consent and missing persistent-id


Janusz Ulanowski

Aug 19, 2009, 11:41:45 AM
to simple...@googlegroups.com
Hi,
When I set in config.php
something like that:
......
'authproc.idp' => array(
20 => array('class' => 'core:TargetedID', 'nameId' => TRUE,),

....
)

and enable consent I get
Warning: htmlspecialchars() expects parameter 1 to be string, object
given in /opt/simplesamlphp/modules/consent/templates/consentform.php on
line 162
/simplesaml/module.php/consent/getconsent.php

and when I confirm, this attribute is missing from the message:
<saml:Attribute Name="eduPersonTargetedID"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue/>
</saml:Attribute>


It happens when 'nameId' => TRUE.

Thanks


--
Janusz Ulanowski

Olav Morken

Aug 20, 2009, 3:10:57 AM
to simple...@googlegroups.com

The NameID cannot currently be shown in the consent page, as it is
an XML-attribute. The simplest solution is to move the core:TargetedID
filter to run after consent.

To transmit the NameID attribute, you currently need to mark it as a
"raw" attribute. To do that, add the following to the idp-hosted
metadata for your IdP:

'attributeencodings' => array(
'eduPersonTargetedID' => 'raw',
),

--
Olav Morken

Janusz Ulanowski

Aug 20, 2009, 3:26:42 AM
to simple...@googlegroups.com
Olav, thanks very much.

--
Janusz Ulanowski

Janusz Ulanowski

Aug 20, 2009, 5:39:11 AM
to simple...@googlegroups.com

Hi,
I did as you said, but it's not working.
Even if I add

array('class' => 'core:TargetedID', 'nameId' => TRUE,)

below consent, the value is still missing in the AttributeStatement.

If consent is disabled it works, but shibboleth-sp can't resolve it.
So the second question: AttributeMap breaks on this attribute:
"Catchable fatal error: Object of class DOMNodeList could not be converted to string in /opt/simplesamlphp/modules/saml2/lib/Message.php on line 483"

Is there any other way to convert the name?

Thanks in advance,
Janusz

Olav Morken

Aug 20, 2009, 6:24:48 AM
to simple...@googlegroups.com

It is the number before the entry that determines the order it is run
in.

90 => array('class' => 'consent:Consent', ...),
20 => array('class' => 'core:TargetedID', 'nameId' => TRUE,),

The first number is the priority, which is used to combine the entries
from saml20-idp-hosted, saml20-sp-remote and config.php. You need to
give the TargetedID-filter a larger number than the consent-filter.

> If consent is disabled it works, but shibboleth-sp can't resolve it.
> So the second question: AttributeMap breaks on this attribute:
> "Catchable fatal error: Object of class DOMNodeList could not be converted to string in /opt/simplesamlphp/modules/saml2/lib/Message.php on line 483"
>
> Is there any other way to convert the name?

'attributeencodings' => array(
    'eduPersonTargetedID' => 'raw',
),

The 'eduPersonTargetedID' must match the final name of the attribute
when it is sent, so you need to replace it with whatever the name of
the attribute is after the attribute map has done its work. This is
probably 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'.


--
Olav Morken
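As an added illustration (not simpleSAMLphp's own code), here is a small Python model of the two rules above: the authproc dicts from config.php, saml20-idp-hosted and saml20-sp-remote are merged and run by ascending key, a consent filter that runs after core:TargetedID cannot render the NameID object, and the 'attributeencodings' entry only takes effect when keyed on the name the attribute has after core:AttributeMap. The filter bodies, the NameID class and the sample identifier value are simplified assumptions for the example, not the real module code.

```python
from dataclasses import dataclass
from html import escape  # stands in for PHP's htmlspecialchars() in consentform.php

@dataclass
class NameID:  # stand-in for the object core:TargetedID emits when 'nameId' => TRUE
    value: str
    fmt: str = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    def to_xml(self):
        return f'<saml:NameID Format="{self.fmt}">{escape(self.value)}</saml:NameID>'

NAME2OID = {"eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"}

def consent(attrs):  # consent:Consent model: every value must be text for the form
    for name, values in attrs.items():
        if any(not isinstance(v, str) for v in values):
            raise TypeError(f"htmlspecialchars() expects string, object given: {name}")
    return attrs

def targeted_id(attrs):  # core:TargetedID model; the identifier value is constructed
    attrs["eduPersonTargetedID"] = [NameID("opaque-targeted-id-for-example")]
    return attrs

def attribute_map(attrs):  # core:AttributeMap model using the 'name2oid' map
    return {NAME2OID.get(k, k): v for k, v in attrs.items()}

def run_authproc(attrs, *sources):
    """Merge authproc dicts from config.php, saml20-idp-hosted and saml20-sp-remote
    (later sources override equal keys), then run filters by ascending key."""
    merged = {key: flt for src in sources for key, flt in src.items()}
    for key in sorted(merged):
        attrs = merged[key](dict(attrs))
    return attrs

def encode_values(attrs, encodings):
    """Message-encoder model: strings are escaped text, a 'raw' NameID emits its
    XML, and an object with no raw encoding degrades to an empty AttributeValue."""
    xml = {}
    for name, values in attrs.items():
        parts = []
        for v in values:
            if isinstance(v, str):
                parts.append(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>")
            elif encodings.get(name) == "raw":
                parts.append(f"<saml:AttributeValue>{v.to_xml()}</saml:AttributeValue>")
            else:
                parts.append("<saml:AttributeValue/>")
        xml[name] = "".join(parts)
    return xml
```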

Peter Schober

Aug 20, 2009, 6:35:16 AM
to simple...@googlegroups.com
* Janusz Ulanowski <janusz.u...@heanet.ie> [2009-08-20 11:47]:

> If consent is disabled it works, but shibboleth-sp can't resolve it.

Does anything show up in the Shib SP's logs? Change the logging to
DEBUG (first line of shibd.logger should look something like:
log4j.rootCategory=DEBUG, shibd_log ) and restart shibd.
The complete SAML assertion should now be in the shibd log file.

Are you sure the ePTId on the wire is of the right format? E.g. see
this thread from a few months back:
http://groups.google.com/group/shibboleth-users/browse_thread/thread/452bd5f1c2408abd
-peter

Janusz Ulanowski

Aug 20, 2009, 6:57:45 AM
to simple...@googlegroups.com

Thanks a lot Olav, attribute mapping works perfectly; the problem was with

'attributeencodings'

But I still have a problem with the missing value when consent is enabled. Maybe it's a mistake in my configuration.

My idp-hosted metadata:
----------------------------------------------------
$metadata = array(
// The SAML entity ID is the index of this config.
'__DYNAMIC:1__' => array(
// The hostname of the server (VHOST) that this SAML entity will use.
'host' => '__DEFAULT__',
// X.509 key and certificate. Relative to the cert directory.
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
'userid.attribute' => 'cn',
'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'attributeencodings' => array(
'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw',
),
'auth' => 'ldapmulti'
)
);
----------------------------------------------------
This is my authproc.idp section:
-------------------------------
'authproc.idp' => array(
45 => array(
'class' => 'core:StatisticsWithAttribute',
'attributename' => 'realm',
'type' => 'saml20-idp-SSO',
),
50 => 'core:AttributeLimit',
90 => array(
'class' => 'consent:Consent',
'store' => 'consent:Cookie',
'focus' => 'yes',
'checked' => FALSE
),
91 => array('class' => 'core:TargetedID', 'nameId' => TRUE,),
95 => array(
'class' => 'core:AttributeMap', 'name2oid'
),
),
-----------------------------------

And my attribute statement looks like this:

---

<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">user2000</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">LastNAME</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">FirstNAME</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue/>
</saml:Attribute>
</saml:AttributeStatement>
-----


Olav Morken

Aug 20, 2009, 10:10:44 AM
to simple...@googlegroups.com
On Thu, Aug 20, 2009 at 11:57:45 +0100, Janusz Ulanowski wrote:
> But I still have a problem with the missing value when consent is enabled. Maybe it's a mistake in my configuration.

I tried your configuration, and found a bug in simpleSAMLphp. I have
committed a fix for this to SVN. Please try the latest version from
subversion, and check if the problem is gone.

--
Olav Morken

Janusz Ulanowski

Aug 20, 2009, 11:02:20 AM
to simple...@googlegroups.com
That's great, it works :)
Only one thing: SPNameQualifier gets the wrong value; it gets the IdP's EntityID
instead of the SP's.

Thanks again for your help.
Janusz

Janusz Ulanowski

Aug 20, 2009, 11:32:15 AM
to simple...@googlegroups.com

Olav Morken

Aug 21, 2009, 1:47:04 AM
to simple...@googlegroups.com

Ah, yes - I see the bug now, and have committed a fix for it. Thank you
very much for testing this filter! Please let us know if you find any
more bugs.

--
Olav Morken

Janusz Ulanowski

Aug 21, 2009, 4:10:24 AM
to simple...@googlegroups.com
Perfect! Thank you very much.

--
Janusz Ulanowski
