Hi all,
I've been working on deploying a Shibboleth federated-access SSO solution, and we have a problem when accessing the Discovery Service (actually, we have two problems).
The first is that the Discovery Service (remote site, such as something.myfederation.com) needs to request (GET) something from our Identity Provider (IdP) on our own network (e.g. https://idp.myinstitution.com/...), which is being blocked by the LOCAL deny rule.
URL bar shows something like: http://something.myfederation.com/...longurl
ABE reports: Request { GET https://idp.myinstitution.com/...longurl <<< https://somethingelse.myfederation.com/... - 6 } filtered by ABE: <LOCAL> Deny
I'm unclear as to what rule I should create. I'd like to put it in a rules.abe file on (presumably) https://idp.myinstitution.com/rules.abe
The second problem is that I can't actually read the (whole) ABE report, because I have a multi-monitor display (Windows 7, fully patched, Firefox 14.0.1, NoScript 2.5.8), which I regularly RDP to or use locally, and when ABE displays this error message it makes the display area (not the window) as wide as the (multi-monitor) display. Actually, it seems to make it even wider perhaps, because even if I make the Firefox window span my entire multi-monitor desktop, the right-side Firefox widgets etc. are still off-window.
This causes a significant usability problem. I can't even copy the ABE error to read it properly. This could be a significant issue for us as we've been instructed to use NoScript where possible when using our workstations.
Thanks for helping,
Cameron Kerr
Shibboleth SSO ABE and Multi-Monitor display bug
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Re: Shibboleth SSO ABE and Multi-Monitor display bug
cameron.kerr wrote:
URL bar shows something like: http://something.myfederation.com/...longurl
ABE reports: Request { GET https://idp.myinstitution.com/...longurl <<< https://somethingelse.myfederation.com/... - 6 } filtered by ABE: <LOCAL> Deny
I'm unclear as to what rule I should create. I'd like to put it in a rules.abe file on (presumably) https://idp.myinstitution.com/rules.abe

You need to add something like this above the default SYSTEM rule:
Code:
Site .myinstitution.com
Accept from SELF++ .myfederation.com
SELF++ means that myinstitution.com and its subdomains are allowed to send requests to themselves.
Unfortunately you won't be able to put this in a rules.abe subscription, because what you need to do is add an exception to the built-in rule - which subscriptions are not permitted to do, by design.
cameron.kerr wrote:
The second problem is that I can't actually read the (whole) ABE report, because I have a multi-monitor display (Windows 7, fully patched, Firefox 14.0.1, NoScript 2.5.8), which I regularly RDP to or use locally, and when ABE displays this error message it makes the display area (not the window) as wide as the (multi-monitor) display. Actually, it seems to make it even wider perhaps, because even if I make the Firefox window span my entire multi-monitor desktop, the right-side Firefox widgets etc. are still off-window.

This is a known issue raised a while ago: http://forums.informaction.com/viewtopi ... =23&t=8385. You can disable the notification bar in Options-Notifications, and instead read the message from the Error Console (Ctrl + Shift + J or Tools-Web Developer-Error Console) under the Info section.
Good luck! If you have any further problems, let us know.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
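Why the suggested rule has to sit above the default SYSTEM rule, as an added example (not part of the original posts and not NoScript's own code): a simplified first-match evaluator run over the two rules from the reply. The `LOCAL_HOSTS` set, the two-label base-domain shortcut, the function names and the URL paths are assumptions made for the illustration.

```javascript
// Simplified ABE-style evaluator. Assumption: within one ruleset, the first
// rule whose Site matches and whose predicate matches the origin decides.
// Constructed input: hosts treated as resolving to LAN addresses (no DNS here).
const LOCAL_HOSTS = new Set(["idp.myinstitution.com"]);

const host = (url) => new URL(url).hostname;
// Approximation: base domain = last two labels (no public-suffix handling).
const baseDomain = (h) => h.split(".").slice(-2).join(".");

function matches(pattern, h, destHost) {
  if (pattern === "*") return true;
  if (pattern === "LOCAL") return LOCAL_HOSTS.has(h);
  if (pattern === "SELF++") return baseDomain(h) === baseDomain(destHost);
  if (pattern.startsWith(".")) return h === pattern.slice(1) || h.endsWith(pattern);
  return h === pattern;
}

function parseRules(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line) continue;
    const [word, ...rest] = line.split(/\s+/);
    if (word === "Site") rules.push({ sites: rest, predicates: [] });
    else if (rules.length) {
      // "Accept from A B", or a bare "Deny" that applies to any origin
      const origins = rest[0] === "from" ? rest.slice(1) : ["*"];
      rules[rules.length - 1].predicates.push({ action: word, origins });
    }
  }
  return rules;
}

function evaluate(rulesText, destination, origin) {
  const d = host(destination), o = host(origin);
  for (const rule of parseRules(rulesText)) {
    if (!rule.sites.some((s) => matches(s, d, d))) continue;
    for (const p of rule.predicates)
      if (p.origins.some((x) => matches(x, o, d))) return p.action;
  }
  return "Accept"; // no rule matched: the request is left alone
}

const SYSTEM_DEFAULT = "Site LOCAL\nAccept from LOCAL\nDeny";
const EXCEPTION = "Site .myinstitution.com\nAccept from SELF++ .myfederation.com";
const DEST = "https://idp.myinstitution.com/sso";        // constructed path
const ORIGIN = "https://something.myfederation.com/ds";  // constructed path
console.log(evaluate(EXCEPTION + "\n" + SYSTEM_DEFAULT, DEST, ORIGIN));
```

With the exception placed after the SYSTEM rule instead of before it, the same request is still denied, because the `Site LOCAL` rule matches first.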
Re: Shibboleth SSO ABE and Multi-Monitor display bug
Okay, so I've worked around the display issue (not very happy with that workaround though).
That rule seems to have worked. Now I have another similar issue: (wrapping added by me for readability)
Code:
[ABE] <LOCAL> Deny on {
GET https://idp.myinstitution.com/...
<<< https://idp.myinstitution.com/...
, https://somewhere.myfederation.com/...
, https://somewhere.myfederation.com/...
, https://somewhereelse.myfederation.com/...
- 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
I'm not sure how to interpret this message, so I'm at a loss to write a rule for it currently.
If I were to guess, I would say that https://idp.myinstitution.com/... (the bit before the <<<) is composed of the list of URLs (after the <<<) which are all being blocked. But if that's the case, then I would have thought this (existing) rule should have satisfied that:
Code:
Site idp.myinstitution.com
Accept from SELF++ .myfederation.com
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Appreciate any help,
Thanks,
Cameron
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1