Ipsilon 0.5.0 released
by Patrick Uiterwijk
Hi all,
Just now, Ipsilon 0.5.0 has been released.
The highlights of this release are:
- A REST API for listing and adding Service Providers
- New NameID formats: Transient, Persistent and Unspecified (Username)
- Lots of bug fixes
For more information, please see the release[1] page for version 0.5.0.
Thanks to everyone who helped in this release, and a special thanks to
those who helped us find a lot of bugs during the test day[2]!
Patrick
[1]: https://fedorahosted.org/ipsilon/wiki/Releases/v0.5.0
[2]: https://fedoraproject.org/wiki/Test_Day:2015-03-12_Ipsilon
9 years, 1 month
mod_auth_mellon metadata issues (MellonSPentityId)
by John Dennis
On the conference call this morning I mentioned I had to set
MellonSPentityId and Simo said "that sounds wrong, lasso should load it
from the metadata". During the conference I couldn't remember the exact
issue so I went back and investigated. Simo was right, lasso does load
it from the metadata but you can override it in the Mellon config, so
why did I need to do this?
I discovered the hard way that it's very easy to get mellon to screw up your
SP metadata if you allow mellon to generate it. Here's the issue: when
mellon generates the metadata it does so on the first request; it takes the
URL of the request and uses the first part of the URL (the mellon
endpoint) as the entityID and as the prefix for all the binding URLs in
the metadata. If the server is configured to allow both http and https
schemes, mellon will happily set your entityID and binding URLs to
include either http or https depending on the first request it sees. If
Ipsilon loaded metadata from http but you're using https, everything
gets screwed up because the entityIDs and binding URLs don't match.
I suppose in a real deployment one would have an Apache rewrite rule
that redirected any mellon http endpoints to https. But if you've just
set things up to test you may not have forced only https for mellon.
So this is just a heads-up warning: metadata resolution can fail,
leading to confusing failures, if at any point you were not rigorous over
uniformly using http vs. https. FWIW I always test SAML using https but
at times had grabbed the SP metadata using http; if you then load that
into Ipsilon, bad things happen, or if you had loaded metadata into
Ipsilon that had been generated with https but the first request to
mellon was http, things just won't resolve. If like me you're restarting
mellon many times a day, the opportunity for a finger fumble is great;
something that worked last invocation now fails mysteriously ;-). Just a
heads-up so you don't get burned.
--
John
9 years, 1 month
Redirect loop problem using ipsilon-client-install
by Nathan Kinder
Hi,
I've been working on running through the documentation Rob has been
preparing for next week's Fedora test day [1]. I'm running into a
problem with the SP configuration using the 0.4.0 packages on F21.
In the past, I've been configuring mod_auth_mellon by hand, but this
time I'm using ipsilon-client-install as mentioned in the wiki:
ipsilon-client-install --saml-idp-metadata
https://$IPA_FQDN/idp/saml2/metadata --saml-auth /sp
After uploading the metadata to the Ipsilon server, attempting to access
my SP at https://sp1.example.test/sp (using Kerberos auth) ends up in a
ping-pong loop of redirects that ultimately just fails in a bad request.
I've hit this sort of problem when configuring things by hand and the
URLs in the SP metadata didn't match up with my httpd config. I'm just
letting ipsilon-client-install configure everything though, so this
feels like a bug.
I've attached the SP metadata and the httpd config that
ipsilon-client-install set up. I'd like to know if anything looks
amiss. I'm really not sure myself, since I've been manually configuring
my SPs quite differently.
I have debug logs from the IdP as well, but they are pretty huge due to
the large number of redirects. They're available here:
https://nkinder.fedorapeople.org/failure.log
Thanks,
-NGK
[1] https://fedoraproject.org/wiki/Test_Day:2015-03-12_Ipsilon
9 years, 2 months
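Both of the mellon threads above come down to the same failure mode: the entityID and binding URLs inside the SP metadata not matching the scheme and host the SP is actually served on. The following is an added check, not code from the thread or from mod_auth_mellon or Ipsilon, that parses an SP metadata file and reports every URL whose scheme or host differs from what you expect; the metadata and the /mellon/... endpoint paths are constructed sample input, and the host sp1.example.test is taken from Nathan's message.

```python
# Added example: flag scheme/host mismatches in mod_auth_mellon SP metadata.
# Uses only the Python standard library.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: metadata that mellon generated on an http:// first
# request, so the entityID and most binding Locations carry the http scheme
# while one Location was edited to https by hand (a mixed-scheme document).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp1.example.test/sp/mellon/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sp1.example.test/sp/mellon/logout"/>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp1.example.test/sp/mellon/postResponse"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp1.example.test/sp/mellon/artifactResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def collect_urls(metadata_xml):
    """Return (entityID, [(element, attribute, url), ...]) for every endpoint
    URL in the metadata (Location and ResponseLocation attributes)."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    urls = []
    for elem in root.iter():
        for attr in ("Location", "ResponseLocation"):
            if elem.get(attr):
                urls.append((elem.tag.split("}")[-1], attr, elem.get(attr)))
    return entity_id, urls


def find_mismatches(metadata_xml, expected_scheme="https", expected_host=None):
    """List every URL (entityID included) whose scheme, or host if given,
    differs from what the SP is really served on. Empty list means consistent."""
    entity_id, urls = collect_urls(metadata_xml)
    problems = []
    for elem, attr, url in [("EntityDescriptor", "entityID", entity_id)] + urls:
        parts = urlparse(url)
        if parts.scheme != expected_scheme:
            problems.append(f"{elem}/{attr}: scheme {parts.scheme!r} != {expected_scheme!r}: {url}")
        if expected_host and parts.netloc != expected_host:
            problems.append(f"{elem}/{attr}: host {parts.netloc!r} != {expected_host!r}: {url}")
    return problems


if __name__ == "__main__":
    for line in find_mismatches(SAMPLE_METADATA, "https", "sp1.example.test"):
        print(line)
```

Run it against the metadata you are about to upload to Ipsilon, with the scheme and host your Apache vhost actually serves, before loading it; anything it prints is a URL that will not match on the IdP side.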