Set up Shibboleth SAML Auth

[labradford]

Part of #583

Set up Shibboleth SAML Auth using Devise and Omniauth SAML

Testing Instructions

• [ ] navigate to pittir.commons-archive.org
• [ ] click login in the upper right corner of the page
• [ ] use pitt credentials to login
• [ ] verify that you are logged in See Lea Ann for SoftServ credentials

[labradford]

• Link to SAML is added to login page
• clicking link redirects to Pitt Passport page with this error:

URL request:

fZFLa8MwEIT%2Fim862XKch4OIU0xCIZA%2BiNseeimys8YisuRqV2nz76s09AGF3vYw8%2B3s7AJlrwdReurMDl49IEUlIjhS1qysQd%2BDq8AdVQOPu23BOqIBBed7OCbd6eATChbugwO5DBR%2BBvJGal3L5nClbRihAMOidRAqI8%2FgH8wgEQfrKBkUUQJ7z9V%2B4IOzrdLAq07VtdUQsFV1x6LNumAv%2BaidjNoxxPW0nsWTPM%2FjeV1DPB3XkELbTGfZJEgRPWwMkjRUsCzNxnE6i7P8IRuLUSqm82cWPYXQn2myJGXRe68NinP8gnlnhJWoUBjZAwpqRFXebEUQCvlVz2%2FL8L8nHES2sZotF5fCb4Nks763WjWnqNTavq0cSIKCkfPAomvrekkXaC8bEPhdhRgF4HnFZg%2BGVKvAMb5c8L%2BfXH4A

using https://developer.pingidentity.com/en/tools/saml-decoder.html it decodes to

<samlp:AuthnRequest 

AssertionConsumerServiceURL='https://dev.hyku.test/users/auth/saml/callback?locale=en' 

Destination='https://passport.pitt.edu/idp/profile/Shibboleth/SSO' ID='_71f41f3e-b5b6-4777-8bbe-53be0efc5624' 

IssueInstant='2023-06-27T23:10:58Z' 

Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>

<samlp:NameIDPolicy 

AllowCreate='true' 

Format='urn:mace:shibboleth:1.0:nameIdentifier'/>

</samlp:AuthnRequest>

[labradford]

Created AuthnRequest: <samlp:AuthnRequest AssertionConsumerServiceURL='https://dev.hyku.test/users/auth/saml/callback?locale=en' Destination='https://passport.pitt.edu/idp/profile/Shibboleth/SSO' ID='_f848998f-69dd-459b-bc57-10961bdd7e88' IssueInstant='2023-06-27T23:07:20Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><samlp:NameIDPolicy AllowCreate='true' Format='urn:mace:shibboleth:1.0:nameIdentifier'/></samlp:AuthnRequest>

[labradford]

