Author: primaryt

Shibboleth Cert miss-match with UK Federation

Posted on by primaryt


I’m wasn’t sure how this happened but this error appeared in my SP:

2009-11-02 15:39:30 ERROR OpenSSL [3]: path validation failure: self signed certificate
2009-11-02 15:39:30 ERROR XMLTooling.SOAPTransport.CURL [3]: supplied TrustEngine failed to validate SSL/TLS server certificate
2009-11-02 15:39:30 ERROR Shibboleth.AttributeResolver.Query [3]: exception during SAML query to xxxxx AttributeQuery: CURLSOAPTransport failed while contacting SOAP endpoint (xxxx): SSL certificate problem, verify that the CA cert is OK. Details:
2009-11-02 15:39:30 ERROR Shibboleth.AttributeResolver.Query [3]: unable to obtain a SAML response from attribute authority
Note: I replaced my IDP paths with xxxx for the purpose of this post.
I got in touch with the UK Federation asking if they could shed any light on the problem.
It turns out that this was due to my IDP information not being correct at the metadata end. I notified the UK Federation and they updated my record and republished their metadata and it started working again 🙂
Thanks to Sara for helping out with this.
Note: was the value that wasn’t changed at federation level.

Jaldi Jaldi – Mumtaz fast food – Curry on the go review

Posted on by primaryt


Random piece of information: Jaldi translated to English = Soon
Jaldi Jaldi is Mumtaz‘ latest brain child. After Mumtaz‘ success in the supermarket chains and their huge revenue growth the Mumtaz chain have made a brave decision to weather to current social climate.
The branding is very well done.

Mumtaz is not the most popular curry house in Bradford,
the curry house serves mostly visitors to the City with local people tending to opt for less commercial curry houses such as the Sweet Centre or Akbars.

The Starters were too hot & Curry was too cold. The chicken curry was not thoroughly reheated.
Should chicken be reheated? Subway do it.. Short answer is yes.

Has this devalued the Mumtaz brand?
The curry tasted fine but it was disappointing that you couldn’t get a chipatti or roti version and that rice was compulsory.

You would struggle to actually eat it “on the go” in the same way you could a sandwich or burger and the cardboard container absorbed quite a lot of the grease and moisture leaving a rather unpleasant appearance.

Jaldi Jaldi is a great idea, and the concept is fantastic, the execution is lacking a bit of refinement. The prices were too high and at some point laughable especially by the majority of the Asian community in Bradford who are used to much better value for money when purchasing curry.

The staff at the Bradford Forster Square shop were very polite and helpful. The whole experience was very easy and hastle free. I think that Jaldi Jaldi will do a good job catering for local shoppers and workers in the Forster Square area.
Would I take a friend to Jaldi Jaldi to eat?

Nah, Bradford has far too many good curry houses to rush a good curry. Curry as fast food to me and my friends is not a popular concept. Why would you want to rush something so beautiful and pleasant?

Shibboleth WAYFless URLs UKFederation

Posted on by primaryt

Shibboleth is a single sign on method used by UK schools.
Shibboleth allows you to log into multiple services without the need to enter your username and password.

Shibboleth WAYFLess URLS is a
knowledge requirement for Shibboleth Service Providers and users. A shibboleth user may use a service frequently and want to skip the Identity provider selection page, a wayfless URL does exactly this.

Example



Copy and paste the above and replace %20 with ?

Another example

What bit do I need to change to configure my service to Primary Logon?
https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf?target=cookie
&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk
&cache=perm&action=selection
&origin=https://idp.primarylogon.co.uk/idp/shibboleth
&shire=https://target.iay.org.uk/Shibboleth.sso/SAML/POST
The bits in bold need changing.

Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

Posted on by primaryt
Part 4. Testing (2 hours)

Shibboleth can be started using /sbin/service shibd start
Another option is to use: service shibd restart
If the above doesn’t work try /usr/sbin/shibd -f

If you are going to use different commands to start shibd ensure that multiple copies are not running by doing ps aux | grep shibd

If you see shibd -f & /usr/sbin/shibd….. then you need to kill them and start one. I recommend using service shibd start.

Log files will be in: /var/log/shibboleth/

Check the shibd.log file for errors using this command: cat /var/log/shibboleth/shibd.log | grep ERROR
Your resource URL is https://shib.yourdomain.com/secure
Try browse to it.
If you get nothing then Apache hasn’t started properly, check the apache logs.
You should get something that starts with the shibboleth logo OR a WAYF login screen.
If you get the WAYF screen the things are going great, if you get the Shibboleth error message then we need to make some more configuration changes. See your logs and continue reading.
If you get “Cannot connect to shibd process, a site adminstrator should be notified.”
then your SELINUX restrictions have kicked in. Check by doing
cat /var/log/audit/audit.log | grep shib

More info on SELinux can be found here or by using the sestatus command:

A good output should look like this:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

The fix for the SELinux problem is documented on Page 1 however I recommend being a bit more brutal if your environment is hyper fussy about security.

Once you have a working setup you can browse to http://shib.yourdomain.com/Shibboleth.sso/Metadata to get your automatically generated Metadata and proceed with the UK Federation registration process.
When you speak to the UK Federation to approve your registration you will be asked to run this command from /etc/shibboleth
openssl x509 -sha1 -in sp.crt -noout -fingerprint

You will be asked to provide them with the fingerprint so keep a record of this.
Griffin goes “meow”.