributeMap', 'name2oid' in your
SSP config (unless 'AttributeNameFormat' magically does that).
But unless you provide detailed technical information it will all
remain guesswork.
-peter
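
Peter's diagnosis, as an added example that is not part of the thread: a small Python model of how the Shibboleth SP's XML AttributeExtractor matches incoming assertion attributes against attribute-map.xml, and what SSP's core:AttributeMap 'name2oid' filter changes about the assertion. The attribute map, the AttributeStatement and the name2oid subset are constructed here; treating an omitted or 'unspecified' NameFormat as the URI format follows the SP's documented attribute-map defaults.

```python
import xml.etree.ElementTree as ET

URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MAP_NS = "{urn:mace:shibboleth:2.0:attribute-map}"
ET.register_namespace("saml", SAML[1:-1])  # keep the saml: prefix in output

# Constructed subset of a Shibboleth SP attribute-map.xml (OID names, as in the thread).
ATTRIBUTE_MAP = f"""<Attributes xmlns="{MAP_NS[1:-1]}">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
</Attributes>"""
# Constructed AttributeStatement as an SSP IdP sends it without name2oid:
# "basic" friendly names that no entry in the map above matches.
ASSERTION = f"""<saml:AttributeStatement xmlns:saml="{SAML[1:-1]}">
  <saml:Attribute Name="mail" NameFormat="{BASIC_FMT}">
    <saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="uid" NameFormat="{BASIC_FMT}">
    <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
# Subset of the table SSP's core:AttributeMap 'name2oid' applies on the IdP.
NAME2OID = {"mail": "urn:oid:0.9.2342.19200300.100.1.3",
            "uid": "urn:oid:0.9.2342.19200300.100.1.1"}

def load_map(xml):
    """(name, nameFormat) -> id; an omitted nameFormat means the URI format."""
    return {(a.get("name"), a.get("nameFormat", URI_FMT)): a.get("id")
            for a in ET.fromstring(xml).iter(MAP_NS + "Attribute")}

def extract(assertion_xml, attr_map):
    """Mimic the SP's XML AttributeExtractor: ({id: [values]}, [skipped Names]).
    Both Name and NameFormat must match; 'unspecified' counts as the URI format."""
    mapped, skipped = {}, []
    for attr in ET.fromstring(assertion_xml).iter(SAML + "Attribute"):
        fmt = attr.get("NameFormat", URI_FMT)
        key = (attr.get("Name"), URI_FMT if fmt == UNSPEC_FMT else fmt)
        if key in attr_map:
            mapped[attr_map[key]] = [v.text for v in attr.iter(SAML + "AttributeValue")]
        else:
            skipped.append(key[0])  # the SP logs these as "skipping unmapped ..."
    return mapped, skipped

def name2oid(assertion_xml):
    """Rewrite basic names to OID URIs the way core:AttributeMap name2oid does."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(SAML + "Attribute"):
        if attr.get("Name") in NAME2OID:
            attr.set("Name", NAME2OID[attr.get("Name")])
            attr.set("NameFormat", URI_FMT)
    return ET.tostring(root, encoding="unicode")
```

Running extract() on ASSERTION skips both attributes, exactly the symptom in the thread; running it on name2oid(ASSERTION) maps both, which is what adding the filter on the IdP achieves.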

Søren Grønning Iversen

Mar 6, 2013, 4:45:58 AM
to simple...@googlegroups.com
Hi Peter and Palle,

Palle: Thank you for your pointers, which made me believe my SP setup ought to work!

Peter: You were right about the 'name2oid' part, it seems . . . :)

Now, when I login to my IdP, I get redirected as I'd expect and I see the expected attributes after being redirected to my Shibboleth session page!

I don't know how I'd stare myself blind when looking over these different config files, but I do believe I checked the 'name2oid' part, but none the less I'm happy to have been able to get your help, both of you, in solving this matter. And I'm glad it actually turned out to be an issue with my SSP setup, so that I didn't inconvenience anyone out of the ordinary!

Thank you both!

Now I'm on to fixing my Typo3 problem ;)

Best regards

Søren

On 06/03/13 09.39, Peter Schober wrote:
> * Søren Grønning Iversen <s.gro...@gmail.com> [2013-03-05 23:49]:
>> Shibboleth SP, but none the less I see a never ending series of
>> SAMLRequests being sent to the IdP after correctly having been
>> redirected to type in username and password . . .
> Seems more fitting for the Shibboleth list then but anyway...
>
> * Søren Grønning Iversen <s.gro...@gmail.com> [2013-03-06 07:21]:

Palle Girgensohn

Mar 6, 2013, 4:50:03 AM
to simple...@googlegroups.com, simple...@googlegroups.com
Happy to hear of your progress! :-)

Peter Schober

Mar 6, 2013, 4:57:17 AM
to simple...@googlegroups.com
* Søren Grønning Iversen <s.gro...@gmail.com> [2013-03-06 10:46]:
> Peter: You were right about the 'name2oid' part, it seems . . . :)
>
> Now, when I login to my IdP, I get redirected as I'd expect and I
> see the expected attributes after being redirected to my Shibboleth
> session page!

Great!
(My guesswork wasn't so bad after all.)

> Now I'm on to fixing my Typo3 problem ;)

Jfyi, there are a couple of extensions available for use with the
Shibboleth SP at the typo3 extension site, including one written at
Univie (without my involvement, or endorsement, for that matter ;).
Not sure why they couldn't use the one provided by the German library
folks, AFAIK it had something to do with different use cases
involving Typo3 front-end and/or/vs. back-end authentication or
whatever. So be sure to check out a few of those and you will probably
still have to change some code (IIRC the Univie one made a couple of
assumptions about the deployment, based on specifics in the local env.)
-peter