
Re: Shibboleth 2 IdP compatibility



Hi Sampo,

   I see that you added shibboleth namespaces in the 0.42 release.  Thanks!

But I'm currently locked into the 0.32 release in my environment (a
production stable integration), so I'm planning to back-port the namespace
support into 0.32.

Is there any easy way to determine what needs patching and what doesn't to
import support for these namespaces?  I did a grep and saw many files
involved.  I was considering a diff of 0.41 to 0.42 as a starting point.

Or perhaps it's a better idea to rebuild my 0.32 distribution with the
Shibboleth *.sg files?  Is this generally as simple as altering the Makefile
to be aware of the new SG files?

Thanks,
Eric

zxid-0.50]$ grep -ril shib *
Changes
Makefile
Manifest
README.zxid
c/zx-elems.c
c/zx-md-aux.c
c/zx-md-dec.c
c/zx-md-enc.c
c/zx-shibmd-aux.c
c/zx-shibmd-dec.c
c/zx-shibmd-enc.c
c/zx-data.h
c/zx-md-getput.c
c/zx-ns.c
c/zx-ns.h
c/zx-ds-data.h
c/zx-md-data.h
c/zx-enc.c
c/zx-shibmd-data.h
c/zx-shibmd-getput.c
c/zx-const.h
csharp/zxid.cs
csharp/zxidPINVOKE.cs
sg/shibboleth-metadata-1.0.sg
sg/saml-schema-metadata-2.0.sg
zx/c/zx-elems.c
zx/c/zx-md-aux.c
zx/c/zx-md-dec.c
zx/c/zx-md-enc.c
zx/c/zx-shibmd-aux.c
zx/c/zx-shibmd-dec.c
zx/c/zx-shibmd-enc.c
zx/c/zx-data.h
zx/c/zx-md-getput.c
zx/c/zx-ns.c
zx/c/zx-ns.h
zx/c/zx-ds-data.h
zx/c/zx-md-data.h
zx/c/zx-enc.c
zx/c/zx-shibmd-data.h
zx/c/zx-shibmd-getput.c
zx/c/zx-const.h
zx/sg/shibboleth-metadata-1.0.sg
zx/sg/saml-schema-metadata-2.0.sg
grep: warning: zx/zx: recursive directory loop

zx/zxid-idp.pd
zx/Makefile
zx/Manifest
zx/zxid-ref.pd
zx/Changes
zx/csharp/zxid.cs
zx/csharp/zxidPINVOKE.cs
zx/zxidjava/zxidjniConstants.java
zx/zxidjava/zxidjniJNI.java
zx/zxidjava/zxid_wrap.c
zx/README.zxid
zxid-idp.pd
zxid-ref.pd
zxidjava/zxidjniConstants.java
zxidjava/zxidjniJNI.java
zxidjava/zxid_wrap.c


On Tue, Oct 13, 2009 at 7:41 AM, <sampo@xxxxxxxxxxx> wrote:

> Unless you already integrated, can you send me the schema and I'll
> integrate it.
>
> Cheers,
> --Sampo
>
> Eric Rybski wrote:
> > Hi,
> >    I'm trying to connect a zxid 0.32-based SP to a Shibboleth 2.1 IdP
> > (https://www.testshib.org).  The metadata
> > (https://idp.testshib.org/idp/shibboleth) for this instance implements
> > namespaces which zxid does not currently support, like
> > "urn:mace:shibboleth:metadata:1.0".
> >
> > I've been following documentation for adding new namespaces:
> >
> >
> > http://www.zxid.org/html/README.zxid-17README_zxid-CreatingNewInterfacesUsingZXIDMethodology.html
> >
> > I'm now at step 2: manual tweaking of SG files.  I'm not sure I'm
> > modifying files correctly, as I don't have clear examples as to how the
> > SG results should look given different XML cases (primarily steps 2.2 and
> > 2.3). It's also unclear whether I need to make any changes specific to
> > step 2.1.
> >
> > For example:
> >    - As per step 2.3, I changed one occurrence of
> > @xml:lang?
> >
> > to:
> > @xml:lang? -> %xs:string  #@xml:lang vs. @lang   ***".
> >
> >    - As per step 2.2, I changed:
> > %SiteGroupType:
> >     shib:OriginSite
> >  |   shib:DestinationSite
> >  |   shib:SiteGroup
> >
> > to:
> > %SiteGroupType:
> >     shib:OriginSite
> >     shib:DestinationSite*
> >     shib:SiteGroup*
> >
> > given XML definition:
> >         <sequence>
> >             <choice maxOccurs="unbounded">
> >                 <element ref="shib:OriginSite"/>
> >                 <element ref="shib:DestinationSite"/>
> >                 <element ref="shib:SiteGroup"/>
> >             </choice>
> >             <element ref="ds:Signature" minOccurs="0"/>
> >         </sequence>
> >
> >
> > Are these accurate modifications?  I've attached copies of the unmodified
> > (no manual tweaks) .sg files I generated, as well as the original XSD
> > files, for reference.
> >
> >    If anyone has more experience building "correct" .sg files, I'd
> > greatly appreciate help getting these SG files updated.  Once correctly
> > modified, perhaps these could also be included in the zxid distribution
> > for out-of-the-box compatibility with Shibboleth 2 identity providers.
> >
> > Note: The archive also includes my modified xsd2sg.pl, as there were a
> > few elements, attributes, and syntax constructs implemented in the
> > Shibboleth XSD files that were not being handled.
> >
> > Regards,
> > Eric
> >
> > [demime 1.01d removed an attachment of type application/zip which had a
> > name of shib_2.2.1_sg.zip]