List: shibboleth-users
Subject: Re: Configuring Slack to use Shibboleth
From: David Langenberg <davel () uchicago ! edu>
Date: 2016-04-29 16:34:55
Message-ID: etPan.57238d2d.129fc2d8.54b () mduggan-lt ! ad ! it ! ucla ! edu
We have slack + shib working (IdPv3):

relying-party.xml:

<bean id="slack" parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'https://uchicago-psd.slack.com'}}">
    <property name="profileConfigurations">
        <list>
            <!-- postAuthenticationFlows="context-check" is uchicago-specific,
                 nothing to do with slack, ignore -->
            <bean id="b7" parent="SAML2.SSO"
                  p:postAuthenticationFlows="context-check"
                  p:encryptAssertions="false"
                  p:includeAttributeStatement="true"
                  p:signAssertions="true"
                  p:proxyCount="0"
                  p:assertionLifetime="PT1M"
                  p:encryptNameIDs="false"
                  p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'}}"
                  p:signResponses="true" />
        </list>
    </property>
</bean>
saml-nameid.xml:

<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      p:attributeSourceIds="#{{'uid'}}" />

You need to create & release a User.Email attribute.

attribute-resolver.xml:

<resolver:AttributeDefinition id="User.Email" xsi:type="Simple"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="scriptedEmail"/>
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="User.Email" friendlyName="mail"/>
</resolver:AttributeDefinition>

attribute-filter.xml:

<afp:AttributeFilterPolicy id="Slack.com">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://uchicago-psd.slack.com" />
    <afp:AttributeRule attributeID="User.Email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="uid">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="sn">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <!-- probably don't need this -->
    <afp:AttributeRule attributeID="eduPersonTargetedId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
--
David Langenberg
Identity & Access Management Architect
University of Chicago
On April 29, 2016 at 10:15:01 AM, Matt Brennan (brennanma@gmail.com) wrote:

Did you guys get this to work? I'm trying to set it up, but every time I hit "Save"
it authenticates me through the IdP and brings me back to the default chat room. I
can't seem to find any log messages (on either side) that actually give a hint what's
going on.

-Matt

On Thu, Apr 14, 2016 at 5:37 PM, Nate Klingenstein <ndk@sudonym.me> wrote:

> They provide documentation for their custom SAML process here:
> https://get.slack.help/hc/en-us/articles/205168057

I was just reviewing this last night. Beyond the typical custom implementation
stuff, one thing that jumped out at me is the Required for both:

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    NameQualifier="TEAMDOMAIN.slack.com"
    SPNameQualifier="https://slack.com/">Your Unique Identifier</saml:NameID>

and

<saml:Attribute Name="User.Email"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>

I haven't played with it to see what happens if one, the other, neither, both, or a
changed value gets sent. It's my next step, so if anyone knows anything, it would be
helpful.

My hope is that they just use the persistentId as an identifier and email as email.
I have lots of hope in life, though.

--
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
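Added example for this archive page (not code from the thread, from Shibboleth or from Slack): a small Python check that parses an assertion the IdP produced and compares it with the two elements Slack's documentation marks as required, exactly as quoted by Nate above. Both sample assertions are constructed; the team domain TEAMDOMAIN, the NameQualifier/SPNameQualifier values and the User.Email NameFormat are taken from that quoted snippet, and the assumption that Slack wants precisely those values is the open question the thread raises. When, as in Matt's case, neither side logs anything useful, running a decrypted assertion through a check like this tells you which of the documented elements the IdP is actually sending.

```python
"""Check a SAML 2.0 Assertion against the NameID and User.Email elements
Slack's SAML documentation marks as required (quoted in the thread above).
Added example for this archive page; not code from the thread, from
Shibboleth or from Slack.  The sample assertions below are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
SLACK_SP_QUALIFIER = "https://slack.com/"

# Constructed: the two elements from the quoted Slack snippet, wrapped in a
# minimal Assertion (signature, issuer and conditions omitted for brevity).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="TEAMDOMAIN.slack.com"
        SPNameQualifier="https://slack.com/">Your Unique Identifier</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed counterexample: a transient NameID qualified by a made-up IdP
# entityID, and no User.Email attribute released at all.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.example.edu/idp/shibboleth"
        SPNameQualifier="https://slack.com/">_0123456789abcdef</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""


def check_slack_assertion(xml_text, team_domain):
    """Return a list of problems found; an empty list means the assertion
    carries both documented elements with the documented values."""
    problems = []
    root = ET.fromstring(xml_text)

    # Required element 1: a persistent NameID qualified for the team domain.
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no Subject/NameID element")
    else:
        fmt = name_id.get("Format")
        if fmt != PERSISTENT:
            problems.append("NameID Format is %r, expected persistent" % fmt)
        want_nq = team_domain + ".slack.com"
        if name_id.get("NameQualifier") != want_nq:
            problems.append("NameQualifier is %r, expected %r"
                            % (name_id.get("NameQualifier"), want_nq))
        if name_id.get("SPNameQualifier") != SLACK_SP_QUALIFIER:
            problems.append("SPNameQualifier is %r, expected %r"
                            % (name_id.get("SPNameQualifier"), SLACK_SP_QUALIFIER))
        if not (name_id.text or "").strip():
            problems.append("NameID has no value")

    # Required element 2: a User.Email attribute with an e-mail address in it.
    emails = [a for a in root.findall("./saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == "User.Email"]
    if not emails:
        problems.append("no User.Email attribute released")
    else:
        attr = emails[0]
        if attr.get("NameFormat") != UNSPECIFIED:
            problems.append("User.Email NameFormat is %r, documented value is unspecified"
                            % attr.get("NameFormat"))
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if not any("@" in v for v in values):
            problems.append("User.Email has no e-mail-shaped value: %r" % values)
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        found = check_slack_assertion(doc, "TEAMDOMAIN")
        print(label, "->", "OK" if not found else "; ".join(found))
```

The NameFormat comparison is deliberately the strictest reading of the quoted snippet: the check flags anything other than the unspecified format because that is what the documentation shows, but whether Slack actually enforces it is exactly what Nate says he has not yet tested. Feed the function the decrypted Assertion element (the IdP configuration above sets encryptAssertions="false", so the element in the SAML Response can be parsed directly).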