simplesamlphp IDP connect with Shibboleth SP

Richard Genthner

Nov 21, 2011, 3:52:39 PM
to simple...@googlegroups.com
Has anyone done an SSP IdP connecting to a Shibboleth SP? If so, I could use some help with the saml2-sp-remote.

--
Thanks,

Richard Genthner
System Administrator
Symplicity
tel 703.351.0200 x 8051
web www.symplicity.com

Olav Morken

Nov 22, 2011, 2:15:30 AM
to simple...@googlegroups.com
On Mon, Nov 21, 2011 at 15:52:39 -0500, Richard Genthner wrote:
> Has anyone done a SSP Idp connecting to a shibboleth SP ? If so I could use some help with the saml2-sp-remote.

Could you be more specific about what the problem is? Is it to match
fields in XML metadata to values in the array? In that case take a look
at the "XML to simpleSAMLphp metadata converter" (on the federation-tab
of your SP).

Regards,
Olav Morken
UNINETT / Feide

Arminas

Nov 22, 2011, 7:12:22 AM
to simple...@googlegroups.com
We had problems with attribute name formats. The default attribute name format in Shibboleth and SimpleSAMLphp is different, so make sure these two programs can understand each other.

Adding this line to the saml20 remote SP's metadata helped for us:
'AttributeNameFormat'  => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',


--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.


Regards,
Arminas

Peter Schober

Nov 22, 2011, 7:51:03 AM
to simple...@googlegroups.com
* Arminas <g.ar...@gmail.com> [2011-11-22 13:12]:

> Adding line in saml20 remote sp's metadata helped for us:
> 'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',

If you want to set that for every SP individually and continue to use
basic attribute names for the rest.
Otherwise add a core:AttributeMap for name2oid to your config and be
done with it.
-peter

Richard Genthner

Nov 22, 2011, 7:59:55 AM
to simple...@googlegroups.com
Peter, what do you mean by "add core:AttributeMap for name2oid"? I didn't see that in the documentation; can you explain more?
--
Thanks,

Richard Genthner
System Administrator
Symplicity
tel 703.351.0200 x 8051
web www.symplicity.com

Peter Schober

Nov 22, 2011, 8:33:27 AM
to simple...@googlegroups.com
* Richard Genthner <rgen...@symplicity.com> [2011-11-22 14:00]:

> Peter what do you mean add core:AttributeMap for name2oid i didn't
> see that in the documentation can you explain more ?

Cf. simplesamlphp/docs/simplesamlphp-idp.txt
though I have this in my config/config.php (not saml20-idp-hosted).
-peter

Arminas

Nov 22, 2011, 8:58:33 AM
to simple...@googlegroups.com
In docs/simplesamlphp-idp.txt: "We therefore recommended enabling this in new installations." Why is it not enabled by default?

Arminas

Peter Schober

Nov 22, 2011, 9:09:27 AM
to simple...@googlegroups.com
* Arminas <g.ar...@gmail.com> [2011-11-22 15:04]:

> In docs/simplesamlphp-idp.txt: "We therefore recommended enabling this in
> new installations." Why it is not enabled by default?

Changing defaults is always an issue.
-peter

Peter Schober

Aug 21, 2012, 10:10:43 AM
to simple...@googlegroups.com
* unixuser <christin...@gmail.com> [2012-08-21 09:59]:
> On Tuesday, November 22, 2011 7:51:03 AM UTC-5, Peter Schober wrote:

Note that you're replying to a mostly unrelated thread which is 9
months old.

> Our SP is shib 2.4.3 and the remote IDP is simplesamlphp. The IDP
> admins didn't give me entries for the attribute-map.xml file but a
> metadata file that has entries like this.

As an SP admin I wouldn't expect an IdP admin to provide me with the
config for the SAML implementation I happen to have deployed.

Also the XML you posted is not valid SAML 2.0 Metadata.

Since your question seems to be one of mapping arbitrary received
attributes with your Shibboleth SP this is nothing this list can help
you with.
Personally I'd simply turn up logging on the Shib SP to DEBUG and look
at the attribute statement from the SAML assertion itself. Then you'll
know exactly what the IdP sent and what you need to add to your SP's
attribute-map.xml.
-peter
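The debugging step Peter describes above (read the AttributeStatement the IdP actually sent, then write the matching attribute-map.xml entries) and the name-format mismatch Arminas hit earlier in the thread can be mechanised. The script below is an added example; it is not from this thread, from simpleSAMLphp or from the Shibboleth project. The assertion it parses is constructed, the entity IDs and attribute values in it are invented, and the `attribute_map_entries` output format follows the Shibboleth SP `<Attribute name=... id=... nameFormat=.../>` map entry shape; the assumption that a Shibboleth SP map entry without an explicit `nameFormat` matches the uri format is stated in the code.

```python
"""Inspect the AttributeStatement of a SAML 2.0 assertion (what a Shibboleth
SP logs at DEBUG) and derive the attribute-map.xml entries needed to consume
it. Added example, not code from the thread or from either project."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: a simpleSAMLphp IdP left at its default (basic)
# NameFormat for two attributes, plus one already sent as an OID in uri format.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2011-11-22T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml2/idp/metadata.php</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonPrincipalName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        FriendlyName="givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def list_attributes(assertion_xml):
    """Return [(name, name_format, friendly_name, [values])] for every
    saml:Attribute in the assertion. A missing NameFormat means
    'unspecified' per SAML 2.0 core, so it is filled in explicitly."""
    root = ET.fromstring(assertion_xml)
    out = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out.append((attr.get("Name"),
                    attr.get("NameFormat", FMT_UNSPECIFIED),
                    attr.get("FriendlyName"),
                    values))
    return out


def unmatched_by_default(attributes):
    """Attribute names that will not match a map entry written without an
    explicit nameFormat. Assumption (stated here, as in the lead-in): such a
    Shibboleth SP map entry matches the uri format, so anything the IdP sends
    as basic (the simpleSAMLphp default) or unspecified needs nameFormat set."""
    return [name for name, fmt, _, _ in attributes if fmt != FMT_URI]


def attribute_map_entries(attributes):
    """Render one attribute-map.xml <Attribute> line per received attribute.
    The id is the FriendlyName when present, else the bare Name; an OID URN
    without a FriendlyName gets a generated id so the line is still usable."""
    lines = []
    for name, fmt, friendly, _ in attributes:
        attr_id = friendly or name
        if attr_id.startswith("urn:oid:"):
            attr_id = "oid_" + attr_id.split(":")[-1].replace(".", "_")
        if fmt == FMT_URI:
            lines.append('<Attribute name="%s" id="%s"/>' % (name, attr_id))
        else:
            lines.append('<Attribute name="%s" id="%s" nameFormat="%s"/>'
                         % (name, attr_id, fmt))
    return lines


if __name__ == "__main__":
    received = list_attributes(SAMPLE_ASSERTION)
    for name, fmt, friendly, values in received:
        print("%s (%s) friendly=%s values=%s" % (name, fmt, friendly, values))
    print("need explicit nameFormat:", unmatched_by_default(received))
    print("\n".join(attribute_map_entries(received)))
```

Feed it the assertion XML copied from the SP's DEBUG log instead of the constructed sample; the point of the output is that the two basic-format attributes only reach the application if their map entries carry the basic nameFormat, which is the same mismatch Arminas worked around on the IdP side with `AttributeNameFormat`.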

Christine Ross

Aug 21, 2012, 2:19:37 PM
to simple...@googlegroups.com
Hi, thanks for responding. I responded to this in error, as I found out the IdP is OpenSSO. My apologies; this can be deleted.
