
Shibboleth SSO ABE and Multi-Monitor display bug

Posted: Thu Oct 25, 2012 8:41 pm
by cameron.kerr
Hi all,

I've been working on deploying a Shibboleth federated-access SSO solution, and we have a problem when accessing the Discovery Service (actually, we have two problems).

The first is that the Discovery Service (remote site, such as something.myfederation.com) needs to request (GET) something from our Identity Provider (IdP) on our own network (eg. https://idp.myinstitution.com/...), which is being blocked by the LOCAL deny rule.

URL bar shows something like: http://something.myfederation.com/...longurl
ABE reports: Request { GET https://idp.myinstitution.com/...longurl <<< https://somethingelse.myfederation.com/... - 6 } filtered by ABE: <LOCAL> Deny

I'm unclear as to what rule I should create. I'd like to put it in a rules.abe file on (presumably) https://idp.myinstitution.com/rules.abe

The second problem is that I can't actually read the (whole) ABE report, because I have a multi-monitor display (Windows 7, fully patched, Firefox 14.0.1, NoScript 2.5.8), which I regularly RDP to or use locally, and when ABE displays this error message it makes the display area (not the window) as wide as the (multi-monitor) display. Actually, it seems to make it even wider perhaps, because even if I make the Firefox window span my entire multi-monitor desktop, the right-side Firefox widgets etc. are still off-window.

This causes a significant usability problem. I can't even copy the ABE error to read it properly. This could be a significant issue for us as we've been instructed to use NoScript where possible when using our workstations.

Thanks for helping,
Cameron Kerr

Re: Shibboleth SSO ABE and Multi-Monitor display bug

Posted: Thu Oct 25, 2012 11:15 pm
by Thrawn
cameron.kerr wrote: URL bar shows something like: http://something.myfederation.com/...longurl
ABE reports: Request { GET https://idp.myinstitution.com/...longurl <<< https://somethingelse.myfederation.com/... - 6 } filtered by ABE: <LOCAL> Deny

I'm unclear as to what rule I should create. I'd like to put it in a rules.abe file on (presumably) https://idp.myinstitution.com/rules.abe
You need to add something like this above the default SYSTEM rule:

Code:

Site .myinstitution.com
Accept from SELF++ .myfederation.com

Note that the leading dot means 'myfederation.com and all subdomains'. If it should only apply to somethingelse.myfederation.com, then modify accordingly.
SELF++ means that myinstitution.com and its subdomains are allowed to send requests to themselves.

Unfortunately you won't be able to put this in a rules.abe subscription, because what you need to do is add an exception to the built-in rule - which subscriptions are not permitted to do, by design.
The second problem is that I can't actually read the (whole) ABE report, because I have a multi-monitor display (Windows 7, fully patched, Firefox 14.0.1, NoScript 2.5.8), which I regularly RDP to or use locally, and when ABE displays this error message it makes the display area (not the window) as wide as the (multi-monitor) display. Actually, it seems to make it even wider perhaps, because even if I make the Firefox window span my entire multi-monitor desktop, the right-side Firefox widgets etc. are still off-window.
This is a known issue raised a while ago: http://forums.informaction.com/viewtopi ... =23&t=8385. You can disable the notification bar in Options-Notifications, and instead read the message from the Error Console (Ctrl + Shift + J or Tools-Web Developer-Error Console) under the Info section.

Good luck! If you have any further problems, let us know.
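As an added illustration (not NoScript's code and not from this thread): a small Python model of the rule semantics described in the reply above, ordering with the user rule placed above the SYSTEM rule, the leading-dot pattern, SELF++, and the built-in LOCAL rule. The LOCAL host set, the "first rule whose Site and predicate both match wins, otherwise fall through" evaluation and the implicit Accept when nothing matches are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed assumption: hosts that ABE would classify as LOCAL (LAN addresses).
LOCAL_HOSTS = {"idp.myinstitution.com"}

def host_matches(host, pattern, site):
    """Match one host against an ABE-style pattern as described in the thread."""
    base = site.lstrip(".")
    if pattern == "LOCAL":
        return host in LOCAL_HOSTS
    if pattern == "SELF++":  # the Site itself and all of its subdomains
        return host == base or host.endswith("." + base)
    if pattern.startswith("."):  # leading dot: the domain and all subdomains
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse_rules(text):
    """Parse rules.abe text into [(site, [(action, patterns), ...]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()  # '#' starts a comment
        if not words:
            continue
        if words[0] == "Site":
            rules.append((words[1], []))
        elif words[0] == "Accept" and words[1:2] == ["from"]:
            rules[-1][1].append(("Accept", words[2:]))
        elif words[0] == "Deny":
            rules[-1][1].append(("Deny", words[2:] or ["ALL"]))  # bare Deny: any origin
    return rules

def evaluate(rules, dest_url, origin_url):
    """Assumed semantics: the first rule whose Site matches the destination AND whose
    predicate matches the origin decides; otherwise fall through; no match = Accept."""
    dest = urlparse(dest_url).hostname
    origin = urlparse(origin_url).hostname
    for site, predicates in rules:
        if not host_matches(dest, site, site):
            continue
        for action, patterns in predicates:
            if "ALL" in patterns or any(host_matches(origin, p, site) for p in patterns):
                return action
    return "Accept"

SYSTEM_RULE = "Site LOCAL\nAccept from LOCAL\nDeny\n"
# The exception from the reply, placed above the SYSTEM rule.
USER_RULES = "Site .myinstitution.com\nAccept from SELF++ .myfederation.com\n\n" + SYSTEM_RULE
```

With only SYSTEM_RULE loaded, the GET from the federation Discovery Service to the IdP is denied; with USER_RULES it is accepted, while an origin outside .myfederation.com still falls through to the SYSTEM Deny.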

Re: Shibboleth SSO ABE and Multi-Monitor display bug

Posted: Fri Oct 26, 2012 12:21 am
by cameron.kerr
Okay, so I've worked around the display issue (not very happy with that workaround though).

That rule seems to have worked. Now I have another similar issue (wrapping added by me for readability):

Code:

[ABE] <LOCAL> Deny on {
   GET https://idp.myinstitution.com/... 
   <<< https://idp.myinstitution.com/...
     , https://somewhere.myfederation.com/...
     , https://somewhere.myfederation.com/...
     , https://somewhereelse.myfederation.com/...
   - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

I'm not sure how to interpret this message, so I'm at a loss to write a rule for it currently.

If I were to guess, I would say that https://idp.myinstitution.com/... (the bit before the <<<) is composed of the list of URLs (after the <<<) which are all being blocked. But if that's the case, then I would have thought this (existing) rule should have satisfied that:

Code:

Site idp.myinstitution.com
Accept from SELF++ .myfederation.com

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

Appreciate any help,
Thanks,
Cameron