{:idp_entity_id=>"https://passport.pitt.edu/idp/shibboleth", :name_identifier_format=>"urn:mace:shibboleth:1.0:nameIdentifier", :idp_sso_service_url=>"https://passport.pitt.edu/idp/profile/Shibboleth/SSO", :idp_sso_service_binding=>"urn:mace:shibboleth:1.0:profiles:AuthnRequest", :idp_slo_service_url=>nil, :idp_slo_service_binding=>nil, :idp_slo_response_service_url=>nil, :idp_attribute_names=>[], :idp_cert=>nil, :idp_cert_fingerprint=>nil, :idp_cert_multi=>{:signing=>["\nMIIDLzCCAhegAwIBAgIUZiByS7B062+ol+pZKrqkwBxrqLUwDQYJKoZIhvcNAQEL\nBQAwHDEaMBgGA1UEAwwRcGFzc3BvcnQucGl0dC5lZHUwHhcNMTUxMTEzMTczMDQ3\nWhcNMzUxMTEzMTczMDQ3WjAcMRowGAYDVQQDDBFwYXNzcG9ydC5waXR0LmVkdTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIXgP4IOEjINaJ9dePEzc5Wp\nJ8+Ytw0Ojc/JlImfMlUf9yiwiQZQhYIv7C7KmSIgBBvzj/4e6x+tGioE3vIPq9Yz\n47zLOUjzsPgSXnmqSujVCF1zce5aXsjwNcZ5JFN037pgoNLpwtuzfLg9sPbTdQV4\ndRGE07eIXiil6+ER1diFrmGQYSrlfY8DX4sZzl7er6eNEkN5bb3sYK4W13g54Vwf\nBT9/nZe8dsVq7HSZeGdqtyU9Vm49BxpRJLi/X1xsoTCsa8jSRGhpfktR/UygnMWc\noKfayjUC/3fjyBBEvb2EbIiAByYZeApM8zCynHpoHbNTCECIfmkQ6YYohEVave8C\nAwEAAaNpMGcwHQYDVR0OBBYEFAguZrxqsqNCg5KQhdAnsGrSFZEgMEYGA1UdEQQ/\nMD2CEXBhc3Nwb3J0LnBpdHQuZWR1hihodHRwczovL3Bhc3Nwb3J0LnBpdHQuZWR1\nL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQBdX30sZVe9QfYYJydn\nx+nWdKeGT0FxqPHaLaa/NHREOetOG1DHYCi617zy0bXq9Vnm+bZpqIheBHwzGzpk\nU5MJrPjwnmy1YyjoFNKy9N5KTQ+nCv7fKfLv55LSNE685T144B2KcRcFg3cDd2jt\nkeVXfOYIBWnyEPnFeTlVA5Y16kbly78ixjTRGXaSLtrwCOJ25kM2+RAyZwp6/lHC\nS6tSx6TluEVAaA9y/ByyF41xdJk6iqgtqR6NmUIZLZlJ5dAOoyddHFgzWnKCqvtF\nRtrlnjGNwrHyXGWJbgY7wixreqLbBKAQ+nbaesqlCii8lR/5LawpnSAZmGD2diwl\n133k\n ", "\nMIIDLzCCAhegAwIBAgIUZiByS7B062+ol+pZKrqkwBxrqLUwDQYJKoZIhvcNAQEL\nBQAwHDEaMBgGA1UEAwwRcGFzc3BvcnQucGl0dC5lZHUwHhcNMTUxMTEzMTczMDQ3\nWhcNMzUxMTEzMTczMDQ3WjAcMRowGAYDVQQDDBFwYXNzcG9ydC5waXR0LmVkdTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIXgP4IOEjINaJ9dePEzc5Wp\nJ8+Ytw0Ojc/JlImfMlUf9yiwiQZQhYIv7C7KmSIgBBvzj/4e6x+tGioE3vIPq9Yz\n47zLOUjzsPgSXnmqSujVCF1zce5aXsjwNcZ5JFN037pgoNLpwtuzfLg9sPbTdQV4\ndRGE07eIXiil6+ER1diFrmGQYSrlfY8DX4sZzl7er6eNEkN5bb3sYK4W13g54Vwf\nBT9/nZe8dsVq7HSZeGdqtyU9Vm49BxpRJLi/X1xsoTCsa8jSRGhpfktR/UygnMWc\noKfayjUC/3fjyBBEvb2EbIiAByYZeApM8zCynHpoHbNTCECIfmkQ6YYohEVave8C\nAwEAAaNpMGcwHQYDVR0OBBYEFAguZrxqsqNCg5KQhdAnsGrSFZEgMEYGA1UdEQQ/\nMD2CEXBhc3Nwb3J0LnBpdHQuZWR1hihodHRwczovL3Bhc3Nwb3J0LnBpdHQuZWR1\nL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQBdX30sZVe9QfYYJydn\nx+nWdKeGT0FxqPHaLaa/NHREOetOG1DHYCi617zy0bXq9Vnm+bZpqIheBHwzGzpk\nU5MJrPjwnmy1YyjoFNKy9N5KTQ+nCv7fKfLv55LSNE685T144B2KcRcFg3cDd2jt\nkeVXfOYIBWnyEPnFeTlVA5Y16kbly78ixjTRGXaSLtrwCOJ25kM2+RAyZwp6/lHC\nS6tSx6TluEVAaA9y/ByyF41xdJk6iqgtqR6NmUIZLZlJ5dAOoyddHFgzWnKCqvtF\nRtrlnjGNwrHyXGWJbgY7wixreqLbBKAQ+nbaesqlCii8lR/5LawpnSAZmGD2diwl\n133k\n "], :encryption=>["\nMIIDMDCCAhigAwIBAgIVANJ07z1fNkIV0lD9Ve89KN3gzBKSMA0GCSqGSIb3DQEB\nCwUAMBwxGjAYBgNVBAMMEXBhc3Nwb3J0LnBpdHQuZWR1MB4XDTE1MTExMzE3MzA0\nOFoXDTM1MTExMzE3MzA0OFowHDEaMBgGA1UEAwwRcGFzc3BvcnQucGl0dC5lZHUw\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCAadDai5NaRQW9XOuD0KHw\nGCeYzsUyKvGwi4AhcQBB2D5ZwVEZhg08NCvlD8s2kmlQIL58BDhe8/UKF+cFV9jR\nksiUDuIYY1L8ypm/9A0jKjq4J5dbY+zlkfpze8C34/qTIA5owBNmvlL4b6llOBV2\nsrDCbv2mho3j7fJICv+fm/SovPFQJBO8zVeNomXjm97aY9TRfrhzlZ0wVwAy700u\nuXRAar7qP+gC23gwAR4fL5WvI/kNABgcGPnBSnUOra1hxNtcK1MLgyqJbBkYosSR\njwlvHTyFICaR+KGqiuLJLPVn6SMlzs2ND20CHxOaz2oz3746ZTJDoHoQc/dvuOA3\nAgMBAAGjaTBnMB0GA1UdDgQWBBTyBzAX8brmshdB0o8aSTWVOg6MFTBGBgNVHREE\nPzA9ghFwYXNzcG9ydC5waXR0LmVkdYYoaHR0cHM6Ly9wYXNzcG9ydC5waXR0LmVk\ndS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAG2Ou9h7e4oED7Vou\nCeMh58qC9pt4H3gleMexTaZ2VovE7i/orVkbB36Ik6lplEjlo8o54PXurGIUOpm9\nbTGNuGODTMjjq6ojUNSawpz7W7DRqxJJvLTh2gGJSNCX3AOhfmDJvxCpHaOlEZ3R\nAlpGnV7EpG3uTaE4YCvep16gCpAyjJhmqV5ouMswH6SxXzUG4UqJAm+obblgoqcC\nXajmdjCN8hayTFsVy1H3a82M+zhcdpFo+QraqVan3Z29Lf9LIbGqngxWxGE4mchi\njdaqsVSwq38Xr96uO/Apms/9CPL/CayrvlbPpvcv0u9z5uEmmssPdW4DhaILLsRo\nzdvadQ==\n "]}, :valid_until=>nil, :cache_duration=>nil, :assertion_consumer_service_url=>"consumer_service_url", :sp_entity_id=>"sp_entity_id"}

