Discussion:
opensaml::FatalProfileException or User login problem?
Filipa Moura
2009-04-03 14:43:46 UTC
I'm trying to test shibb on a local environment following the steps on

When accessing "https://sp.example.com/secure"

* If on the handler.xml I un-comment the "<LoginHandler
xsi:type="RemoteUser"> " I can't seem to get a login because the message
"A valid session was not found." is always returned.. no matter if I
type a correct or incorrect password, I always get the same..

* If on the handler.xml I comment the "<LoginHandler
xsi:type="RemoteUser"> " I get the following error

opensaml::FatalProfileException at
(http://sp.example.com/Shibboleth.sso/SAML2/POST)

SAML response contained an error.

Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

What should I do and how can I fix this?

Filipa Moura
Paul Hethmon
2009-04-03 14:57:06 UTC
I'm trying to test shibb on a local environment following the steps on
When accessing "https://sp.example.com/secure"
* If on the handler.xml I un-comment the "<LoginHandler
xsi:type="RemoteUser"> " I can't seem to get a login because the message "A
valid session was not found." is always returned.. no matter if I type a
correct or incorrect password, I always get the same..

Did you set up your container managed authentication?

* If on the handler.xml I comment the "<LoginHandler
xsi:type="RemoteUser"> " I get the following error
opensaml::FatalProfileException at
(http://sp.example.com/Shibboleth.sso/SAML2/POST)
SAML response contained an error.
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

What did you use to perform authentication here?

You have to configure some type of authentication. Shib, itself, doesn't do
authentication. It does have support for tying into several different basic
authentication mechanisms such as the container managed RemoteUser,
UsernamePassword via JAAS, and LDAP based. But since it doesn't know what
you have available, there is nothing there by default.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and he's
warm for the rest of his life.

-- Terry Pratchett, Discworld
Filipa Moura
2009-04-03 15:00:40 UTC
Not even for local testing? I just want to see how it works, simple..
Do I really have to configure some type of authentication? If so, what
do you think is the simplest? :\



Paul Hethmon
2009-04-03 15:09:22 UTC
Not even for local testing? I just want to see how it works, simple.. Do I
really have to configure some type of authentication? If so, what do you think
is the simplest? :\
You've got to configure something. Simplest depends on what you know
already. If you know how to configure the container based authentication for
the container you are running Shib in, then that's the simplest. I think
there is a handler in there that uses IP address; for testing, you could
allow all.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and he's
warm for the rest of his life.

-- Terry Pratchett, Discworld
Filipa Moura
2009-04-03 15:16:34 UTC
I tried this:

<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
  <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
  <IPEntry>192.168.16.0/8</IPEntry>
</LoginHandler>

Yet the error returned is the same

opensaml::FatalProfileException at
(http://sp.example.com/Shibboleth.sso/SAML2/POST)

SAML response contained an error.

Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

On the idp-process.log I get

16:15:07.432 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:592] - No user identified by login handler.

16:15:07.435 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:554] - Authentication failed with the error:

edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
        at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:593) [shibboleth-identityprovider-2.1.1.jar:na]
[...]

I mean, shouldn't this work? :\

From: Paul Hethmon [mailto:paul.hethmon-NC06ibP+gDOju1H+chf1WFaTQe2KTcn/@public.gmane.org]
Sent: sexta-feira, 3 de Abril de 2009 16:09
To: Shibboleth Users
Subject: Re: [Shib-Users] opensaml::FatalProfileException or User login
problem?



On 4/3/09 11:00 AM, "Filipa Moura" <filipa.moura-***@public.gmane.org> wrote:

Not even for local testing? I just want to see how it works, simple..
Do I really have to configure some type of authentication? If so, what
do you think is the simplest? :\


You've got to configure something. Simplest depends on what you know
already. If you know how to configure the container based authentication
for the container you are running Shib in, then that's the simplest. I
think there is a handler in there that uses IP address, for testing, you
could allow all.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and
he's warm for the rest of his life.

-- Terry Pratchett, Discworld
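The IPAddress handler can only identify a user when the client address that reaches the IdP falls inside one of its IPEntry ranges, so two things are worth checking against the configuration quoted above: which range an entry such as 192.168.16.0/8 really covers (the /8 mask leaves host bits set, and the effective network is all of 192.0.0.0/8, far wider than the 192.168.16.x it looks like), and whether the address of a browser on the same machine (typically 127.0.0.1 or ::1 during local testing) is in that range at all. The following script is an added example written for this thread, not code from the Shibboleth IdP or from any poster; the defaultDeny semantics it models (entries are an allow-list when "true", a deny-list when "false") and the IP values it feeds in are assumptions made for illustration.

```python
import ipaddress
from typing import Iterable, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the single IPEntry from the handler.xml quoted in the thread.
SAMPLE_ENTRIES = ["192.168.16.0/8"]


def effective_network(entry: str) -> Tuple[Network, bool]:
    """Return the network an IPEntry actually covers, plus a flag that is
    True when the entry had host bits set (address and prefix disagree).
    A lenient parse (strict=False) is what makes 192.168.16.0/8 become
    192.0.0.0/8; the strict parse only tells us the entry was sloppy."""
    host_bits_set = False
    try:
        ipaddress.ip_network(entry, strict=True)
    except ValueError:
        host_bits_set = True
    return ipaddress.ip_network(entry, strict=False), host_bits_set


def identify_user(client_ip: str, entries: Iterable[str],
                  default_deny: bool, username: str) -> Optional[str]:
    """Model (an assumption, not the IdP's code) of the IPAddress handler:
    defaultDeny=True  -> entries are an allow-list, anything else yields no user
    defaultDeny=False -> entries are a deny-list, anything else maps to `username`
    Returning None corresponds to the log line
    'No user identified by login handler'."""
    addr = ipaddress.ip_address(client_ip)
    # `in` is False when the address family differs, so ::1 never matches a v4 entry.
    listed = any(addr in effective_network(e)[0] for e in entries)
    if default_deny:
        return username if listed else None
    return None if listed else username


def audit_entries(entries: Iterable[str]) -> list:
    """Report each entry next to the range it really grants, so an over-wide
    mask is visible before it is deployed."""
    report = []
    for e in entries:
        net, sloppy = effective_network(e)
        report.append((e, str(net), net.num_addresses, sloppy))
    return report


if __name__ == "__main__":
    for entry, effective, size, sloppy in audit_entries(SAMPLE_ENTRIES):
        print(f"{entry:>18} -> {effective:<16} {size:>10} addresses"
              f"{'  (host bits set, mask wider than intended?)' if sloppy else ''}")
    for ip in ("192.168.16.5", "192.200.1.1", "127.0.0.1", "::1"):
        user = identify_user(ip, SAMPLE_ENTRIES, default_deny=True, username="ip-user")
        print(f"client {ip:<14} -> {user or 'no user identified by login handler'}")
```

Run it as-is to see the audit of the quoted entry; to check a real deployment, replace SAMPLE_ENTRIES with the IPEntry values from handler.xml and the probe addresses with whatever the IdP's access log shows as the client address, since a reverse proxy or NAT in front of the container changes which address the handler sees.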
Paul Hethmon
2009-04-03 15:22:27 UTC
<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
  <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
  <IPEntry>192.168.16.0/8</IPEntry>
</LoginHandler>

This is where you'll have to dive into the wiki and see what it says. I've
not used that handler myself.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and he's
warm for the rest of his life.

-- Terry Pratchett, Discworld
Filipa Moura
2009-04-03 15:51:24 UTC
Yes, I've already read the documentation and it's exactly how it says
there. I even defined it in the relying-party.xml as the default
authentication method (<DefaultRelyingParty
provider="https://idp.example.com/shibboleth"
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"> )...

(And yes Steven I know I'm being a pain in the ass with this many
emails.. but my boss is bugging me and I cannot get this to work.. it's
my 4th day installing it.. and there is no site in my area that is
already running Shib...)



Scott Cantor
2009-04-03 16:19:04 UTC
Post by Filipa Moura
Yes, i've already read the documentation and its exactly how it says
there.
Post by Filipa Moura
I even defined it in the relying-party.xml as the default authentication
Did you turn up logging to DEBUG and then analyze it in detail to see what's
going wrong?

Search for any previous references to the problem in the list archive?

Try a search for earlier questions about "simple authentication for a demo"
or something like that?

-- Scott

Steven Carmody
2009-04-03 15:18:52 UTC
Post by Filipa Moura
Not even for local testing? I just want to see how it works,
simple.. Do I really have to configure some type of authentication?
If so, what do you think is the simplest? :\
Is there a site in your area that is already running Shib? Might
someone from that site be willing to visit you, and work through a basic
install?

That would probably be a much faster process to get you to where you
want to be..... rather than the email list.....