grouper-users - Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
Subject: Grouper Users - Open Discussion List
List archive
Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
Chronological Thread
- From: Tom Zeller <>
- To: Jie Lv <>
- Cc: "<>" <>
- Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
- Date: Tue, 27 Sep 2011 06:27:01 -0700 (MST)
Have you tried AACLI.sh ?
On Sep 27, 2011, at 12:32 AM, "Jie Lv"
<>
wrote:
>> If you are modding code, have you tried logging the attributes
>> returned from the ShibbolethAttributeResolver ? I think filtering
>> occurs afterwards, but it would be good to verify that the resolver is
>> doing the right thing, as it appears to be.
>
> In my attribute-filter.xml, I had the following configuration:
> <afp:AttributeFilterPolicy id="releaseIsMemberOfToAnyone">
> <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
> <afp:AttributeRule attributeID="isMemberOf">
> <afp:PermitValueRule xsi:type="basic:ANY"/>
> </afp:AttributeRule>
> <afp:AttributeFilterPolicy id="releaseAdminToAnyone">
> <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
> <afp:AttributeRule attributeID="admin">
> <afp:PermitValueRule xsi:type="basic:ANY"/>
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> In the idp-process.log, I also found the following information:
> 10:24:10.747 - INFO [Shibboleth-Audit:970] -
> 20110927T022410Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_28085b9
> e60b049d33a
> 2d8f0197ccdd84|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:s
> hibboleth:2.0:profiles:saml2:sso|https://idp2.pku.edu.cn
> /idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b2a
> ea9a1eba92338c8aad04e765a5182|10101|urn:oasis:names:tc:S
> AML:2.0:ac:classes:unspecified|isMemberOf,admin,transientId,carsifed:usernam
> e,|_27046f8ccb14094d3068e5b9f669bced||
>
> If I'm going to log and examine the attributes returned from the
> ShibbolethAttributeResolver, what should I do ?
>
> Jie
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Tom Zeller
> Sent: Friday, September 23, 2011 11:39 PM
> To: Jie Lv
> Cc:
>
> Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin
> for Shibboleth
>
> Agree on the weirdness. I do not have a test environment right now
> either, and it would take some cycles to establish one.
>
> If you are modding code, have you tried logging the attributes
> returned from the ShibbolethAttributeResolver ? I think filtering
> occurs afterwards, but it would be good to verify that the resolver is
> doing the right thing, as it appears to be.
>
> On Fri, Sep 23, 2011 at 5:28 AM, Jie Lv
> <>
> wrote:
>> Do you think you can add log statements where you see fit, rebuild, and
> let
>> us know how it goes?
>> -----------------
>>
>> I did add the following log statement before line 261,which now became
> line
>> 269:
>> 249 if (LOG.isDebugEnabled()) {
>> 250 LOG.debug("resolve {} attributes {}", msg,
>> attributes.size());
>> 251 for (String key : attributes.keySet()) {
>> 252 for (Object value : attributes.get(key).getValues()) {
>> 253 LOG.debug("resolve {} '{}' : {}", new Object[] {
> msg,
>> key, value });
>> 254 }
>> 255 }
>> 256 }
>> 257 return attributes;
>> 258 }
>> 259 });
>> 260 String msg = "UUUUU:";
>> 261 if (LOG.isDebugEnabled()) {
>> 262 LOG.debug("UUUUU resolve {} attributes {}", msg,
>> attributes.size());
>> 263 for (String key : attributes.keySet()) {
>> 264 for (Object value : attributes.get(key).getValues()) {
>> 265 LOG.debug("UUUUU resolve {} '{}' : {}", new Object[]
> {
>> msg, key, value });
>> 266 }
>> 267 }
>> 268 }
>> 269 return attributes;
>>
>> And this is what I got in idp-process.log:
>> 18:20:21.985 - DEBUG
>>
> [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
>> or:250] - resolve '10101' dc 'Membe
>> rDataConnector2' attributes 2
>> 18:20:21.986 - DEBUG
>>
> [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
>> or:253] - resolve '10101' dc 'Membe
>> rDataConnector2' 'id' : 10101
>> 18:20:21.988 - DEBUG
>>
> [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
>> or:253] - resolve '10101' dc 'Membe
>> rDataConnector2' 'groups' :
>> Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]
>> 18:20:21.989 - DEBUG
>>
> [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
>> or:262] - UUUUU resolve UUUUU: attr
>> ibutes 2
>> 18:20:21.989 - DEBUG
>>
> [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
>> or:265] - UUUUU resolve UUUUU: 'id'
>> : 10101
>> 18:20:21.989 - DEBUG
>>
> [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
>> or:265] - UUUUU resolve UUUUU: 'gro
>> ups' : Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]
>>
>> 18:20:22.245 - DEBUG
> [org.apache.xml.security.utils.DigesterOutputStream:-1]
>> - <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML
>> :2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> ID="_a9e45dc1e0a92b9c0e8f065d3dab5909" IssueInstant="2011-09-23T10:20:22
