Test Shibboleth #40
Comments
@lovinscari Needs dependencies added. Needs acceptance criteria. Then move into queued. Do you have any questions or concerns with these next steps?
@SolomonHD to update ticket with what is missing and/or what is expected. Possibly this is something @devanshu-m can help with.
Currently we're getting this error when trying to log in:
I was also getting this error when trying to use the netid urn. Right now the SAML response is encrypted so we can't see exactly what we're getting back from the IDP. I plan on sending another metadata to Gerry with encryption disabled, then I'll be able to get a look at exactly what we're getting from the IDP.
I've submitted another ticket for changing the metadata to an unencrypted state: INC03492530
I've bumped the estimate up on this to a 13 because two people are working on it. @SolomonHD and @devanshu-m will continue working on this ticket for today, and if they can't make progress, we'll open two new tickets (one for installing the shibboleth sp in the avalon docker, and one for switching to the omniauth-shibboleth gem).
After commenting out the uid attribute bit, we could see a better log of the request and omniauth hash. Like we suspected, the urn for uid is missing in the saml response. We do get a provider back which is set correctly to saml, but the uid we get back is a long string which is difficult to decrypt. POA is to see if we can get Gerry to talk to us and show him the logged response we are getting back and if he can guide us in the right direction. It is likely that the response we get from saml/shib is the issue, but I could be wrong and the issue might be in the request that the app is sending.
New ticket with Gerry to look into issues with the response we are getting and missing attributes: INC03494888
@SolomonHD informed me that Gerry is now releasing the attrs correctly, and I can finally see those attrs in the log. Needs a little more tweaking before we can successfully log in. Working on that now.
We were able to log in, but we're still having issues with the IsMemberOf attribute. We are only getting one value of this array back. It's due to a setting in ruby saml that by default only returns the first element of an array. Will work on Monday to get the whole array.
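The first-element-only behaviour described in the comment above, as an added stand-alone example that is not part of the thread or the project's code: it parses a constructed AttributeStatement with REXML and compares a single-value accessor with a multi-value one in a group check. The attribute names, group names and helper functions are assumptions made for illustration; in ruby-saml itself the full list is available through `response.attributes.multi(name)` or by setting `OneLogin::RubySaml::Attributes.single_value_compatibility = false`.

```ruby
require 'rexml/document'

# Constructed sample: the AttributeStatement of a decrypted SAML assertion.
# Attribute names and group names are invented for this example.
SAMPLE_ASSERTION = <<~XML
  <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute Name="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="isMemberOf">
      <saml:AttributeValue>avalon-users</saml:AttributeValue>
      <saml:AttributeValue>avalon-collection-managers</saml:AttributeValue>
      <saml:AttributeValue>avalon-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
XML

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Collect every AttributeValue under each Attribute, keyed by Name.
def parse_attributes(xml)
  doc = REXML::Document.new(xml)
  attrs = Hash.new { |hash, key| hash[key] = [] }
  REXML::XPath.each(doc, '//saml:Attribute', SAML_NS) do |attr|
    name = attr.attributes['Name']
    REXML::XPath.each(attr, 'saml:AttributeValue', SAML_NS) do |value|
      attrs[name] << value.text.to_s.strip
    end
  end
  attrs
end

# Single-value view: what a first-element-only accessor hands the app.
def single_value(attrs, name)
  attrs.fetch(name, []).first
end

# Multi-value view: the full list the IdP released.
def multi_value(attrs, name)
  attrs.fetch(name, [])
end

# Group check that accepts either a String or an Array of groups.
def member_of?(groups, wanted)
  Array(groups).include?(wanted)
end

attrs = parse_attributes(SAMPLE_ASSERTION)
puts "single: #{member_of?(single_value(attrs, 'isMemberOf'), 'avalon-admins')}"
puts "multi:  #{member_of?(multi_value(attrs, 'isMemberOf'), 'avalon-admins')}"
```

With the single-value view the user is matched against only the first group the IdP listed, so any role mapped from a later group is silently lost.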
Alex tested his login which was successful. We need to work on better error handling at some point after user groups ticket is done.
NOTE: per the standup 11/19/2020 it seems that we should use LDAP groups as an approach for the future. Also OmniAuth SAML is not recommended because OmniAuth Shibboleth is a more specific solution that exists.
No description provided.