
Re: Problems with End Point Reference



Rosa Sanchez Guerrero wrote:
> I attach the log files.

Now the log files are less than 100k. How come the RAR attachment
was over 10M?

> Sorry, the previous post I asked if you will show me
> the steps to try implementing WSF, WSC and IDP?, But really wanted to ask you if you will
> show me the steps to try running WSF, WSC and IDP, well, I used your tool to
> implement the role of WSF and WSC and Lasso IDP's role in implementing the
> IDP.
>
> My timeline for getting the Discovery in place is about two weeks.

Can we collaborate, say, Thu-Fri next week? I am very busy on Mon-Wed.

Looking at the zxid2.stderr, I notice some of the messages have been
translated to semi-Spanish. Is there a need for translation? Should I
set up some infrastructure for translation in the project? Of course
the stderr is mainly my debug messages so they are subject to change
without notice. The act and err files are more stable.

Obviously your translations and other edits on log messages
make it more difficult to grep my source code and thus more
difficult to help you.

For example, I do not see how my code could ever have produced
the following:

t zxidses.c:171 zxid_get_ses            zx d GOT ses(SJg07oE_O)
nid(_C64444B60C2A8EA8665B8FCC75CC5902)
sso_a7n_path(/home/apt/rsanchez/zxid/log/rely/U1qBrGtR2wvphHUY0NCz52plr6A/a7n/hE75dlELQGEfi7R903VaCYnRyPM)
sesix()
t zxidhlowsf.c:132 main                 zx E zxid_get_ses
finish===============================0

t zxidhlowsf.c:138 main                 zx E before zxid_find_epr
===============================0

t zxidepr.c:166 zxid_find_epr           zx d Looking in session
dir(/home/apt/rsanchez/zxid/ses/SJg07oE_O)
t zxidepr.c:176 zxid_find_epr           zx E len
svc:(25)===============================
t zxidepr.c:180 zxid_find_epr           zx E
SVC:(urn:liberty:disco:2006-08)===============================
t zxidepr.c:192 zxid_find_epr           zx E 
de->d_name:(.)==================================
t zxidepr.c:194 zxid_find_epr           zx E r
:((null))===============================
t zxidepr.c:196 zxid_find_epr           zx E de
:(Mf)===============================
t zxidepr.c:192 zxid_find_epr           zx E 
de->d_name:(..)==================================
t zxidepr.c:194 zxid_find_epr           zx E r
:((null))===============================
t zxidepr.c:196 zxid_find_epr           zx E de
:(*ƒf)===============================
t zxidepr.c:192 zxid_find_epr           zx E 
de->d_name:(.ses)==================================
t zxidepr.c:194 zxid_find_epr           zx E r
:((null))===============================
t zxidepr.c:196 zxid_find_epr           zx E de
:(#@i)===============================
t zxidepr.c:257 zxid_find_epr           zx E Estoy antes de
close(dir)(0)===============================
t zxidepr.c:260 zxid_find_epr           zx E Estoy despues de
close(dir)(0)===============================
t zxidhlowsf.c:141 main                 zx E after zxid_find_epr
===============================(null)


All those equals signs are not from me.

Debugging the zxid_snarf_eprs_from_ses() is the right place to
look if you are trying to determine whether Lasso IdP sent the
bootstraps in the first place.

However, I can not really help you until you use 0.32 unmodified
to produce the log.

You should also try to get logging from Lasso side. In particular,
the signed SSO assertion would be interesting as that would allow
you to see if the bootstrap attributes are there at all.

Cheers,
--Sampo

> Thanks and I appreciate your attention, warm regards.
>
>
> 2009/4/18 <sampo@xxxxxxxxxxx>
>
>> Rosa Sanchez Guerrero wrote:
>> > Dear Sirs,
>> >
>> > I am working with version zxid-0.29. I attached the file that contains
>> > zxid.rar in the log files, sessions ...
>>
>> Sorry, I can't handle rar files. How about tar.gz?
>>
>> At any rate, please do not send attachments over 2MB. Instead, please
>> put it available on some web server and send me a URL.
>>
>> > Regarding the problem of End Point Reference, when you explain that one way
>> > to get it is it could have been passed as bootstrap
>> > attribute in the SAML SSO assertion, how can I do this? Should I do this in
>> > the IDP?
>>
>> It has to be configured at the IdP end. It's effectively an attribute
>> "push" operation where IdP decides to send the attribute without
>> any specific request for it.
>>
>> > Lasso IDP is supposed to have implemented this feature?
>>
>> Quite probably, but I am unfamiliar with the approach they take
>> and how it would be configured.
>>
>> > Will you
>> > show me the steps to try implementing WSF, WSC and IDP? I would like to make
>> > certain that I'm doing correctly.
>>
>> I am the lead developer and quite busy. I will help, but I expect
>> you to do quite a lot of the work yourself.
>>
>> You did not answer the timeline question. Without knowing that,
>> I do not know if I have time to help you. My calendar is very
>> busy.
>>
>> Cheers,
>> --Sampo
>>
>> > Moreover the alternative that you propose me to use a commercial discovery
>> > server implementation, we want to make our test scenarios with open source,
>> > so we'd like to get the End Point Reference without using the discovery
>> > server
>> >
>> > I appreciate your attention, warm regards.
>> >
>> >
>> > 2009/4/18 <sampo@xxxxxxxxxxx>
>> >
>> >> Rosa Sanchez Guerrero wrote:
>> >> > Dear Sirs,
>> >> >
>> >> >  I am a student at the University Carlos III of Madrid and my name is Rosa
>> >> > Sanchez Guerrero.
>> >> >
>> >> > I am working with identity management using the SAML protocol. We need a web
>> >> > service provider (WSF) and an identity provider (IdP).
>> >> >
>> >> > To implement the role of provider of web services, we decided to use your
>> >> > tool ZXID and to implement the role of identity provider using the form of
>> >> > Authentic Lasso to recommend in the documentation. The identity provider is
>> >> > working correctly, and we are trying WSF file zxidhlowsf.c. When we put in
>> >> > the web browser https://sp1.zxidsp.org:8443/zxidhlo and try to login, it
>> >> > connects with the IdP authenticates the user, but when it happens ZXID
>> >> > redirection to an internal error in the server. This error occurs in the
>> >> > function zxid_find_epr, which is on file zxidepr.c. This function returns
>> >> > the End Point Reference null value because in /zxid/ses/SESID not
>> >> > created the file SVC, SHA1.
>> >>
>> >> Without seeing the specific log messages I do not know exactly what
>> >> is happening. You should also let me know which version of zxid you
>> >> are using (latest is 0.32).
>> >>
>> >> > Consult the documentation we have seen that this information is sought
>> >> > through a discovery server (DS) or via an assertion in the SSO. However, we
>> >> > suspect that the server is required and this discovery is commercial. I
>> >> > could say some indication of what may be happening (for example, if it is
>> >> > necessary for the IdP metadata display something on the End Point Reference
>> >> > or something similar ...).
>> >>
>> >> In your scenario you presumably want the EPR of the WSP. The WSC can
>> >> find this out in two ways:
>> >>
>> >> 1. it could have been passed as "bootstrap"
>> >>   attribute in the SAML SSO assertion; or
>> >> 2. it can be discovered from the discovery service, however to discover
>> >>   the IdP must have passed a discovery bootstrap attribute containing
>> >>   the EPR of the discovery service and the Discovery Service
>> >>   must be running.
>> >>
>> >> So I suspect the Lasso IdP is not passing a bootstrap attribute
>> >> of either variant.
>> >>
>> >> While ZXID fully implements discovery client, I do not yet have
>> >> Discovery Server implementation, though this is being worked on
>> >> as part of zxid IdP implementation. Only open source discovery
>> >> service implementation I am aware of is by Conor Cahill
>> >> http://www.cahillfamily.com/OpenSource/
>> >> but his implementation is not very well integrated to any SSO IdP.
>> >>
>> >> Other alternative, as you say, is to use a commercial discovery
>> >> server implementation. For example symlabs.com offers free
>> >> evaluation version.
>> >>
>> >> What is your timeline for getting the Discovery in place?
>> >>
>> >> --Sampo
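
Added example, not part of the original thread and not ZXID or Lasso code: a small check of a captured SSO assertion for the two bootstrap variants discussed above (an EPR pushed directly, or the EPR of a discovery service). It assumes the ID-WSF 2.0 layout in which the EPR is a wsa:EndpointReference inside a SAML AttributeValue; the attribute name, host names and sample documents are constructed, and the check does not verify the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "sa": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "di": "urn:liberty:disco:2006-08",   # same URN zxid_find_epr logs as SVC
}
DISCO_SVC = "urn:liberty:disco:2006-08"

def bootstrap_eprs(assertion_xml):
    """List (attribute name, service type, address) for each EPR in the assertion."""
    if "<!DOCTYPE" in assertion_xml:      # refuse DTDs so no entities get expanded
        raise ValueError("DOCTYPE not allowed in a SAML assertion")
    root = ET.fromstring(assertion_xml)
    out = []
    for attr in root.iter("{%s}Attribute" % NS["sa"]):
        for epr in attr.iterfind("sa:AttributeValue/wsa:EndpointReference", NS):
            svc = epr.findtext("wsa:Metadata/di:ServiceType", "", NS).strip()
            addr = epr.findtext("wsa:Address", "", NS).strip()
            out.append((attr.get("Name"), svc, addr))
    return out

def diagnose(assertion_xml):
    """'discovery' = EPR of a discovery service, 'direct' = other EPR, 'none'."""
    eprs = bootstrap_eprs(assertion_xml)
    if not eprs:
        return "none"
    return "discovery" if any(s == DISCO_SVC for _, s, _ in eprs) else "direct"

# Constructed samples (assumptions, not taken from the poster's logs).
HEAD = ('<sa:Assertion xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:wsa="http://www.w3.org/2005/08/addressing" '
        'xmlns:di="urn:liberty:disco:2006-08"><sa:AttributeStatement>')
TAIL = '</sa:AttributeStatement></sa:Assertion>'
NO_BOOTSTRAP = HEAD + ('<sa:Attribute Name="mail"><sa:AttributeValue>'
                       'user@idp.example</sa:AttributeValue></sa:Attribute>') + TAIL
WITH_DISCO = HEAD + (
    '<sa:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR"><sa:AttributeValue>'
    '<wsa:EndpointReference><wsa:Address>https://idp.example/disco</wsa:Address>'
    '<wsa:Metadata><di:ServiceType>urn:liberty:disco:2006-08</di:ServiceType>'
    '</wsa:Metadata></wsa:EndpointReference></sa:AttributeValue></sa:Attribute>') + TAIL

if __name__ == "__main__":
    for name, doc in (("no bootstrap", NO_BOOTSTRAP), ("disco bootstrap", WITH_DISCO)):
        print(name, "->", diagnose(doc), bootstrap_eprs(doc))
```

A result of "none" on the assertion the IdP actually sent matches the symptom in this thread: no EPR is available for zxid_find_epr to find in the session directory.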