>> .187Z" Version="2.0"><saml2:Issuer
>>
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp2.pku.e
>> du.cn/idp/shibboleth/
>> carsifed</saml2:Issuer><saml2:Subject><saml2:NameID
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>> NameQualifier="http
>> s://idp2.pku.edu.cn/idp/shibboleth/carsifed"
>>
> SPNameQualifier="https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed">_5d6a4d
>> 0514570030e
>> 548d9a24b04cb17</saml2:NameID><saml2:SubjectConfirmation
>>
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationDa
>> ta Address="2001:da8:201:1130:5490:4cef:4cd8:8332"
>> InResponseTo="_12e6eb509b60298d05b99eb5464f8ef1"
>> NotOnOrAfter="2011-09-23T10:25:2
>> 2.187Z"
>>
> Recipient="http://sp-chat.zzu6.edu.cn/Shibboleth.sso/SAML2/POST"></saml2:Sub
>> jectConfirmationData></saml2:SubjectConfirmation
>>> </saml2:Subject><saml2:Conditions NotBefore="2011-09-23T10:20:22.187Z"
>> NotOnOrAfter="2011-09-23T10:25:22.187Z"><saml2:AudienceRestr
>>
> iction><saml2:Audience>https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed</s
>> aml2:Audience></saml2:AudienceRestriction></saml2:Condit
>> ions><saml2:AuthnStatement AuthnInstant="2011-09-23T10:20:21.802Z"
>> SessionIndex="e8b0d3333f6cdb1955dbaacade73a9f20299ef64b2e70937224
>> e354868f74fcb"><saml2:SubjectLocality
>>
> Address="2001:da8:201:1130:5490:4cef:4cd8:8332"></saml2:SubjectLocality><sam
>> l2:AuthnContext><s
>>
> aml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
>> </saml2:AuthnContextClassRef></saml2:AuthnContext></saml
>> 2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute
>> FriendlyName="carsifed:username" Name="carsifed:username" NameFormat="ur
>> n:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type=
>>
> "xs:string">10101</saml2:AttributeValue></saml2:Attribute></saml2:AttributeS
>> tatement></saml2:Assertion>
>>
>> Still, there is NO attribute named "isMemberOf" in the SAML attribute
>> statement.
>> Seems really weird to me.
>>
>> Jie
>> -----Original Message-----
>> From: Chris Hyzer
>> [mailto:]
>> Sent: Friday, September 23, 2011 1:36 PM
>> To: Jie Lv; 'Tom Zeller'
>> Cc:
>>
>> Subject: RE: [grouper-users] Problem with configuration of Grouper Plugin
>> for Shibboleth
>>
>>
>>> So I understand, what do you think the problem is between lines 199-200 ?
>>> ---
>>> Line 199 is:
>>> nameAttribute.setValues(GrouperUtil.toList(new String[] { name }));
>>> I don't quite understand why you're using GrouperUtil.toList( ) instead
> of
>>> Java Util classess to construct a list?
>>
>> Because there is more than one way to do things, and if there is no bug in
>> it, or performance problem, or maintainability problem etc, then lets
> focus
>> on working on more important things :) FYI we have a lot of Grouper and
>> Jakarta etc utility methods that are null safe / shortcuts and are used
>> throughout the code.
>>
>>> The variable "attributes" in line 261, INSTEAD OF the variable in line
> 257
>> ,
>>> is the value to be used by Shibboleth.
>>> I'm not quite sure why you wrote the code like this.
>>> But I wonder if you could insert the code for logging before line 261 to
>>> check if the return value for function resolve() is correct?
>>>
>>
>> Its an anonymous inner class that passes the value to the outer part which
>> returns it... looks fine to me. Do you think you can add log statements
>> where you see fit, rebuild, and let us know how it goes? :)
>>
>> Thanks,
>> Chris
>>
>>
>
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, (continued)
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Peter Schober, 09/22/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Jie Lv, 09/22/2011
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Peter Schober, 09/22/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Jie Lv, 09/22/2011
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Tom Zeller, 09/22/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Jie Lv, 09/22/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Chris Hyzer, 09/23/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Jie Lv, 09/23/2011
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Tom Zeller, 09/23/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Jie Lv, 09/27/2011
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Tom Zeller, 09/27/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Jie Lv, 09/27/2011
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Tom Zeller, 09/29/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Jie Lv, 09/22/2011
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Peter Schober, 09/22/2011
- RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Jie Lv, 09/22/2011
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Peter Schober, 09/22/2011
- Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth, Tom Zeller, 09/23/2011
Archive powered by MHonArc 2.6.16.