OpenConext / OpenConext-myconext

A (guest) IdP for OpenConext
https://eduid.nl/

Attribute manipulation for eduID IdP #494

Closed phavekes closed 4 days ago

phavekes commented 4 days ago

This issue is imported from pivotal

When setting the eduID source for the eduID attribute in manage, no eduID attribute is returned when logging in with the eduID IdP. 

The logs show:

May 23 10:51:37 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-4] myconext.security.GuestIdpAuthenticationRequestFilter Starting SSO filter
May 23 10:51:37 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-4] myconext.security.GuestIdpAuthenticationRequestFilter Attempting user authentication from security context: null
May 23 10:51:37 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-4] myconext.security.GuestIdpAuthenticationRequestFilter Cookie REGISTER_MODUS_COOKIE_NAME is: Null
May 23 10:51:45 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-2] tiqr.org.DefaultTiqrService Started authentication for 5e25ad5fd4734f96f2913ff4
May 23 10:51:45 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-7] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:46 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-3] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:48 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-9] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:49 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-6] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:50 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-1] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:51 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-8] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:52 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-5] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:53 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-2] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:54 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-7] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:55 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-3] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:56 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-9] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:57 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-6] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:58 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-1] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status PENDING
May 23 10:51:58 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-8] tiqr.org.DefaultTiqrService Finished authentication for 5e25ad5fd4734f96f2913ff4
May 23 10:51:58 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-8] myconext.tiqr.TiqrController Successful authentication for user 5e25ad5fd4734f96f2913ff4
May 23 10:51:59 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-5] myconext.tiqr.TiqrController Polling authentication for Peterhqwrwe Doe with status SUCCESS
May 23 10:51:59 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-5] myconext.tiqr.TiqrController Updating user Peter@havekes.eu
May 23 10:51:59 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-2] myconext.security.GuestIdpAuthenticationRequestFilter Starting magic filter
May 23 10:51:59 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-2] myconext.security.GuestIdpAuthenticationRequestFilter Disabling SAML authentication request after login by Peter@havekes.eu 
May 23 10:51:59 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-2] myconext.security.GuestIdpAuthenticationRequestFilter Remember me functionality activated for Peter@havekes.eu 
May 23 10:51:59 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-2] myconext.security.GuestIdpAuthenticationRequestFilter Tiqr flow authenticated for Peter@havekes.eu 
May 23 10:51:59 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-2] myconext.security.GuestIdpAuthenticationRequestFilter Successfully logged in with tiqr
May 23 10:51:59 test01.ams.surfconext.nl myconext: [http-nio-9189-exec-7] myconext.aa.AttributeAggregatorController Attribute aggregation response []
phavekes commented 4 days ago

(Peter Havekes - May 23, 2024)

phavekes commented 4 days ago

From chat: The eduID attribute aggregation takes an eduPersonPrincipalName as input and then looks up the User by the eduPersonPrincipalName of the users' linkedAccounts. If a User has no linked accounts, nothing is returned. Is that a sufficient explanation for "Attribute manipulation for eduID IdP"? I have added extra logging to the attribute-aggregation endpoint. (Peter Havekes - May 24, 2024)

phavekes commented 4 days ago

To fix this: when AA is called with an eppn ending in the configured schacHomeOrganization (eduid.nl), extract the uid from the eppn and use that to find the correct user and eduID identifier. (Peter Havekes - May 24, 2024)
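
The lookup logic described in the two comments above, as an added Python model of the behaviour (this is not the project's Java code and not the linked commit). The User and LinkedAccount records, the in-memory user list, the sample users and the configured schacHomeOrganization value are constructed for the example; the field names are assumptions, not the project's schema.

```python
"""Model of the eduID attribute-aggregation lookup before and after the fix
proposed in the issue. Standalone example; not code from OpenConext-myconext."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed configured schacHomeOrganization of the eduID IdP.
EDUID_SCHAC_HOME_ORGANIZATION = "eduid.nl"


@dataclass
class LinkedAccount:
    eppn: str  # eduPersonPrincipalName received from the linked institution


@dataclass
class User:
    uid: str                   # local uid; the eduID-scoped eppn is "<uid>@eduid.nl"
    email: str
    eduid_identifier: str      # the eduID value the AA endpoint should return
    linked_accounts: List[LinkedAccount] = field(default_factory=list)


# Constructed sample data: one guest user without linked accounts (the case in
# the issue) and one user whose institutional account is linked.
SAMPLE_USERS = [
    User(uid="guest-0001", email="guest@example.org",
         eduid_identifier="eduid-guest-0001", linked_accounts=[]),
    User(uid="guest-0002", email="student@example.org",
         eduid_identifier="eduid-guest-0002",
         linked_accounts=[LinkedAccount(eppn="s1234567@university.example")]),
]


def find_by_linked_account_eppn(users: List[User], eppn: str) -> Optional[User]:
    """Original lookup: match the incoming eppn against the users' linkedAccounts."""
    for user in users:
        if any(la.eppn.lower() == eppn.lower() for la in user.linked_accounts):
            return user
    return None


def find_by_uid(users: List[User], uid: str) -> Optional[User]:
    for user in users:
        if user.uid == uid:
            return user
    return None


def split_eppn(eppn: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'local@scope' at the LAST '@'; scope is lower-cased for comparison.
    Returns (None, None) when the value has no usable scope."""
    local, sep, scope = eppn.rpartition("@")
    if not sep or not local or not scope:
        return None, None
    return local, scope.lower()


def aggregate_eduid_before_fix(users: List[User], eppn: str) -> List[str]:
    """Behaviour the issue describes: only linkedAccounts are consulted, so a user
    without linked accounts is never found and the response is []."""
    user = find_by_linked_account_eppn(users, eppn)
    return [user.eduid_identifier] if user else []


def aggregate_eduid_after_fix(users: List[User], eppn: str) -> List[str]:
    """Behaviour proposed in the fix comment: when the eppn's scope is the configured
    schacHomeOrganization, take the uid from the eppn and look the user up by uid;
    otherwise fall back to the linkedAccounts lookup."""
    uid, scope = split_eppn(eppn)
    if scope is None:
        return []
    if scope == EDUID_SCHAC_HOME_ORGANIZATION.lower():
        user = find_by_uid(users, uid)
    else:
        user = find_by_linked_account_eppn(users, eppn)
    return [user.eduid_identifier] if user else []
```

One check worth keeping when implementing "ends in the configured schacHomeOrganization": compare the scope after the last `@` for equality with the configured value rather than using a plain suffix test on the whole string, since a suffix test would also accept scopes such as `noteduid.nl`, and the uid path must only be taken for eppns the eduID IdP itself issued.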

phavekes commented 4 days ago

https://github.com/OpenConext/OpenConext-myconext/commit/27836ed6567d979fb5a33da380d0d009b24dbd5c (Okke Harsta - May 24, 2024)