[labradford]

New error using this config:

config.omniauth :saml, {
    :idp_entity_id=>"https://passport.pitt.edu/idp/shibboleth",
    :name_identifier_format=>"urn:oasis:tc:SAML:2.0:nameid-format:transient",
    :idp_sso_service_url=>"https://passport.pitt.edu/idp/profile/SAML2/Redirect/SSO",
    :idp_sso_service_binding=>"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    :idp_slo_service_url=>nil,
    :idp_cert=>'MIIDLzCCAhegAwIBAgIUZiByS7B062+ol+pZKrqkwBxrqLUwDQYJKoZIhvcNAQEL BQAwHDEaMBgGA1UEAwwRcGFzc3BvcnQucGl0dC5lZHUwHhcNMTUxMTEzMTczMDQ3 WhcNMzUxMTEzMTczMDQ3WjAcMRowGAYDVQQDDBFwYXNzcG9ydC5waXR0LmVkdTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIXgP4IOEjINaJ9dePEzc5Wp J8+Ytw0Ojc/JlImfMlUf9yiwiQZQhYIv7C7KmSIgBBvzj/4e6x+tGioE3vIPq9Yz 47zLOUjzsPgSXnmqSujVCF1zce5aXsjwNcZ5JFN037pgoNLpwtuzfLg9sPbTdQV4 dRGE07eIXiil6+ER1diFrmGQYSrlfY8DX4sZzl7er6eNEkN5bb3sYK4W13g54Vwf BT9/nZe8dsVq7HSZeGdqtyU9Vm49BxpRJLi/X1xsoTCsa8jSRGhpfktR/UygnMWc oKfayjUC/3fjyBBEvb2EbIiAByYZeApM8zCynHpoHbNTCECIfmkQ6YYohEVave8C AwEAAaNpMGcwHQYDVR0OBBYEFAguZrxqsqNCg5KQhdAnsGrSFZEgMEYGA1UdEQQ/ MD2CEXBhc3Nwb3J0LnBpdHQuZWR1hihodHRwczovL3Bhc3Nwb3J0LnBpdHQuZWR1 L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQBdX30sZVe9QfYYJydn x+nWdKeGT0FxqPHaLaa/NHREOetOG1DHYCi617zy0bXq9Vnm+bZpqIheBHwzGzpk U5MJrPjwnmy1YyjoFNKy9N5KTQ+nCv7fKfLv55LSNE685T144B2KcRcFg3cDd2jt keVXfOYIBWnyEPnFeTlVA5Y16kbly78ixjTRGXaSLtrwCOJ25kM2+RAyZwp6/lHC S6tSx6TluEVAaA9y/ByyF41xdJk6iqgtqR6NmUIZLZlJ5dAOoyddHFgzWnKCqvtF RtrlnjGNwrHyXGWJbgY7wixreqLbBKAQ+nbaesqlCii8lR/5LawpnSAZmGD2diwl 133k',
    :issuer=>"https://dev.hyku.test",
  }

