I will have some SPs behind the proxy that need to use the REFEDS MFA profile via InCommon along with other SPs behind the same proxy that only require simple one-step password authentication. I've looked through the list archives and don't see a solution to the problem I'm having.
I can verify by watching the browser SAML flow that the SP is correctly requesting REFEDS MFA in RequestedAuthnContext. However, this request does not appear to be passed on to the selected IdP and the MFA authentication attribute is not set upon return.
There appears to be configuration available (acr_mapping) to specify what AuthnContextClassRef value satosa returns to the SP based on the selected IdP but that is not what we need for this application.
My question: is satosa supposed to pass the SP’s requested AuthnContext to the end user’s IdP and pass back the IdP’s response?
I’ll dig some more but am hoping that someone already knows how/if this should work in satosa.
Thanks much, Jim
Hi Satosa users,
I’m trying to add the Swiss eduPerson attributes [1] to the Satosa attribute maps [2] but running into problems when trying to use them. I’m running Satosa with Docker and have pulled the swiss attributes into .py files in the attributemaps folder, added them to my internal_attribute.yaml schema, restarted my container… however they don’t seem to be recognised.
==========================
The attribute coming from my IdP
==========================
<ns0:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cern.ch</ns0:AttributeValue></ns0:Attribute>
====================================================
The config in internal_attribute.yaml (I just want to pass the attribute straight through to my Eps)
====================================================
swissedupersonhomeorganization:
    saml: [swissEduPersonHomeOrganization]
==========================
Debug messages
==========================
"Unknown attribute name: <ns0:Attribute xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cern.ch</ns0:AttributeValue></ns0:Attribute>"
...
"skipped backend attribute '['swissEduPersonHomeOrganization']': no value found"
The OID appears to be correct (SWISSEDUPERSON_OID = 'urn:oid:2.16.756.1.2.5.1.1.', SWISSEDUPERSON_OID+'4' = 'swissEduPersonHomeOrganization'). Am I missing something? Some missing config or some cache somewhere?
Thanks in advance for any advice,
Hannah
[1] https://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf
[2] https://github.com/IdentityPython/SATOSA/pull/270
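To see where the chain described in this post can break, here is an added example (not from the post, and not SATOSA or pysaml2 code) that parses the quoted Attribute element, runs it through a simplified stand-in for the attribute-map lookup, and then through the internal_attribute.yaml entry. The MAP shape (identifier / fro / to) is the one pysaml2 attribute map modules use; the lookup function itself is an assumption, reduced to the two conditions that matter here: the map's identifier must equal the attribute's NameFormat, and the OID must be in the map's `fro` table.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SWISSEDUPERSON_OID = "urn:oid:2.16.756.1.2.5.1.1."

# Attribute map in the shape pysaml2 attribute map modules use (a MAP dict
# with identifier / fro / to); only the OID quoted in the post is included.
SWISS_MAP = {
    "identifier": URI_FORMAT,
    "fro": {SWISSEDUPERSON_OID + "4": "swissEduPersonHomeOrganization"},
    "to": {"swissEduPersonHomeOrganization": SWISSEDUPERSON_OID + "4"},
}
# The internal_attribute.yaml entry from the post, loaded as a dict.
INTERNAL_ATTRIBUTES = {
    "swissedupersonhomeorganization": {"saml": ["swissEduPersonHomeOrganization"]},
}
# Constructed copy of the Attribute element quoted in the debug message.
ATTRIBUTE_XML = (
    '<ns0:Attribute xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4" '
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
    '<ns0:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" '
    'xsi:type="xs:string">cern.ch</ns0:AttributeValue></ns0:Attribute>'
)

def parse_attribute(xml_text):
    """Return (Name, NameFormat, [values]) for one saml:Attribute element."""
    el = ET.fromstring(xml_text)
    values = [v.text for v in el.findall(f"{{{SAML_NS}}}AttributeValue")]
    return el.get("Name"), el.get("NameFormat"), values

def to_local_name(name, name_format, maps):
    """Simplified map lookup (assumption): a map applies only when its identifier
    equals the NameFormat and its 'fro' table knows the Name; None = 'Unknown attribute name'."""
    for attr_map in maps:
        if attr_map["identifier"] == name_format and name in attr_map["fro"]:
            return attr_map["fro"][name]
    return None

def resolve(xml_text, maps, internal_attributes):
    """Walk one attribute through the maps and internal_attributes; return
    (internal_name, values), or a string naming the step that failed."""
    name, fmt, values = parse_attribute(xml_text)
    local = to_local_name(name, fmt, maps)
    if local is None:
        return "unknown attribute name: no loaded map covers this Name/NameFormat"
    for internal, sources in internal_attributes.items():
        if local in sources.get("saml", []):
            return internal, values
    return f"no internal attribute lists {local} under saml"
```

Running `resolve(ATTRIBUTE_XML, [], INTERNAL_ATTRIBUTES)` reproduces the first debug message (map not loaded), while passing `[SWISS_MAP]` yields `("swissedupersonhomeorganization", ["cern.ch"])`.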
Hi to everybody,
I'm doing fine with pyMultiLDAP as MS [3].
I can test multiple LDAP connections with received, aggregated and rewritten data directly with pymultildap from the command line, before moving the configuration to deployed systems.
The same settings [1] used on the command line would be used in the MS configuration, as is.
I'm using multildap in satosa, in my pysaml2 IdP [2] and also as a general purpose LDAP proxy for SEARCH and BIND methods, with the help of slapd-sock.
At this moment I do not need too many parameters per SP in the MS configuration, but probably in the future I will. I preferred to delegate data behaviour directly to multildap.settings instead of the MS configuration.
I share it as it comes,
regards
[1]
https://github.com/peppelinux/pyMultiLDAP/blob/master/examples/settings.py.…
[2] https://uniauth.readthedocs.io/en/latest/index.html
[3]
https://github.com/peppelinux/pyMultiLDAP/tree/fe602e39240d6a3240f09c852cb6…
--
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco at unical.it