
grouper-users - Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: Rob Gorrell <>
  • Cc:
  • Subject: Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth
  • Date: Thu, 9 May 2013 14:36:25 -0600
  • Authentication-results: sfpop-ironport07.merit.edu; dkim=neutral (message not signed) header.i=none

I'd check your metadata. Is your Grouper install using the InCommon
metadata for your IdP? According to that error message your IdP is
claiming its EntityID is https://idp-d.uncg.edu/idp/shibboleth rather than
https://prdidp.uncg.edu/idp/shibboleth. That'd lead me to suspect that it's
also sending the wrong scope. ePPN is a scoped attribute, and if the scope
your IdP is sending is not the one the SP is expecting, then the SP will
drop it.

Dave

At 2013.05.09.14.25, in <>, "Rob Gorrell" <> wrote:
> David,
>
> I think you are right... I checked my IdP's attribute-filter and files,
> I'm releasing eppn.
>
> I checked my grouper SP, and its attribute-map has a definition for
> urn:mace:dir:attribute-def:eduPersonPrincipalName
>
> and I checked my shibboleth2.xml and I have REMOTE_USER="eppn
> persistent-id targeted-id"
>
> but, looking at my shibd logs on the grouper SP, I see:
> 2013-05-09 16:03:05 WARN Shibboleth.AttributeFilter [1]: removed value at position (0) of attribute (eppn) from (https://idp-d.uncg.edu/idp/shibboleth)
> 2013-05-09 16:03:05 WARN Shibboleth.AttributeFilter [1]: no values left, removing attribute (eppn) from (https://idp-d.uncg.edu/idp/shibboleth)
>
> This means my SP is dropping eppn, correct? Can you offer any wisdom? My
> skills on the SP side of the house are rather weak; we are mostly an IdP
> here and don't currently run any SPs, though I'm trying to become more
> familiar with the SP concepts.
>
> Thanks,
> -Rob
>
> On Thu, May 9, 2013 at 3:54 PM, David Langenberg <> wrote:
>
> Hi Rob,
>
> Looking at it, it seems your IdP has not released ePPN to your SP. That
> looks more like an eduPersonTargetedId. I'd first take a look at your
> attribute-filter.xml on the IdP to ensure your Grouper SP is getting the
> necessary attributes. Then ensure that your attribute-map.xml in the
> Grouper SP is set up to properly map them. Finally, be sure that in the
> Grouper SP shibboleth2.xml you define remote_user to include the correct
> attribute.
>
> In our install here, we send UID from the IdP and map that to
> REMOTE_USER in the SP.
>
> As for grouper-shib.jar in maven: what that does is provide a way to
> plug grouper into the Shibboleth IdP Attribute Resolver. It's used
> primarily by the Grouper PSP (and can be used by the Shib IdP).
>
> Dave
>
> At 2013.05.09.13.39, in <>, "Rob Gorrell" <> wrote:
> > I was wondering if there were any good soup-to-nuts references for the
> > novice Grouper user in controlling Grouper UI authentication using
> > Shibboleth? I'm working on a first time Grouper deployment and was
> > interested in the notion of using shibb as the authentication mechanism
> > to the UI. I had hoped the path would be a little more straightforward
> > with where these two products come from, but then again, Grouper (and even
> > shibb) are still pretty new to me.
> >
> > I found the Newcastle wiki material
> > (https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib)
> > as well as the notes in the Grouper Hosted on a Cloud
> > (https://spaces.internet2.edu/display/Grouper/Grouper+Hosted+on+a+Cloud+Server)
> > about using shibb with grouper and with this, have been successful in
> > setting up an SP that is protecting my Group UI instance, redirecting me
> > to my IdP, authenticating me and dumping me back at the Grouper UI with an
> > established shibb session, but then Grouper UI is telling me "Error: Cant
> > find login subject
> > https://idp-d.uncg.edu/idp/shibboleth!https://dlx-grouperui.uncg.edu/shibboleth!GN9trT6dTIQDtXiFAgiIlrV1xts=,
> > ADMIN_UI".
> >
> > What I seem to be missing (and doesn't seem explained in the Newcastle
> > article) is how to map the shibb eppn + attributes into the Grouper
> > $REMOTE_USER so that the shibb user is identified and matched to a grouper
> > subject? I also was stumbling across some information about
> > grouper-shib.jar over at Maven... is that possibly where this component
> > comes into play?
> >
> > I was hoping someone might be able to give me a conceptual high level
> > direction of what's involved in shibbolizing the UI geared at those that
> > aren't experts in either grouper or shibboleth... or is this road I've
> > embarked down not for the faint of heart?
> >
> > Thanks,
> > -Rob
> >
> > --
> > Robert W. Gorrell
> > Middleware Engineer, Identity and Access Management
> > University of NC at Greensboro
> > 336-334-5954
> [End of excerpt from
>
> <>]
> --
> David Langenberg
> Identity & Access Management
> The University of Chicago
>
> --
> Robert W. Gorrell
> Middleware Engineer, Identity and Access Management
> University of NC at Greensboro
> 336-334-5954
[End of excerpt from
<>]

--
David Langenberg
Identity & Access Management
The University of Chicago
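As an added illustration (not code from this thread or from the Shibboleth project), a small Python model of Dave's diagnosis: the SP keeps a scoped value such as eppn only when the metadata for the asserting entityID declares that scope, so an issuer that is missing from the metadata loses every value and the "no values left" warning follows. The metadata document and attribute values are constructed for the example, and the check only approximates the SP's default scope rule.

```python
"""Model of the Shibboleth SP scope check that drops a scoped attribute."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed metadata (assumption, not the real InCommon feed): only the
# production IdP entityID is registered, and only for the uncg.edu scope.
METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://prdidp.uncg.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">uncg.edu</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def scopes_for(metadata_xml, entity_id):
    """Return (is_regexp, scope) pairs the metadata lets this IdP assert."""
    root = ET.fromstring(metadata_xml)
    for ent in root.findall("md:EntityDescriptor", NS):
        if ent.get("entityID") == entity_id:
            path = "md:IDPSSODescriptor/md:Extensions/shibmd:Scope"
            return [(s.get("regexp") == "true", s.text.strip())
                    for s in ent.findall(path, NS)]
    return []  # issuer not in metadata: no scope is trusted at all


def filter_scoped(metadata_xml, issuer, values):
    """Keep only values whose scope the issuer may assert; an empty result
    is the situation behind 'no values left, removing attribute (eppn)'."""
    scopes = scopes_for(metadata_xml, issuer)
    kept = []
    for value in values:
        if "@" not in value:
            continue  # a scoped attribute value without a scope is rejected
        scope = value.rsplit("@", 1)[1]
        if any(re.fullmatch(pat, scope) if is_rx else pat.lower() == scope.lower()
               for is_rx, pat in scopes):
            kept.append(value)
    return kept
```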



