Hello,
Our SP is a Dynamics 365 Portal, S2S as SAML2SAML proxy, backend gets metadata from SWAMID, frontend acts as IdP for our portal.
Getting the following error; it always stops at "returning attributes".
Could it possibly be a problem with a self-signed SSL certificate that Microsoft CRM Portal does not accept, or are any parties not accepting SHA256?
Or is there anything else that I forgot to configure?
Thanks for any help from you guys. The end of the debug log is below.
Mats
[2017-10-19 13:07:26] [DEBUG]: [urn:uuid:2daabe4d-92c3-434e-b743-fddd2002878b] Routing to frontend: Saml2IDP
[2017-10-19 13:07:26] [DEBUG]: [urn:uuid:2daabe4d-92c3-434e-b743-fddd2002878b] Filter: ['givenname', 'mail', 'edupersontargetedid', 'displayname', 'surname', 'name']
[2017-10-19 13:07:26] [DEBUG]: frontend attribute givenName mapped from givenname
[2017-10-19 13:07:26] [DEBUG]: frontend attribute eduPersonTargetedID mapped from edupersontargetedid
[2017-10-19 13:07:26] [DEBUG]: frontend attribute email mapped from mail
[2017-10-19 13:07:26] [DEBUG]: frontend attribute sn mapped from surname
[2017-10-19 13:07:26] [DEBUG]: frontend attribute cn mapped from name
[2017-10-19 13:07:26] [DEBUG]: frontend attribute displayName mapped from displayname
[2017-10-19 13:07:26] [DEBUG]: [urn:uuid:2daabe4d-92c3-434e-b743-fddd2002878b] returning attributes {"email": ["XXX.XXX at XXX.XXX.XXX"], "cn": ["XXX XXX"], "eduPersonTargetedID": ["XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"], "sn": ["XXX"], "givenName": ["XXX"], "displayName": ["Mats Liu"]}
[2017-10-19 13:07:26] [DEBUG]: [urn:uuid:2daabe4d-92c3-434e-b743-fddd2002878b] signing with algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2017-10-19 13:07:26] [DEBUG]: [urn:uuid:2daabe4d-92c3-434e-b743-fddd2002878b] using digest algorithm http://www.w3.org/2001/04/xmlenc#sha256
[2017-10-19 13:07:26] [DEBUG]: [urn:uuid:2daabe4d-92c3-434e-b743-fddd2002878b] Saving state as cookie, secure: True, max-age: 1200, path: /
[2017-10-19 13:07:26] [DEBUG]: read request data: {}
[2017-10-19 13:07:26] [DEBUG]: Did not find cookie named 'SATOSA_STATE' in cookie string ''
[2017-10-19 13:07:26] [DEBUG]: [urn:uuid:33b0dd08-5a33-4873-b6d9-1efd3421575b] Routing path: favicon.ico
[2017-10-19 13:07:26] [DEBUG]: [urn:uuid:33b0dd08-5a33-4873-b6d9-1efd3421575b] Unknown backend favicon.ico
Hi,
I am planning to aggregate and manage a couple of different sources of SAML
metadata using pyFF to then expose it for consumption by SATOSA.
My first thought was to have pyFF dump an XML of the aggregate to the file
system and point SATOSA (really pysaml2) at it. But I don't see that the
"local" method for SATOSA/pysaml2 to consume metadata ever refreshes what
it finds on the file system--it appears to read it once but never again. I
need SATOSA to be consuming "fresh" metadata at least every 24 hours.
A second option might be to leverage the pysaml2 "loader" functionality and
pass in my own callable for reading in the metadata from the file system
periodically. But again I don't see that once pysaml2 has the internal
representation of the metadata that it would ever invoke my callable again.
Is that true?
So what I will probably do is operate pyFF as a MDQ server and leverage the
pysaml2 "mdq" functionality.
How are other SATOSA deployers making sure that SATOSA has "fresh" SAML
metadata?
Thanks,
Scott K
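Whatever the transport (pyFF file dump or MDQ), the aggregate itself says how long it may be trusted: validUntil is a hard expiry and cacheDuration a refresh hint, and a deployer policy such as "at least every 24 hours" caps both. The following is an added example (not pysaml2, pyFF or SATOSA code; the aggregate, its entityID and the fetch time are constructed) that reads those attributes and computes the refresh deadline, refusing an aggregate that is already expired.

```python
"""Decide when a SAML metadata aggregate must be re-fetched.

Added example for the thread above; it is not pysaml2, pyFF or SATOSA code.
It reads the aggregate's own validUntil / cacheDuration attributes and caps
the result at the deployer's 24 hour requirement from the post."""
import re
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MAX_AGE = timedelta(hours=24)  # policy from the post: fresh at least daily

# Constructed sample aggregate (assumed entityID, not real federation data).
SAMPLE_AGGREGATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:aggregate"
    validUntil="2017-10-26T12:00:00Z"
    cacheDuration="PT6H">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

# Instant the aggregate was fetched, fixed here so the example is deterministic.
FETCHED_AT = datetime(2017, 10, 19, 13, 0, 0, tzinfo=timezone.utc)

_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(value):
    """Parse the day/time subset of ISO 8601 durations (xs:duration).

    Year and month components are refused on purpose: their length depends
    on the calendar, so they cannot be turned into a fixed refresh interval."""
    m = _DURATION.match(value)
    if not m or not any(m.groupdict().values()):
        raise ValueError("unsupported cacheDuration: %r" % value)
    return timedelta(days=int(m["d"] or 0), hours=int(m["h"] or 0),
                     minutes=int(m["m"] or 0), seconds=int(m["s"] or 0))


def parse_valid_until(value):
    """validUntil is an xs:dateTime; SAML metadata requires it to be in UTC."""
    if not value.endswith("Z"):
        raise ValueError("validUntil must be a UTC timestamp: %r" % value)
    return datetime.fromisoformat(value[:-1] + "+00:00")


def refresh_plan(xml_bytes, fetched_at):
    """Return (usable, deadline).

    usable   -- False if the aggregate is already past validUntil; an expired
                aggregate must not be loaded even once.
    deadline -- the instant by which a fresh copy must be fetched: the
                earliest of validUntil, fetched_at + cacheDuration and
                fetched_at + MAX_AGE."""
    root = ET.fromstring(xml_bytes)
    if root.tag not in ("{%s}EntitiesDescriptor" % MD_NS,
                        "{%s}EntityDescriptor" % MD_NS):
        raise ValueError("not SAML metadata: %s" % root.tag)

    deadline = fetched_at + MAX_AGE
    cache = root.get("cacheDuration")
    if cache:
        deadline = min(deadline, fetched_at + parse_duration(cache))
    valid_until = root.get("validUntil")
    if valid_until:
        expires = parse_valid_until(valid_until)
        if expires <= fetched_at:
            return False, expires
        deadline = min(deadline, expires)
    return True, deadline


if __name__ == "__main__":
    usable, deadline = refresh_plan(SAMPLE_AGGREGATE, FETCHED_AT)
    print("usable:", usable, "refresh by:", deadline.isoformat())
```

With the sample aggregate the refresh deadline is six hours after the fetch (cacheDuration wins over both validUntil and the 24 hour cap); drop cacheDuration and the cap takes over; move validUntil into the past and the aggregate is rejected outright. Signature verification of the aggregate is a separate step this example does not perform.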
We have a satosa instance running as a social-saml gateway: Frontend=saml; backend=google.
It is behind Apache and accessed by mod_rewrite, essentially:
RewriteRule ^/(.*)$ https://localhost:7445/$1 [P]
This works, but the https seems unnecessary. It would be more efficient to use simple http for the localhost rewrite.
However, that fails with a "Not destined for me!" in request.py's _verify -- simply because http is not https.
Is there a way to use simple http but avoid the error? Commenting out the "raise OtherError" works, but I'd rather not have to edit the sources.
Thanks,
Jim Fox
University of Washington
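To show what the check in request.py's _verify protects, here is a simplified re-statement of it as an added example (not pysaml2 or SATOSA code; the host names, the frontend name Saml2IDP, the endpoint paths and the way the endpoint list is built from one base URL are assumptions). SAML 2.0 Core requires a recipient to discard a message whose Destination does not identify the location at which it was received, so the comparison is an exact string match, scheme included; a request addressed to the public https URL therefore fails against endpoints derived from an http base, and the remedy is to keep the configured endpoints equal to the public URL rather than to delete the raise.

```python
"""A minimal re-statement of the SAML Destination check that the post hits.

Added example for the thread above; it is not pysaml2 or SATOSA code, and
the endpoint paths and host names are assumed. It shows why the check must
compare the request's Destination with the URL the IdP is configured to
own, and why a plain-http localhost hop changes that URL."""
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest as an SP would send it to the public gateway URL.
AUTHN_REQUEST = b"""<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3d4e5f6" Version="2.0" IssueInstant="2017-10-19T13:07:26Z"
    Destination="https://gateway.example.edu/Saml2IDP/sso/redirect">
  <saml:Issuer>https://sp.example.edu/shibboleth</saml:Issuer>
</samlp:AuthnRequest>
"""


class NotDestinedForMe(Exception):
    """Raised when Destination names an endpoint this IdP does not own."""


def sso_endpoints(base_url):
    """Endpoints the IdP believes it owns, derived from one base URL.

    The scheme is part of the URL, so "http://" and "https://" bases yield
    different endpoint strings even for the same host and path (assumed
    frontend name 'Saml2IDP' and assumed paths)."""
    return [base_url + "/Saml2IDP/sso/redirect",
            base_url + "/Saml2IDP/sso/post"]


def verify_destination(xml_bytes, receiver_addrs):
    """Accept the request only if its Destination is one of receiver_addrs.

    Exact string comparison is the point: SAML 2.0 Core says a message whose
    Destination is not the location it was received at must be discarded,
    so loosening the match is what the check exists to prevent."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not an AuthnRequest: %s" % root.tag)
    destination = root.get("Destination")
    if destination is None:
        return None  # Destination is optional in SAML 2.0; nothing to verify
    if destination not in receiver_addrs:
        raise NotDestinedForMe(destination)
    return destination


def accepted(base_url):
    """True if the sample request passes the check for an IdP at base_url."""
    try:
        verify_destination(AUTHN_REQUEST, sso_endpoints(base_url))
        return True
    except NotDestinedForMe:
        return False


if __name__ == "__main__":
    for base in ("https://gateway.example.edu",
                 "http://gateway.example.edu",
                 "http://localhost:7445"):
        print(base, "->", "accepted" if accepted(base) else "Not destined for me!")
```

Only the https public base passes; both the http variant of the same host and the localhost proxy target fail, which is the mismatch the post describes. Fixing the endpoint list the IdP compares against keeps the check intact, whereas commenting out the raise removes the protection for every request.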