[labradford]

JIO SAML setup https://github.com/scientist-softserv/jio/blob/57fa5ef65465822c539462cf9ef7795c31035dc4/jio_blacklight/config/initializers/devise.rb#L298

[labradford]

Is the plan to setup federated authentication via InCommon (preferred), or a direct IdP-SP connection (seemingly described below)?

If a direct IdP-SP connection, our X509 keys can be found in the metadata: https://passport.pitt.edu/idp/shibboleth and we will need your SP metadata from the staging and production sites for import into our IdP.

If federated via InCommon, you will simply publish your metadata to the federation, which already holds our metadata. If you are not currently members of InCommon, but are open to becoming members, I am happy to connect you with our InCommon administrators.

[labradford]

client sent request 7/17 to add our config to IdP

[labradford]

Central Pitt IT has confirmed that this is ready for testing. What URL do I use to initiate SP-based authentication? I have used the basic authentication credentials to access https://pittir.commons-archive.org/users/sign_in?locale=en, but I don't see a Shibboleth link.

Note that our process has typically been to deploy IdP changes to a pre-production server at 136.142.34.85, so a host file override should be needed to access passport.pitt.edu via that IP instead of via the production IP.

[labradford]

I, [2023-07-25T19:25:33.860621 #1] INFO -- : [55f8a1e1e70cd72632797c8c60de6d0a] Started POST "/users/auth/saml?locale=en" for 10.0.5.99 at 2023-07-25 19:25:33 +0000
--
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.863401 #1] DEBUG -- : [55f8a1e1e70cd72632797c8c60de6d0a] Account Load (0.8ms) SELECT "public"."accounts".* FROM "public"."accounts" INNER JOIN "public"."domain_names" ON "public"."domain_names"."account_id" = "public"."accounts"."id" WHERE "domain_names"."is_active" = $1 AND "domain_names"."cname" = $2 LIMIT $3 [["is_active", true], ["cname", "pittir.commons-archive.org"], ["LIMIT", 1]]
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.867401 #1] DEBUG -- : [55f8a1e1e70cd72632797c8c60de6d0a] Account Load (0.5ms) SELECT "public"."accounts".* FROM "public"."accounts" WHERE "public"."accounts"."tenant" = $1 LIMIT $2 [["tenant", "51cdb0ca-a42b-42f2-adbb-a59560b1c0eb"], ["LIMIT", 1]]
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.869991 #1] DEBUG -- : [55f8a1e1e70cd72632797c8c60de6d0a] SolrEndpoint Load (0.5ms) SELECT "public"."endpoints".* FROM "public"."endpoints" WHERE "public"."endpoints"."type" IN ('SolrEndpoint') AND "public"."endpoints"."id" = $1 LIMIT $2 [["id", 465], ["LIMIT", 1]]
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.871570 #1] DEBUG -- : [55f8a1e1e70cd72632797c8c60de6d0a] FcrepoEndpoint Load (0.5ms) SELECT "public"."endpoints".* FROM "public"."endpoints" WHERE "public"."endpoints"."type" IN ('FcrepoEndpoint') AND "public"."endpoints"."id" = $1 LIMIT $2 [["id", 466], ["LIMIT", 1]]
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.872817 #1] DEBUG -- : [55f8a1e1e70cd72632797c8c60de6d0a] RedisEndpoint Load (0.5ms) SELECT "public"."endpoints".* FROM "public"."endpoints" WHERE "public"."endpoints"."type" IN ('RedisEndpoint') AND "public"."endpoints"."id" = $1 LIMIT $2 [["id", 467], ["LIMIT", 1]]
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.874208 #1] DEBUG -- : [55f8a1e1e70cd72632797c8c60de6d0a] DataCiteEndpoint Load (0.5ms) SELECT "public"."endpoints".* FROM "public"."endpoints" WHERE "public"."endpoints"."type" IN ('DataCiteEndpoint') AND "public"."endpoints"."id" = $1 LIMIT $2 [["id", 468], ["LIMIT", 1]]
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.874864 #1] DEBUG -- omniauth: (saml) Request phase initiated.
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.876251 #1] DEBUG -- : [55f8a1e1e70cd72632797c8c60de6d0a] Created AuthnRequest: <samlp:AuthnRequest AssertionConsumerServiceURL='https://pittir.commons-archive.org/users/auth/saml/callback?locale=en' Destination='https://passport.pitt.edu/idp/profile/SAML2/Redirect/SSO' ID='_6b10fa10-5bf0-4080-a769-935c6098aacf' IssueInstant='2023-07-25T19:25:33Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>https://pittir.commons-archive.org</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/></samlp:AuthnRequest>
Tue, Jul 25 2023 12:25:33 pm | D, [2023-07-25T19:25:33.878169 #1] DEBUG -- : [55f8a1e1e70cd72632797c8c60de6d0a] Account Load (0.4ms) SELECT "public"."accounts".* FROM "public"."accounts" WHERE "public"."accounts"."tenant" = $1 LIMIT $2 [["tenant", "public"], ["LIMIT", 1]]
