Discussion:
SP Request not redirecting to IDP
j***@public.gmane.org
2014-08-18 08:42:09 UTC
Hi All,

I have installed Shibboleth SP on Amazon Linux and successfully started the Apache and shibd services. We are using Tivoli Access Management as the IdP. Our IdP team provided me with metadata, which I am trying to use in the shibboleth2.xml file, but I am unable to redirect requests for a specific hostname.

Can someone help me correctly configure Shibboleth so that a specific virtual host can be redirected to our IdP? Please share the values or properties that trigger this redirection.


Kind Regards,
Junaid Akbar


Cantor, Scott
2014-08-18 13:27:56 UTC
Post by j***@public.gmane.org
Can someone help me to correctly configure shibboleth so that specific
virtual host can be redirected to our idp. Please share values or
properties that trigger this redirection?

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPProtectContent

-- Scott
j***@public.gmane.org
2014-08-20 13:51:11 UTC
Hi,

I am trying to implement the following scenario:

1. The user accesses a specific URL, e.g. mydomain.domain.com
2. Apache receives this request and, based on entityID https://mydomain.domain.com, the user should be redirected to the IdP URL.
3. Once the user is authenticated, the IdP returns with a SAML token and Apache/Shibboleth should allow the user to access the actual contents, e.g. https://mydomain.domain.com pass SAML authentication because of Akamai authentication token.

I have the following questions, if someone can help me here:

- I am using a domain name, e.g. https://mydomain.domain.com, and I used it as the entityID. Do I need to use the following URL: 'https://mydomain.domain.com/shibboleth'?

- I am using an external IdP and they provided me with metadata, which I have copied into /etc/shibboleth/. I used the following configuration to define this metadata, but what URL and entityID should I use under SSO? When I have defined the metadata file, do I really need to define entityID under <SSO>?

- Some documentation says to use this type of URL: https://myidp.domain.com/idp/shibboleth. We have a different URL in the metadata, so why do we need to define it here?

- After defining all these properties, how will the request be routed to the IdP once a user hits https://mydomain.domain.com?


<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <ApplicationDefaults entityID="https://mydomain.domain.com"
                         REMOTE_USER="eppn persistent-id targeted-id">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <SSO entityID="https://mydomain.domain.com">
                SAML2 SAML1
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="***@localhost"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- Example of locally maintained metadata. -->
        <MetadataProvider type="XML" file="saml20_BP_metadata_TFIM_UAT_22AUG2013.xml"/>

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="aralappid" entityID="https://mydomain.domain.com">
            <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        </ApplicationOverride>

    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>


- I have multiple virtual hosts defined in vhost.conf and would like to trigger Shibboleth for one virtual host. I have defined the following in the vhost.conf file.

<Location />
    AuthType shibboleth
    ShibCompatWith24 On
    ShibRequestSetting requireSession 1
    require shib-session
</Location>

Can someone help me here?



Kind Regards,
Junaid Akbar


Dave Perry
2014-08-20 14:15:56 UTC
Here are the lines we use to protect one of our SPs (Moodle) using Apache (from httpd.conf), slightly anonymized:

<VirtualHost server.ip.address:80>
    ServerName subdomain.yourdomain.com
    DocumentRoot d:/path/to/files
    AcceptPathInfo On

    (the next bit says 'if there is a shibboleth session, the entire vhost can access it':)
    <Location />
        AuthType shibboleth
        Require shibboleth
    </Location>

    (the next bit forces a shibboleth session if you go to this page:)
    <Location /auth/shibboleth/index.php>
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
    </Location>

</VirtualHost>

HTH
_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

j***@public.gmane.org
2014-08-20 14:23:56 UTC
Do you have answers to my other questions regarding shibboleth2.xml?

Kind Regards,
Junaid Akbar


Dave Perry
2014-08-21 15:04:17 UTC
Last version was too big apparently...

From: Dave Perry
Sent: 21 August 2014 09:37
To: 'Shib Users'
Subject: RE: SP Request not redirecting to IDP

Here is our ApplicationDefaults section (which includes pulling in the metadata for our IdP). Hopefully it answers the key one (which I think is how do I always use a specific IdP if trying to shibboleth-login to a site on a vhost?):

<ApplicationDefaults entityID="https://subdomain.domain.com/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http">

        (our idp lives at domain/idp - yours might not be that way)
        <SSO entityID="https://idp.domain.com/idp/shibboleth">
            SAML2 SAML1
        </SSO>
        <!-- SAML and local-only logout. -->
        <Logout>SAML2 Local</Logout>

        <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

        <!-- Status reporting service. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

        <!-- Session diagnostic service. -->
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>

        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <!--
    Allows overriding of error template information/filenames. You can
    also add attributes with values that can be plugged into the templates.
    -->
    <Errors supportContact="email-9IKiO1iGCm/QT0dZR+***@public.gmane.org"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Example of remotely supplied batch of signed metadata. -->
    (metadata lives in the same folder as shibboleth2.xml)
    <!--Our IdP-->
    <MetadataProvider type="XML" file="idp-metadata.xml"/>

    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

    <!-- Use a SAML query if no attributes are supplied during SSO. -->
    <AttributeResolver type="Query" subjectMatch="true"/>

    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Simple file-based resolver for using a single keypair. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

</ApplicationDefaults>

Cantor, Scott
2014-08-21 15:07:54 UTC
Post by Dave Perry
Here is our ApplicationDefaults section (which includes pulling in the
metadata for our IdP). Hopefully it answers the key one (which I think is
how do I always use a specific IdP if trying to shibboleth-login to a

No, that simply uses the same IdP for every request, without regard for
the vhost. Specifying the IdP by vhost is done with content settings. In
such a case, there shouldn't really be anything in the SSO element, to
prevent accidents.

-- Scott
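
The reply above separates the default IdP named in the <SSO> element from a per-vhost choice made with content settings. The check below is an added example, not part of the original thread or of the Shibboleth project: it assumes the per-vhost IdP is set with `ShibRequestSetting entityID`, and it runs on constructed inputs (a config shaped like the one posted earlier, a placeholder IdP `https://idp.example.org/idp/shibboleth`, and a two-vhost Apache file). It flags an <SSO> entityID that names the SP itself or an entity absent from the loaded metadata, and a default IdP left in <SSO> while vhosts choose their own.

```python
import re
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed inputs. SP_CONFIG mirrors the shape of the posted shibboleth2.xml
# (SSO points at the SP's own entityID); IDP and VHOSTS are placeholders.
IDP = "https://idp.example.org/idp/shibboleth"
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://mydomain.domain.com">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true">
      <SSO entityID="https://mydomain.domain.com">SAML2 SAML1</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""
# Same config with nothing in the SSO element, as the reply recommends
# when the IdP is chosen per vhost.
SP_CONFIG_FIXED = SP_CONFIG.replace(
    ' entityID="https://mydomain.domain.com">SAML2', ">SAML2")
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{IDP}">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
VHOSTS = f"""
<VirtualHost *:443>
  ServerName mydomain.domain.com
  <Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting entityID {IDP}
    Require shib-session
  </Location>
</VirtualHost>
<VirtualHost *:443>
  ServerName other.domain.com
</VirtualHost>
"""


def idp_entity_ids(metadata_xml):
    """entityIDs of every EntityDescriptor that carries an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID")
            for e in root.iter("{%s}EntityDescriptor" % NS["md"])
            if e.find("md:IDPSSODescriptor", NS) is not None}


def sp_and_sso(sp_xml):
    """(SP entityID, SSO entityID or None) read from ApplicationDefaults."""
    app = ET.fromstring(sp_xml).find("sp:ApplicationDefaults", NS)
    sso = app.find("sp:Sessions/sp:SSO", NS)
    return app.get("entityID"), (sso.get("entityID") if sso is not None else None)


def vhost_idps(apache_conf):
    """Map ServerName -> IdP set via 'ShibRequestSetting entityID' (or None)."""
    out = {}
    blocks = re.findall(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>",
                        apache_conf, re.S | re.I)
    for block in blocks:
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        idp = re.search(r"^\s*ShibRequestSetting\s+entityID\s+(\S+)",
                        block, re.M | re.I)
        out[name.group(1) if name else "(unnamed)"] = idp.group(1) if idp else None
    return out


def lint(sp_xml, metadata_xml, apache_conf):
    """Return (code, detail) findings about where users are sent to log in."""
    known = idp_entity_ids(metadata_xml)
    sp_id, sso_id = sp_and_sso(sp_xml)
    per_vhost = vhost_idps(apache_conf)
    findings = []
    if sso_id is not None and sso_id == sp_id:
        # The SSO entityID must name the IdP, not this SP.
        findings.append(("SSO_IS_SELF", sso_id))
    elif sso_id is not None and sso_id not in known:
        findings.append(("SSO_UNKNOWN_IDP", sso_id))
    for host, idp in per_vhost.items():
        if idp is not None and idp not in known:
            findings.append(("VHOST_UNKNOWN_IDP", f"{host} -> {idp}"))
    if sso_id is not None and any(per_vhost.values()):
        # A default IdP silently applies to every vhost without its own setting.
        findings.append(("SSO_SET_WITH_VHOST_OVERRIDE", sso_id))
    return findings


if __name__ == "__main__":
    for cfg in (SP_CONFIG, SP_CONFIG_FIXED):
        print(lint(cfg, IDP_METADATA, VHOSTS) or "no findings")
```
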
junaidakb
2014-08-27 15:12:48 UTC
Hi All,

I have configured my apache and shibboleth based on following link,

http://www.jeesty.com/shibboleth

But still when I am hitting my domain name request is not redirecting to my
IDP. Can you please suggest what I am missing here. I just want whenever I
hit my domain it should redirect to IDP if SAML token doesn't exist.



==> /var/log/httpd/dispatcher.log <==
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Found farm aral-website for aral-de-amitest.navitas.bpglobal.com
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] checking [/]
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] no cache due to missing extenson in uri: /
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] cache-action for [/]: NONE
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] connected to render i-5895e11a (10.0.1.88:4503)
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: accept
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: accept-encoding
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: Accept-ESI
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: accept-language
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: Accept-Language
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: Akamai-Origin-Hop
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: Cache-Control
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: host
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: user-agent
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: Via
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: X-Akamai-CONFIG-LOG-DETAIL
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: X-Akamai-Staging
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: X-Forwarded-For
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: X-Forwarded-Port
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Spooling header: X-Forwarded-Proto
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Detected: chunked transfer encoding
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Detected: dispatcher must not cache
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Detected: dispatcher must not cache
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] response.status = 200
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] response.headers[Server] = "Day-Servlet-Engine/4.1.32 "
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] response.headers[Content-Type] = "text/html;charset=UTF-8"
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] response.headers[Date] = "Wed, 27 Aug 2014 10:13:37 GMT"
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] response.headers[Cache-Control] = "no-cache"
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] send http headers
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Content length: -1, written: 74297
[Wed Aug 27 10:15:04 2014] [I] [20783(140360018876416)] "GET /?breakcachedddsdfefdsfsd" 200 74268 360ms

==> /var/log/httpd/ssl_access_log <==
10.0.4.95 - - [27/Aug/2014:10:15:04 +0000] "GET /?breakcachedddsdfefdsfsd HTTP/1.1" 200 74268

==> /var/log/httpd/dispatcher.log <==
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] Found farm aral-website for aral-de-amitest.navitas.bpglobal.com
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] checking [/content/aral/de/esi/newsletter.html]
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] never flushed [/navitas/www/cq/cache/content/aral/de/content/.stat] -> use cache [/navitas/www/cq/cache/content/aral/de/content/aral/de/esi/newsletter.html]
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] cache-action for [/content/aral/de/esi/newsletter.html]: SPOOL
[Wed Aug 27 10:15:04 2014] [D] [20783(140360018876416)] request declined
[Wed Aug 27 10:15:04 2014] [I] [20783(140360018876416)] "GET /content/aral/de/esi/newsletter.html" 0 - 0ms

==> /var/log/httpd/native.log <==
2014-08-27 10:15:04 DEBUG Shibboleth.Apache [20783] shib_handler: mapped
https://aral-de-amitest.navitas.bpglobal.com/content/aral/de/esi/newsletter.html
to default

==> /var/log/httpd/ssl_access_log <==
10.0.4.95 - - [27/Aug/2014:10:15:04 +0000] "GET
/content/aral/de/esi/newsletter.html HTTP/1.1" 304 -

==> /var/log/httpd/dispatcher.log <==
[Wed Aug 27 10:15:05 2014] [D] [20804(140360018876416)] Found farm
aral-website for aral-de-amitest.navitas.bpglobal.com
[Wed Aug 27 10:15:05 2014] [D] [20804(140360018876416)] checking
[/content/aral/de/esi/newsletter.anon.register.html]
[Wed Aug 27 10:15:05 2014] [D] [20804(140360018876416)] never flushed
[/navitas/www/cq/cache/content/aral/de/content/.stat] -> use cache
[/navitas/www/cq/cache/content/aral/de/content/aral/de/esi/newsletter.anon.register.html]
[Wed Aug 27 10:15:05 2014] [D] [20804(140360018876416)] cache-action for
[/content/aral/de/esi/newsletter.anon.register.html]: SPOOL
[Wed Aug 27 10:15:05 2014] [D] [20804(140360018876416)] request declined
[Wed Aug 27 10:15:05 2014] [I] [20804(140360018876416)] "GET
/content/aral/de/esi/newsletter.anon.register.html" 0 - 0ms

==> /var/log/httpd/native.log <==
2014-08-27 10:15:05 DEBUG Shibboleth.Apache [20804] shib_handler: mapped
https://aral-de-amitest.navitas.bpglobal.com/content/aral/de/esi/newsletter.anon.register.html
to default

==> /var/log/httpd/ssl_access_log <==
10.0.4.95 - - [27/Aug/2014:10:15:05 +0000] "GET
/content/aral/de/esi/newsletter.anon.register.html HTTP/1.1" 304 -

==> /var/log/httpd/dispatcher.log <==
[Wed Aug 27 10:15:05 2014] [D] [20810(140360018876416)] Found farm
aral-website for aral-de-amitest.navitas.bpglobal.com
[Wed Aug 27 10:15:05 2014] [D] [20810(140360018876416)] checking
[/etc/designs/aral/clientlibs.js]
[Wed Aug 27 10:15:05 2014] [D] [20810(140360018876416)] cache-action for
[/etc/designs/aral/clientlibs.js]: SPOOL
[Wed Aug 27 10:15:05 2014] [D] [20810(140360018876416)] request declined
[Wed Aug 27 10:15:05 2014] [I] [20810(140360018876416)] "GET
/etc/designs/aral/clientlibs.js" 0 - 1ms

==> /var/log/httpd/native.log <==
2014-08-27 10:15:05 DEBUG Shibboleth.Apache [20810] shib_handler: mapped
https://aral-de-amitest.navitas.bpglobal.com/etc/designs/aral/clientlibs.js
to default

==> /var/log/httpd/ssl_access_log <==
10.0.4.95 - - [27/Aug/2014:10:15:05 +0000] "GET
/etc/designs/aral/clientlibs.js HTTP/1.1" 304 -

==> /var/log/httpd/dispatcher.log <==
[Wed Aug 27 10:15:05 2014] [D] [20788(140360018876416)] Found farm
aral-website for aral-de-amitest.navitas.bpglobal.com
[Wed Aug 27 10:15:05 2014] [D] [20788(140360018876416)] checking
[/etc/designs/aral/clientlibs.css]
[Wed Aug 27 10:15:05 2014] [D] [20788(140360018876416)] cache-action for
[/etc/designs/aral/clientlibs.css]: SPOOL
[Wed Aug 27 10:15:05 2014] [D] [20788(140360018876416)] request declined
[Wed Aug 27 10:15:05 2014] [I] [20788(140360018876416)] "GET
/etc/designs/aral/clientlibs.css" 0 - 0ms

==> /var/log/httpd/native.log <==
2014-08-27 10:15:05 DEBUG Shibboleth.Apache [20788] shib_handler: mapped
https://aral-de-amitest.navitas.bpglobal.com/etc/designs/aral/clientlibs.css
to default

==> /var/log/httpd/ssl_access_log <==
10.0.4.95 - - [27/Aug/2014:10:15:05 +0000] "GET
/etc/designs/aral/clientlibs.css HTTP/1.1" 304 -

==> /var/log/httpd/native.log <==
2014-08-27 10:15:05 DEBUG Shibboleth.Config : using local resource
(/etc/shibboleth/shibboleth2.xml), will monitor for changes
2014-08-27 10:15:05 DEBUG Shibboleth.Config : loading configuration from
external resource...
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://schemas.xmlsoap.org/soap/envelope/ with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://schemas.xmlsoap.org/ws/2005/02/trust with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.opensaml.org/xmltooling with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/2000/09/xmldsig# with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/2001/04/xmlenc# with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
xmldsig-core-schema.xsd with baseURI
/usr/share/xml/xmltooling/xenc-schema.xsd
2014-08-27 10:15:05 INFO Shibboleth.Config : reload thread started...running
when signaled
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/2009/xmldsig11# with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/2009/xmlenc11# with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
xmldsig-core-schema.xsd with baseURI
/usr/share/xml/xmltooling/xenc11-schema.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
xenc-schema.xsd with baseURI /usr/share/xml/xmltooling/xenc11-schema.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/XML/1998/namespace with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:1.0 with baseURI /etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
xmldsig-core-schema.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve xml.xsd
with baseURI /usr/share/xml/shibboleth/shibboleth.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:2.0:afp with baseURI /etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
classpath:/schema/xmldsig-core-schema.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-afp.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request (classpath:/schema/xmldsig-core-schema.xsd), blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:2.0:afp:mf:basic with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
classpath:/schema/shibboleth-2.0-afp.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-basic.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request (classpath:/schema/shibboleth-2.0-afp.xsd), blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:2.0:afp:mf:saml with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
classpath:/schema/shibboleth-2.0-afp.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-saml.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request (classpath:/schema/shibboleth-2.0-afp.xsd), blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:2.0:attribute-map with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
xmldsig-core-schema.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-attribute-map.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:2.0:native:sp:config with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
xmldsig-core-schema.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-native-sp-config.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-assertion-2.0.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-native-sp-config.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
with baseURI /usr/share/xml/opensaml/saml-schema-assertion-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request
(http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd),
blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd with
baseURI /usr/share/xml/opensaml/saml-schema-assertion-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request
(http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd),
blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-protocol-2.0.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-native-sp-config.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-assertion-2.0.xsd with baseURI
/usr/share/xml/opensaml/saml-schema-protocol-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
with baseURI /usr/share/xml/opensaml/saml-schema-protocol-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request
(http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd),
blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-metadata-2.0.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-native-sp-config.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
with baseURI /usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request
(http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd),
blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd with
baseURI /usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request
(http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd),
blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-assertion-2.0.xsd with baseURI
/usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/2001/xml.xsd with baseURI
/usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request (http://www.w3.org/2001/xml.xsd), blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:2.0:native:sp:protocols with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
xmldsig-core-schema.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-native-sp-protocols.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:2.0:sp:notify with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-assertion-2.0.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-sp-notify.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-protocol-2.0.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-sp-notify.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:metadata:1.0 with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
xmldsig-core-schema.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-metadata-1.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:1.0:assertion with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd with baseURI
/usr/share/xml/opensaml/cs-sstc-schema-assertion-1.1.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request (http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd),
blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:1.0:protocol with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
cs-sstc-schema-assertion-1.1.xsd with baseURI
/usr/share/xml/opensaml/cs-sstc-schema-protocol-1.1.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd with baseURI
/usr/share/xml/opensaml/cs-sstc-schema-protocol-1.1.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request (http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd),
blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:2.0:ac with baseURI /etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-authn-context-types-2.0.xsd with baseURI
/usr/share/xml/opensaml/saml-schema-authn-context-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:2.0:conditions:delegation with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-assertion-2.0.xsd with baseURI
/usr/share/xml/opensaml/sstc-saml-delegation.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-protocol-2.0.xsd with baseURI
/usr/share/xml/opensaml/saml-schema-ecp-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-assertion-2.0.xsd with baseURI
/usr/share/xml/opensaml/saml-schema-ecp-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://schemas.xmlsoap.org/soap/envelope/ with baseURI
/usr/share/xml/opensaml/saml-schema-ecp-2.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500 with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:attribute:ext with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:metadata:algsupport with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:metadata:attribute with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-assertion-2.0.xsd with baseURI
/usr/share/xml/opensaml/sstc-metadata-attr.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:metadata:ext:query with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-metadata-2.0.xsd with baseURI
/usr/share/xml/opensaml/sstc-saml-metadata-ext-query.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:metadata:rpi with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-metadata-2.0.xsd with baseURI
/usr/share/xml/opensaml/saml-metadata-rpi-v1.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/2001/xml.xsd with baseURI
/usr/share/xml/opensaml/saml-metadata-rpi-v1.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request (http://www.w3.org/2001/xml.xsd), blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:metadata:ui with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-metadata-2.0.xsd with baseURI
/usr/share/xml/opensaml/sstc-saml-metadata-ui-v1.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
http://www.w3.org/2001/xml.xsd with baseURI
/usr/share/xml/opensaml/sstc-saml-metadata-ui-v1.0.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : unauthorized entity
request (http://www.w3.org/2001/xml.xsd), blocking it
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-metadata-2.0.xsd with baseURI
/usr/share/xml/opensaml/sstc-saml-idp-discovery.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:profiles:SSO:request-init with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-metadata-2.0.xsd with baseURI
/usr/share/xml/opensaml/sstc-request-initiation.xsd
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:profiles:v1metadata with baseURI
/etc/shibboleth/shibboleth2.xml

==> /var/log/httpd/dispatcher.log <==
[Wed Aug 27 10:15:05 2014] [D] [20788(140360018876416)] Found farm
aral-website for aral-de-amitest.navitas.bpglobal.com
[Wed Aug 27 10:15:05 2014] [D] [20788(140360018876416)] checking
[/etc/designs/aral/clientlibs/css/global/print.css]
[Wed Aug 27 10:15:05 2014] [D] [20788(140360018876416)] cache-action for
[/etc/designs/aral/clientlibs/css/global/print.css]: SPOOL
[Wed Aug 27 10:15:05 2014] [D] [20788(140360018876416)] request declined
[Wed Aug 27 10:15:05 2014] [I] [20788(140360018876416)] "GET
/etc/designs/aral/clientlibs/css/global/print.css" 0 - 0ms

==> /var/log/httpd/native.log <==
2014-08-27 10:15:05 DEBUG Shibboleth.Apache [20788] shib_handler: mapped
https://aral-de-amitest.navitas.bpglobal.com/etc/designs/aral/clientlibs/css/global/print.css
to default

==> /var/log/httpd/ssl_access_log <==
10.0.4.95 - - [27/Aug/2014:10:15:05 +0000] "GET
/etc/designs/aral/clientlibs/css/global/print.css HTTP/1.1" 304 -

==> /var/log/httpd/native.log <==
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:protocol:ext:third-party with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-27 10:15:05 DEBUG XMLTooling.ParserPool : asked to resolve
saml-schema-assertion-2.0.xsd with baseURI
/usr/share/xml/opensaml/sstc-saml-protocol-ext-thirdparty.xsd
2014-08-27 10:15:05 INFO Shibboleth.Config : loaded XML resource
(/etc/shibboleth/shibboleth2.xml)
2014-08-27 10:15:05 INFO Shibboleth.Config : Shibboleth SP Version 2.5.3
2014-08-27 10:15:05 INFO Shibboleth.Config : Library versions: log4shib
1.0.8, Xerces-C 3.1.1, XMLTooling-C 1.5.3, Shibboleth 1.5.3
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property clockSkew
(180)
2014-08-27 10:15:05 INFO Shibboleth.Config : building ListenerService of
type UnixListener...
2014-08-27 10:15:05 INFO Shibboleth.Config : no SessionCache specified,
using StorageService-backed instance
2014-08-27 10:15:05 INFO Shibboleth.Config : no RequestMapper specified,
using 'Native' plugin with empty/default map
2014-08-27 10:15:05 DEBUG Shibboleth.RequestMapper : no resource
uri/path/name supplied, will load inline configuration
2014-08-27 10:15:05 DEBUG Shibboleth.RequestMapper : loading inline
configuration...
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property
applicationId (default)
2014-08-27 10:15:05 INFO Shibboleth.Config : building ProtocolProvider of
type XML...
2014-08-27 10:15:05 DEBUG Shibboleth.ProtocolProvider.XML : using local
resource (/etc/shibboleth/protocols.xml), will not monitor for changes
2014-08-27 10:15:05 DEBUG Shibboleth.ProtocolProvider.XML : loading
configuration from external resource...
2014-08-27 10:15:05 INFO Shibboleth.ProtocolProvider.XML : loaded XML
resource (/etc/shibboleth/protocols.xml)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id (SAML2)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SAML2/POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SAML2/POST-SimpleSign)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SAML2/Artifact)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:PAOS)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SAML2/ECP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id (SAML2)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SLO/SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SLO/Redirect)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SLO/POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SLO/Artifact)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/NIM/SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/NIM/Redirect)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/NIM/POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/NIM/Artifact)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/Artifact/SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id (Shib1)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:1.0:profiles:browser-post)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SAML/POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:1.0:profiles:artifact-01)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/SAML/Artifact)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id (ADFS)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(http://schemas.xmlsoap.org/ws/2003/07/secext)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property path
(/ADFS)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id (ADFS)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id (Local)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property
REMOTE_USER (eppn persistent-id targeted-id)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property entityID
(https://aral-de-amitest.navitas.bpglobal.com/)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property id
(default)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property
checkAddress (false)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property
cookieProps (http)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property handlerSSL
(false)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property lifetime
(28800)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property relayState
(ss:mem)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property timeout
(3600)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added nested property
set: {urn:mace:shibboleth:2.0:native:sp:config}Sessions
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property
helpLocation (/about.html)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property styleSheet
(/shibboleth-sp/main.css)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property
supportContact (***@localhost)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added nested property
set: {urn:mace:shibboleth:2.0:native:sp:config}Errors

==> /var/log/httpd/native_warn.log <==
2014-08-27 10:15:05 WARN Shibboleth.Application : insecure cookieProps
setting, set to "https" for SSL/TLS-only usage

==> /var/log/httpd/native.log <==
2014-08-27 10:15:05 WARN Shibboleth.Application : insecure cookieProps
setting, set to "https" for SSL/TLS-only usage

==> /var/log/httpd/native_warn.log <==
2014-08-27 10:15:05 WARN Shibboleth.Application : handlerSSL should be
enabled for SSL/TLS-enabled web sites

==> /var/log/httpd/native.log <==
2014-08-27 10:15:05 WARN Shibboleth.Application : handlerSSL should be
enabled for SSL/TLS-enabled web sites
2014-08-27 10:15:05 INFO Shibboleth.Application : auto-configuring SSO
initiation for protocol (SAML2)
2014-08-27 10:15:05 INFO Shibboleth.Application : adding SessionInitiator of
type (SAML2) to chain (/Login)
2014-08-27 10:15:05 INFO Shibboleth.Application : auto-configuring
ArtifactResolution endpoints for protocol (SAML2)
2014-08-27 10:15:05 INFO Shibboleth.Application : adding
ArtifactResolutionService for Binding
(urn:oasis:names:tc:SAML:2.0:bindings:SOAP) at (/Artifact/SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property Binding
(urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property Location
(/Artifact/SOAP)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property index (1)
2014-08-27 10:15:05 INFO Shibboleth.Application : auto-configuring SSO
endpoints for protocol (SAML2)
2014-08-27 10:15:05 INFO Shibboleth.Application : adding
AssertionConsumerService for Binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST) at (/SAML2/POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property Binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property Location
(/SAML2/POST)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property entityID
(https://accessuat.bpglobal.com/fim/sps/saml20/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://aral-de-amitest.navitas.bpglobal.com/&NameIdFormat=Email&AllowCreate=false)
2014-08-27 10:15:05 DEBUG Shibboleth.PropertySet : added property index (1)
2014-08-27 10:15:05 INFO Shibboleth.Application : adding
AssertionConsumerService for Binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign) at

Kind Regards,
Junaid Akbar




Cantor, Scott
2014-08-27 15:42:42 UTC
Post by junaidakb
I have configured my apache and shibboleth based on following link,
http://www.jeesty.com/shibboleth
Then I'd start by reading the real documentation to supplement that.
Post by junaidakb
But still when I am hitting my domain name request is not redirecting to my
IDP. Can you please suggest what I am missing here. I just want whenever I
hit my domain it should redirect to IDP if SAML token doesn't exist.
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPWontProtect

-- Scott

junaidakb
2014-08-27 20:44:59 UTC
Is there any simple answer? I have gone through many pages but am still facing
the issue, i.e. unable to redirect traffic to the IdP.

I have shared my configurations and logs; can someone point me to the issue or
the area where I need to focus?

I am going through the provided document again meanwhile.

Regards,
Junaid Akbar




Cantor, Scott
2014-08-27 23:08:34 UTC
Post by junaidakb
Is there any simple answer? I have gone through many pages but am still facing
the issue, i.e. unable to redirect traffic to the IdP.
The simplest answer is that you have not configured anything to protect.

You dumped a ton of logs with no context, no simple explanation of your
environment, nothing to go on. Not even a basic statement about what
you're trying to accomplish.
Post by junaidakb
I have shared my configurations and logs; can someone point me to the issue or
the area where I need to focus?
To diagnose request processing issues, native.log is the best starting
point. If you see nothing in it on DEBUG, then your SP isn't doing
anything, which means you didn't tell it to do anything.

-- Scott

junaidakb
2014-08-28 08:16:07 UTC
Hi,

If you look at my previous inputs on this thread, especially the one from
20 August 2014 14:51, where I provided my configurations and a summary of what
I am trying to achieve,

I am trying to achieve the following simple scenario,

1. The user will access a specific URL, e.g. https://mydomain.domain.com

2. Apache receives this request and, based on the entityID and virtualhost
configurations, https://mydomain.domain.com, the user should be redirected to
the IdP URL mentioned in shibboleth2.xml and in the metadata file.

3. Once the user is authenticated, the IdP returns a SAML token and
Apache/Shibboleth should allow the user to access the actual contents, e.g.
https://mydomain.domain.com


Let me share my vhost.conf and ssl.conf file configuration for my domain,

Vhost.conf
------------
<VirtualHost *:80>
    ServerName aral-de-amitest.navitas.bpglobal.com
    DocumentRoot /navitas/www/cq/cache/content/aral/de

    AcceptPathInfo On

    UseCanonicalName On

    <Location />
        AuthType shibboleth
        Require shibboleth
        ShibRequireSession On
        require valid-user
        ShibRequestSetting entityID https://accessuat.bpglobal.com/fim/sps/saml20/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=http://aral-de-amitest.navitas.bpglobal.com/&NameIdFormat=Email&AllowCreate=false
        #ShibCompatWith24 On
        ShibRequestSetting requireSession 1
        #require shib-session
    </Location>

    RewriteEngine On
</VirtualHost>

ssl.conf
---------
<VirtualHost *:443>
    SSLEngine on
    ServerName aral-de-amitest.navitas.bpglobal.com
    DocumentRoot /navitas/www/cq/cache/content/aral/de

    RewriteEngine On

    AcceptPathInfo On

    UseCanonicalName On

    <Location />
        AuthType shibboleth
        Require shibboleth
        ShibRequireSession On
        require valid-user
        ShibRequestSetting entityID https://accessuat.bpglobal.com/fim/sps/saml20/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=http://aral-de-amitest.navitas.bpglobal.com/&NameIdFormat=Email&AllowCreate=false
        #ShibCompatWith24 On
        ShibRequestSetting requireSession 1
        #require shib-session
    </Location>

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    #LogLevel warn

    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

I would also like to share my shibboleth2.xml file configuration as well,
which I shared earlier on the same thread,

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <ApplicationDefaults entityID="https://aral-de-amitest.navitas.bpglobal.com/"
        REMOTE_USER="eppn persistent-id targeted-id">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="http">

            <SSO entityID="https://accessuat.bpglobal.com/fim/sps/saml20/saml20">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="***@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML"
            file="saml20_BP_metadata_TFIM_UAT_22AUG2013.xml"/>
        <AttributeExtractor type="XML" validate="true" reloadChanges="false"
            path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false"
        path="protocols.xml"/>

</SPConfig>

Can you look at the above details and let me know if anything is missing?

Regards,
Junaid Akbar







Cantor, Scott
2014-08-28 15:04:31 UTC
Post by Cantor, Scott
ShibRequestSetting entityID https://accessuat.bpglobal.com/fim/sps/saml20/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=http://aral-de-amitest.navitas.bpglobal.com/&NameIdFormat=Email&AllowCreate=false
That is not an entityID. So my guess is there's a shibd.log message
telling you that there's no metadata defined for that entityID.

And you cannot provide parameters like that. The entityID is used to
determine the IdP, and the URL to redirect to comes from the metadata.
Post by Cantor, Scott
<SSO
entityID="https://accessuat.bpglobal.com/fim/sps/saml20/saml20">
SAML2 SAML1
</SSO>
That's fine if that's in fact the entityID, but that means that's the
entityID to use regardless of the request's vhost or URL. And you
certainly would need to use that in the Apache config if you intend to
control it from there.

-- Scott
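
Added example (not part of any message in this thread, and not Shibboleth project code): a pre-flight check for the point made in the reply above, that an entityID is a name looked up in metadata and the redirect URL comes from the metadata, not from the setting. The metadata, host names and function names below are constructed placeholders, and the exact-match lookup is a sketch of the behaviour described, not the SP's implementation.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata (placeholder names, not the poster's real file).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/fim/sps/saml20/saml20">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/fim/sps/saml20/saml20/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed Apache fragment repeating the mistake discussed in the thread:
# a login URL with query parameters used where a name is expected.
SAMPLE_APACHE = """\
<VirtualHost *:443>
  ServerName sp.example.org
  <Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting entityID https://idp.example.org/fim/sps/saml20/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://sp.example.org/
    Require valid-user
  </Location>
</VirtualHost>
"""


def load_idps(metadata_xml):
    """Map each IdP entityID in the metadata to {binding: SSO Location}."""
    root = ET.fromstring(metadata_xml)
    idps = {}
    # iter() also yields the root, so a bare EntityDescriptor and an
    # EntitiesDescriptor wrapper are both handled.
    for entity in root.iter(MD + "EntityDescriptor"):
        endpoints = {}
        for role in entity.findall(MD + "IDPSSODescriptor"):
            for svc in role.findall(MD + "SingleSignOnService"):
                endpoints.setdefault(svc.get("Binding"), svc.get("Location"))
        if endpoints:
            idps[entity.get("entityID")] = endpoints
    return idps


def configured_entity_ids(apache_conf):
    """Return entityID values set by uncommented ShibRequestSetting lines."""
    pattern = re.compile(
        r"^[ \t]*ShibRequestSetting[ \t]+entityID[ \t]+(\S+)", re.I | re.M)
    return [value.strip('"') for value in pattern.findall(apache_conf)]


def resolve(entity_id, idps, binding=REDIRECT):
    """Look the name up by exact match and report the endpoint to redirect to."""
    endpoints = idps.get(entity_id)
    if endpoints is None:
        # A value that merely starts with a known name is still not that name.
        closest = next((n for n in idps if entity_id.startswith(n)), None)
        return {"ok": False, "location": None, "closest_name": closest}
    return {"ok": True, "location": endpoints.get(binding), "closest_name": entity_id}


if __name__ == "__main__":
    idps = load_idps(SAMPLE_METADATA)
    for value in configured_entity_ids(SAMPLE_APACHE):
        print(value, "->", resolve(value, idps))
    name = "https://idp.example.org/fim/sps/saml20/saml20"
    print(name, "->", resolve(name, idps))
```

Run against the real metadata file and vhost configuration, a result with ok set to False means no metadata is defined for the configured value.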

junaidakb
2014-08-28 21:21:42 UTC
Hi,

I have tried it earlier but changed the entityID back to the one mentioned in
the IdP metadata, but I am still getting the actual site contents instead of
the IdP login screen. I have updated both the vhost.conf and ssl.conf files
with the following,

ShibRequestSetting entityID https://accessuat.bpglobal.com/fim/sps/saml20/saml20

Can you please suggest if there is anything else wrong in my configuration?
I have tried mod_auth_mellon earlier and the end-to-end scenario worked fine.
We are running a PoC to finalize one module, but with Shibboleth I am stuck
:(

I would appreciate it if someone can suggest or point me to the issue in my
configurations mentioned in my previous post.

Regards,
Junaid Akbar




Cantor, Scott
2014-08-28 21:42:20 UTC
Post by junaidakb
I have tried it earlier but changed the entityID back to the one mentioned in
the IdP metadata, but I am still getting the actual site contents instead of
the IdP login screen.
That fits since what you had should have resulted in an error. So your
settings are not actually in effect. Apache is ignoring them, so your
problem is with Apache. Something else is probably overriding them
somewhere.

-- Scott

junaidakb
2014-08-29 15:34:43 UTC
Hi,

When I hit the URL, native.log shows that it is loading the shibboleth2.xml
file for every sub-URL on the main page, but at the end it starts shutting down
Shibboleth. Does it sound good to any of you?

Please refer to the following chunk of the native.log file,

2014-08-29 14:46:17 DEBUG XMLTooling.ParserPool : asked to resolve
urn:oasis:names:tc:SAML:2.0:conditions:delegation with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-29 14:46:17 DEBUG XMLTooling.ParserPool : asked to resolve
urn:mace:shibboleth:2.0:native:sp:protocols with baseURI
/etc/shibboleth/shibboleth2.xml
2014-08-29 14:46:17 DEBUG Shibboleth.Apache [28473] shib_handler: mapped
https://aral-de-amitest.navitas.bpglobal.com/etc/designs/aral/fonts/aralv2l-webfont.woff
to default
2014-08-29 14:46:17 DEBUG Shibboleth.Apache [28475] shib_handler: mapped
Loading Image...
to default
2014-08-29 14:46:32 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down
2014-08-29 14:47:16 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down
2014-08-29 14:47:17 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down
2014-08-29 14:47:18 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down
2014-08-29 14:47:27 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down
2014-08-29 14:47:28 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down
2014-08-29 14:47:29 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down
2014-08-29 14:47:30 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down
2014-08-29 14:47:31 INFO Shibboleth.Config : shibboleth 2.5.3 library
shutting down

Regards,
Junaid Akbar




Cantor, Scott
2014-08-29 17:19:29 UTC
Post by junaidakb
Hi,
When I hit the URL, native.log shows that it is loading the shibboleth2.xml
file for every sub-URL on the main page, but at the end it starts shutting down
Shibboleth. Does it sound good to any of you?
It's shutting down because Apache children are. If you're running prefork,
you should stop that, but that won't prevent it from working.

All you've proven is that the module is actually loaded, but you know that
already because you have Shib* Apache commands in place and they aren't
erroring Apache out.

I've told you what the problem is. If you want to prove me wrong, change
any of the settings in the Location block that you think is actually
taking effect and see if you can get Apache to notice. If you can, I have
no advice to give you because what you've described so far is strong
evidence that that Location block is not being applied to any requests.

-- Scott

Cantor, Scott
2014-08-20 14:40:33 UTC
Post by j***@public.gmane.org
1. User will access specific URL e.g. mydomain.domain.com
2. Apache receives this request and, based on entityID
https://mydomain.domain.com, the user should be redirected to the IdP URL.
Then you want to add ShibRequestSetting entityID <entityID> to a Location
/ block in that virtual host.
Post by j***@public.gmane.org
- I am using a domain name, e.g. https://mydomain.domain.com, and I used it
as the entityID; do I need to use the following URL,
'https://mydomain.domain.com/shibboleth'?
See EntityNaming in the wiki.
Post by j***@public.gmane.org
- I am using an external IdP and they provided me metadata, which I have
copied to /etc/shibboleth/. I used the following configuration to define this
metadata, but what URL and entityID should I use under SSO? When I have
defined the metadata file, do I really
need to define an entityID under <SSO>?
You need a default there, or you need a discovery service, or you need to
guarantee that every request will have an entityID content/request setting
in effect so that the default one never gets used.
Post by j***@public.gmane.org
- A few documents say to use this type of URL,
https://myidp.domain.com/idp/shibboleth? We have a different URL in the
metadata, so why do we need to define it here?
There is no documentation anywhere that says to use that type of URL
unless the system you're working with is named by such a URL.

EntityIDs are names. Names of other SAML systems are not assigned by you.
If you help me understand what it is that you don't understand about that,
then I can help you.
Post by j***@public.gmane.org
- After defining all these properties, how will a request be routed to the IdP
once a user hits https://mydomain.domain.com?
If you do what I said to do at the top, then a request to a vhost will use
the metadata for the entityID specified to lookup the right endpoint to
redirect to.

-- Scott

j***@public.gmane.org
2014-08-20 15:57:37 UTC
- Defined the following under the virtual host Location section, still not working
ShibRequestSetting entityID https://idpURL...
Or
ShibRequestSetting entityID https://mydomain...


- Generally, which property is involved in redirecting the request to the IdP?
Is it in shibboleth2.xml or the virtual host?


Kind Regards,
Junaid Akbar

Cantor, Scott
2014-08-20 20:04:12 UTC
Post by j***@public.gmane.org
- Defined the following under the virtual host Location section, still not working
That doesn't change the answer to your question.
Post by j***@public.gmane.org
- Generally, which property is involved in redirecting the request to the IdP?
Is it in shibboleth2.xml or the virtual host?
Every value usable in Apache is a content setting that is documented in
the wiki material on the RequestMap, which the htaccess hooks essentially
override/replace on Apache.

So the answer is either or both.

-- Scott