
grouper-users - Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth


  • From: Rob Gorrell <>
  • To: David Langenberg <>
  • Cc:
  • Subject: Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth
  • Date: Thu, 9 May 2013 16:25:00 -0400
  • Authentication-results: sfpop-ironport02.merit.edu; dkim=neutral (message not signed) header.i=none

David,

I think you are right... I checked my IdP's attribute-filter and files, I'm releasing eppn.

I checked my grouper SP, and its attribute-map has a definition for urn:mace:dir:attribute-def:eduPersonPrincipalName

and I checked my shibboleth2.xml and I have REMOTE_USER="eppn persistent-id targeted-id"

but, looking at my shibd logs on the grouper SP, I see:
2013-05-09 16:03:05 WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of attribute (eppn) from (https://idp-d.uncg.edu/idp/shibboleth)
2013-05-09 16:03:05 WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute (eppn) from (https://idp-d.uncg.edu/idp/shibboleth)

This means my SP is dropping eppn, correct? Can you offer any wisdom? My skills on the SP side of the house are rather weak; we are mostly an IdP here and don't currently run any SPs, though I'm trying to become more familiar with the SP concepts.

Thanks,
-Rob


On Thu, May 9, 2013 at 3:54 PM, David Langenberg <> wrote:
Hi Rob,

Looking at it, it seems your IdP has not released ePPN to your SP.  That
looks more like an eduPersonTargetedId.  I'd first take a look at your
attribute-filter.xml on the IdP to ensure your Grouper SP is getting the
necessary attributes.  Then ensure that your attribute-map.xml in the
Grouper SP is set up to properly map them.  Finally be sure that in the
Grouper SP shibboleth2.xml you define remote_user to include the correct
attribute.

In our install here, we send UID from the IdP and map that to
REMOTE_USER in the SP.

As for grouper-shib.jar in Maven: what that does is provide a way to
plug grouper into the Shibboleth IdP Attribute Resolver.  It's used
primarily by the Grouper PSP (and can be used by the Shib IdP).

Dave

At 2013.05.09.13.39, in <CAOE6Pzz9Xaoggz42y6z4LzthOF2x5P=>,
        "Rob Gorrell" <> wrote:
>    I was wondering if there were any good soup-to-nuts references for the
>    novice Grouper user in controlling Grouper UI authentication using
>    Shibboleth? I'm working on a first time Grouper deployment and was
>    interested in the notion of using shibb as the authentication mechanism
>    to the UI. I had hoped the path would be a little more straightforward
>    with where these two products come from, but then again, Grouper (and even
>    shibb) are still pretty new to me.
>
>    I found the Newcastle wiki material
>    (https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib)
>    as well as the notes in the Grouper Hosted on a Cloud
>    (https://spaces.internet2.edu/display/Grouper/Grouper+Hosted+on+a+Cloud+Server)
>    about using shibb with grouper and with this, have been successful in
>    setting up an SP that is protecting my Group UI instance, redirecting me
>    to my IdP, authenticating me and dumping me back at the Grouper UI with an
>    established shibb session, but then Grouper UI is telling me "Error: Cant
>    find login subject
>    https://idp-d.uncg.edu/idp/shibboleth!https://dlx-grouperui.uncg.edu/shibboleth!GN9trT6dTIQDtXiFAgiIlrV1xts=,
>    ADMIN_UI".
>
>    What I seem to be missing (and doesn't seem explained in the Newcastle
>    article) is how to map the shibb eppn + attributes into the Grouper
>    $REMOTE_USER so that the shibb user is identified and matched to a grouper
>    subject? I also was stumbling across some information about
>    grouper-shib.jar over at Maven... is that possibly where this component
>    comes into play?
>
>    I was hoping someone might be able to give me a conceptual high level
>    direction of what's involved in shibbolizing the UI geared at those that
>    aren't experts in either grouper or shibboleth... or is this road I've
>    embarked down not for the faint of heart?
>
>    Thanks,
>    -Rob
>
>    --
>    Robert W. Gorrell
>    Middleware Engineer, Identity and Access Management
>    University of NC at Greensboro
>    336-334-5954
[End of excerpt from <CAOE6Pzz9Xaoggz42y6z4LzthOF2x5P=>]

--
David Langenberg
Identity & Access Management
The University of Chicago




--
Robert W. Gorrell
Middleware Engineer, Identity and Access Management
University of NC at Greensboro
336-334-5954
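An added diagnostic, not code from the thread or from the Shibboleth project: it parses the two AttributeFilter warnings quoted above out of a constructed shibd.log excerpt and walks the REMOTE_USER precedence list from shibboleth2.xml to show which attribute the SP falls through to once eppn has been emptied. The log lines, the IdP entityID and the REMOTE_USER value are taken from the thread; the message format regex is an assumption modelled on those quoted lines.

```python
import re

# Constructed shibd.log excerpt modelled on the lines quoted in the thread
SHIBD_LOG = """\
2013-05-09 16:03:05 WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of attribute (eppn) from (https://idp-d.uncg.edu/idp/shibboleth)
2013-05-09 16:03:05 WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute (eppn) from (https://idp-d.uncg.edu/idp/shibboleth)
2013-05-09 16:03:06 INFO Shibboleth.SessionCache [1]: new session created (https://idp-d.uncg.edu/idp/shibboleth)
"""
# shibboleth2.xml REMOTE_USER as quoted in the thread: first listed attribute with a value wins
REMOTE_USER = "eppn persistent-id targeted-id"

# Assumed message shape, modelled on the two quoted AttributeFilter warnings
FILTER_RE = re.compile(
    r"Shibboleth\.AttributeFilter \[\d+\]: (?P<msg>removed value at position \(\d+\) of attribute"
    r"|no values left, removing attribute) \((?P<attr>\S+)\) from \((?P<idp>\S+)\)")


def filter_drops(log_text):
    """Return {idp: {attr: number_of_values_rejected}} for attributes the SP filter emptied."""
    rejected, emptied = {}, {}
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue
        key = (m["idp"], m["attr"])
        if m["msg"].startswith("removed value"):
            rejected[key] = rejected.get(key, 0) + 1
        else:  # every value failed attribute-policy.xml, so the attribute never reaches REMOTE_USER
            emptied.setdefault(m["idp"], {})[m["attr"]] = rejected.get(key, 0)
    return emptied


def remote_user_fallthrough(remote_user_setting, emptied, idp):
    """Walk REMOTE_USER's precedence list: return (first attribute the filter did not empty, skipped ones).
    The winner is only a candidate; the IdP must still release it and attribute-map.xml must map it."""
    dropped, skipped = emptied.get(idp, {}), []
    for attr in remote_user_setting.split():
        if attr not in dropped:
            return attr, skipped
        skipped.append(attr)
    return None, skipped


if __name__ == "__main__":
    idp = "https://idp-d.uncg.edu/idp/shibboleth"
    drops = filter_drops(SHIBD_LOG)
    print(drops)                                              # {idp: {'eppn': 1}}
    print(remote_user_fallthrough(REMOTE_USER, drops, idp))   # ('persistent-id', ['eppn'])
```

With eppn emptied, the SP falls through to persistent-id, which is consistent with the "idp!sp!value" form of the login subject the Grouper UI reported; fixing the policy that rejects the eppn value (or the IdP release) restores the intended REMOTE_USER.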


