List:       shibboleth-users
Subject:    Re: shibboleth.SAML2PersistentGenerator question
From:       Les LaCroix via users <users () shibboleth ! net>
Date:       2021-02-22 20:01:58
Message-ID: CA+0uUd8YRaTNRHZnWZKFDCDDJTjBtjnhJ=cGeSwbA5TXrXLipA () mail ! gmail ! com


Scott and Peter, thank you for your responses.  You confirmed that it
wasn't an obvious mistake that I missed.  Thanks!

I'm going to go down a different path, namely one of not caring.  Since
late August, my users have logged in to 5 SPs that specifically request a
persistent nameid.  Of the five, two have a special nameid generator
because they demand that the nameid is actually an email address or eppn.
Two others I know for sure that they look at attributes and not the
subject.  I'm willing to bet that the final one also doesn't care about
the nameid in the subject, since its metadata lists eppn, epuid, and eptid
among the requested attributes.

-Les

p.s. I determined that my problem wasn't introduced when I tried to upgrade
to v4, but sometime before then.  I still don't know what I did to create
the problem: the relevant properties are the same, and as far as I can
tell, we've never made changes to the c14n
configs.  idp.persistentId.generator has always been commented out in
saml-nameid.properties.  But I don't think I care.


<http://www.carleton.edu/>

*Les LaCroix '79*

Strategic Technologist

Information Technology Services

t: (507) 222-5455


On Mon, Feb 22, 2021 at 7:26 AM Cantor, Scott <cantor.2@osu.edu> wrote:

> Basically that's all impossible, so that leaves "something you think is
> the same isn't", and there's not really any way to debug that but you.
>
> The inputs to the calculation are obviously the principal, salt, and SP
> entityID, and then the digest and encoding. One of them's not the same,
> that's really all there is to it.
>
> I would maybe be looking at principal name and perhaps see if subject c14n
> is not doing what it was doing originally.
>
> -- Scott
>
>
>
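Scott's reply above lists the inputs that determine a computed persistent ID: the principal name (after subject c14n), the salt, the SP entityID, and then the digest algorithm and the output encoding. The script below is an added example, not code from this thread or from the Shibboleth project; it recomputes an ID from those inputs and then searches a small set of candidate inputs to find which combination reproduces an ID value recorded earlier, which is the kind of "something you think is the same isn't" check Scott describes. It assumes the computed-ID layout is a digest over `entityID!principal!salt` followed by Base64 (or Base32) encoding of the raw digest bytes; the entityID, salt and principal values are constructed for illustration, and the exact layout and padding rules should be verified against the IdP documentation before trusting a result.

```python
import base64
import hashlib
from itertools import product

# Constructed sample values for illustration only (not from the thread).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SALT = "constructed-salt-value"


def computed_persistent_id(principal, sp_entity_id, salt, digest="sha1", encoding="base64"):
    """Recompute a computed-style persistent NameID from its inputs.

    Assumed layout (my reading of the computed-ID strategy; confirm against the
    IdP documentation): digest over "<SP entityID>!<principal>!<salt>", then
    Base64 or Base32 encoding of the raw digest bytes.
    """
    if encoding not in ("base64", "base32"):
        raise ValueError(f"unsupported encoding: {encoding}")
    h = hashlib.new(digest)
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(principal.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    raw = h.digest()
    if encoding == "base64":
        return base64.b64encode(raw).decode("ascii")
    return base64.b32encode(raw).decode("ascii")


def find_matching_inputs(expected_id, principals, sp_entity_ids, salts,
                         digests=("sha1", "sha256"), encodings=("base64", "base32")):
    """Return every (principal, entityID, salt, digest, encoding) combination
    that reproduces expected_id.

    Feed it an ID value the SP recorded before the change, plus the variants of
    each input you suspect (e.g. scoped vs. unscoped principal, different case,
    entityID with or without a trailing slash, old vs. new salt). An empty result
    means none of the suspected variants explains the difference.
    """
    matches = []
    for principal, entity_id, salt, digest, encoding in product(
            principals, sp_entity_ids, salts, digests, encodings):
        candidate = computed_persistent_id(principal, entity_id, salt, digest, encoding)
        if candidate == expected_id:
            matches.append((principal, entity_id, salt, digest, encoding))
    return matches


if __name__ == "__main__":
    # Constructed scenario: the SP stored an ID when c14n produced "jdoe";
    # after a configuration change c14n produces "jdoe@example.edu" instead.
    stored_id = computed_persistent_id("jdoe", SP_ENTITY_ID, SALT)
    current_id = computed_persistent_id("jdoe@example.edu", SP_ENTITY_ID, SALT)
    print("stored :", stored_id)
    print("current:", current_id)

    # Try the plausible variants of each input and report which one reproduces
    # the stored value; the principal form is the one that differs here.
    for hit in find_matching_inputs(
            stored_id,
            principals=["jdoe@example.edu", "JDoe", "jdoe"],
            sp_entity_ids=[SP_ENTITY_ID, SP_ENTITY_ID + "/"],
            salts=[SALT]):
        print("stored ID reproduced with:", hit)
```

Running it prints the two differing IDs and then the single input combination (principal `jdoe`, SHA-1, Base64) that reproduces the stored value, which points at the principal, and therefore at subject c14n, as the input that changed.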




-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net

