Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Replace the attrChecker.html that is located in the "/etc/shibboleth" directory with the template below. If you don't want to edit it by yourself, you can use the ready made template. The template has links to external components such as jquery and bootstrap. They are fetched on the fly from third party sources.

There is two checks if the IdP declare support SIRTFI is done due to the the Assurance Certifcation attribute can contain other values than SIRTFI and the possibility to check for specific values is not possible. The first check is to see if Assurance Certfication is missing and the second is check for when there is a Assurance Certification but now other contact address, i.e. security contact. Furthermore the name checks is speical due to that name in R&S is either displayName or sn and givenName.

All attribute names, except the one for Assurance Certfication, in the template are based on the standard mappings in the Shibboleth SP distribution.

Code Block
languagexml
titleattrChecker.html
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html 
	PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
	"DTD/xhtml1-strict.dtd">
	
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
	<link rel="stylesheet" type="text/css" href="<shibmlp styleSheet/>" />
  <script type='text/javascript' src='//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js'></script>
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">

	<title>Login failed due to missing user attributes or missing security requirements</title>
  <script>
    $(document).ready(function() {
        $("#textarea").val(
         $('#textarea').val().replace(/\ \*\ (\r\n|\n|\r)/ig,"")
        );
        var mailto = "<shibmlp Meta-Support-Contact/>";
        var target = "<shibmlp target />";
        var target = target.replace("&#58;", ":");
        mailto = mailto.split("&#58;").pop();
        $("#email").attr('href','mailto:' + mailto + '?subject=Attributes missing for ' + encodeURIComponent(target) + '&cc=<shibmlp supportContact/>' + '&body=' + encodeURIComponent(document.getElementById('textarea').value));
        
        $('#showdetails').click(function() {
          $('#details').slideToggle("fast");
        });
        $('#showdetails2').click(function() {
          $('#details').slideToggle("fast");
        });
        document.getElementById("support").innerHTML=mailto;
        document.getElementById("support2").innerHTML=mailto;
    });
  </script>
</head>

