From: Willem E. <wi...@cl...> - 2017-06-14 11:42:10
The translation profile we use:

Name: SAML-Attributes
Description: The set of CLARIN attributes release to service providers
Rules:

1: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.6
     expression = idsByType['email'][0].replaceAll('@', '_') + '@clarin.eu'
     mandatory = false
     attributeDisplayName =
     attributeDescription =

2: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.5.4.10
     expression = 'CLARIN'
     mandatory = false
     attributeDisplayName =
     attributeDescription =

3: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.9
     expression = 'me...@cl...'
     mandatory = false
     attributeDisplayName =
     attributeDescription =

4: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.16.840.1.113730.3.1.241
     expression = attr['clarin-full-name']
     mandatory = false
     attributeDisplayName =
     attributeDescription =

5: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:0.9.2342.19200300.100.1.3
     expression = idsByType['email'][0]
     mandatory = false
     attributeDisplayName =
     attributeDescription =

6: Condition: groups contains '/clarin/academic'
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.7
     expression = 'http://www.clarin.eu/entitlement/academic'
     mandatory = false
     attributeDisplayName =
     attributeDescription =

7: Condition: groups contains '/clarin/normal'
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.7
     expression = 'http://www.clarin.eu/entitlement/none'
     mandatory = false
     attributeDisplayName =
     attributeDescription =

8: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.5.4.3
     expression = attr['cn']
     mandatory = false
     attributeDisplayName =
     attributeDescription =

9: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.10
     expression = idsByType['targetedPersistent'][0]
     mandatory = false
     attributeDisplayName =
     attributeDescription =

10: Condition: true
    Action: createAttribute
    Action parameters:
      attributeName = urn:mace:dir:attribute-def:eduPersonTargetedID
      expression = idsByType['targetedPersistent'][0]
      mandatory = false
      attributeDisplayName =
      attributeDescription =

The SAML request from SP -> IdP:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_AE13D5C8472D79640CE19B291E2442E8"
                    Version="2.0"
                    IssueInstant="2017-06-14T11:39:04Z"
                    Destination="https://idm.clarin.eu/saml-idp/saml2idp-web"
                    ForceAuthn="false"
                    IsPassive="false">
  <saml:Issuer>https://clarino.uib.no/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" />
</samlp:AuthnRequest>

The SAML response from IdP -> SP:

<urn:Response IssueInstant="2017-06-14T11:39:22.163Z"
              ID="SAMLY2lib_msg_8632ac33e351d8f2ba9316addaacff9bbba3e403cf02e3e"
              Version="2.0"
              InResponseTo="_AE13D5C8472D79640CE19B291E2442E8"
              xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol">
  <urn1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
               xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion">https://idm.clarin.eu</urn1:Issuer>
  <urn:Status>
    <urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <urn:StatusMessage>[Error: null pointer: idsByType['targetedPersistent'][0]] [Near : {... idsByType['targetedPersistent' ....}] ^ [Line: 1, Column: 1]</urn:StatusMessage>
  </urn:Status>
</urn:Response>

Hope this helps.

Best,
Willem

On 13/06/2017 11:27, Krzysztof Benedyczak wrote:
> Hi Willem,
>
> On 13.06.2017 at 11:05, Willem Elbers wrote:
>> Forgot to include the mailing list...
>
> Actually same here - the last time...
>
>> Hi Krzysztof,
>>
>> apologies for the delay, I became father again which took most of my
>> focus :)
>
> Huge congratulations!
>
>> After increasing the translation profile logging I can see the following
>> for my identity:
>>
>> Working login:
>>
>> Entity 261:
>> - [email] wi...@cl...
>> - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
>> - [targetedPersistent] 838bb7e5-dda6-4952-996e-6c25807e348a
>> - [transient] a5f7ef17-19b5-4d1f-9ed7-b48573ed3991
>> In group: /clarin
>> Groups: [/clarin/developer, /clarin-admin, /clarin/normal,
>>          /clarin/academic, /clarin, /]
>> Requester: https://sp.catalog.clarin.eu
>>
>> Failed login with problematic SP:
>>
>> Entity 261:
>> - [email] wi...@cl...
>> - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
>> In group: /clarin
>> Groups: [/clarin/developer, /clarin-admin, /clarin/normal,
>>          /clarin/academic, /clarin, /]
>> Requester: https://clarino.uib.no/
>>
>> As you can see from the log, for the problematic SP the
>> [targetedPersistent] and [transient] identities are missing, hence the
>> error.
>>
>> The SAML configuration is as follows:
>>
>> unity.saml.issuerURI=https://idm.clarin.eu
>> unity.saml.credential=IDP
>> unity.saml.defaultGroup=/clarin
>> unity.saml.spAcceptPolicy=validRequester
>> unity.saml.signResponses=asRequest
>> unity.saml.validityPeriod=3600
>> unity.saml.requestValidityPeriod=600
>> unity.saml.authenticationTimeout=20
>> unity.saml.acceptedSPMetadataSource.1.url=https://infra.clarin.eu/aai/md_about_spf_sps.xml
>> unity.saml.acceptedSPMetadataSource.2.url=file:///opt/dev-sp.clarin.eu.xml
>> unity.saml.refreshInterval=3600
>> unity.saml.translationProfile=SAML-Attributes
>> unity.saml.skipConsent=true
>>
>> Please let me know if you need more info.
>
> Yes, the critical part is your translation profile. Also can you
> describe the flow? I guess you have saml login to unity, correct? If
> so - the request would be helpful too.
>
> Best
> Krzysztof
>

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
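A constructed re-enactment of the failure reported in this thread, added here as an illustration; it is not Unity code and not anything posted by the participants. A toy evaluator runs a subset of the profile's createAttribute rules (every one with mandatory = false, as in the thread) against two identity sets shaped like the two log excerpts, and a small parser pulls the NameIDPolicy out of the posted AuthnRequest. The identity values and the e-mail address are placeholders; the guard condition on the eduPersonTargetedID rule is the Python analogue of a rule condition that checks the identity exists, and the exact MVEL spelling of such a guard in Unity is an assumption, not something taken from the thread.

```python
"""Toy re-enactment of the translation-profile failure in the thread above.

Added example, not Unity code: a minimal rule evaluator plus a NameIDPolicy
parser, run over identity sets shaped like the two log excerpts.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"

# Identity sets shaped like the Entity 261 log excerpts (values constructed).
WORKING_IDS = {
    "email": ["user@example.org"],
    "persistent": ["20940047-0000-4000-8000-000000000001"],
    "targetedPersistent": ["838bb7e5-0000-4000-8000-000000000002"],
    "transient": ["a5f7ef17-0000-4000-8000-000000000003"],
}
FAILING_IDS = {  # problematic SP: only email and persistent were logged
    "email": ["user@example.org"],
    "persistent": ["20940047-0000-4000-8000-000000000001"],
}
GROUPS = ["/clarin/developer", "/clarin-admin", "/clarin/normal",
          "/clarin/academic", "/clarin", "/"]


class ProfileError(Exception):
    """An expression dereferenced an identity the entity does not have."""


def first_id(ctx, id_type):
    """Python analogue of the MVEL expression idsByType['<type>'][0]."""
    return ctx["idsByType"][id_type][0]


# Rules as (condition, attributeName, expression, expression text): a subset
# of the thread's profile, every rule with mandatory = false.
RULES = [
    (lambda c: True, MAIL,
     lambda c: first_id(c, "email"), "idsByType['email'][0]"),
    (lambda c: "/clarin/academic" in c["groups"], ENTITLEMENT,
     lambda c: "http://www.clarin.eu/entitlement/academic",
     "'http://www.clarin.eu/entitlement/academic'"),
    (lambda c: True, EPTID,
     lambda c: first_id(c, "targetedPersistent"),
     "idsByType['targetedPersistent'][0]"),
]

# Guarded variant of the eduPersonTargetedID rule: the condition checks that
# the identity exists, so the expression never runs when it is absent. The
# exact MVEL spelling of such a guard in Unity is an assumption.
GUARDED_RULES = RULES[:-1] + [
    (lambda c: bool(c["idsByType"].get("targetedPersistent")), EPTID,
     lambda c: first_id(c, "targetedPersistent"),
     "idsByType['targetedPersistent'][0]"),
]


def run_profile(rules, ids, groups):
    """Evaluate createAttribute rules in order; return released attributes.

    mandatory = false does not help: the error is raised while the
    expression itself is evaluated, which is what the Responder status
    in the thread shows.
    """
    ctx = {"idsByType": ids, "groups": groups}
    released = {}
    for number, (cond, attr, expr, text) in enumerate(rules, 1):
        if not cond(ctx):
            continue
        try:
            value = expr(ctx)
        except (KeyError, IndexError) as exc:
            raise ProfileError(f"rule {number}: null pointer: {text}") from exc
        released.setdefault(attr, []).append(value)
    return released


def profile_error(rules, ids, groups):
    """Return the error message the profile would produce, or None."""
    try:
        run_profile(rules, ids, groups)
    except ProfileError as exc:
        return str(exc)
    return None


def name_id_policy(authn_request_xml):
    """Return (Format, AllowCreate) from an AuthnRequest's NameIDPolicy.

    AllowCreate defaults to false when absent, as in SAML 2.0 Core.
    """
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return None, None
    return policy.get("Format"), policy.get("AllowCreate", "false") == "true"


# The AuthnRequest from the thread, reduced to the elements the parser reads.
FAILING_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_AE13D5C8472D79640CE19B291E2442E8" Version="2.0" IssueInstant="2017-06-14T11:39:04Z">
  <saml:Issuer>https://clarino.uib.no/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false"/>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print("NameIDPolicy:", name_id_policy(FAILING_REQUEST))
    print("working SP:", run_profile(RULES, WORKING_IDS, GROUPS))
    print("problematic SP:", profile_error(RULES, FAILING_IDS, GROUPS))
    print("problematic SP, guarded:", run_profile(GUARDED_RULES, FAILING_IDS, GROUPS))
```

Running it reproduces the shape of the thread's Responder error for the second identity set and shows that the guarded rule simply releases nothing for eduPersonTargetedID instead of aborting the whole response; the other attributes (mail, entitlement) are still released. The NameIDPolicy parser is the check to run first when an SP fails this way: it tells you which NameID format the SP asked for and whether it allowed the IdP to create one.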