I have Ipsilon configured with:
ipsilon-server-install --pam yes --info-sssd yes --info-sssd-domain example.com --krb yes --krb-realms EXAMPLE.COM
and I can see mod_lookup_identity enabled and configured in /etc/ipsilon/idp/idp.conf, and ifp is enabled and configured in /etc/sssd/sssd.conf. Looking at /idp/admin/providers/saml, I have the default attribute mapping
# 1 From * To *
and the default allowed attributes
# 1 Name *
on the SP after successful Kerberos authentication has an empty
element so I don't see the values populated on SP in MELLON_* environment variables.
Rob advised patching Ipsilon with
diff --git a/ipsilon/login/common.py b/ipsilon/login/common.py
index 60f6df1..1835f72 100644
@@ -79,6 +79,8 @@ class LoginManagerBase(PluginConfig, PluginObject):
# create session login including all the userdata just gathered
# save username into a cookie if parent was form base auth
if auth_type == 'password':
cookie = SecureCookie(USERNAME_COOKIE, username)
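Review bot: the context comment in LoginManagerBase says the session login is created "including all the userdata just gathered", so saving the userdata from this call site in ipsilon/login/common.py only covers logins that pass through this method. If the session login does not store what it is handed, fix it there and leave this caller unchanged, so that every login plugin gets the same behaviour. The header (-79,6 +79,8) adds two lines ahead of the `if auth_type == 'password':` cookie branch; the commit message should say what they store and why doing it here is safe.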
and that fixes the problem, even if I'm not sure it's the correct fix because f7b6d96 seems to suggest session.login was supposed to do the saving.
milestone: => 1.0 m3
owner: => rcritten
status: new => assigned
The data wasn't being saved because there is a short-circuit at the top of login where if the current user matches the user in the session then just return.
This is a problem because when authenticating via authform or authkrb the login first comes in from remote_login() with no userdata. A subsequent call to login() after calling the info plugins is thus a no-op.
Add a conditional in login such that if the user matches and the existing userattrs is empty, save the supplied user attrs.
patch_available: 0 => 1
status: assigned => accepted
resolution: => fixed
status: accepted => closed
rhbz: => 0
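The call order described in the comment above can be replayed with a small model. This is an added example, not Ipsilon's code: the class names, the authenticate() helper and the attribute values are constructed for illustration, and only login() and remote_login() are names taken from the ticket.

```python
# Minimal model of the session behaviour described in the ticket.
# Assumption: class names and attribute values are constructed; this is
# not Ipsilon's implementation.

class BuggySession:
    def __init__(self):
        self.user = None
        self.userattrs = {}

    def login(self, username, userattrs=None):
        # Short-circuit: the same user is already in the session, so return.
        if self.user == username:
            return
        self.user = username
        self.userattrs = dict(userattrs or {})

    def remote_login(self, username):
        # authkrb / authform path: the user is known, no userdata yet.
        self.login(username)


class FixedSession(BuggySession):
    def login(self, username, userattrs=None):
        if self.user == username:
            # Same user: store the attributes only if none were saved yet.
            if not self.userattrs and userattrs:
                self.userattrs = dict(userattrs)
            return
        self.user = username
        self.userattrs = dict(userattrs or {})


def authenticate(session_cls, username, info_attrs):
    """Replay the two calls from the ticket and return the attributes
    the session holds afterwards (what could reach the SP)."""
    session = session_cls()
    session.remote_login(username)        # first call, no userdata
    session.login(username, info_attrs)   # second call, after info plugins
    return session.userattrs


if __name__ == "__main__":
    attrs = {"givenname": "Alice", "email": "alice@example.com"}  # constructed
    print("buggy:", authenticate(BuggySession, "alice", attrs))
    print("fixed:", authenticate(FixedSession, "alice", attrs))
```

In the model the fixed login() fills attributes only when none are stored, so a later call for the same user does not replace attributes that are already in the session.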
Metadata Update from @nkinder:
- Issue assigned to rcritten
- Issue set to the milestone: 1.0 m3