
grouper-users - RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

Subject: Grouper Users - Open Discussion List


RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth


  • From: "Jie Lv" <>
  • To: <>
  • Cc: "'Tom Zeller'" <>
  • Subject: RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
  • Date: Thu, 22 Sep 2011 15:24:54 +0800

Hi Tom,
Thanks for your great advice!

I deleted source="example", and it worked.
Now the Grouper Plugin could successfully get the attribute from Grouper. In
idp-process.log, I saw the following:
2011-09-22 14:47:17,287 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:250] - resolve '10101' dc 'MemberDataConnector2' attributes 2
2011-09-22 14:47:17,288 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:253] - resolve '10101' dc 'MemberDataConnector2' 'id' : 10101
2011-09-22 14:47:17,288 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:253] - resolve '10101' dc 'MemberDataConnector2' 'groups' : Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]
2011-09-22 14:47:17,288 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:51] - resolve '10101' ad 'isMemberOf'
2011-09-22 14:47:17,288 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:60] - resolve '10101' ad 'isMemberOf' values from dependencies 'Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]'
2011-09-22 14:47:17,289 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:92] - resolve '10101' ad 'isMemberOf' values 1
2011-09-22 14:47:17,289 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:94] - resolve '10101' ad 'isMemberOf' value 'pkuid:faculty:cc'

In attribute-filter.xml, I configured the IdP to release the attribute:
<AttributeFilterPolicy id="releaseIsMemberOfToAnyone">
  <PolicyRequirementRule xsi:type="basic:ANY" />
  <AttributeRule attributeID="isMemberOf">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

In relying-party.xml, I configured the idp to release the authn statement
and attribute statement together.

In idp-process.log, I got the following message:
2011-09-22 14:47:17,293 INFO [Shibboleth-Audit:898] - 20110922T064717Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_8186d5f25a2e99780ee7102bb08e3b4c|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:query:attribute|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_8325d826b3609fbe4d1534d020bcb008|10101||isMemberOf,transientId,|||

But in shibd.log on the SP, I could see the text of the assertion:
2011-09-22 14:47:17 DEBUG Shibboleth.SSO.SAML2 [23]: decrypted Assertion:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_af4ae8ac4e7057706328c71988cc3f71" IssueInstant="2011-09-22T06:47:16.808Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp2.pku.edu.cn/idp/shibboleth/carsifed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_74f65e26afee23f5ec92a1bbdd14c26f</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Address="2001:da8:201:1130:91e3:8141:1fc8:e9ac" InResponseTo="_9e9f1523edc2edd9f2e81e085d24cb96" NotOnOrAfter="2011-09-22T06:52:16.808Z" Recipient="http://sp-chat.zzu6.edu.cn/Shibboleth.sso/SAML2/POST"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-09-22T06:47:16.808Z" NotOnOrAfter="2011-09-22T06:52:16.808Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-09-22T06:47:16.697Z" SessionIndex="af1f9fabd3ce2193cddbe960ce60421b64ad4cef7951dc3956e64ac1369790f2">
    <saml:SubjectLocality Address="2001:da8:201:1130:91e3:8141:1fc8:e9ac"/>
    <saml:AuthnContext>
      <saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>

There was NO attribute named "isMemberOf".

Is there still anything wrong with my current configuration?

Thanks so much for your help!

Jie
-----Original Message-----
From: [mailto:] On Behalf Of Tom Zeller
Sent: Tuesday, September 20, 2011 11:28 PM
To: Jie Lv
Cc:
Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

The following

<grouper:Attribute id="groups" source="example"/>

should be

<grouper:Attribute id="groups" />

or

<grouper:Attribute id="groups" source="g:gsa"/>

The <grouper:Attribute /> element defines the grouper subject
attribute id to be returned from the given subject source. The source,
if omitted, defaults to "g:gsa", i.e. the internal grouper subject
adapter. This is either a bug or just plain confusing.

And, I couldn't find the thread on the grouper-users archives, but
some folks have found that releasing attributes directly from grouper
is not such a great idea if the grouper database is inaccessible due
to maintenance or whatever. The workaround is to release grouper
attributes that have been provisioned to ldap.

On Tue, Sep 20, 2011 at 5:06 AM, Jie Lv <> wrote:
> Hi everyone,
>
> I’ve been working to integrate Grouper and Shibboleth.
>
> In my setup, I’ve been using Grouper APIBinary 2.0.0, Grouper LDAPPCNG
> 2.0.0, Shibboleth IdP 2.1.1
>
> I set up a group named “pku:faculty:Computer Center”, and added a member
> named “10101”
>
> I used the gsh command line utility to check my setup. I got the following
> message:
>
> gsh 0% subj = findSubject("10101")
> subject: id='10101' type='person' source='example' name='test101011'
> gsh 1% sess = GrouperSession.start(subj)
> edu.internet2.middleware.grouper.GrouperSession: 731c5237ae4a4ec3b8abec24511c6142,'10101','person'
> gsh 2% member = MemberFinder.findBySubject(sess, subj)
> member: id='10101' type='person' source='example' uuid='576123fcc5694fd693b1557d53f8dac1'
> gsh 3% member.getGroups()
> group: name='pkuid:faculty:cc' displayName='pku:faculty:Computer Center' uuid='8cb08ed56aec4638beb3f4fa112d8e8a'
>
> Then I configured my Shibboleth IdP to use Grouper Plugin to extract the
> above information from Grouper. The configuration in attribute-resolver.xml
> is as follows:
>
> <resolver:DataConnector id="MemberDataConnector2" xsi:type="grouper:MemberDataConnector">
>   <grouper:Attribute id="groups" source="example"/>
> </resolver:DataConnector>
>
> <resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups">
>   <resolver:Dependency ref="MemberDataConnector2" />
>   <grouper:Attribute id="name" />
> </resolver:AttributeDefinition>
>
> But I can’t get the grouper information after I logged into my IdP with the
> account 10101. In idp-process.log, I got the following message:
>
> 2011-09-20 17:59:45,528 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:141] - resolve '10101' dc 'MemberDataConnector2'
> 2011-09-20 17:59:45,606 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:160] - resolve '10101' dc 'MemberDataConnector2' found subject 'Subject id: 10101, sourceId: example'
> 2011-09-20 17:59:45,613 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:182] - resolve '10101' dc 'MemberDataConnector2' found member ''10101'/'person'/'example''
> 2011-09-20 17:59:45,613 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:190] - resolve '10101' dc 'MemberDataConnector2' subjectIDs [id 'groups' source 'example']
> 2011-09-20 17:59:45,613 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:192] - resolve '10101' dc 'MemberDataConnector2' member '10101'/'person'/'example' field id 'groups' source 'example'
> 2011-09-20 17:59:45,614 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:250] - resolve '10101' dc 'MemberDataConnector2' attributes 1
> 2011-09-20 17:59:45,614 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:253] - resolve '10101' dc 'MemberDataConnector2' 'id' : 10101
> 2011-09-20 17:59:45,614 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:51] - resolve '10101' ad 'isMemberOf'
> 2011-09-20 17:59:45,614 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:92] - resolve '10101' ad 'isMemberOf' values 0
>
> Both the gsh and Grouper Plugin are running on the same machine and are
> using exactly the same configuration files of “grouper.hibernate.properties”
> and “sources.xml”.
>
> So is there anything wrong with my configuration of Grouper Plugin for
> Shibboleth?
>
> Thanks in advance!
>
> Jie
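As an added cross-check (example code written for this archive page, not part of the thread, the Grouper plugin or the Shibboleth IdP): parse the IdP audit line and the decrypted assertion quoted in Jie's reply above and report which exchange carried isMemberOf. The audit field order assumed here is the Shibboleth IdP 2.x default; the embedded assertion is abridged to its statement skeleton, and the `locate_attribute` helper is this example's own.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_QUERY_PROFILE = "urn:mace:shibboleth:2.0:profiles:saml2:query:attribute"

# Leading fields of the pipe-delimited IdP 2.x audit log (Shibboleth-Audit logger).
AUDIT_FIELDS = ("event_time", "request_binding", "request_id", "relying_party",
                "message_profile", "asserting_party", "response_binding",
                "response_id", "principal", "authn_method",
                "released_attributes", "name_id", "assertion_ids")

def parse_audit_line(line):
    """Map one audit line to named fields; comma-separated fields become lists."""
    rec = dict(zip(AUDIT_FIELDS, line.strip().split("|")))
    for key in ("released_attributes", "assertion_ids"):
        rec[key] = [v for v in rec.get(key, "").split(",") if v]
    return rec

def summarize_assertion(xml_text):
    """List the statement types and attribute names an assertion carries."""
    root = ET.fromstring(xml_text)
    statements = [c.tag.split("}")[1] for c in root if c.tag.endswith("Statement")]
    attrs = [a.get("Name") for a in root.iter("{%s}Attribute" % SAML2)]
    return {"id": root.get("ID"), "statements": statements, "attributes": attrs}

def locate_attribute(audit_rec, summary, name):
    """Say where a released attribute should be looked for, given both records."""
    if name not in audit_rec["released_attributes"]:
        return "not released according to the audit log"
    if name in summary["attributes"]:
        return "present in assertion " + summary["id"]
    if audit_rec["message_profile"] == ATTR_QUERY_PROFILE:
        return ("released in the SOAP attribute query response, so it will not "
                "appear in SSO assertion " + summary["id"])
    return "released but missing from assertion " + summary["id"]

# Audit line from the thread above; assertion abridged to its statement skeleton.
AUDIT_LINE = ("20110922T064717Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|"
              "_8186d5f25a2e99780ee7102bb08e3b4c|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|"
              "urn:mace:shibboleth:2.0:profiles:saml2:query:attribute|"
              "https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|"
              "_8325d826b3609fbe4d1534d020bcb008|10101||isMemberOf,transientId,|||")
ASSERTION = ('<saml:Assertion xmlns:saml="%s" ID="_af4ae8ac4e7057706328c71988cc3f71" Version="2.0">'
             '<saml:Issuer>https://idp2.pku.edu.cn/idp/shibboleth/carsifed</saml:Issuer>'
             '<saml:AuthnStatement AuthnInstant="2011-09-22T06:47:16.697Z"/>'
             '</saml:Assertion>' % SAML2)

if __name__ == "__main__":
    print(locate_attribute(parse_audit_line(AUDIT_LINE),
                           summarize_assertion(ASSERTION), "isMemberOf"))
```

The same two functions can be pointed at a full idp-process.log and shibd.log capture to confirm, for each SP, whether an attribute arrived in the SSO assertion or in a separate attribute query.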



