lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2017-11-08T16:01:45Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2
[SAML] Attribute authority
2017-11-08T16:01:45Z
Clément OUDOT
LemonLDAP::NG IDP will also be an SAML2 attribute authority.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3
[SAML] Attribute authority declaration in metadata
2017-11-08T16:01:43Z
Clément OUDOT
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/13
Check that authLogout is well managed in AuthMulti
2017-11-08T11:36:24Z
Clément OUDOT
The logout process calls the authLogout method of the authentication module. We should test how this works with AuthMulti.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/14
Use CSS framework for templates
2017-11-08T11:36:24Z
Clément OUDOT
For example YAML : http://www.yaml.de/en/home.html
1.4.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/16
Use parameterized statements in DBI to prevent SQL injection
2017-11-08T16:02:10Z
Clément OUDOT
More info here:
http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/18
[SAML] Common domain cookie support
2017-11-08T16:02:05Z
Clément OUDOT
This should be implemented for 1.0 because it is required for IDP Lite SAML2 conformance
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/19
Select authentication module on authentication portal
2017-11-08T16:02:00Z
Clément OUDOT
We should be able to propose multiple authentication schemes so the user can choose how to log in.
For example, we should let the user choose between OpenID, SAML or a local authentication.
We can try to map each authentication scheme to a URI:
* http://auth.example.com/openid
* http://auth.example.com/saml
* http://auth.example.com/ldap
Depending on the URI, the portal will choose its auth module. If there is no auth module in the URI, it will propose the known authentication methods.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/21
Special characters from SAML attribute statement are not well encoded
2017-11-08T16:01:40Z
Clément OUDOT
SAML attributes are not automatically encoded in UTF-8. We should maybe check this before registering them into the session.
This can be tested by using AuthSAML with an IDP sending attribute values containing accents.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/25
Provide authorized applications through SOAP
2017-11-08T16:02:05Z
Clément OUDOT
I want to be able to query the portal by SOAP, in order to get all authorized applications. This SOAP call can then be run from a portlet, to be included in Liferay for example.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/26
Auto-register page
2017-11-08T16:03:52Z
Clément OUDOT
We can provide a page to allow a new user to register and then get access to the portal.
* Create a register form
* Store the user info in a temporary session
* Send a confirmation link to the user
* Create user in userDB after confirmation
1.4.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/27
OpenID provider
2017-11-08T11:36:31Z
Clément OUDOT
Module IssuerDBOpenID.pm
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/28
Read user information from OpenID provider
2017-11-08T16:02:00Z
Clément OUDOT
This should be implemented in UserDBOpenID.pm
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/29
Improve application menu configuration
2017-11-08T16:02:02Z
Clément OUDOT
The application list in the menu is not very easy to configure (it's a big hash in lemonldap-ng.ini).
We have to discuss how to manage the application list in our next stable version. It seems it's maybe not a good practice to pass HTML code to templates. We should rather have methods that return all authorized applications for a category.
We maybe have to simplify how the application list can be built. For example, maybe we should only accept 1 or 2 levels of category. Same idea: is it mandatory to have applications under applications? If we restrict this, it could then be easier to configure from a graphical point of view.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/30
[SAML] Unit tests
2017-11-08T11:36:31Z
Clément OUDOT
We should provide unit tests (*.t) for SAML modules
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/31
[SAML] Proxy IDP
2017-11-08T16:01:52Z
Clément OUDOT
We can configure LemonLDAP::NG as SP and IdP. We have to work on some functionalities to be fully proxy IDP compliant:
* Reuse authnStatement from SP in IDP
* Check proxyCount and other proxy conditions
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/32
[SAML] Manage Artifact methods for SAML messages emission in SP
2017-11-08T16:01:51Z
Clément OUDOT
The SP knows how to handle an artifact in a received SAML message, but does not know how to send its messages through artifact methods.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/33
[SAML] Check "Destination" attribute
2017-11-08T11:36:31Z
Clément OUDOT
SAML messages can carry a "Destination" attribute. We should check that its value is the authentication portal URL.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/35
[SAML] Manage SLO through SOAP
2017-11-08T15:56:41Z
Clément OUDOT
The idea is to use images that will call a script on the portal. This script will manage SLO SOAP request and catch the response.
We should use a special SLO cookie, so that the script is aware of which user is asking for SLO. This can't be the main WebSSO cookie because it is already destroyed at this stage (local logout already occurred).
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/36
[SAML] Check dates and other conditions in SLO requests
2017-11-08T16:01:50Z
Clément OUDOT
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/37
[SAML] Proxy restriction should include all known IDP, and not only target IDP
2017-11-08T11:36:31Z
Clément OUDOT
In AuthSAML, we can allow or not authn statements that were proxied. For now, we just test that it was not proxied, but we should allow proxying for all known IDPs (in our circle of trust), and just refuse it from unknown IDPs.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/40
[SAML] Dedicated portal error codes for SAML errors
2017-11-08T16:01:52Z
Clément OUDOT
For now, SAML errors are only reported in the Apache error log. The user only sees "Error". For some specific SAML errors, we should give more information to the final user.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/42
[SAML][SP] Attributes sent through IDP-initiated SSO are not registered into session
2017-11-08T11:36:31Z
Clément OUDOT
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/44
[SAML][SP] IDP list when unknown IDP in IDP cookie
2017-11-08T11:36:31Z
Clément OUDOT
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/46
[logout] verify referer into logout process
2017-11-08T15:56:39Z
Thomas Chemineau
When the handler intercepts a logout URL (which is written directly by hand in a web browser), the handler redirects it to the portal.
The URL is of the form "http://auth.example.com/url=base64(url)".
There is no Referer header in the HTTP request when the user goes to the portal. An error is produced: "Bad URL".
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/97
Add configuration parameters for private keys passwords
2017-11-10T06:04:24Z
Clément OUDOT
We should be able to set private key password in SAML configuration
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/98
Add option to disable SAML conditions checks
2017-11-10T06:04:24Z
Clément OUDOT
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/102
IssuerDB contextual selection
2017-11-10T06:04:24Z
Clément OUDOT
We have to modify the way we use IssuerDB: for now, only one IssuerDB can be active.
The idea would be to have a regexp on URL that will activate the IssuerDB module. For example /saml/ for IssuerDBSAML.
In Manager, we can display all IssuerDB modules, with these options:
* activation
* URL regexp
* rule (to deny some users for example)
The only function to manage differently is issuerLogout, because all backends should be disconnected.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1330
Menu rules for applications using SAML/CAS/OIDC
2018-03-14T10:28:03Z
Yadd
Many applications use a federation protocol instead of a handler. This issue will provide the capability to manage application visibility using service-provider rules.
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/707
Kerberos authentication module
2017-11-16T14:51:58Z
Clément OUDOT
We have a lot of problems with mod_auth_kerb and Multi. I think the best solution would be to code an AuthKerberos module. It would be easier to manage Kerberos inside LL::NG with it.
Of course, this requires a lot of work and a good understanding of the Kerberos protocol.
Some pointers:
* http://t.chemineau.me/blog/2007/07/02/presentation-du-protocole-kerberos?utm_content=buffer8f1aa&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
* http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
* http://web.mit.edu/kerberos/dialogue.html
1.9.14
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1308
make saml work with POST sso binding and multiple authentication
2017-11-17T17:15:39Z
dcoutadeur dcoutadeur
This issue is in the same context as:
https://jira.ow2.org/browse/#1304
The aim is to make SAML SSO work with POST binding and an IdP configured with Multiple authentication involving Kerberos.
The main problem is that the redirection script (called by an ErrorDocument) does not get the POST values.
1.9.14
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1328
Value 0 can not be set in hidden field
2017-11-16T14:51:59Z
Clément OUDOT
When using method setHiddenFormValue in Portal/Simple.pm, value 0 can never be set in a hidden field because of:
```perl
# Store value
if ($val) {
```
We need instead:
```perl
# Store value
if (defined $val) {
```
1.9.14
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1329
No need to 'warn' if no IDP or SP is present in configuration
2017-11-16T14:51:59Z
Clément OUDOT
When using SAML, we have a warning if no IDP or SP is present in configuration, which is normal if we configure LL::NG only as SAML SP or SAML IDP. This log message should only be here for debug.
1.9.14
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/47
[SAML] RequestedAuthnContext should always be translated into authenticationLevel
2017-11-28T17:47:22Z
Clément OUDOT
As SP, when we request an authentication context, we verify that the IDP has used this context. But it can have used another, stronger one. In this case, we should not raise an error.
We should always associate a SAML authnContext to an authenticationLevel, and translate them back. We will never raise an error, but this authenticationLevel can then be used in rules.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/49
[SAML][IDP] Manage encrypted NameID
2017-11-28T17:47:23Z
Clément OUDOT
Encrypted NameID should be set in Lasso::Provider (so it will be read from an option). Then all NameID for this provider will be encrypted.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/50
[SAML][SP] OneTimeUse flag should not reduce session duration
2017-11-28T17:47:23Z
Clément OUDOT
OneTimeUse flag was not used correctly. We should only trust SessionNotOnOrAfter for session duration calculation. Our SP will behave the same with or without OneTimeUse flag.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/51
[SAML][IDP] SAML sessionIndex value should be an encrypted value of LL::NG session_id
2017-11-28T17:47:23Z
Clément OUDOT
SAML sessionIndex should carry the real session_id (but encrypted). This will next be used in SLO to destroy the correct LL::NG session.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/52
IssuerDB activation rule
2017-11-28T17:47:23Z
Clément OUDOT
We should have an IssuerDB rule that will be checked before the IssuerDB sends the authn response.
This is needed to serve authn response only for specific users (like those locally authenticated for example).
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/53
[SAML][IDP] sendLogoutResponseAfterLogoutRequest method does not exist
2017-11-28T17:47:23Z
Clément OUDOT
This method is called in IssuerDBSAML, in issuerForUnAuthUser.
It is not defined anywhere.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/56
[SAML][IDP] SLO through HTTP-POST
2017-11-28T17:47:23Z
Clément OUDOT
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/58
Catch ENV variables to fill session for all UserDB modules
2017-11-28T17:47:23Z
Clément OUDOT
We have a special trick in UserDBLDAP:
```perl
# Special code to catch env var
if ( my $tmp = $ENV{$_} ) {
    $tmp =~ s/[\r\n]/ /gs;
    $self->{sessionInfo}->{$_} = $tmp;
}
else {
    $self->{sessionInfo}->{$_} =
      $self->{ldap}
      ->getLdapValue( $self->{entry}, $self->{exportedVars}->{$_} )
      || "";
}
```
This should be available for all UserDB modules. So I propose to put the code in Portal/Simple.pm in setSessionInfo. Then UserDbEnv will not be useful anymore, UserDBNull will be ok!
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/61
FastCGI portal
2017-11-28T17:47:23Z
Yadd
Using mod_perl under mpm-worker (multi-thread) can cause problems with XML libs (notifications,...). I propose to build another portal using the FastCGI interface. It could be reused to build a PerlResponseHandler portal
1.3.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/62
[SAML] samldate2timestamp is not returning correct timestamp
2017-11-28T17:47:23Z
Clément OUDOT
Indeed, mktime just assumes our date is localtime, not gmtime. So I will use Time::Local to do this.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/64
SLO error with simpleSAMLphp
2017-11-28T17:47:23Z
Clément OUDOT
A SLO request from simpleSAMLphp gives this error:
```
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: URL http://auth.example.com/saml/singleLogout detected as an SLO URL
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SAML method: HTTP-REDIRECT
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: HTTP-REDIRECT: SAML Request RelayState=_25b896281fcede6c1b7352761cab6b4be1b0ab4cf8;Signature=iQLYh7Oza796e7PxAZjmHnRt2N0LIxYzS8ZcAwj0ebs75LptPmOZ7oR%2BUDhM%2Fl0St5HHMfXQ6tkWDbnPoytXAoIdZrXEOMQZAW%2B88noCV%2Fgipir6LtwVbWxHcTny5LjqczfSL32Clh5I%2FwcmKqNKKiS75DtY4h%2BoPodSNO3gSrA%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1;SAMLRequest=fZJtT9swFIX%2FSuSvqI3dlyzx2midyrZowEbLkOALMrGTevJL5muL0l%2BPm3QSIG3frGM%2F55575AUwrTp6YVsb%2FEb8CQJ8stfKAO1vlig4Qy0DCdQwLYD6mm5Xlxd0Msa0c9bb2ir0Cvk%2FwQCE89IalFTrJXrICjbL82KezaZzMmkIb%2Bq6mWePmJMPj0XGc55jMisKzFFyKxxEcomiUcQBgqgMeGZ8lDDBIzwfkeKGTCnJ6QTfo2Qdt5GG%2BZ7aed%2FRNGXB78Ziz3SnxLi2Oj2GTkGaVomhBlQujhrtJ7jyxIE8En0pu%2B6NgbY8xGOUT15dqoVnnHnWi1w0LCg%2Fgm6RvjYeplzFjqp18sU6zfy%2FyyNj0iuSj5r%2BKRWaSbXi3AkAVNY2cOs%2Fqbhuax07BvuYvBeta08RhqlDhI5uo0XsqDJc7EvTVnX1fHN2xlebYmXvbt3XKQ4%2FzLaSnw%2BTX%2FfmNzzn5z%2Fra9l80%2FrJnq%2Fxvjkc1PenzfWuYNkw4Z3pX%2FHNRytfAA%3D%3D
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso Session loaded
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso Identity loaded
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SLO: Logout request is valid
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Found entityID http://simplesamlphp.example.com/module.php/saml/sp/metadata.php/default-sp in SAML message
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: http://simplesamlphp.example.com/module.php/saml/sp/metadata.php/default-sp match SimpleSAMLPHP SP in configuration
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: No logout request found, build it
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error [ warning ]: 2010-05-19 15:18:23\tEncoded a RelayState of more than 80 bytes, see #3.4.3 of saml-bindings-2.0-os
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Send HTTP-REDIRECT logout request to http://wcs.example.com/saml/metadata
[Wed May 19 15:18:23 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Set _25b896281fcede6c1b7352761cab6b4be1b0ab4cf8 in RelayState
[Wed May 19 15:18:23 2010] [error] Can't call method "SessionIndex" on an undefined value at /usr/local/share/perl/5.10.1/Lemonldap/NG/Portal/IssuerDBSAML.pm line 855.\n
```
We have to eval the code calling SessionIndex.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/66
[SAML][IDP] Options to check message signatures
2017-11-28T17:47:23Z
Clément OUDOT
We should use options to check (or not) message signatures in the IDP, as we do in the SP.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/67
[SAML][IDP] Map NameID Format to local session keys
2017-11-28T17:47:23Z
Clément OUDOT
We should be able to configure which session key corresponds to a SAML NameID Format for the IDP.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/68
Failed to load signing key for http://urlIDP/saml/metadata
2017-11-28T17:47:23Z
Romain GUIGNARD
I have configured two lemonldap. The first as an Identity Provider and the second as a Service Provider.
I have imported the metadata of the identity provider in the service provider. When I try to go to the application test1 for example, I always have this error in the service provider log.
"Failed to load signing public key for http://auth.test.lemonldap/saml/metadata"
In attachment :
1) Log_Apache_SP
2) Metadata-IDP
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/70
Do not throw error if no SP or no IDP configured
2017-11-28T17:47:23Z
Clément OUDOT
We cannot run the portal if SAML is set as authentication or issuerDB and no IDP or SP was added. This should not prevent the portal from running.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/72
[SAML] UTF-8 encoded attributes are reencoded
2017-11-28T17:47:23Z
Clément OUDOT
I have a LL::NG as SP and another as IDP. The IDP sends a UTF-8 encoded attribute to the SP, and the SP re-encodes it, so the value in the SP is bad: Clément OUDOT
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/73
[SAML] Initial URL is not kept when IDP is chosen in AuthSAML
2017-11-28T17:47:31Z
Clément OUDOT
When we are redirected to a SAML portal from the handler, the url parameter is lost when choosing the IDP, and is not set in the RelayState.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/74
[error] Unable to open relaystate session
2017-11-28T17:47:31Z
Clément OUDOT
I use 2 LL::NG: one as SP, the other as IDP.
When a RelayState is passed from SP to IDP, and then comes back, I have this error in the SP error log:
{quote}
[Fri May 28 11:28:14 2010] [error] Unable to open relaystate session: Invalid session ID: 4ab77597b391473a3525a95a534b6589;Signature=vHAs5C3NEQHdK4tmI9kCT5kmZHTuEosLjGQSe4DhltoylWOyG/hHXYsVSe0aJfZDrjkkC4C5VdlE2W2ypN5UGA==;SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1;SAMLRequest=fZJLb8IwEIT/SuQ7SQgBGiuJlJBWQuqDlqqHXiorLGDJj9TeUPrvawdVhUO5jvfbnRk5t0yKjlY97tULfPZgMThKoSwdHgrSG0U1s9xSxSRYii1dVw/3NAlj2hmNutWCnCHXCWYtGORakWDZFOQjrW/n2WKRVFVWJbNJVU3qZFrHk/G0mad1nJHgDYx18wVxuIOs7WGpLDKFTorH8SiejpKb1zijyYym6TsJGpeBK4YDtUfsaBQxly88yCQUILXyPkPhZnbasLDVMvJKZLnaCVjznXpy/u60aWHopSBbJiz46ysXgB/gVylzD9LBlSnPb8GRyU7A33IJyDYMWR6dI/mp/kdX1LJZacHbb39YMrzeo1f4ZrQdRmnnO7IICkmwXvllzz0TfMvBXDbwrysSVELor4UBhi4dmh5IVJ68Xv6O8gc= at /usr/share/perl5/Apache/Session/Generate/MD5.pm line 40.\n
{quote}
The RelayState parameter is obtained with $self->param('RelayState') on the SP side. This works well with other IDPs, so I think the problem should come from the IDP part.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/75
SSO HTTP-POST profile not declared in IDP metadata
2017-11-28T17:47:31Z
Clément OUDOT
We should be able to use the SSO POST profile on the IDP, and this is not allowed because it is not shown in the metadata:
{quote}
[Fri May 28 11:42:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Use method 3 with IDP lemonldapng for SSO profile
[Fri May 28 11:42:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error code -409: Unsupported protocol profile
[Fri May 28 11:42:02 2010] [error] Could not initiate authentication request on http://auth.vm2.lemonsaml.linagora.com/saml/metadata
[Fri May 28 11:42:02 2010] [error] Could not create authentication request on lemonldapng
{quote}
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/76
[SAML] SOAP SLO denied on IDP
2017-11-28T17:47:31Z
Clément OUDOT
When sending an SLO Request from SP to IDP using SOAP:
{quote}
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: URL http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP detected as an SLO URL
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SAML method: HTTP-SOAP
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: HTTP-SOAP: SAML Request <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutRequest ID="_3A43E6DC4747B114B1A4F29E7388B851" Version="2.0" IssueInstant="2010-05-28T12:59:33Z" Destination="http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP"><saml:Issuer>http://auth.vm1.lemonsaml.linagora.com/saml/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\n<SignedInfo>\n<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>\n<Reference URI="#_3A43E6DC4747B114B1A4F29E7388B851">\n<Transforms>\n<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\n<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n</Transforms>\n<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\n<DigestValue>7ImBQ6AqbRnYErKHx8iJclsTxrg=</DigestValue>\n</Reference>\n</SignedInfo>\n<SignatureValue>Rwh7Y5at66rbx0rzmm3p3x27eFH7Zs8sfupif15RgpwPDr11F8kQamhhU37NjoH8\nT/nqmAnpg6Vb6FyD0kBQ3Q==</SignatureValue>\n</Signature><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="http://auth.vm2.lemonsaml.linagora.com/saml/metadata" SPNameQualifier="http://auth.vm1.lemonsaml.linagora.com/saml/metadata">_DB52CAE945DE9E1736D67A1958928E10</saml:NameID><samlp:SessionIndex>zf9SIllOvEaMXvRqYDZuKkwI8kM50lagPAXxjZAQOFjAsnaU2PXu/nn8TNi9N9h/</samlp:SessionIndex></samlp:LogoutRequest></s:Body></s:Envelope>
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SLO: Logout request is valid
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Found entityID http://auth.vm1.lemonsaml.linagora.com/saml/metadata in SAML message
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: http://auth.vm1.lemonsaml.linagora.com/saml/metadata match lemonldapng SP in configuration
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Signature is valid
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Destination http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP found in SAML message
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Destination match URL http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SOAP response <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutResponse ID="_CCA6680BA2797FCC06A03EF5BB31F4C8" InResponseTo="_3A43E6DC4747B114B1A4F29E7388B851" Version="2.0" IssueInstant="2010-05-28T12:59:33Z"><saml:Issuer>http://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\n<SignedInfo>\n<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>\n<Reference URI="#_CCA6680BA2797FCC06A03EF5BB31F4C8">\n<Transforms>\n<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\n<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n</Transforms>\n<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\n<DigestValue>w8JJ5aivST95HyUYDqgSrsUhr8U=</DigestValue>\n</Reference>\n</SignedInfo>\n<SignatureValue>h4vQZCx22lvWbgyYtiTTa0+Okqa3qmmttsP7NUtEO2dipFtTGVg2r5PbKnzTjUDY\npRY70rqKouSVv2ETJLUD/oCQNWcOhOfaO7LORVKUGe68v+sfC08Zu2S43IrwQ1ed\nNd9ss71gvgxkuiir5PY7NNo6oFQuI53m94vAWLgcKog=</SignatureValue>\n</Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:LogoutResponse></s:Body></s:Envelope>
[Fri May 28 14:59:33 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: processing to sub returnSOAPMessage
{quote}
We have a bad status code:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/77
Error when no SessionNotOnOrAfter value in authn statement
2017-11-28T17:47:31Z
Clément OUDOT
Error when no SessionNotOnOrAfter value in authn statement
After today's Lasso update, I had this error:
{quote}
[Mon May 31 15:17:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: processing to sub setAuthSessionInfo
[Mon May 31 15:17:02 2010] [error] Month '-1' out of range 0..11 at /usr/local/share/perl/5.10.1/Lemonldap/NG/Portal/_SAML.pm line 1969\n
{quote}
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/78
Request Denied on SOAP SLO request on IDP
2017-11-28T17:47:32Z
Clément OUDOT
Request Denied on SOAP SLO request on IDP
When the SP does a SOAP SLO request on the IDP, I have this debug trace:
SP side:
{quote}
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Use method SOAP with IDP lemonldapng-vm2 for SLO profile
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Set 7b3dba313cd02d3e1ce02955774a59a5 in RelayState
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Logout request created
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Keep request ID _9C33E765434194C44E4D3187D5019E9B in assertion session adbad1925ba4ad4133e020aa60a3919e
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Send SOAP message <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutRequest ID="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" IssueInstant="2010-05-31T14:28:37Z" Destination="http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP"><saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\n<SignedInfo>\n<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>\n<Reference URI="#_9C33E765434194C44E4D3187D5019E9B">\n<Transforms>\n<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\n<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n</Transforms>\n<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\n<DigestValue>n8YveIW+A6qRSrUTp5zS9joVCDs=</DigestValue>\n</Reference>\n</SignedInfo>\n<SignatureValue>suV+p6x6PfIolKlyEvzhWdkT8me4fqXA8nNGOlBT0aYf4wKk5cI9L2i768/AXEOg\nGL38rQwqnFeQq6/xal2wEg==</SignatureValue>\n</Signature><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">coudot@linagora.com</saml:NameID><samlp:SessionIndex>f5+Ke/5WbO1QKLlbTDdL9o41vrt6jZ/Gs6v+WAuJt9VjuIc3U79JqPGFgRlppaK8</samlp:SessionIndex></samlp:LogoutRequest></s:Body></s:Envelope> to http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Get response <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutResponse ID="_FC7174C22CE3E06365A8A41C918B1830" InResponseTo="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" IssueInstant="2010-05-31T14:28:35Z"><saml:Issuer>http://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\n<SignedInfo>\n<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>\n<Reference URI="#_FC7174C22CE3E06365A8A41C918B1830">\n<Transforms>\n<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\n<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n</Transforms>\n<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\n<DigestValue>m2xwXkyGR2iMIg0FW6xupbfzmVA=</DigestValue>\n</Reference>\n</SignedInfo>\n<SignatureValue>bWrwGnVIYPz69AhUge6LvNwPw0PhfxbWEpJ/xc0CAwdTclX/KkPDewaRVB+DkHtk\njX1qcqz9NCTxZuQ06LATpQ9pDkmrjXCS9/6DkNHXeCiwlfabowUKuzxdrFdIVCTE\na6xDOvi9lqEBT0vviZS5CejjsuzyRoSIq/DM+gYfE+8=</SignatureValue>\n</Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:LogoutResponse></s:Body></s:Envelope>
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error code 302: Request denied by identity provider
[Mon May 31 16:28:37 2010] [error] Fail to process logout response
{quote}
IDP side:
{quote}
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: URL http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP detected as an SLO URL
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SAML method: HTTP-SOAP
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: HTTP-SOAP: SAML Request <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutRequest ID="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" IssueInstant="2010-05-31T14:28:37Z" Destination="http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP"><saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\n<SignedInfo>\n<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>\n<Reference URI="#_9C33E765434194C44E4D3187D5019E9B">\n<Transforms>\n<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\n<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n</Transforms>\n<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\n<DigestValue>n8YveIW+A6qRSrUTp5zS9joVCDs=</DigestValue>\n</Reference>\n</SignedInfo>\n<SignatureValue>suV+p6x6PfIolKlyEvzhWdkT8me4fqXA8nNGOlBT0aYf4wKk5cI9L2i768/AXEOg\nGL38rQwqnFeQq6/xal2wEg==</SignatureValue>\n</Signature><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">coudot@linagora.com</saml:NameID><samlp:SessionIndex>f5+Ke/5WbO1QKLlbTDdL9o41vrt6jZ/Gs6v+WAuJt9VjuIc3U79JqPGFgRlppaK8</samlp:SessionIndex></samlp:LogoutRequest></s:Body></s:Envelope>
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SLO: Logout request is valid
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Found entityID http://auth.example.com/saml/metadata in SAML message
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: http://auth.example.com/saml/metadata match coudot SP in configuration
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Signature is valid
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Destination http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP found in SAML message
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Destination match URL http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SOAP response <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutResponse ID="_FC7174C22CE3E06365A8A41C918B1830" InResponseTo="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" IssueInstant="2010-05-31T14:28:35Z"><saml:Issuer>http://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\n<SignedInfo>\n<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>\n<Reference URI="#_FC7174C22CE3E06365A8A41C918B1830">\n<Transforms>\n<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\n<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n</Transforms>\n<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\n<DigestValue>m2xwXkyGR2iMIg0FW6xupbfzmVA=</DigestValue>\n</Reference>\n</SignedInfo>\n<SignatureValue>bWrwGnVIYPz69AhUge6LvNwPw0PhfxbWEpJ/xc0CAwdTclX/KkPDewaRVB+DkHtk\njX1qcqz9NCTxZuQ06LATpQ9pDkmrjXCS9/6DkNHXeCiwlfabowUKuzxdrFdIVCTE\na6xDOvi9lqEBT0vviZS5CejjsuzyRoSIq/DM+gYfE+8=</SignatureValue>\n</Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:LogoutResponse></s:Body></s:Envelope>
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: processing to sub returnSOAPMessage
{quote}
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/79
Mandatory attributes are not requested
2017-11-28T17:47:32Z
Clément OUDOT
Mandatory attributes are not requested
Mandatory attributes are not requested. This is because $idp was not replaced by $idpConfKey in UserDBSAML.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/80
POST fields should be hidden
2017-11-28T17:47:32Z
Clément OUDOT
POST fields should be hidden
In SAML, when we use POST bindings, we see POST fields. We should mask them, and maybe set an information message for the user (information is in transfer...)
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/81
SessionNotOnOrAfter should be set explicitly
2017-11-28T17:47:32Z
Clément OUDOT
SessionNotOnOrAfter should be set explicitly
As said in this mail: http://lists.labs.libre-entreprise.org/pipermail/lasso-devel/2010-May/002765.html
SessionNotOnOrAfter is no longer set by default, so we should set it explicitly.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/83
Set NameID in attribute request
2017-11-28T17:47:32Z
Clément OUDOT
Set NameID in attribute request
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/84
Check format and friendly name of requested attribute
2017-11-28T17:47:32Z
Clément OUDOT
Check format and friendly name of requested attribute
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/85
Check requested attribute values
2017-11-28T17:47:32Z
Clément OUDOT
Check requested attribute values
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/86
Do not parse metadata on each authentication
2017-11-28T17:47:32Z
Clément OUDOT
Do not parse metadata on each authentication
We should not parse metadata (service and partners) on each authentication, because it will slow down the process. We have to add a caching method to keep the Lasso::Server object.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/88
Better signature management
2017-11-28T17:47:32Z
Clément OUDOT
Better signature management
SAML message signatures are managed in two places:
* In service metadata, the SP and IDP parts can require AuthnRequests to be signed, or not (see the WantAuthnRequestSigned parameter)
* In IDP and SP nodes, we have options to check the signature or not
We have to check all combinations of these parameters.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/89
Security keys in service metadata
2017-11-28T17:47:32Z
Clément OUDOT
Security keys in service metadata
We use one public key for the SP and another for the IDP, but they are linked to the same private key.
We should only manage one public key (or certificate) and use it everywhere.
We can also use one key for signing, and another for encryption.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/91
SOAP configuration parameter is not needed in SAML
2017-11-28T17:47:32Z
Clément OUDOT
SOAP configuration parameter is not needed in SAML
Indeed, we do not use LL::NG SOAP services to manage SAML SOAP messages.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/92
Cannot change password from menu
2017-11-28T17:47:32Z
Clément OUDOT
Cannot change password from menu
When changing the password from the menu, we have this error:
{quote}
[Tue Jun 08 12:27:11 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: processing to sub authenticate
[Tue Jun 08 12:27:11 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: processing to sub userError
[Tue Jun 08 12:27:11 2010] [warn] Lemonldap::NG : Bad password for coudot (127.0.0.1)
{quote}
We should not run the authenticate process step when changing password.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/93
LDAP connection error on high load
2017-11-28T17:47:32Z
Clément OUDOT
LDAP connection error on high load
When we have a high load on LDAP, connections can be closed, but this is not well handled on our side:
{quote}
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] StartTLS failed
[Wed May 26 17:47:15 2010] [error] LDAP error: I/O Error Connection reset by peer
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "loadPP" without a package or object reference at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Portal/AuthLDAP.pm line 24.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
{quote}
We have to be sure that our $ldap object is defined before calling the search method.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/96
Add encryptionkey in Attribute Authority metadata
2017-11-28T17:47:32Z
Clément OUDOT
Add encryptionkey in Attribute Authority metadata
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/100
Secondary SAML session should be destroyed when primary session is deleted
2017-11-28T17:47:35Z
Clément OUDOT
Secondary SAML session should be destroyed when primary session is deleted
Otherwise we can have something like this:
{quote}
[Fri Jun 11 15:30:30 2010] [warn] More than one SAML session found for user coudot@linagora.com
[Fri Jun 11 15:30:30 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Retrieve SAML session b5038fc53956d28f40dc7bc9e4ebdf5c for user coudot@linagora.com
[Fri Jun 11 15:30:30 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Retrieve real session 5551c6b12c19577d836907f3306c1268 for user coudot@linagora.com
[Fri Jun 11 15:30:30 2010] [info] Session 5551c6b12c19577d836907f3306c1268 isn't yet available (213.41.232.151)
[Fri Jun 11 15:30:30 2010] [error] Cannot get session 5551c6b12c19577d836907f3306c1268
{quote}
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/101
CAS Provider (IssuerDBCAS)
2017-11-28T17:47:35Z
Clément OUDOT
CAS Provider (IssuerDBCAS)
We can deliver CAS tickets to authenticated users.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/103
String encoding in sessions
2017-11-28T17:47:35Z
Clément OUDOT
String encoding in sessions
We should discuss how to manage string encoding in sessions. It seems that for now we store them as UTF-8, but this can be a problem:
* HTTP-BASIC only wants ISO
* some protected applications are not UTF-8 compliant
We should be able to choose the encoding per vhost or per header.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/104
Store entities metadata in raw format
2017-11-28T17:47:35Z
Clément OUDOT
Store entities metadata in raw format
For now, entity metadata is converted into a big hash and then reformatted, but this breaks markup order, and this can have an impact (RSA KeyValue for example).
We have to store raw metadata, and import it correctly in the portal.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/105
Error on SLO request for already closed session
2017-11-28T17:47:36Z
Clément OUDOT
Error on SLO request for already closed session
When receiving an SLO request for an already closed session, we have:
{quote}
[Mon Jun 14 15:15:07 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Get session id 20189080805e4e4bdff2c840498106b5 (decrypted from 673D6bgWdpr2rg/3sdRBcuCzCyxB4zO/XUT16e4kpilfx2P5cAFxFFV4O1LGuKZB)
[Mon Jun 14 15:15:07 2010] [info] Session 20189080805e4e4bdff2c840498106b5 isn't yet available (213.41.232.151)
[Mon Jun 14 15:15:07 2010] [error] Can't use string ("0") as a HASH ref while "strict refs" in use at /usr/local/share/perl/5.10.0/Lemonldap/NG/Portal/IssuerDBSAML.pm line 293.\n
[Mon Jun 14 15:15:07 2010] [debug] mod_deflate.c(615): [client 213.41.232.151] Zlib: Compressed 387 to 289 : URL /saml/singleLogout, referer: http://wcs.vm2.lemonsaml.linagora.com/
{quote}
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/106
Display OK or ERROR icons on HTTP REDIRECT and HTTP POST SLO iframes
2017-11-28T17:47:36Z
Clément OUDOT
Display OK or ERROR icons on HTTP REDIRECT and HTTP POST SLO iframes
We should be able to have a graphical SLO state, as we have with SOAP
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/107
Manage asynchronous SLO request on closed SSO session (SAML IDP)
2017-11-28T17:47:36Z
Clément OUDOT
Manage asynchronous SLO request on closed SSO session (SAML IDP)
We should send an SLO response when catching an SLO request for an already closed SSO session. This is done for SOAP, but not for HTTP-REDIRECT or HTTP-POST
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/108
NameID unspecified format should use the default NameID format
2017-11-28T17:47:36Z
Clément OUDOT
NameID unspecified format should use the default NameID format
For example, Google Apps sends an AuthnRequest with the NameID unspecified format. But Google Apps waits for the user mail in the AuthnResponse, so we should always map the unspecified format to the chosen default NameID format.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/109
Do not send AttributeStatement when no attribute should be sent
2017-11-28T17:47:36Z
Clément OUDOT
Do not send AttributeStatement when no attribute should be sent
We have an empty attribute statement in the AuthResponse from the IDP when no attributes are present. This should not be the case, and it causes for example a problem with Google Apps.
See http://www.google.com/support/forum/p/apps/thread?tid=262beadae133a615&hl=fr&fid=262beadae133a61500048948ff302e66
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/110
Store SAML token in session
2017-11-28T17:47:36Z
Clément OUDOT
Store SAML token in session
We should store the SAML token in the session (SAML SP side), to replay this token on other applications or web services.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/111
Build SLO response request with other SLO request status
2017-11-28T17:47:36Z
Clément OUDOT
Build SLO response request with other SLO request status
The IDP sends SLO requests to connected SPs. We should store each SP SLO status and then build the SLO response to the SLO issuer SP.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/113
Lemonldap::NG is not compatible with the use of a LDAP server using a differe...
2017-11-28T17:47:36Z
Yadd
Lemonldap::NG is not compatible with the use of a LDAP server using a different encoding than UTF-8 for storing passwords
Since Lemonldap::NG web pages are UTF-8 encoded, the LDAP bind uses the same encoding to test the user password. I propose to add a "ldapPwdEnc" parameter to indicate the LDAP password encoding
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/114
Bad usage of Apache::Session::searchOn() on portal
2017-11-28T17:47:36Z
Yadd
Bad usage of Apache::Session::searchOn() on portal
When singleIP is used, searchOn is called with $self->{ipAddr} instead of 'ipAddr', so Apache::Session::Browseable indexes are never used.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/115
In info page, when clicking on "Continue", we are not redirected to urldc
2017-11-28T17:47:36Z
Clément OUDOT
In info page, when clicking on "Continue", we are not redirected to urldc
It seems there is a problem with hidden fields
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/119
Special UTF-8 characters raise error in metadata
2017-11-28T17:47:36Z
Clément OUDOT
Special UTF-8 characters raise error in metadata
When we have a special character (e.g. é) in metadata, it is saved correctly by the Manager, but then we have this Lasso error in the portal:
{quote}
[Mon Jun 28 10:46:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Get Metadata for IDP lemonldapng-vm2
[Mon Jun 28 10:46:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error [ critical ]: libxml2: Input is not proper UTF-8, indicate encoding !\\nBytes: 0xE9 0x20 0x4C 0x65\\n
[Mon Jun 28 10:46:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error [ debug ]: 2010-06-28 10:46:02 (server.c/:65) Failed to add new provider.
[Mon Jun 28 10:46:02 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error code -202: Failed to add new provider.
[Mon Jun 28 10:46:02 2010] [error] Fail to use IDP lemonldapng-vm2 Metadata
{quote}
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/121
Fake SLO process for standard applications
2017-11-28T17:47:39Z
Clément OUDOT
Fake SLO process for standard applications
We implemented SAML SLO with iframes and all the complex SAML SLO management (requests/responses, etc.)
We can maybe provide a fake SLO process for standard applications:
* We configure in Manager the full logout URLs (not a pattern)
* On portal logout, we build hidden iframes that will do a GET on these logout URLs
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/122
Secondary SAML session are not deleted on local IDP logout
2017-11-28T17:47:39Z
Clément OUDOT
Secondary SAML session are not deleted on local IDP logout
This should be corrected in the issuerLogout method.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/123
Store Lasso Identity Dump in UserDB
2017-11-28T17:47:39Z
Clément OUDOT
Store Lasso Identity Dump in UserDB
We should store the Lasso identity dump in the UserDB so that we can be compliant with persistent NameID.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/124
Stop info/confirm timer at 0
2017-11-28T17:47:39Z
Clément OUDOT
Stop info/confirm timer at 0
Our timer becomes negative if we have a long load time (for example when using SAML artifact binding), and this displays --2 or ---3 on the info/confirm page.
1.0-rc2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/125
SAML request is lost in portal user interaction (remove other sessions for example)
2017-11-28T17:47:39Z
Clément OUDOT
SAML request is lost in portal user interaction (remove other sessions for example)
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/128
LemonLDAP::NG not compatible with perl-LDAP 0.4001
2017-11-28T17:47:39Z
Clément OUDOT
LemonLDAP::NG not compatible with perl-LDAP 0.4001
When using perl-LDAP 0.4001, we have errors in make test:
{quote}
t/04-Lemonldap-NG-Portal-SOAP.t .......... 1/2 Lemonldap::NG::Portal::AuthLDAP load error: Modification of a read-only value attempted at /usr/local/share/perl/5.10.1/Net/LDAP/Constant.pm line 13.
Compilation failed in require at /usr/local/share/perl/5.10.1/Net/LDAP/Message.pm line 7.
BEGIN failed--compilation aborted at /usr/local/share/perl/5.10.1/Net/LDAP/Message.pm line 7.
Compilation failed in require at /usr/local/share/perl/5.10.1/Net/LDAP.pm line 13.
BEGIN failed--compilation aborted at /usr/local/share/perl/5.10.1/Net/LDAP.pm line 13.
Compilation failed in require at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/_LDAP.pm line 8.
BEGIN failed--compilation aborted at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/_LDAP.pm line 8.
Compilation failed in require at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/AuthLDAP.pm line 9.
BEGIN failed--compilation aborted at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/AuthLDAP.pm line 9.
Compilation failed in require at (eval 97) line 3.
Lemonldap::NG::Portal::Simple error: Configuration error, Unable to load Lemonldap::NG::Portal::AuthLDAP
# Looks like you planned 2 tests but ran 1.
{quote}
This causes problems for packaging on Debian and RHEL5.5:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577340
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/129
LDAP timeout configuration
2017-11-28T17:47:40Z
Clément OUDOT
LDAP timeout configuration
It would be nice to be able to configure the LDAP timeout value; by default, it is 120 seconds.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/132
Can't refuse SAML federation
2017-11-28T17:47:40Z
Yadd
Can't refuse SAML federation
When I refuse the proposed SAML IDP, the timer still continues, so I'm redirected to the IdP.
Note: I had already connected and disconnected once before.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/133
SAML sessions are displayed as "other sessions"
2017-11-28T17:47:40Z
Yadd
SAML sessions are displayed as "other sessions"
When removeother() parses sessions, it discovers SAML data stored in the sessions DB and considers it as sessions.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/139
Use default values for SAML URL if they are not defined in configuration
2017-11-28T17:47:40Z
Clément OUDOT
Use default values for SAML URL if they are not defined in configuration
We should be able to run the SAML service with default values for all SAML URLs. This means that the metadata generation should work even if no URLs are stored in configuration.
1.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1332
LDAP groups not correctly set in session
2017-12-04T13:22:58Z
Clément OUDOT
LDAP groups not correctly set in session
I tried to collect LDAP groups but they are not well stored in session. For a user belonging to group "admin", I have this value in $groups:
```js
"groups" : "; admin|",
```
And I don't find the hGroups variable in session.
2.0.0
Clément OUDOT
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1333
Server internal error with Register module
2017-12-12T06:00:34Z
Clément OUDOT
Server internal error with Register module
Tried to use LDAP Register module and got this error
```
Dec 4 16:26:31 llng-site LLNG[40694]: User not authenticated, Try in use, cancel redirection
Dec 4 16:26:31 llng-site LLNG[40694]: Start routing register
Dec 4 16:26:31 llng-site LLNG[40694]: Prepare captcha
Dec 4 16:26:31 llng-site LLNG[40694]: First access to register form
Dec 4 16:26:31 llng-site LLNG[40694]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/register.tpl
Dec 4 16:26:31 llng-site LLNG[40694]: Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/register.tpl
Dec 4 16:26:47 llng-site LLNG[40697]: User not authenticated, Try in use, cancel redirection
Dec 4 16:26:47 llng-site LLNG[40697]: Start routing register
Dec 4 16:26:47 llng-site LLNG[40697]: Good captcha response
Dec 4 16:26:47 llng-site LLNG[40697]: Captcha code verified
Dec 4 16:26:47 llng-site LLNG[40697]: No register_token
Dec 4 16:26:47 llng-site LLNG[40697]: Register session found: 1512332807_4879
Dec 4 16:26:47 llng-site LLNG[40697]: Try to get SSO session 1512332807_4879
Dec 4 16:26:47 llng-site LLNG[40697]: Session cannot be tied: Invalid session ID: 1512332807_4879 at /usr/share/perl5/Apache/Session/Generate/MD5.pm line 42, <F> line 4.
Dec 4 16:26:47 llng-site LLNG[40697]: Register expiration timestamp: 3600
Dec 4 16:26:47 llng-site LLNG[40697]: Register start timestamp: 1512401207
Dec 4 16:26:47 llng-site LLNG[40697]: Skin bootstrap selected from GET/POST parameter
```
2.0.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/8
Publish WSDL for SOAP services
2018-09-27T04:09:56Z
Clément OUDOT
Publish WSDL for SOAP services
WSDL should be published through HTTP, like http://auth.example.com/index.pl?wsdl
2.0.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/34
[SAML] Check authn request conditions in IDP
2019-11-21T16:45:08Z
Clément OUDOT
[SAML] Check authn request conditions in IDP
Clément OUDOT
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/95
Force autoRedirect even with portal errors
2019-10-14T18:54:49Z
Clément OUDOT
Force autoRedirect even with portal errors
I have a use case where I do not want to use the portal web interface, but POST credentials from another application to the portal.
Of course, we will also send the "url" parameter to be redirected to in case of success. But I would like to be redirected even in case of error, with the error code added in the return URL.
Here is a little patch:
```
===================================================================
--- trunk/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm (révision 1327)
+++ trunk/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm (copie de travail)
@@ -883,6 +883,35 @@
issuerForAuthUser autoRedirect)
);
$self->updateStatus;
+
+ # forceAutoRedirect: never display portal even with errors
+ if ( $self->{forceAutoRedirect}
+ and ( $self->{urldc} or $self->{error} == PE_BADURL ) )
+ {
+
+ # If URL was bad, use referer
+ $self->{urldc} ||= $self->referer();
+
+ # Add error code in URL
+ if ( $self->{urldc} !~ /sso_error=/ ) {
+ if ( $self->{urldc} =~ /\Q?\E/ ) { $self->{urldc} .= "&"; }
+ else { $self->{urldc} .= "?"; }
+ $self->{urldc} .= "sso_error=" . $self->{error};
+ }
+ else {
+ $self->{urldc} =~ s/sso_error=(\d+)/sso_error=$self->{error}/;
+ }
+
+ # Redirect
+ $self->lmLog( "Force redirection on " . $self->{urldc}, 'debug' );
+ $self->SUPER::redirect(
+ -uri => $self->{urldc},
+ -status => '303 See Other'
+ );
+ $self->quit();
+ }
+
+ # Return result
return ( ( $self->{error} > 0 ) ? 0 : 1 );
}
```
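Review bot: the PE_BADURL fallback `$self->{urldc} ||= $self->referer();` turns this hunk into an open redirect: when the url parameter has just been rejected as untrusted, the code substitutes the Referer header, which the client controls, and then issues the 303 to it. The referer should be checked against the same rules as urldc (or against a configured list of caller applications) before it is used, and the code should fall through to the normal error page when that check fails rather than redirecting. A smaller point in the same hunk: the `else` branch `s/sso_error=(\d+)/sso_error=$self->{error}/` only rewrites a numeric sso_error, so a caller that passed a non-numeric value keeps it while no second parameter is appended; normalising the parameter (strip any existing sso_error, then append) avoids the two code paths.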
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/259
Add system to overload parameters in *Choice (like "multi" key)
2018-11-29T08:52:07Z
Yadd
Add system to overload parameters in *Choice (like "multi" key)
UserDB modules use the exportedVars parameter to load data. For example, if you use Choice with LDAP and OpenID (sreg), the exportedVars key must change. I think that it is not possible for now, is it?
2.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/402
SOAP method getMenuApplications does not work with Safe jail
2019-10-14T16:17:12Z
Clément OUDOT
SOAP method getMenuApplications does not work with Safe jail
The SOAP method getMenuApplications does not work with the Safe jail, but works fine with useSafeJail = 0.
FAQ
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/993
Define a local password policy
2020-07-28T13:58:11Z
Clément OUDOT
Define a local password policy
We have the possibility to rely on the LDAP password policy, but with LDAP servers that do not support it, AD or DBI, we can't have a password policy.
The idea is to be able to manage this policy directly in LL::NG:
* Check password complexity when it is changed
* Manage password expiration (the password change date can be maintained in the persistent session)
2.0.6
Clément OUDOT
Clément OUDOT
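As an added example of the two points of the proposal above (complexity checked at change time, expiration tracked through a change date in the persistent session), and not code from the issue or from LemonLDAP::NG, the following Python implements a minimal local policy. The policy values, the `_lastPasswordChange` key and the function names are assumptions of the example, not LL::NG configuration or session keys.

```python
import re
import time

# Hypothetical policy, not an LL::NG configuration structure.
POLICY = {
    "min_length": 12,
    "min_classes": 3,                   # of lower / upper / digit / other
    "max_age_seconds": 90 * 24 * 3600,  # force a change after 90 days
    "forbidden_fragments": ("password", "lemonldap"),
}

# Hypothetical key for the change timestamp in the persistent session.
CHANGE_KEY = "_lastPasswordChange"

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def check_complexity(password: str, login: str = "", policy: dict = POLICY) -> list:
    """Return the list of violated rules; an empty list means the password is accepted.

    Returning every violation at once (rather than the first) lets the portal
    show the user the full list instead of one rule per round trip.
    """
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    classes = sum(bool(re.search(p, password)) for p in _CLASS_PATTERNS)
    if classes < policy["min_classes"]:
        problems.append("not enough character classes")
    lowered = password.lower()
    if login and login.lower() in lowered:
        problems.append("contains login")
    if any(fragment in lowered for fragment in policy["forbidden_fragments"]):
        problems.append("contains forbidden word")
    return problems


def record_password_change(persistent_session: dict, now=None) -> dict:
    """Store the change time in the persistent session after a successful change."""
    persistent_session[CHANGE_KEY] = int(now if now is not None else time.time())
    return persistent_session


def password_expired(persistent_session: dict, now=None, policy: dict = POLICY) -> bool:
    """True when the stored change time is older than max_age, or was never recorded.

    A missing timestamp is treated as expired on purpose: accounts that predate
    the policy are forced through one change, which records a date for them.
    """
    now = now if now is not None else time.time()
    changed = persistent_session.get(CHANGE_KEY)
    if changed is None:
        return True
    return now - changed > policy["max_age_seconds"]
```

Because the change date lives in the persistent session rather than in the backend, the expiration check only works for backends whose persistent session survives across logins; a backend that already enforces its own policy (LDAP ppolicy) should keep precedence, otherwise the two policies can disagree about when a password expires.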