purepennons / gss

Automatically exported from code.google.com/p/gss

Shibboleth attribute retrieval #25

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi,

I'm working on GSS deployment in CRO-NGI infrastructure together with Nikola 
and Damir who already posted some questions here.

We managed to deploy GSS with Shibboleth authentication in our testing 
environment, but after successful authentication GSS received only null values 
for all the attributes.

In order to make things work I had to slightly modify source code in 
gr.ebs.gss.server.Login.java and gr.ebs.gss.server.CouponHandler.java classes.
Specifically, in gr.ebs.gss.server.Login.java I had to replace the original 
block of code

 String[] attrs = new String[] {"REMOTE_USER", 
                                "HTTP_SHIB_INETORGPERSON_DISPLAYNAME",
                                "HTTP_SHIB_INETORGPERSON_GIVENNAME",
                                "HTTP_SHIB_PERSON_COMMONNAME",
                                "HTTP_SHIB_PERSON_SURNAME", 
                                "HTTP_SHIB_INETORGPERSON_MAIL", 
                                "HTTP_SHIB_EP_UNSCOPEDAFFILIATION", 
                                "HTTP_PERSISTENT_ID"};
 ...
 Object usernameAttr = request.getAttribute("REMOTE_USER");
 Object nameAttr = request.getAttribute("HTTP_SHIB_INETORGPERSON_DISPLAYNAME");
 Object givennameAttr = request.getAttribute("HTTP_SHIB_INETORGPERSON_GIVENNAME");
 Object cnAttr = request.getAttribute("HTTP_SHIB_PERSON_COMMONNAME");
 Object snAttr = request.getAttribute("HTTP_SHIB_PERSON_SURNAME");
 Object mailAttr = request.getAttribute("HTTP_SHIB_INETORGPERSON_MAIL");
 Object persistentIdAttr = request.getAttribute("HTTP_PERSISTENT_ID");

with:

 String[] attrs = new String[] {"eduPersonPrincipalName", "displayName",
                                "givenName", "cn",
                                "sn", "mail",
                                "unscoped-affiliation", "persistent-id"};
 ...
 Object usernameAttr = request.getHeader("eduPersonPrincipalName");
 Object nameAttr = request.getHeader("displayName");
 Object givennameAttr = request.getHeader("givenName");
 Object cnAttr = request.getHeader("cn");
 Object snAttr = request.getHeader("sn");
 Object mailAttr = request.getHeader("mail");
 Object persistentIdAttr = request.getHeader("persistent-id");

I also had to make similar changes in gr.ebs.gss.server.CouponHandler.java

I installed Shibboleth 2.3.1 from CentOS package and configured Apache to work 
with mod_shib and mod_jk following standard installation and configuration 
instructions.

This is my first installation of Shibboleth SP and although everything seems to 
work fine, I would really appreciate it if you had any suggestions on how to make 
things work without those source code modifications.

Best Regards,

Dubravko Voncina
University Computing Centre
University of Zagreb, Croatia

Original issue reported on code.google.com by dubravko...@srce.hr on 18 Aug 2010 at 3:02

GoogleCodeExporter commented 8 years ago
This is probably caused by you looking for the Shibboleth properties using 
request.getHeader() instead of request.getAttribute(). Shibboleth attributes 
are passed by mod_shib and mod_jk via attributes in the request object.

I'm also curious about why you decided to change the attribute names. In our 
installation, mod_shib sends the capitalized names that correspond to the 
traditional, CGI-inspired convention. I'm attaching a copy of our mod_jk 
configuration for your reference. In there we specify the environment variable 
names that will be sent by mod_jk to the Login servlet in tomcat/jboss.

Original comment by past...@gmail.com on 19 Aug 2010 at 9:37

GoogleCodeExporter commented 8 years ago
Thank you for the tip.
Looking at the jk.conf file that you provided I can see that 'JkEnvVar' 
parameters in my current Apache configuration are missing. That is probably the 
reason why I was receiving null values for all the attributes. As I said, this 
is the first time we are deploying Shibboleth SP, mod_shib and mod_jk (we are using 
the SAML protocol in our AAI federation, but without Shibboleth) so I had no 
previous experience of how to configure things properly.
I'm currently on vacation and have very limited access to our testing 
environment, but as soon as I get back to work I'll try to fix things according 
to your instructions.

Dubravko

Original comment by dubravko...@srce.hr on 22 Aug 2010 at 6:38

GoogleCodeExporter commented 8 years ago
Hi, I'm Faidon Liambotis, I work at GRNET's NOC and was the one that deployed 
GSS on GRNET. A couple of comments from me:

* About using request headers to pass on attributes: this is a practice used in 
the 1.3 days but is discouraged nowadays. Have a look at
  https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess
and the spoof checking section. Also have a look at the "ShibUseHeaders" and 
"ShibUseEnvironment" config options at:
  https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig

* About the attribute names, you can choose your own names at the 
attribute-map.xml configuration file. If these are passed via the environment 
to the application, you'll see the HTTP_* (capitalized & underscored) 
convention used.

Original comment by parav...@gmail.com on 27 Aug 2010 at 12:02
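An Apache fragment that ties the two replies above together: the JkEnvVar lines the first reply says were missing, and the environment-versus-headers setting the second reply points to. This is an added example, not the jk.conf attached to the thread; the /gss mount path and the worker name are assumptions, and the attribute names are the ones the unmodified Login.java reads with request.getAttribute().

```apache
# Added example, not the jk.conf from this thread. The mount path and worker
# name are assumptions; the HTTP_* names are those gr.ebs.gss.server.Login.java
# reads with request.getAttribute(). The list must match the ids the SP
# actually exports in your deployment (they follow attribute-map.xml).

# Hand the GSS web application to Tomcat/JBoss through mod_jk.
JkMount /gss/* ajp13_worker

<Location /gss>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # SP 2.x defaults, spelled out so the intent is visible: attributes are
    # published as server environment variables, not as request headers.
    # A client can send arbitrary headers; it cannot set server-side
    # environment variables, so the application is not exposed to spoofing.
    ShibUseEnvironment On
    ShibUseHeaders Off
    Require valid-user
</Location>

# mod_jk forwards only the environment variables it is told about. Each
# JkEnvVar makes the named variable visible to the servlet as a request
# attribute, i.e. request.getAttribute("HTTP_SHIB_INETORGPERSON_MAIL").
# Without these lines the servlet sees null for every attribute, which is
# the symptom reported at the top of this issue.
JkEnvVar REMOTE_USER
JkEnvVar HTTP_SHIB_INETORGPERSON_DISPLAYNAME
JkEnvVar HTTP_SHIB_INETORGPERSON_GIVENNAME
JkEnvVar HTTP_SHIB_PERSON_COMMONNAME
JkEnvVar HTTP_SHIB_PERSON_SURNAME
JkEnvVar HTTP_SHIB_INETORGPERSON_MAIL
JkEnvVar HTTP_SHIB_EP_UNSCOPEDAFFILIATION
JkEnvVar HTTP_PERSISTENT_ID
```

With this in place the servlet keeps using request.getAttribute(), and the getHeader() rewrite described in the first post is not needed.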

GoogleCodeExporter commented 8 years ago
Since it's been a month with no feedback I'm assuming this is now resolved and 
I'm closing the issue. If that is not the case, let us know.

Original comment by past...@gmail.com on 28 Sep 2010 at 12:14