Tue, Jul 25 2023 12:25:33 pm | 10.0.4.228, 10.0.4.111 - - [25/Jul/2023:19:25:33 +0000] "POST /users/auth/saml?locale=en HTTP/1.0" 302 - 0.0322
Tue, Jul 25 2023 12:26:57 pm | I, [2023-07-25T19:26:57.053424 #1] INFO -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] Started GET "/" for 10.0.5.99 at 2023-07-25 19:26:57 +0000
Tue, Jul 25 2023 12:26:57 pm | D, [2023-07-25T19:26:57.055913 #1] DEBUG -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] Account Load (0.8ms) SELECT "public"."accounts".* FROM "public"."accounts" INNER JOIN "public"."domain_names" ON "public"."domain_names"."account_id" = "public"."accounts"."id" WHERE "domain_names"."is_active" = $1 AND "domain_names"."cname" = $2 LIMIT $3 [["is_active", true], ["cname", "35.83.56.226"], ["LIMIT", 1]]
Tue, Jul 25 2023 12:26:57 pm | I, [2023-07-25T19:26:57.056981 #1] INFO -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] Processing by Hyrax::HomepageController#index as HTML
Tue, Jul 25 2023 12:26:57 pm | D, [2023-07-25T19:26:57.057884 #1] DEBUG -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] CACHE Account Load (0.0ms) SELECT "public"."accounts".* FROM "public"."accounts" INNER JOIN "public"."domain_names" ON "public"."domain_names"."account_id" = "public"."accounts"."id" WHERE "domain_names"."is_active" = $1 AND "domain_names"."cname" = $2 LIMIT $3 [["is_active", true], ["cname", "35.83.56.226"], ["LIMIT", 1]]
Tue, Jul 25 2023 12:26:57 pm | I, [2023-07-25T19:26:57.063753 #1] INFO -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] Completed 404 Not Found in 7ms (ActiveRecord: 0.0ms)
Tue, Jul 25 2023 12:26:57 pm | D, [2023-07-25T19:26:57.063940 #1] DEBUG -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] User excluded error: #<ActionController::RoutingError: Not Found>
Tue, Jul 25 2023 12:26:57 pm | F, [2023-07-25T19:26:57.064469 #1] FATAL -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1]
Tue, Jul 25 2023 12:26:57 pm | F, [2023-07-25T19:26:57.064502 #1] FATAL -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] ActionController::RoutingError (Not Found):
Tue, Jul 25 2023 12:26:57 pm | F, [2023-07-25T19:26:57.064522 #1] FATAL -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1]
Tue, Jul 25 2023 12:26:57 pm | F, [2023-07-25T19:26:57.064551 #1] FATAL -- : [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] app/controllers/application_controller.rb:31:in `block in <class:ApplicationController>'
Tue, Jul 25 2023 12:26:57 pm | [4adcc4c6-a8f1-4a2a-ba20-66e54df7bcc1] app/middleware/no_cache_middleware.rb:13:in `call'
Tue, Jul 25 2023 12:26:57 pm | 10.0.4.72 - - [25/Jul/2023:19:26:57 +0000] "GET /404 HTTP/1.0" 404 1564 0.0123
Tue, Jul 25 2023 12:27:05 pm | I, [2023-07-25T19:27:05.663380 #1] INFO -- : [bd20609abcade84357f992028ffc20e0] Started GET "/sitemap.txt" for 10.0.5.99 at 2023-07-25 19:27:05 +0000
Tue, Jul 25 2023 12:27:05 pm | D, [2023-07-25T19:27:05.665983 #1] DEBUG -- : [bd20609abcade84357f992028ffc20e0] Account Load (0.8ms) SELECT "public"."accounts".* FROM "public"."accounts" INNER JOIN "public"."domain_names" ON "public"."domain_names"."account_id" = "public"."accounts"."id" WHERE "domain_names"."is_active" = $1 AND "domain_names"."cname" = $2 LIMIT $3 [["is_active", true], ["cname", "commons-archive.org"], ["LIMIT", 1]]
Tue, Jul 25 2023 12:27:05 pm | D, [2023-07-25T19:27:05.667051 #1] DEBUG -- : [bd20609abcade84357f992028ffc20e0] User excluded error: #<ActionController::RoutingError: No route matches [GET] "/sitemap.txt">
Tue, Jul 25 2023 12:27:05 pm | F, [2023-07-25T19:27:05.667366 #1] FATAL -- : [bd20609abcade84357f992028ffc20e0]
Tue, Jul 25 2023 12:27:05 pm | F, [2023-07-25T19:27:05.667398 #1] FATAL -- : [bd20609abcade84357f992028ffc20e0] ActionController::RoutingError (No route matches [GET] "/sitemap.txt"):
Tue, Jul 25 2023 12:27:05 pm | F, [2023-07-25T19:27:05.667439 #1] FATAL -- : [bd20609abcade84357f992028ffc20e0]
Tue, Jul 25 2023 12:27:05 pm | F, [2023-07-25T19:27:05.667467 #1] FATAL -- : [bd20609abcade84357f992028ffc20e0] app/middleware/no_cache_middleware.rb:13:in `call'
Tue, Jul 25 2023 12:27:05 pm | 10.0.4.228, 10.0.4.111 - - [25/Jul/2023:19:27:05 +0000] "GET /404 HTTP/1.0" 404 1564 0.0054
Tue, Jul 25 2023 12:28:07 pm | - Gracefully stopping, waiting for requests to finish
Tue, Jul 25 2023 12:28:07 pm | === puma shutdown: 2023-07-25 19:28:07 +0000 ===
Tue, Jul 25 2023 12:28:07 pm | - Goodbye!

