grouper-users - RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: "Jie Lv" <>
  • To: "'Chris Hyzer'" <>, "'Tom Zeller'" <>
  • Cc: <>
  • Subject: RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
  • Date: Fri, 23 Sep 2011 18:28:42 +0800

Do you think you can add log statements where you see fit, rebuild, and let
us know how it goes?
-----------------

I did add the following log statement before line 261, which now became line
269:
249       if (LOG.isDebugEnabled()) {
250         LOG.debug("resolve {} attributes {}", msg, attributes.size());
251         for (String key : attributes.keySet()) {
252           for (Object value : attributes.get(key).getValues()) {
253             LOG.debug("resolve {} '{}' : {}", new Object[] { msg, key, value });
254           }
255         }
256       }
257       return attributes;
258     }
259   });
260   String msg = "UUUUU:";
261   if (LOG.isDebugEnabled()) {
262     LOG.debug("UUUUU resolve {} attributes {}", msg, attributes.size());
263     for (String key : attributes.keySet()) {
264       for (Object value : attributes.get(key).getValues()) {
265         LOG.debug("UUUUU resolve {} '{}' : {}", new Object[] { msg, key, value });
266       }
267     }
268   }
269   return attributes;

And this is what I got in idp-process.log:
18:20:21.985 - DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:250] - resolve '10101' dc 'MemberDataConnector2' attributes 2
18:20:21.986 - DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:253] - resolve '10101' dc 'MemberDataConnector2' 'id' : 10101
18:20:21.988 - DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:253] - resolve '10101' dc 'MemberDataConnector2' 'groups' : Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]
18:20:21.989 - DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:262] - UUUUU resolve UUUUU: attributes 2
18:20:21.989 - DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:265] - UUUUU resolve UUUUU: 'id' : 10101
18:20:21.989 - DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:265] - UUUUU resolve UUUUU: 'groups' : Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]

18:20:22.245 - DEBUG [org.apache.xml.security.utils.DigesterOutputStream:-1] -
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_a9e45dc1e0a92b9c0e8f065d3dab5909" IssueInstant="2011-09-23T10:20:22.187Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp2.pku.edu.cn/idp/shibboleth/carsifed</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp2.pku.edu.cn/idp/shibboleth/carsifed" SPNameQualifier="https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed">_5d6a4d0514570030e548d9a24b04cb17</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Address="2001:da8:201:1130:5490:4cef:4cd8:8332" InResponseTo="_12e6eb509b60298d05b99eb5464f8ef1" NotOnOrAfter="2011-09-23T10:25:22.187Z" Recipient="http://sp-chat.zzu6.edu.cn/Shibboleth.sso/SAML2/POST"></saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2011-09-23T10:20:22.187Z" NotOnOrAfter="2011-09-23T10:25:22.187Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2011-09-23T10:20:21.802Z" SessionIndex="e8b0d3333f6cdb1955dbaacade73a9f20299ef64b2e70937224e354868f74fcb">
    <saml2:SubjectLocality Address="2001:da8:201:1130:5490:4cef:4cd8:8332"></saml2:SubjectLocality>
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="carsifed:username" Name="carsifed:username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">10101</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

Still, there is NO attribute named "isMemberOf" in the SAML attribute
statement.
Seems really weird to me.

Jie
-----Original Message-----
From: Chris Hyzer
Sent: Friday, September 23, 2011 1:36 PM
To: Jie Lv; 'Tom Zeller'
Cc:
Subject: RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth


> So I understand, what do you think the problem is between lines 199-200 ?
> ---
> Line 199 is:
> nameAttribute.setValues(GrouperUtil.toList(new String[] { name }));
> I don't quite understand why you're using GrouperUtil.toList( ) instead of
> Java Util classes to construct a list?

Because there is more than one way to do things, and if there is no bug in
it, or performance problem, or maintainability problem etc, then let's focus
on working on more important things :) FYI we have a lot of Grouper and
Jakarta etc utility methods that are null safe / shortcuts and are used
throughout the code.

> The variable "attributes" in line 261, INSTEAD OF the variable in line 257,
> is the value to be used by Shibboleth.
> I'm not quite sure why you wrote the code like this.
> But I wonder if you could insert the code for logging before line 261 to
> check if the return value for function resolve() is correct?
>

It's an anonymous inner class that passes the value to the outer part which
returns it... looks fine to me. Do you think you can add log statements
where you see fit, rebuild, and let us know how it goes? :)

Thanks,
Chris
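
An added example, not part of the original thread and not Grouper or Shibboleth code: a Python check over idp-process.log that lists the fields each data connector logged as resolved and reports which expected SAML attribute names are absent from the logged assertion. The sample log is constructed from the excerpt in the message above (logger names shortened, assertion cut down to its AttributeStatement), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
CONNECTOR_RE = re.compile(r"- resolve '[^']*' dc '([^']*)' '([^']*)' : (.*)$")
ASSERTION_RE = re.compile(r"<saml2:Assertion\b.*</saml2:Assertion>")

# Constructed sample: log lines from the message above, unwrapped, with the
# logger names shortened and the assertion reduced to its AttributeStatement.
SAMPLE_LOG = "\n".join([
    "18:20:21.986 - DEBUG [MemberDataConnector:253] - resolve '10101' dc "
    "'MemberDataConnector2' 'id' : 10101",
    "18:20:21.988 - DEBUG [MemberDataConnector:253] - resolve '10101' dc "
    "'MemberDataConnector2' 'groups' : Group[name=pkuid:faculty:cc,"
    "uuid=8cb08ed56aec4638beb3f4fa112d8e8a]",
    '18:20:22.245 - DEBUG [DigesterOutputStream:-1] - <saml2:Assertion '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
    '<saml2:AttributeStatement><saml2:Attribute Name="carsifed:username">'
    '<saml2:AttributeValue>10101</saml2:AttributeValue></saml2:Attribute>'
    '</saml2:AttributeStatement></saml2:Assertion>',
])

def connector_fields(log):
    """Map each data connector id to the field names it logged as resolved."""
    fields = {}
    for line in log.splitlines():
        m = CONNECTOR_RE.search(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def released_attributes(log):
    """Map SAML attribute Name -> values for every assertion found in the log."""
    released = {}
    for m in ASSERTION_RE.finditer(log):
        # Local, trusted log only: xml.etree is not hardened against hostile XML.
        root = ET.fromstring(m.group(0))
        for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
            values = [v.text for v in attr.iterfind("saml2:AttributeValue", NS)]
            released.setdefault(attr.get("Name"), []).extend(values)
    return released

def missing_attributes(log, expected):
    """Expected SAML attribute names that no assertion in the log carries."""
    released = released_attributes(log)
    return [name for name in expected if name not in released]

if __name__ == "__main__":
    print(connector_fields(SAMPLE_LOG))
    print(missing_attributes(SAMPLE_LOG, ["carsifed:username", "isMemberOf"]))
```

On the sample this shows `groups` logged as resolved by `MemberDataConnector2` while `isMemberOf` is absent from the assertion, which is the symptom reported in the message.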