<body>
  <div id="msg"/>
    <div class="container">
      <!--PixelTracking without Assurance Certification-->
	  <shibmlpifnot Meta-AssuranceCertification>
      <img title="track" src="/track.png?idp=<shibmlp entityID/>&miss=-SIRTFI<shibmlpifnot displayName><shibmlpifnot givenName>-displayName</shibmlpifnot></shibmlpifnot><shibmlpifnot givenName><shibmlpifnot displayName>-givenName</shibmlpifnot></shibmlpifnot><shibmlpifnot sn><shibmlpifnot displayName>sn</shibmlpifnot></shibmlpifnot><shibmlpifnot mail>-mail</shibmlpifnot><shibmlpifnot eppn>-eduPersonPrincipalName</shibmlpifnot>" alt="" width="1" height="1" />
	  </shibmlpifnot>
      <!--PixelTracking with Assurance Certification but without Other Contact (Security)-->
	  <shibmlpif Meta-AssuranceCertification><shibmlpifnot Meta-Other-Contact/>
      <img title="track" src="/track.png?idp=<shibmlp entityID/>&miss=-SIRTFI<shibmlpifnot displayName><shibmlpifnot givenName>-displayName</shibmlpifnot></shibmlpifnot><shibmlpifnot givenName><shibmlpifnot displayName>-givenName</shibmlpifnot></shibmlpifnot><shibmlpifnot sn><shibmlpifnot displayName>sn</shibmlpifnot></shibmlpifnot><shibmlpifnot mail>-mail</shibmlpifnot><shibmlpifnot eppn>-eduPersonPrincipalName</shibmlpifnot>" alt="" width="1" height="1" />
	  </shibmlpifnot></shibmlpif>
      <!--PixelTracking with Assurance Certification and Other Contact (Security)-->
	  <shibmlpif Meta-AssuranceCertification><shibmlpif Meta-Other-Contact/>
      <img title="track" src="/track.png?idp=<shibmlp entityID/>&miss=<shibmlpifnot displayName><shibmlpifnot givenName>-displayName</shibmlpifnot></shibmlpifnot><shibmlpifnot givenName><shibmlpifnot displayName>-givenName</shibmlpifnot></shibmlpifnot><shibmlpifnot sn><shibmlpifnot displayName>sn</shibmlpifnot></shibmlpifnot><shibmlpifnot mail>-mail</shibmlpifnot><shibmlpifnot eppn>-eduPersonPrincipalName</shibmlpifnot>" alt="" width="1" height="1" />
	  </shibmlpif></shibmlpif>
      <div class="hero-unit">
        <h2>Login failed due to missing user attributes or missing security requirements</h2>
          <p>
          You could unfortunately not login to to our service <shibmlp target />, because your home organisation <shibmlpif Meta-displayName>(<shibmlp Meta-displayName />)</shibmlpif> did not provide all information about you that is needed by this service or that your home organisation Identity Provider doesn't fulfil the service's security requirements.
          </p>
          <a href="#" id="showdetails">Show details</a>
      	  <br/>
          <div id="details" style="display:none">
<hr>
		  <!-- Report non REFEDS SIRTFI  dual check no enitity categories in metadata and entity categories without other contact in metadata -->
		  <shibmlpifnot Meta-AssuranceCertification><h3 class='warning text-danger'>Missing SIRTFI requirement</h3><p class='warning text-danger'>The service you tried to access require that the <shibmlpif Meta-displayName><shibmlp Meta-displayName /></shibmlpif> Identity Provider fulfils and declares support for the security incident response trust framework REFEDS SIRTFI (https://refeds.org/sirtfi).</p></shibmlpifnot>
		  <shibmlpif Meta-AssuranceCertification><shibmlpifnot Meta-Other-Contact/><h3 class='warning text-danger'>Missing SIRTFI requirement</h3><p class='warning text-danger'>The service you tried to access require that the <shibmlpif Meta-displayName><shibmlp Meta-displayName /></shibmlpif> Identity Provider fulfils and declares support for the security incident response trust framework REFEDS SIRTFI (https://refeds.org/sirtfi).</p></shibmlpifnot></shibmlpif>

          <h3>Attribute requirements</h3>
		  <p>The following user information in form of SAML attributes is requested by this service. Required but missing attribute values are marked in red.</p>
          <div class="row">
            <div class="col-sm-5">
              <table class="table table-sm">
                <thead>
                  <tr><th colspan=2>Connection summary</th></tr>
                </thead>
                <tr>
                  <th>Time</th>
                  <td><shibmlp now/> UTC</td>
                </tr>
                <tr>
                  <th>SP</th>
                  <td><shibmlp target /></td>
                </tr>
                <tr>
                  <th>&nbsp;</th>
                  <td>&nbsp;</td>
                </tr>
                <tr>
                  <th>IdP</th>
                  <td><shibmlp Meta-displayName /></td>
                </tr>
                <tr>
                   <td>entityId</td>
                   <td><shibmlp entityID/></td>
                </tr>
                <tr>
                  <td>Contact</td>
                  <td id="support"><shibmlp Meta-Support-Contact/></td>
                </tr>
              </table>
            </div>
            <div class="col-sm-7">
              <table class="table table-sm">
                <thead>
                  <tr>
                    <th>Attribute</th>
                    <th>Value</th>
                  </tr>
                </thead>
                <tbody>
<!--TableStart-->
<tr <shibmlpifnot displayName><shibmlpifnot givenName> class='warning text-danger'</shibmlpifnot></shibmlpifnot>>
	<td>displayName</td>
	<td><shibmlp displayName /></td>
	<td></td>
</tr>
<tr <shibmlpifnot givenName><shibmlpifnot displayName> class='warning text-danger'</shibmlpifnot></shibmlpifnot>>
	<td>givenName</td>
	<td><shibmlp givenName /></td>
</tr>
<tr <shibmlpifnot sn><shibmlpifnot displayName> class='warning text-danger'</shibmlpifnot></shibmlpifnot>>
	<td>sn</td>
	<td><shibmlp sn /></td>
</tr>
<tr <shibmlpifnot mail> class='warning text-danger'</shibmlpifnot>>
	<td>mail</td>
	<td><shibmlp mail /></td>
</tr>
<tr <shibmlpifnot eppn> class='warning text-danger'</shibmlpifnot>>
	<td>eduPersonPrincipalName</td>
	<td><shibmlp eppn /></td>
</tr>
<tr>
	<td>eduPersonTargetedID</td>
	<td><shibmlp persistent-id /></td>
</tr>
<tr>
	<td>eduPersonScopedAffiliation (optional)</td>
	<td><shibmlp affiliation /></td>
</tr>
<!--TableEnd-->
                </tbody>
              </table>
            </div>
          </div>
          Email template for your IdP Administrator
<textarea id="textarea" style="width:100%;height:100px;">
Dear <shibmlpif Meta-displayName><shibmlp Meta-displayName /></shibmlpif> IdP Administrator

