
comanage-users - Re: [comanage-users] SAML vars in self-service enrollment

Subject: COmanage Users List

  • From: Kevin Foote <>
  • To: Dave Dykstra <>
  • Cc: Benn Oshrin <>, "" <>
  • Subject: Re: [comanage-users] SAML vars in self-service enrollment
  • Date: Wed, 19 Apr 2017 18:07:45 +0000

Hi Dave,

I’m obviously not Benn, but this Location block simply sets up “lazy”
sessions[1] when using the shib-sp.

--------
thanks
kevin.foote

[1] https://wiki.shibboleth.net/confluence/display/SHIB/LazySession


> On Apr 19, 2017, at 11:36, Dave Dykstra wrote:
>
> Hi Benn,
>
> I don't see that "<Location /registry>" section in the comanage
> installation documentation; did I miss it? I tried adding it on my
> machine but don't notice any difference. Can you give a specific
> example where it makes a difference?
>
> Dave
>
> On Mon, Apr 17, 2017 at 06:39:35PM -0400, Benn Oshrin wrote:
>> You typically would have something like this in your apache config...
>>
>> <Directory /var/www/html/registry/auth/login/>
>> AuthType shibboleth
>> ShibRequestSetting requireSession 1
>> Require valid-user
>> </Directory>
>>
>> <Location /registry>
>> AuthType shibboleth
>> Require shibboleth
>> </Location>
>>
>> You only want to trigger authentication on the login pages, but you want
>> the ENV variables set on other requests. You don't want to explicitly
>> list enrollment URLs since in general there's no guarantee they won't
>> change.
>>
>> Thanks,
>>
>> -Benn-
>>
>> On 4/17/17 12:22 PM, Paul Caskey wrote:
>>> First of 2 quick questions?
>>>
>>> Is the right way to use IdP-asserted SAML vars in self-service
>>> enrollment to just shibb-protect the enrollment URL?
>>>
>>> The mappings from env vars to form fields seems to be in place?
>>>
>>> Thanks!
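
An added example, not part of the thread and not COmanage code: how an application behind the lazy-session `<Location /registry>` block above can prefill enrollment fields from the environment, treating a request with no Shibboleth session as anonymous rather than as an error. The attribute ids (`mail`, `givenName`, `sn`, `eppn`) and the `FIELD_MAP` mapping are assumptions; the sample environments in the usage are constructed.

```python
import re

# Hypothetical mapping: enrollment form field -> attribute id as it would be
# named in the SP's attribute-map.xml (assumed ids, not taken from the thread).
FIELD_MAP = {"email": "mail", "given": "givenName", "family": "sn", "identifier": "eppn"}

# The Shibboleth SP joins multiple values with ';' and escapes a literal ';' as '\;'.
_SPLIT = re.compile(r"(?<!\\);")


def split_values(raw):
    """Split a multi-valued attribute string into a list of values."""
    return [v.replace("\\;", ";") for v in _SPLIT.split(raw) if v]


def enrollment_prefill(environ, field_map=FIELD_MAP):
    """Return (has_session, prefill) for one request environment.

    With a lazy session the request is served whether or not the user has
    authenticated, so a missing Shib-Session-ID means "no attributes yet".
    Only the exact environment names are read; HTTP_* entries come from
    client-supplied request headers and are never consulted.
    """
    if not environ.get("Shib-Session-ID"):
        return False, {}
    prefill = {}
    for field, attr in field_map.items():
        values = split_values(environ.get(attr, ""))
        if values:
            prefill[field] = values[0]  # a form field takes the first value
    return True, prefill


if __name__ == "__main__":
    # Constructed sample environments.
    anonymous = {"HTTP_MAIL": "spoofed@example.org"}
    logged_in = {
        "Shib-Session-ID": "_constructed_session_id",
        "mail": "a@example.org;b@example.org",
        "eppn": "user@example.org",
        "HTTP_GIVENNAME": "Mallory",
    }
    print(enrollment_prefill(anonymous))
    print(enrollment_prefill(logged_in))
```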