[labradford]

Added Rob to this ticket since he did most of the work

[labradford]

I was automatically redirected through Passport to an authenticated Dashboard after touching the link below.

The username / email associated with the account was unexpected: aadzzwnyzxqx78ooqzjopxzrmvi5aoxvwvdrg3ltqi6rkwty7wrudi/7m89v+jklh8kbzen/yyx82y8l3senbr7zl8nh2kveztd0eixlzjqwortd2wlksonp9j/mzigyv6bfoxypc/ug0gaeavkv0yndr4cvykp0evzw5qdbt+e2xwjcdw==@example.com

I'm attaching the SAML which Passport sent to the SP as a reference.

[labradford]

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://pittir.commons-archive.org/users/auth/saml/1/callback"
                 ID="_7cb651988baa5bd3fa74347d11d534ae"
                 InResponseTo="_12bd3e81-9e2e-43ae-8ae1-e5e49bf3df48"
                 IssueInstant="2023-08-15T19:19:56.065Z"
                 Version="2.0"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://passport.pitt.edu/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_7cb651988baa5bd3fa74347d11d534ae">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xsd"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>9G7BC04Vt4TPuNnRseHnUNFwf5y9DBmxgeXF5V2P5iM=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>H22o1SkreBF9OJo/6X7bV84crJI/60J52D5rfOS1jiA4GpcxQodrasm4VkAbWoP2Jcbhf3qQbwkQY1F9qnfUDAxZRja17QhX4rTvYrugkINA543BVDULD/LVExsFmmbdrJv+9nmsT1v9BP6M58wAjNYGwEBUiCpYRwMcS2IZqbNyu1VFmTe3/YBHCkQ7fV5yudeUEgI18R+0MFpbYiDLBgVyPNhl2WftUoJf9Al00WzA3DNnPgTAx1T6f4BkDHG61bEZuL5M2LN4GpAcPqhmGkg0yR4oloJoQzqn7U6YkSKcvipiPL/jQpLPEFHZEl88MBKm38LFFacUkU5nZco3BQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDLzCCAhegAwIBAgIUZiByS7B062+ol+pZKrqkwBxrqLUwDQYJKoZIhvcNAQELBQAwHDEaMBgG
A1UEAwwRcGFzc3BvcnQucGl0dC5lZHUwHhcNMTUxMTEzMTczMDQ3WhcNMzUxMTEzMTczMDQ3WjAc
MRowGAYDVQQDDBFwYXNzcG9ydC5waXR0LmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAIXgP4IOEjINaJ9dePEzc5WpJ8+Ytw0Ojc/JlImfMlUf9yiwiQZQhYIv7C7KmSIgBBvzj/4e
6x+tGioE3vIPq9Yz47zLOUjzsPgSXnmqSujVCF1zce5aXsjwNcZ5JFN037pgoNLpwtuzfLg9sPbT
dQV4dRGE07eIXiil6+ER1diFrmGQYSrlfY8DX4sZzl7er6eNEkN5bb3sYK4W13g54VwfBT9/nZe8
dsVq7HSZeGdqtyU9Vm49BxpRJLi/X1xsoTCsa8jSRGhpfktR/UygnMWcoKfayjUC/3fjyBBEvb2E
bIiAByYZeApM8zCynHpoHbNTCECIfmkQ6YYohEVave8CAwEAAaNpMGcwHQYDVR0OBBYEFAguZrxq
sqNCg5KQhdAnsGrSFZEgMEYGA1UdEQQ/MD2CEXBhc3Nwb3J0LnBpdHQuZWR1hihodHRwczovL3Bh
c3Nwb3J0LnBpdHQuZWR1L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQBdX30sZVe9
QfYYJydnx+nWdKeGT0FxqPHaLaa/NHREOetOG1DHYCi617zy0bXq9Vnm+bZpqIheBHwzGzpkU5MJ
rPjwnmy1YyjoFNKy9N5KTQ+nCv7fKfLv55LSNE685T144B2KcRcFg3cDd2jtkeVXfOYIBWnyEPnF
eTlVA5Y16kbly78ixjTRGXaSLtrwCOJ25kM2+RAyZwp6/lHCS6tSx6TluEVAaA9y/ByyF41xdJk6
iqgtqR6NmUIZLZlJ5dAOoyddHFgzWnKCqvtFRtrlnjGNwrHyXGWJbgY7wixreqLbBKAQ+nbaesql
Cii8lR/5LawpnSAZmGD2diwl133k</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_f5f75c07b463308943fdc53c7cc45f65"
                     IssueInstant="2023-08-15T19:19:56.065Z"
                     Version="2.0"
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer>https://passport.pitt.edu/idp/shibboleth</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_f5f75c07b463308943fdc53c7cc45f65">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    PrefixList="xsd"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>F93bEk8cN7d2n8MnkBBvtbcxuDrHSweHFVHOBu03r/M=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>ah7qaOZq5K1i4zVpRpBkiQIOYSQoR872Oi4rl2OqjTcFfRRs2zAf8KJZFotppXfxUOWdskF+KVxAYGAcc89CZIKCnzt+G8G+9oZShimGzigsvdKljvAG2oXph5NXqR2LvLM9PVlZvMCgyHYJ6ky7eKxhJTsB+t6s3LeI2PIw3z2KW4E3Hn1NTZVV1zNMwl5m5hk+JGTZLVoUxUWLyixBxITPmfat7wYpUyZ5tvukIE/5OtJiOLMAh62JT5D3v9AD9OWLec8ohJ7C/RUY+ZpQW4Z/0vq3Rht/RMEBNcPmiakwhCizAQ6E4lF4Y/x4ZHO0XwjeloW7e6yi6GGsdP9YsQ==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDLzCCAhegAwIBAgIUZiByS7B062+ol+pZKrqkwBxrqLUwDQYJKoZIhvcNAQELBQAwHDEaMBgG