I tried to log in to a service with the entityID "<shibmlp target />" today (<shibmlp now />). Unfortunately, the login failed because the <shibmlpif Meta-displayName><shibmlp Meta-displayName /></shibmlpif> Identity Provider did not release the requested user attributes to this service or doesn't fulfil the security and incident handling requirements in REFEDS SIRTFI. To be able to access this service, I kindly ask you to ensure that our Identity Provider fulfil the requirements needed by the service <shibmlp target /> so that I can log into it. Please find a summary of the login attempt below.

<shibmlpifnot Meta-AssuranceCertification>The service I tried to access require that the <shibmlpif Meta-displayName><shibmlp Meta-displayName /></shibmlpif>Identity Provider fulfils and declares support for the security incident response trust framework REFEDS SIRTFI (https://refeds.org/sirtfi).
</shibmlpifnot><shibmlpif Meta-AssuranceCertification><shibmlpifnot Meta-Other-Contact/>The service I tried to access require that the <shibmlpif Meta-displayName><shibmlp Meta-displayName /></shibmlpif> Identity Provider fulfils and declares support for the security incident response trust framework REFEDS SIRTFI (https://refeds.org/sirtfi).
</shibmlpifnot></shibmlpif>
The attributes that were not released to the service are (REFEDS R&S):
<shibmlpifnot displayName> * displayName
</shibmlpifnot><shibmlpifnot givenName> * givenName
</shibmlpifnot><shibmlpifnot sn> * sn
</shibmlpifnot><shibmlpifnot mail> * mail
</shibmlpifnot><shibmlpifnot eppn> * eduPersonPrincipalName 
</shibmlpifnot><shibmlpifnot persistent-id> * eduPersonTargetedID (only if eduPersonPrincipalName is reasignable to another user)
</shibmlpifnot><shibmlpifnot affiliation> * eduPersonScopedAffiliation (optional)
</shibmlpifnot><shibmlpif displayName><shibmlpif givenName><shibmlpif sn><shibmlpif mail><shibmlpif eppn><shibmlpif persistent-id><shibmlpif affiliation> * no missing attributes!</shibmlpif></shibmlpif></shibmlpif></shibmlpif></shibmlpif></shibmlpif></shibmlpif>

Connection summary:
 * IdP:      <shibmlp entityID/> (<shibmlp Meta-displayName />)
 * SP:       <shibmlp target />
 * Time:     <shibmlp now/> UTC

Best Regards</textarea>
<hr>
</div>
          <p>
Please contact your home organisations helpdesk (here: <span id="support2"><shibmlp Meta-Support-Contact/></span>) and request attribute release for missing attributes or declare that they fulfil the security requirements. To do this, click on the button below. This will open your mail program with the needed technical information to resolve this issue. You can add additional information and review the email before sending it. Alternatively you can copy and paste the request from the  <a href="#" id="showdetails2">details</a> text box.
          </p>
          <a id="email" class="btn btn-primary btn-large" href="#">Report Problem to your Home Organisation's Helpdesk</a>
        </div>
      </div>
    </div>
  </div>
</body>
</html>

...