On 10/25/16 2:02 PM, Julien Semaan wrote:
> Hi Charles,
> 
> This looks like either the metadata is not valid on the server or the entity ID
> is not right in the source configuration.
> 
> If you post your metadata file as well as
> /usr/local/pf/conf/authentication.conf, I could look at it.

[Weblofin]
description=weblogin
idp_ca_cert_path=/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.crt
idp_entity_id=https://idp.pennkey.upenn.edu
idp_metadata_path=/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.xml
username_attribute=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
dynamic_routing_module=AuthModule
idp_cert_path=/usr/local/pf/conf/saml/idp.pennkey.upenn.edu.crt
sp_entity_id=siepata.net.isc.upenn.edu
type=SAML
authorization_source_id=local
sp_cert_path=/usr/local/pf/conf/saml/server.crt
sp_key_path=/usr/local/pf/conf/saml/server.key

Metadata is attached.

-- 
Charles Rumford
Senior Network Engineer
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="siepata.net.isc.upenn.edu">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          
<ds:X509Certificate>MIIDYjCCAkoCCQDiC7MDJ80nfzANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          
<ds:X509Certificate>MIIDYjCCAkoCCQDiC7MDJ80nfzANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!--- Not implemented and probably will never be... Leaving it there should it prove to be mandatory for a SAML IDP
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://siepata.net.isc.upenn.edu/saml/assertion"/>
    -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://siepata.net.isc.upenn.edu/saml/assertion" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://siepata.net.isc.upenn.edu/saml/assertion" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://siepata.net.isc.upenn.edu/saml/assertion" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://siepata.net.isc.upenn.edu/saml/assertion" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
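
The two causes suggested in the quoted reply (metadata that does not parse, or an entity ID in the source configuration that differs from the metadata) can be checked mechanically. The following is an added example, not part of the original thread and not PacketFence code: it reads only the `sp_entity_id` and `idp_entity_id` keys shown in the posted configuration, and the function names and the example.org sample data are constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET

MD_ROOT = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"

def metadata_entity_id(xml_text):
    """Return the entityID of a single-entity SAML metadata document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"metadata is not well-formed XML ({exc})")
    if root.tag != MD_ROOT or not root.get("entityID"):
        raise ValueError("root is not an EntityDescriptor with an entityID")
    return root.get("entityID")

def check_source(conf_text, section, sp_metadata, idp_metadata):
    """List mismatches between a SAML source's entity IDs and the metadata."""
    # Split on "=" only, so values such as urn:oid:... are not cut at ":".
    conf = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    conf.read_string(conf_text)
    src = conf[section]
    problems = []
    for key, xml_text in (("sp_entity_id", sp_metadata),
                          ("idp_entity_id", idp_metadata)):
        try:
            found = metadata_entity_id(xml_text)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        # This check compares entity IDs as exact strings: no case folding,
        # no trailing-slash or scheme normalization.
        if found != src.get(key):
            problems.append(f"{key}: config {src.get(key)!r} != metadata {found!r}")
    return problems

# Constructed sample input (example.org names, not the poster's files).
CONF = """[ExampleSAML]
type=SAML
sp_entity_id=nac.example.org
idp_entity_id=https://idp.example.org
"""
SP_MD = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
         'entityID="nac.example.org"/>')
IDP_MD = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'entityID="https://idp.example.org/idp/shibboleth"/>')

if __name__ == "__main__":
    for line in check_source(CONF, "ExampleSAML", SP_MD, IDP_MD):
        print(line)
```
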

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