A1UEAwwRcGFzc3BvcnQucGl0dC5lZHUwHhcNMTUxMTEzMTczMDQ3WhcNMzUxMTEzMTczMDQ3WjAc
MRowGAYDVQQDDBFwYXNzcG9ydC5waXR0LmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAIXgP4IOEjINaJ9dePEzc5WpJ8+Ytw0Ojc/JlImfMlUf9yiwiQZQhYIv7C7KmSIgBBvzj/4e
6x+tGioE3vIPq9Yz47zLOUjzsPgSXnmqSujVCF1zce5aXsjwNcZ5JFN037pgoNLpwtuzfLg9sPbT
dQV4dRGE07eIXiil6+ER1diFrmGQYSrlfY8DX4sZzl7er6eNEkN5bb3sYK4W13g54VwfBT9/nZe8
dsVq7HSZeGdqtyU9Vm49BxpRJLi/X1xsoTCsa8jSRGhpfktR/UygnMWcoKfayjUC/3fjyBBEvb2E
bIiAByYZeApM8zCynHpoHbNTCECIfmkQ6YYohEVave8CAwEAAaNpMGcwHQYDVR0OBBYEFAguZrxq
sqNCg5KQhdAnsGrSFZEgMEYGA1UdEQQ/MD2CEXBhc3Nwb3J0LnBpdHQuZWR1hihodHRwczovL3Bh
c3Nwb3J0LnBpdHQuZWR1L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBAQBdX30sZVe9
QfYYJydnx+nWdKeGT0FxqPHaLaa/NHREOetOG1DHYCi617zy0bXq9Vnm+bZpqIheBHwzGzpkU5MJ
rPjwnmy1YyjoFNKy9N5KTQ+nCv7fKfLv55LSNE685T144B2KcRcFg3cDd2jtkeVXfOYIBWnyEPnF
eTlVA5Y16kbly78ixjTRGXaSLtrwCOJ25kM2+RAyZwp6/lHCS6tSx6TluEVAaA9y/ByyF41xdJk6
iqgtqR6NmUIZLZlJ5dAOoyddHFgzWnKCqvtFRtrlnjGNwrHyXGWJbgY7wixreqLbBKAQ+nbaesql
Cii8lR/5LawpnSAZmGD2diwl133k</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                          NameQualifier="https://passport.pitt.edu/idp/shibboleth"
                          SPNameQualifier="https://pittir.commons-archive.org/users/auth/saml/sp"
                          >AAdzZWNyZXQx78ooqzjOpXZrMvI5AOXVwvdrg3lTqI6RkwtY7wruDI/7M89V+JklH8kbzEN/Yyx82Y8L3sENBR7Zl8NH2KvEZTd0EiXLZJqWoRTD2WlKsONp9j/mzigyV6bfOXYPc/UG0gAeaVkv0yNdr4CvYKp0EvZW5QDBT+E2xwjCdw==</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="96.236.226.3"
                                               InResponseTo="_12bd3e81-9e2e-43ae-8ae1-e5e49bf3df48"
                                               NotOnOrAfter="2023-08-15T19:24:56.069Z"
                                               Recipient="https://pittir.commons-archive.org/users/auth/saml/1/callback"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2023-08-15T19:19:56.065Z"
                          NotOnOrAfter="2023-08-15T19:24:56.065Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://pittir.commons-archive.org/users/auth/saml/sp</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2023-08-15T12:01:29.129Z"
                              SessionIndex="_9b31aa916a063209301e5cb8b52b22b4"
                              >
            <saml2:SubjectLocality Address="96.236.226.3" />
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>https://refeds.org/profile/mfa</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="givenName"
                             Name="urn:oid:2.5.4.42"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >Clinton</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="workflowid"
                             Name="workflowid"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >05</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="eduPersonPrincipalName"
                             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>CTGRAHAM@pitt.edu</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="sn"
                             Name="urn:oid:2.5.4.4"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >Graham</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="mail"
                             Name="urn:oid:0.9.2342.19200300.100.1.3"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >CTGRAHAM@pitt.edu</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

[labradford]

QA - am able to login via pitt.edu login

[ctgraham]

Confirmed login with ctgraham and with trp89 and with chl310.