Grouper Users - Open Discussion List

[David Langenberg <>]

I'd check your metadata.  Is your Grouper install using the InCommon
metadata for your IdP?  According to that error message your IdP is
claiming it's EntityID is https://idp-d.uncg.edu/idp/shibboleth rather than
https://prdidp.uncg.edu/idp/shibboleth.  That'd lead me to suspect that it's 
also sending the
wrong scope.  ePPN is a scoped attribute and if the scope your IdP is
sending is not the one the SP is expecting, then the SP will drop it. 

Dave

At 2013.05.09.14.25, in 
<>,
        "Rob Gorrell" 
<>
 wrote:
>    David,
> 
>    I think you are right... I checked my IdP's attribute-filter and files,
>    I'm releasing eppn.
> 
>    I checked my grouper SP, and its attribute-map has a definition for
>    urn:mace:dir:attribute-def:eduPersonPrincipalName
> 
>    and I checked my shibboleth2.xml and i have REMOTE_USER="eppn
>    persistent-id targeted-id"
> 
>    but, looking my shibd logs on the grouper SP, I see:
>    2013-05-09 16:03:05 WARN Shibboleth.AttributeFilter [1]: removed value at
>    position (0) of attribute (eppn) from
>    (https://idp-d.uncg.edu/idp/shibboleth)
>    2013-05-09 16:03:05 WARN Shibboleth.AttributeFilter [1]: no values left,
>    removing attribute (eppn) from (https://idp-d.uncg.edu/idp/shibboleth)
> 
>    This means my SP is dropping eppn, correct? Can you offer any wisdom, my
>    skills on the SP side of the house are rather week, we are mostly an IdP
>    here and don't currently run any SP's though I'm trying to become more
>    familar with the SP concepts.
> 
>    Thanks,
>    -Rob
> 
>    On Thu, May 9, 2013 at 3:54 PM, David Langenberg 
> <>
>    wrote:
> 
>      Hi Rob,
> 
>      Looking at it, it seems your IdP has not released ePPN to your SP.  
> That
>      looks more like an eduPersonTargetedId.  I'd first take a look at your
>      attribute-filter.xml on the IdP to ensure your Grouper SP is getting 
> the
>      necessary attributes.  Then ensure that your attribute-map.xml in the
>      Grouper SP is setup to properly map them.  Finally be sure that in the
>      Grouper SP shibboleth2.xml you define remote_user to include the 
> correct
>      attribute.
> 
>      In our install here, we send UID from the IdP and map that to
>      REMOTE_USER in the SP.
> 
>      As for grouper-shib.jar in maven.  What that does is provide a way to
>      plug grouper into the Shibboleth IdP Attribute Resolver.  It's used
>      primarily by the Grouper PSP (and can be used by the Shib IdP).
> 
>      Dave
> 
>      At 2013.05.09.13.39, in
>      
> <>,
>              "Rob Gorrell" 
> <>
>  wrote:
>      >    I was wondering if there were any good soup-to-nuts references for
>      the
>      >    novice Grouper user in controlling Grouper UI authentication using
>      >    Shibboleth? I'm working on a first time Grouper deployment and was
>      >    interested with the notion of using shibb as the authentication
>      mechanism
>      >    to the UI. I had hoped the path would be a little more
>      straightforward
>      >    with where these two products come from, but then again, Grouper
>      (and even
>      >    shibb) are still pretty new to me.
>      >
>      >    I found the Newcastle wiki material
>      >  
>       
> (https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib)
>      >    as well as the notes in the Grouper Hosted on a Cloud
>      >  
>       
> (https://spaces.internet2.edu/display/Grouper/Grouper+Hosted+on+a+Cloud+Server)
>      >    about using shibb with grouper and with this, have been successful
>      in
>      >    setting up an SP that is protecting my Group UI instance,
>      redirecting me
>      >    to my IdP, authenticating me and dumping me back at the Grouper UI
>      with an
>      >    established shibb session, but then Grouper UI is telling me
>      "Error: Cant
>      >    find login subject
>      >  
>       
> https://idp-d.uncg.edu/idp/shibboleth!https://dlx-grouperui.uncg.edu/shibboleth!GN9trT6dTIQDtXiFAgiIlrV1xts=,
>      >    ADMIN_UI".
>      >
>      >    What I seem to be missing (and doesn't seem explained in the
>      Newcastle
>      >    article) is how to map the shibb eppn + attributes into the 
> Grouper
>      >    $REMOTE_USER so that shibb user is identified and matched to a
>      grouper
>      >    subject? I also was stumbling across some information about
>      >    grouper-shib.jar over at Maven... is that possibly where this
>      component
>      >    comes into play?
>      >
>      >    I was hoping someone might be able to give me a conceptual high
>      level
>      >    direction of whats involved in shibbolizing the UI geared at those
>      that
>      >    aren't experts in either grouper or shibboleth... or is this road
>      I've
>      >    embarked down not for the faint of heart?
>      >
>      >    Thanks,
>      >    -Rob
>      >
>      >    --
>      >    Robert W. Gorrell
>      >    Middleware Engineer, Identity and Access Management
>      >    University of NC at Greensboro
>      >    336-334-5954
>      [End of excerpt from
>      
> <>]
>      --
>      David Langenberg
>      Identity & Access Management
>      The University of Chicago
> 
>    --
>    Robert W. Gorrell
>    Middleware Engineer, Identity and Access Management
>    University of NC at Greensboro
>    336-334-5954
[End of excerpt from 
<>]

-- 
David Langenberg
Identity & Access Management
The University of Chicago