B Da Bahia
2014-08-13 16:49:05 UTC
Hello list,
Newbie here. I'm attempting to set up a simple SAML 2.0 federation with:
IdP: MS Server 2008 R2 with ADFS 2.0
SP: MS Win 7 with Shibboleth 2.5.3 win 64
I based my tests on the following link
https://wiki.shibboleth.net/confluence/download/attachments/4358293/ADFS_and_Shib.pdf?api=v2
So far, I was able to get the SSO working (with some issues) but I'm unable
to get the Logout done. And yes, I've read the SLO issues article (not sure
I get the whole picture though).
- First, the SSO issues:
Once logged in, if I close my IE10 and then reopen it again, when
requesting the /secure URL, I still have a valid session with the IdP
(different Shib session ID though) so my IdP creds are not required (which
is undesired). If I use Chrome, that behavior does not hold and my creds
are indeed requested. This happens consistently even if I clear the cache
on both browsers.
The Windows events registered with the IE10 case are:
1) The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
2) Special privileges assigned to new logon. (with reference to my account
in that domain)
3) An account was successfully logged on.
I'm using Windows authentication at the /adfs/ls site (extended protection
off).
- Next, the SLO issues:
I'm trying to logout with an invocation from my SP that looks like this:
<a href="https://mySP/Shibboleth.sso/SAML2/POST"><b>IdP Logout</b></a>
And as a response I get:
"opensaml::BindingException at (https://mySP/Shibboleth.sso/SAML2/POST)
Invalid HTTP method (GET)."
The Windows Event Viewer shows the following events:
1) Special privileges assigned to new logon (security ID: system)
2) An account was successfully logged on (security ID: NULL)
3) An account was logged off. (security ID: system)
4) The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
5) Special privileges assigned to new logon (security ID: my domain account)
6) An account was successfully logged on. (security ID: NULL)
7) An account was logged off. (security ID: my domain account)
8) A Kerberos service ticket was requested.
Some relevant config snippets are:
shibboleth2.xml:
    <SSO entityID="http://myIdP/adfs/services/trust">
        <!-- discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF" -->
        SAML2 SAML1
    </SSO>
    <!-- SAML and local-only logout. -->
    <Logout>SAML2 Local</Logout>
I was able to hook in an app proxy that shows the following events after I
tried the logout:
1) a POST to https://mySP/Shibboleth.sso/SAML2/POST with a 302 Moved
redirection
2) a GET to https://mySP/secure with a 401 Unauthorized
3) idem 2
4) a GET to https://mySP/secure with a 301 Moved Permanently
5) and a GET to https://mySP/secure with a 200 OK
I'm probably not submitting enough info for you to diagnose what I'm doing
wrong, but I'm willing to submit whatever is necessary.
Any hint will be much appreciated.
Thanks!
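The logout link in the post points at the SP's SAML2 HTTP-POST binding endpoint (/Shibboleth.sso/SAML2/POST), which exists to receive POSTed SAML messages from the IdP and therefore rejects a browser GET with exactly the "Invalid HTTP method (GET)" binding exception quoted above. The snippet below is an added example, not from the original post or from the Shibboleth project's own documentation: it shows the <Sessions> section of an SP 2.x shibboleth2.xml with the logout initiator written out in its expanded form (to my knowledge this chain is what the <Logout>SAML2 Local</Logout> shorthand stands for in SP 2.x; verify against your installed version), next to the binding endpoints that enforce the HTTP method. The hostname mySP, the handler prefix /Shibboleth.sso, the ADFS entityID and the return page are assumptions carried over from the post or made up for illustration.

```xml
<!-- Added example (not the poster's configuration). Assumed to match the
     SP 2.x default layout; handlerURL and cookie settings are illustrative. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">

    <!-- Session initiator: the protocols to try against the ADFS IdP. -->
    <SSO entityID="http://myIdP/adfs/services/trust">
        SAML2 SAML1
    </SSO>

    <!-- Browser-initiated logout. Applications link here with a plain GET:
         https://mySP/Shibboleth.sso/Logout?return=https://mySP/loggedout.html
         This is the expanded form of <Logout>SAML2 Local</Logout>. -->
    <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
        <!-- Sends a SAML2 LogoutRequest to the IdP when the session came from
             a SAML2 IdP whose metadata advertises a SingleLogoutService. -->
        <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
        <!-- Otherwise (or afterwards) clears only the SP's local session. -->
        <LogoutInitiator type="Local"/>
    </LogoutInitiator>

    <!-- Protocol endpoints. These receive SAML messages from the IdP and
         enforce the binding's HTTP method: a GET to /SAML2/POST is refused
         with "Invalid HTTP method (GET)", which is the error seen in the post. -->
    <md:AssertionConsumerService Location="/SAML2/POST" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleLogoutService Location="/SLO/POST"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleLogoutService Location="/SLO/Redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
</Sessions>
```

With this layout the application's logout control becomes <a href="https://mySP/Shibboleth.sso/Logout?return=https://mySP/loggedout.html">Logout</a>: the initiator at /Logout accepts GET, runs the SAML2 step against the IdP if the IdP metadata lists an SLO endpoint, and in any case removes the SP session before redirecting to the return page. Whether the IdP session is also ended is a property of the IdP, which is why a local-only logout followed by a fresh request to /secure can still come back with a new SP session and no credential prompt.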