Missing request header "eppn"
I configured Shibboleth for authentication on eduvpn using the eppn/eduPersonPrincipalName but after signing in on the IdP the eduvpn page greets me with a 400 error saying missing request header "eppn". I can't find the relevant log file for this error. Any pointers on how to resolve this?
In /etc/shibboleth/attribute-map.xml:
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
Make sure that your IdP provides one of these urn attributes to Shibboleth SP in that exact way. Otherwise you might have to update the mapping to map something to eppn.
I see that our documentation could probably use an update. Let us know if you manage to get it to work and whether it would help if we update our docs (and how).
This is how the attribute is defined in our IdP:
<AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
    <InputDataConnector ref="myLDAP" attributeNames="sAMAccountName" />
    <DisplayName xml:lang="en">Principal Name</DisplayName>
    <DisplayName xml:lang="de">Principal Name</DisplayName>
    <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</AttributeDefinition>
The urn:oid is the same but does it make a difference if the ID is eduPersonPrincipalName and not eppn?
I'm not sure, I am not that familiar with Shibboleth. Perhaps you can use tooling like saml-tracer to see what actually gets sent to the SP and go from there?
Thanks for the link. I just tried the tool on eduvpn and on a SP that works. On both it shows information that isn't quite useful for me concerning attributes. I would appreciate it if someone who used Shibboleth with eduvpn gives me some tips.
I uncommented the attribute schacPersonalUniqueCode in attribute-map.xml, which we also use on our IdP, and it is still missing the request header. The resolver test from our IdP shows that it transfers those attributes to the eduvpn server. I guess something on the eduvpn server prevents it from seeing those attributes or something like that. I don't know.
Right... I think if you want to also reach others you could write a message to eduvpn-deploy. There MAY be some people there using Shibboleth.
As for SAML tracer, see screenshot below for the 'interesting' information, this is from my SAML setup, but with Shib it will be similar, look for the "POST" line and then the attributes under the "SAML" tab:

Thanks for following up with a screenshot. I didn't use the tool like how it is supposed to and somehow missed those tabs in the middle. It showed me that there are indeed no attributes in play. I need to look at it at another angle. I will also write to eduvpn-deploy like you suggested.
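The two failure modes discussed in this thread (the IdP asserts the attribute under a name that attribute-map.xml does not map to id="eppn", versus the assertion carrying no attributes at all, as the SAML-tracer capture showed) can be told apart mechanically. The script below is an added example, not eduVPN or Shibboleth code: it takes the attribute-map.xml excerpt from the answer above and a constructed SAML 2.0 assertion as pasted from SAML-tracer, and reports which side needs fixing. It checks only the mapping step; the SP's attribute-policy.xml filter and the IdP's release policy are not modelled.

```python
"""Diagnose a missing "eppn" header: compare the attribute Names an IdP actually
asserts (as seen in a SAML-tracer capture) with the Names that the Shibboleth SP
attribute-map.xml maps to id="eppn".  Added example; the XML samples are constructed."""
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace prefix so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def names_for_id(attribute_map_xml, wanted_id):
    """SAML attribute Names that attribute-map.xml exposes under wanted_id."""
    root = ET.fromstring(attribute_map_xml)
    return {el.get("name") for el in root.iter()
            if _local(el.tag) == "Attribute" and el.get("id") == wanted_id}

def asserted_names(assertion_xml):
    """Attribute Names present in the assertion's AttributeStatement(s)."""
    root = ET.fromstring(assertion_xml)
    return {el.get("Name") for el in root.iter() if _local(el.tag) == "Attribute"}

def diagnose(attribute_map_xml, assertion_xml, wanted_id="eppn"):
    """"ok", "no_attributes_in_assertion" (IdP release/filter), or "name_mismatch" (map/encoder)."""
    asserted = asserted_names(assertion_xml)
    if not asserted:
        return "no_attributes_in_assertion"
    if names_for_id(attribute_map_xml, wanted_id) & asserted:
        return "ok"
    return "name_mismatch"

# Constructed excerpt of /etc/shibboleth/attribute-map.xml with the two eppn mappings.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"/>
</Attributes>"""

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed assertion bodies as a SAML-tracer "SAML" tab would show them.
ASSERTION_WITH_EPPN = f"""<saml:Assertion xmlns:saml="{SAML2}"><saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
ASSERTION_ONLY_MAIL = f"""<saml:Assertion xmlns:saml="{SAML2}"><saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
    <saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
ASSERTION_NO_ATTRIBUTES = f'<saml:Assertion xmlns:saml="{SAML2}"/>'
if __name__ == "__main__":
    for label, a in [("eppn", ASSERTION_WITH_EPPN), ("mail only", ASSERTION_ONLY_MAIL),
                     ("none", ASSERTION_NO_ATTRIBUTES)]:
        print(f"{label}: {diagnose(ATTRIBUTE_MAP, a)}")
```

A "no_attributes_in_assertion" result means the SP has nothing to map, so the fix is on the IdP side (attribute release to this SP's entityID), while "name_mismatch" means the IdP does release something but attribute-map.xml does not map that Name to eppn.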
This seems more like a Shib issue, and not eduVPN, so perhaps it is better to request help @ the Shibboleth community?