Hello community,
here is the log from the commit of package apache2-mod_auth_mellon for
openSUSE:Factory checked in at 2024-12-19 21:41:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_mellon (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_auth_mellon.new.29675 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_mellon"
Thu Dec 19 21:41:53 2024 rev:6 rq:1232178 version:0.19.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/apache2-mod_auth_mellon/apache2-mod_auth_mellon.changes
2024-04-10 17:51:29.498905268 +0200
+++
/work/SRC/openSUSE:Factory/.apache2-mod_auth_mellon.new.29675/apache2-mod_auth_mellon.changes
2024-12-19 21:42:04.968292980 +0100
@@ -1,0 +2,8 @@
+Wed Dec 11 12:21:07 UTC 2024 - [email protected]
+
+- version update to 0.19.1
+ * Remove legacy code that is unused because of minimum requirements.
+ * Cleanup HTML in rendered forms.
+ * Documentation cleanups and improvements.
+
+-------------------------------------------------------------------
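Review bot: The new changelog entry lists only the upstream changes; the packaging changes made in this same commit (Source0 moved to the tag archive, the added `BuildRequires: automake`, and `autoreconf -fi` in %build) are not recorded. Add a bullet for them so the reason for the source switch is traceable from the .changes file.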
Old:
----
mod_auth_mellon-0.19.0.tar.gz
New:
----
mod_auth_mellon-0.19.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_auth_mellon.spec ++++++
--- /var/tmp/diff_new_pack.n2q0lS/_old 2024-12-19 21:42:05.764325974 +0100
+++ /var/tmp/diff_new_pack.n2q0lS/_new 2024-12-19 21:42:05.768326140 +0100
@@ -18,19 +18,20 @@
%define upstream_name mod_auth_mellon
Name: apache2-mod_auth_mellon
-Version: 0.19.0
+Version: 0.19.1
Release: 0
Summary: A SAML 2.0 authentication module for the Apache Server
License: GPL-2.0-or-later
Group: Productivity/Networking/Web/Servers
URL: https://github.com/latchset/%{upstream_name}
-Source0:
https://github.com/latchset/%{upstream_name}/releases/download/v%{version}/%{upstream_name}-%{version}.tar.gz
+Source0:
https://github.com/latchset/%{upstream_name}/archive/refs/tags/v%{version}.tar.gz#/%{upstream_name}-%{version}.tar.gz
Source1: %{upstream_name}.conf
Source2: %{name}.conf
Source3: README.diagnostics
Patch0: mod_auth_mellon-0.16.0-env-script-interpreter.patch
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel
+BuildRequires: automake
BuildRequires: curl-devel
BuildRequires: gcc
BuildRequires: glib2-devel
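Review bot: Source0 now points at the tag archive under archive/refs/tags/ instead of the upstream release download, and none of the Source lines visible here provides a signature or keyring to verify the tarball. The tag archive appears to ship without generated autotools files (config.h.in is dropped further down in this diff), which is presumably why automake is added; a short comment above Source0 stating that, and how the tarball's integrity is checked, would help the next maintainer.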
@@ -72,6 +73,7 @@
%autosetup -n %{upstream_name}-%{version}
%build
+autoreconf -fi
export APXS=%{_httpd_apxs}
%configure --enable-diagnostics
%make_build clean
++++++ mod_auth_mellon-0.19.0.tar.gz -> mod_auth_mellon-0.19.1.tar.gz ++++++
++++ 6148 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/.dir-locals.el
new/mod_auth_mellon-0.19.1/.dir-locals.el
--- old/mod_auth_mellon-0.19.0/.dir-locals.el 1970-01-01 01:00:00.000000000
+0100
+++ new/mod_auth_mellon-0.19.1/.dir-locals.el 2024-07-16 10:28:51.000000000
+0200
@@ -0,0 +1,2 @@
+( (nil . ((indent-tabs-mode . nil)))
+ (c-mode . ((c-basic-offset . 4))) )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/.github/workflows/ccpp.yml
new/mod_auth_mellon-0.19.1/.github/workflows/ccpp.yml
--- old/mod_auth_mellon-0.19.0/.github/workflows/ccpp.yml 1970-01-01
01:00:00.000000000 +0100
+++ new/mod_auth_mellon-0.19.1/.github/workflows/ccpp.yml 2024-07-16
10:28:51.000000000 +0200
@@ -0,0 +1,23 @@
+name: C/C++ CI
+
+on: [push, pull_request]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v1
+ - name: update apt cache
+ run: sudo apt-get update
+ - name: install dependencies
+ run: sudo apt-get install apache2-dev liblasso3-dev libcurl4-openssl-dev
+ - name: autoreconf
+ run: autoreconf -i -f
+ - name: autoconf
+ run: autoconf
+ - name: configure
+ run: ./configure
+ - name: make
+ run: make
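Review bot: `actions/checkout@v1` in the steps list is a long-superseded major version referenced by a mutable tag. Pin the action to the full commit SHA of a current release, and add a top-level `permissions:` block with `contents: read`, since the workflow runs on pull_request. The separate `autoconf` step after `autoreconf -i -f` is redundant.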
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/.gitignore new/mod_auth_mellon-0.19.1/.gitignore
--- old/mod_auth_mellon-0.19.0/.gitignore 1970-01-01 01:00:00.000000000
+0100
+++ new/mod_auth_mellon-0.19.1/.gitignore 2024-07-16 10:28:51.000000000
+0200
@@ -0,0 +1,10 @@
+*.lo
+*.la
+*.o
+*.slo
+aclocal.m4
+config.*
+configure
+Makefile
+.libs/
+.vscode/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/NEWS new/mod_auth_mellon-0.19.1/NEWS
--- old/mod_auth_mellon-0.19.0/NEWS 2024-01-13 15:32:02.000000000 +0100
+++ new/mod_auth_mellon-0.19.1/NEWS 2024-07-16 10:28:51.000000000 +0200
@@ -1,3 +1,15 @@
+Version 0.19.1
+---------------------------------------------------------------------------
+
+Cleanup:
+
+* Remove legacy code that is unused because of minimum requirements.
+
+* Cleanup HTML in rendered forms.
+
+* Documentation cleanups and improvements.
+
+
Version 0.19.0
---------------------------------------------------------------------------
@@ -5,6 +17,9 @@
* Support for HTTP-POST binding on Singe Logout endpoint.
+* Use correct Apache API to get the useragent IP, for compatibiltiy with
+ e.g. mod_rpaf/mod_remoteip.
+
* Update documentation.
Cleanup:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/README.md new/mod_auth_mellon-0.19.1/README.md
--- old/mod_auth_mellon-0.19.0/README.md 2024-01-13 15:31:28.000000000
+0100
+++ new/mod_auth_mellon-0.19.1/README.md 2024-07-16 10:28:51.000000000
+0200
@@ -14,6 +14,7 @@
* pkg-config
* Apache (>=2.0)
* OpenSSL
+ * libcURL
* lasso (>=2.4)
You will also require development headers and tools for all of the
@@ -425,8 +426,10 @@
# MellonSPMetadataFile is the full path to the file containing
# the metadata for this service provider.
- # If mod_auth_mellon was compiled against Lasso version 2.2.2
- # or higher, this option is optional. Otherwise, it is mandatory.
+ # This option is optional. If set, this metadata will be used
+ # to configure Mellon. If the XML contains multiple entities, the
+ # the first one will be used. This XML will also be published at
+ # Mellon's metadata endpoint.
# Default: None set.
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
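Review bot: "the" is duplicated across the line break in the new comment ("... multiple entities, the / the first one will be used"). Since silently picking the first entity decides which SP identity is used and published at the metadata endpoint, it would also help to say whether Mellon logs anything when additional entities are ignored.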
@@ -446,9 +449,7 @@
# MellonSPPrivateKeyFile is a .pem file which contains the private
# key of the service provider. The .pem-file cannot be encrypted
- # with a password. If built with lasso-2.2.2 or higher, the
- # private key only needs to be readable by root, otherwise it has
- # to be readable by the Apache pseudo user.
+ # with a password. The private key only needs to be readable by root.
# Default: None set.
MellonSPPrivateKeyFile /etc/apache2/mellon/sp-private-key.pem
@@ -465,11 +466,9 @@
# to MellonIdPMetadataFile. If omitted, no metadata validation will
# take place.
#
- # Multiple IdP metadata can be configured by using multiple
- # MellonIdPMetadataFile directives.
- # If your lasso library is recent enough (higher than 2.3.5),
- # then MellonIdPMetadataFile will accept an XML file containing
- # descriptors for multiple IdPs.
+ # Multiple IdP metadata can be configured by pointing to an
+ # XML file containing descriptors for multiple IdPs, or you
+ # can repeat this directive for each different IdP.
# If you have multiple IdPs enabled, you will need to provide a
# discovery method to pick the right IdP for this user (see below),
# if none is given, Mellon will fall back to the first listed.
@@ -477,9 +476,8 @@
# Default: None set.
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
- # MellonIdPMetadataGlob is a glob(3) pattern enabled alternative
- # to MellonIdPMetadataFile. Like MellonIdPMetadataFile it will
- # accept an optional validating chain if lasso is recent enough.
+ # MellonIdPMetadataGlob is a glob(3) pattern enabled alternative
+ # to MellonIdPMetadataFile.
#
# Default: None set.
#MellonIdPMetadataGlob /etc/apache2/mellon/*-metadata.xml
@@ -875,11 +873,11 @@
user logs in.
-## Example to support both SAML and Basic Auth
+## Example to support both SAML and different auth methods
The below snippet will allow for preemptive basic auth (such as from a REST
client)
for the "/auth" path, but if accessed interactively will trigger SAML auth with
-mod_auth_mellon.
+mod_auth_mellon.
```ApacheConf
<Location />
@@ -906,6 +904,26 @@
</Location>
```
+In a similar vain you can exclude a subpath from Mellon authentication by
adding
+a Location block that exempts the path after:
+
+```ApacheConf
+<VirtualHost *:443>
+ <Location />
+ AuthType "Mellon"
+ Require valid-user
+ MellonEnable "auth"
+ ...
+
+ Require all granted
+ </Location>
+
+ <Location /noSSO>
+ MellonEnable "off"
+ Require all granted
+ </Location>
+</VirtualHost>
+```
## Mellon & User Agent Caching behavior
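Review bot: In the added example the `<Location />` block ends with `Require all granted` after `Require valid-user`. Bare Require directives in one section are combined as RequireAny in Apache 2.4, so as written this reads as granting access to / without authentication. Drop that line from the `/` block and keep it only in `<Location /noSSO>`. Also, "In a similar vain" should read "vein".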
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/auth_mellon_handler.c
new/mod_auth_mellon-0.19.1/auth_mellon_handler.c
--- old/mod_auth_mellon-0.19.0/auth_mellon_handler.c 2024-01-13
15:31:28.000000000 +0100
+++ new/mod_auth_mellon-0.19.1/auth_mellon_handler.c 2024-07-16
10:28:51.000000000 +0200
@@ -613,7 +613,7 @@
" <input type=\"hidden\" name=\"SAMLResponse\" value=\"%s\">\n"
" <input type=\"hidden\" name=\"RelayState\" value=\"%s\">\n"
" <noscript>\n"
- " <input type=\"submit\">\n"
+ " <input type=\"submit\" value=\"Proceed\">\n"
" </noscript>\n"
" </form>\n"
" </body>\n"
@@ -634,7 +634,7 @@
" <form method=\"POST\" action=\"%s\">\n"
" <input type=\"hidden\" name=\"SAMLResponse\" value=\"%s\">\n"
" <noscript>\n"
- " <input type=\"submit\">\n"
+ " <input type=\"submit\" value=\"Proceed\">\n"
" </noscript>\n"
" </form>\n"
" </body>\n"
@@ -1182,45 +1182,6 @@
profile = LASSO_PROFILE(logout);
- /* We need to set the SessionIndex in the LogoutRequest to the SessionIndex
- * we received during the login operation. This is not needed since release
- * 2.3.0.
- */
- if (lasso_check_version(2, 3, 0, LASSO_CHECK_VERSION_NUMERIC) == 0) {
- session = lasso_profile_get_session(profile);
- assertion_list = lasso_session_get_assertions(
- session, profile->remote_providerID);
- if(! assertion_list ||
- LASSO_IS_SAML2_ASSERTION(assertion_list->data) ==
FALSE) {
- AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
- "No assertions found for the current session.");
- lasso_logout_destroy(logout);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- /* We currently only look at the first assertion in the list
- * lasso_session_get_assertions returns.
- */
- assertion_n = assertion_list->data;
-
- assertion = LASSO_SAML2_ASSERTION(assertion_n);
-
- /* We assume that the first authnStatement contains the data we want.
*/
- authnStatement =
LASSO_SAML2_AUTHN_STATEMENT(assertion->AuthnStatement->data);
-
- if(!authnStatement) {
- AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
- "No AuthnStatement found in the current assertion.");
- lasso_logout_destroy(logout);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- if(authnStatement->SessionIndex) {
- request = LASSO_SAMLP2_LOGOUT_REQUEST(profile->request);
- request->SessionIndex = g_strdup(authnStatement->SessionIndex);
- }
- }
-
-
/* Set the RelayState parameter to the return url (if we have one). */
if(return_to) {
profile->msg_relayState = g_strdup(return_to);
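Review bot: The removed block was the visible user of the locals session, assertion_list, assertion_n, assertion, authnStatement and request, and no hunk in this file touches their declarations. Confirm they are either still used elsewhere in the function or removed along with this block, so the build stays free of unused-variable warnings.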
@@ -2886,19 +2847,18 @@
}
output = apr_psprintf(r->pool,
- "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n"
+ "<!DOCTYPE html>\n"
"<html>\n"
" <head>\n"
" <title>SAML rePOST request</title>\n"
" </head>\n"
- " <body onload=\"document.getElementById('form').submit();\">\n"
- " <noscript>\n"
- " Your browser does not support Javascript, \n"
- " you must click the button below to proceed.\n"
- " </noscript>\n"
- " <form id=\"form\" method=\"POST\" action=\"%s\"
enctype=\"%s\"%s>\n%s"
+ " <body onload=\"document.forms[0].submit()\">\n"
+ " <noscript>\n"
+ " <strong>Note:</strong> Since your browser does not support
JavaScript, you must press the button below once to proceed.\n"
+ " </noscript>\n"
+ " <form method=\"POST\" action=\"%s\" enctype=\"%s\"%s>\n%s"
" <noscript>\n"
- " <input type=\"submit\">\n"
+ " <input type=\"submit\" value=\"Proceed\">\n"
" </noscript>\n"
" </form>\n"
" </body>\n"
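Review bot: The rePOST page still depends on the inline `onload` handler on `<body>`, and the only submit button sits inside `<noscript>`. A browser that has scripting enabled but blocks inline handlers (for example under a Content-Security-Policy without 'unsafe-inline') will neither auto-submit the form nor show the button. Consider rendering the "Proceed" button outside `<noscript>`, or documenting the CSP requirement.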
@@ -3014,7 +2974,7 @@
" <input type=\"hidden\" name=\"SAMLRequest\" value=\"%s\">\n"
" <input type=\"hidden\" name=\"RelayState\" value=\"%s\">\n"
" <noscript>\n"
- " <input type=\"submit\">\n"
+ " <input type=\"submit\" value=\"Proceed\">\n"
" </noscript>\n"
" </form>\n"
" </body>\n"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/config.h.in new/mod_auth_mellon-0.19.1/config.h.in
--- old/mod_auth_mellon-0.19.0/config.h.in 2024-01-13 15:32:06.000000000
+0100
+++ new/mod_auth_mellon-0.19.1/config.h.in 1970-01-01 01:00:00.000000000
+0100
@@ -1,72 +0,0 @@
-/* config.h.in. Generated from configure.ac by autoheader. */
-
-/* build with diagnostics */
-#undef ENABLE_DIAGNOSTICS
-
-/* Define to 1 if you have the declaration of `', and to 0 if you don't. */
-#undef HAVE_DECL_
-
-/* Define to 1 if you have the declaration of
- `LASSO_SIGNATURE_METHOD_RSA_SHA256', and to 0 if you don't. */
-#undef HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA256
-
-/* Define to 1 if you have the declaration of
- `LASSO_SIGNATURE_METHOD_RSA_SHA384', and to 0 if you don't. */
-#undef HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA384
-
-/* Define to 1 if you have the declaration of
- `LASSO_SIGNATURE_METHOD_RSA_SHA512', and to 0 if you don't. */
-#undef HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA512
-
-/* lasso library supports ECP profile */
-#undef HAVE_ECP
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdio.h> header file. */
-#undef HAVE_STDIO_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the home page for this package. */
-#undef PACKAGE_URL
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* Define to 1 if all of the C90 standard headers exist (not just the ones
- required in a freestanding environment). This macro is provided for
- backward compatibility; new code need not use it. */
-#undef STDC_HEADERS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/configure.ac new/mod_auth_mellon-0.19.1/configure.ac
--- old/mod_auth_mellon-0.19.0/configure.ac 2024-01-13 15:32:02.000000000
+0100
+++ new/mod_auth_mellon-0.19.1/configure.ac 2024-07-16 10:28:51.000000000
+0200
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_mellon],[0.19.0],[https://github.com/latchset/mod_auth_mellon/issues])
+AC_INIT([mod_auth_mellon],[0.19.1],[https://github.com/latchset/mod_auth_mellon/issues])
AC_CONFIG_HEADERS([config.h])
# We require support for C99.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/doc/mellon-attribute-map.xsl
new/mod_auth_mellon-0.19.1/doc/mellon-attribute-map.xsl
--- old/mod_auth_mellon-0.19.0/doc/mellon-attribute-map.xsl 1970-01-01
01:00:00.000000000 +0100
+++ new/mod_auth_mellon-0.19.1/doc/mellon-attribute-map.xsl 2024-07-16
10:28:51.000000000 +0200
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Convert urn:mace:shibboleth:2.0:attribute-map to MellonSetEnv statements
+
+ Author: Pat Riehecky <[email protected]>
+ Copyright (2019). Fermi Research Alliance, LLC
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:map="urn:mace:shibboleth:2.0:attribute-map"
+>
+ <xsl:output method="text" omit-xml-declaration="yes" indent="no"/>
+
+ <xsl:template match="/map:Attributes">
+ <xsl:apply-templates select="map:Attribute">
+ <xsl:sort select="@id" data-type="text" />
+ <xsl:sort select="@name" data-type="text" order="descending"/>
+ </xsl:apply-templates>
+ </xsl:template>
+
+ <xsl:template match='map:Attribute'>
+ <xsl:value-of select="concat('MellonSetEnvNoPrefix ', @id, ' ' ,
@name)"/><xsl:text>
</xsl:text>
+ </xsl:template>
+
+</xsl:stylesheet>
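Review bot: The header comment says the stylesheet produces MellonSetEnv statements, but the template emits `MellonSetEnvNoPrefix`; make the comment match the output. The `@id` and `@name` values are also written into the directive unquoted, so an attribute-map entry containing whitespace would yield a malformed line; wrapping both arguments in double quotes inside the concat() would avoid that.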
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh
old/mod_auth_mellon-0.19.0/doc/user_guide/mellon_user_guide.adoc
new/mod_auth_mellon-0.19.1/doc/user_guide/mellon_user_guide.adoc
--- old/mod_auth_mellon-0.19.0/doc/user_guide/mellon_user_guide.adoc
2024-01-13 15:31:28.000000000 +0100
+++ new/mod_auth_mellon-0.19.1/doc/user_guide/mellon_user_guide.adoc
2024-07-16 10:28:51.000000000 +0200
@@ -1539,6 +1539,8 @@
error. See <<metadata_creation, Metadata Creation>> for how Mellon
metadata is created. `MellonSPMetadataFile` is optional, Mellon can
create its own metadata from its initial configuration parameters.
+Should this file contain multiple SP entities, only the first one
+found will be used.
<5> The private cryptographic key used by Mellon to sign its SAML
data. See <<metadata_keys>> for more detail.
@@ -2744,10 +2746,9 @@
Since you're most likely using the SAML Web-SSO profile, which is
entirely browser based, you can use any of the browser tools to watch
-HTTP requests and responses. The Firefox web browser provides the
-FireBug add-on and the Chrome browser offers Developer Tools. Each of
-these browsers also has additional add-ons to display SAML messages;
-see <<inspect_saml_messages>>.
+HTTP requests and responses. Besides the standard web development tools
+in each browser, there's a browser add-on specifically to display SAML
+messages; see <<inspect_saml_messages>>.
NOTE: The easiest and most complete way to trace HTTP requests and
responses during SAML flow, capture SAML messages, and examine how
@@ -2782,20 +2783,23 @@
write a browser extension to capture and decode the SAML messages
exchanged between the SP and IdP.
-==== Firefox SAML Tracer [[saml_tracer]]
+==== SAML Tracer [[saml_tracer]]
-The Firefox
-https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/[SAML
-Tracer] Add-On will display decoded SAML messages used during single
-sign-on and single logout. SAML Tracer is not capable of decrypting
-an encrypted IdP response, because it does not have access to the IdP's
-public encryption key contained in the IdP's metadata. See
-<<encrypted_response>> for how to deal with this issue.
+The SAML Tracer browser exteion is available
+https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/[for
+Firefox] and
+https://chromewebstore.google.com/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch[for
+Chome] and will display decoded SAML
+messages used during single sign-on and single logout. SAML Tracer is
+not capable of decrypting an encrypted IdP response, because it does
+not have access to the IdP's public encryption key contained in the
+IdP's metadata. See <<encrypted_response>> for how to deal with this
+issue.
To use SAML Tracer you must first install the add-on. Then each time
-you want to use SAML Tracer you will need to go to the Firefox menu
+you want to use SAML Tracer you will need to go to the browser's menu
and select the SAML Tracer option. This will bring up a separate
-Firefox window which looks like this:
+window which looks like this:
image::saml-tracer.svg[]
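Review bot: Two typos in the added text: "exteion" should be "extension" and "Chome" should be "Chrome". The carried-over explanation also attributes the failure to decrypt to missing the IdP's public encryption key; an encrypted response is decrypted with the SP's private key, so that sentence is worth correcting while it is being reflowed.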
@@ -2816,19 +2820,6 @@
complete SAML message. The `http` tab shows you the HTTP headers
associated with the HTTP request/response.
-==== Chrome, SAML Chrome Panel
-
-The Chrome Web browser offers several add-ons to display SAML
-messages. The most commonly used is
-https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace[SAML
-Chrome Panel]. SAML Chrome Panel integrates with the Chrome developer
-tools.
-
-Here is an example of the SAML Chrome Panel in the developer tools
-panel:
-
-image::chrome_SAML_Chrome_Panel.svg[]
-
==== If the IdP response is encrypted [[encrypted_response]]
Data in a SAML response may be encrypted for confidentiality (usually