datadryad / dryad-product-roadmap

Repository of issues for Dryad project boards
https://github.com/orgs/datadryad/projects

New tenant: New Mexico State University #1432

Closed dlowenberg closed 3 years ago

dlowenberg commented 3 years ago

Will forward logo by email (note: email from Tanner Schaub)

Marisa and Ashley tested shib

-- UPDATE:

Config seems OK and logo works if I set my tenant to nmsu.

[Screenshot: Screen Shot 2021-08-30 at 5 07 44 PM]

HOWEVER, shibboleth doesn't seem to work correctly. I obtained two different entity_ids when I tried to find one.

From discovery service I found this in some weird way: https://sts.windows.net/a3ec87a8-9fb8-4158-ba8f-f11bace1ebaa/

From the XML file that is still on the old servers: https://myidp.nmsu.edu

The first gives this:

[Screenshot: Screen Shot 2021-08-30 at 4 47 28 PM]

The second gives this:

[Screenshot: Screen Shot 2021-08-30 at 5 08 14 PM]

Neither seems to give a login. @marisastrong and @ashleygould, do you have any insight into whether either of these is a correct entityID, or why this isn't working?

marisastrong commented 3 years ago

2021-09-07 09:40:51 ERROR OpenSAML.MetadataProvider.Dynamic [12] [default]: error while resolving (https://sts.windows.net/a3ec87a8-9fb8-4158-ba8f-f11bace1ebaa/): CURLSOAPTransport failed while contacting SOAP endpoint (https://mdq.incommon.org/entities/https%3A%2F%2Fsts.windows.net%2Fa3ec87a8-9fb8-4158-ba8f-f11bace1ebaa%2F): The requested URL returned error: 404
2021-09-07 09:40:51 WARN OpenSAML.MetadataProvider.Dynamic [12] [default]: next refresh of metadata for (https://sts.windows.net/a3ec87a8-9fb8-4158-ba8f-f11bace1ebaa/) no sooner than 600 seconds
2021-09-07 11:57:00 ERROR OpenSAML.MetadataProvider.Dynamic [2] [default]: error while resolving (https://sts.windows.net/a3ec87a8-9fb8-4158-ba8f-f11bace1ebaa/): CURLSOAPTransport failed while contacting SOAP endpoint (https://mdq.incommon.org/entities/https%3A%2F%2Fsts.windows.net%2Fa3ec87a8-9fb8-4158-ba8f-f11bace1ebaa%2F): The requested URL returned error: 404
2021-09-07 11:57:00 WARN OpenSAML.MetadataProvider.Dynamic [2] [default]: next refresh of metadata for (https://sts.windows.net/a3ec87a8-9fb8-4158-ba8f-f11bace1ebaa/) no sooner than 600 seconds
2021-09-07 16:12:05 ERROR Shibboleth.Listener : failed socket call (bind), result (13): Permission denied
2021-09-07 16:12:05 CRIT Shibboleth.Listener : failed to bind to socket.

@ashleygould we may need to re-order the MetadataProviders in the shibboleth2.xml file so that the local file is referenced first, then if not found there, goes to MDQ. Otherwise we get an error while searching MDQ and it's not clear to me that Shib SP knows to check the other MetadataProvider source.

<MetadataProvider type="MDQ" id="incommon" ignoreTransport="true" cacheDirectory="inc-mdq-cache"
                  maxCacheDuration="28800" minCacheDuration="600"
                  baseUrl="https://mdq.incommon.org/">
    <MetadataFilter type="Signature" certificate="inc-md-cert-mdq.pem"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
</MetadataProvider>

<!-- Non Federated Entities use local file -->
<MetadataProvider type="XML" path="non_federation_metadata.xml"/>

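The two failure modes in this thread (an entityID that is not in the federation aggregate, so the MDQ lookup returns 404, and an IdP whose metadata carries no shibmd:Scope, so scoped attributes such as eppn are dropped) can both be checked offline before touching shibboleth2.xml. The script below is an added example written for this page, not Dryad's code and not the Shibboleth SP's own resolver; the metadata document it parses is constructed sample data (example.edu and example.org entities, not NMSU's real metadata), and the scope check is a simplified model of the SP's ScopeMatchesShibMDScope rule, not the SP's implementation. What it does show is exactly what the SP does in order: look the entityID up in the local XML file first, and only if it is absent compute the MDQ URL that a Dynamic provider would fetch, with the same percent-encoding visible in the 404 log lines above.

```python
"""Offline checks for a Shibboleth SP metadata setup: local-file lookup before
MDQ, the MDQ URL the SP would request, and whether a scoped attribute value
would pass the IdP's published scope."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# eduPersonPrincipalName in OID form, the name the SP's default attribute-map keys on.
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"

MDQ_BASE = "https://mdq.incommon.org/"

# Constructed stand-in for non_federation_metadata.xml (sample data, not real IdP metadata).
# The first IdP publishes a Scope; the second does not, which is the bug the thread hit.
LOCAL_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://noscope.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://noscope.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def mdq_url(entity_id, base=MDQ_BASE):
    """URL an MDQ client requests for one entity: /entities/<entityID> with
    every reserved character, including ':' and '/', percent-encoded."""
    return base.rstrip("/") + "/entities/" + quote(entity_id, safe="")


def local_entities(xml_text):
    """Map entityID -> EntityDescriptor element from a local metadata file.
    Accepts either a single EntityDescriptor or an EntitiesDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        descriptors = [root]
    else:
        descriptors = root.findall(".//md:EntityDescriptor", NS)
    return {ed.get("entityID"): ed for ed in descriptors}


def idp_scopes(entity_descriptor):
    """shibmd:Scope values published under the IdP role (empty list if none)."""
    return [
        s.text.strip()
        for s in entity_descriptor.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS)
        if s.text
    ]


def resolve(entity_id, xml_text=LOCAL_METADATA):
    """Local file first; fall back to reporting the MDQ URL the SP would fetch."""
    ents = local_entities(xml_text)
    if entity_id in ents:
        return {"source": "local", "scopes": idp_scopes(ents[entity_id]), "mdq_url": None}
    return {"source": "mdq", "scopes": [], "mdq_url": mdq_url(entity_id)}


def scoped_value_accepted(value, scopes):
    """Simplified model (assumption, not the SP's code) of the SP's scope rule:
    a scoped value such as user@example.edu is kept only if its scope is one the
    IdP publishes in metadata. With no Scope published, every eppn is dropped,
    which is what the thread describes as the missing-scope failure."""
    if "@" not in value:
        return False
    scope = value.rsplit("@", 1)[1].lower()
    return scope in [s.lower() for s in scopes]


if __name__ == "__main__":
    for eid in ("https://idp.example.edu/idp/shibboleth",
                "https://noscope.example.org/idp",
                "https://sts.windows.net/a3ec87a8-9fb8-4158-ba8f-f11bace1ebaa/"):
        r = resolve(eid)
        print(eid, "->", r["source"], r["scopes"] or r["mdq_url"])
    print(scoped_value_accepted("someone@example.edu", ["example.edu"]))
    print(scoped_value_accepted("someone@example.edu", []))
```

Run it against the real non_federation_metadata.xml by passing its contents to resolve(); an entityID that comes back as "mdq" is one the SP will send to mdq.incommon.org, and a 404 there means the entity is simply not in the InCommon aggregate, not that the local file was ignored. An IdP whose resolve() result has an empty scopes list is the case where eppn never reaches the application, regardless of whether the attribute is released by friendly name or by OID.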
marisastrong commented 3 years ago

This issue was resolved by adding scope to the IdP metadata and having NMSU pass in the OID format of the attributes vs eppn or eduPersonPrincipalName. This is a known issue and documented in the Shibboleth notes on Confluence. There also was a separate issue where an NMSU user was trying to authenticate into ORCID using their institution's SSO. That integration did not succeed, which made it appear that the Dryad / Institution SSO integration was not working. Once we understood the workflow that occurred (ORCID - SSO sign-on), we advised the user to authenticate to ORCID with username/pwd credentials and the Dryad login succeeded.

sfisher commented 3 years ago

Thanks for going through all this, Marisa.

That integration of institutions at ORCID is very confusing and doesn't seem to work for lots of people, also.