Discussion:
Shibboleth Integration with google app services
Suresh Kumaravel
2010-06-24 10:20:41 UTC
Permalink
Hi,

I am Suresh, working as a .NET developer. I need to integrate Google Apps
services with Shibboleth for one of my clients. I don't know about Shibboleth.
The client has set up everything on the Shibboleth server and gave the following
information.

--- Apache ---

- proxy_ajp.conf : Apache configured to pass requests for the IdP into Tomcat
by adding the following line:

ProxyPass /idp/ ajp://localhost:8009/idp/

- /etc/apache2/sites-enabled/default-ssl : Same directive as above, one of
them can be turned off

<IfModule mod_proxy_ajp.c>
  ProxyRequests Off
  <Proxy ajp://localhost:8009>
    Allow from all
  </Proxy>
  ProxyPass /idp ajp://localhost:8009/idp retry=5
</IfModule>

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key ; self-signed
certificates, server requires passphrase (Pa33w0rd) at each restart

- /etc/apache2/httpd.conf - front-end IdP with basic authentication (user:
test, password: test), this can go to the default-ssl file probably :

<Location /idp/Authn/RemoteUser>
  AuthType Basic
  AuthName "My Identity Provider"
  AuthUserFile /usr/local/idp/credentials/user.db
  require valid-user
</Location>

--- Tomcat ---

- /etc/tomcat/server.xml, added :

request.tomcatAuthentication="false" and address="127.0.0.1" to
Tomcat's /etc/tomcat/conf/server.xml port 8009 AJP13 connector so Apache can
relay usernames to the IdP.

- /etc/default/tomcat6 :

JAVA_HOME=/usr/lib/jvm/java-6-openjdk ; path to Java modified,
JAVA_OPTS="-Djava.awt.headless=true -Xmx1024M -XX:MaxPermSize=512M" ; memory settings,
TOMCAT6_SECURITY=no ; Tomcat could not start with it turned on

--- IdP ---

Added Google metadata into /usr/local/idp/metadata/google-metadata.xml :

<EntityDescriptor entityID="google.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/edukirklees.net/acs" />
  </SPSSODescriptor>
</EntityDescriptor>

Added MetadataProvider into /usr/local/idp/conf/relying-party.xml :

<RelyingParty id="google.com"
    provider="YOUR-ENTITY-ID"
    defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

<!-- Google Metadata -->
<MetadataProvider xsi:type="FilesystemMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="IDP_HOME/metadata/google-metadata.xml"
    maintainExpiredMetadata="true" />

Attribute Resolver configured in /usr/local/idp/conf/attribute-resolver.xml :

<resolver:AttributeDefinition xsi:type="PrincipalName"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad">
  <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>

Attribute Filter configured in /usr/local/idp/conf/attribute-resolver.xml :

<AttributeFilterPolicy>
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="google.com" />
  <AttributeRule attributeID="principal">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>


So I set up everything in the Google domain as per the instructions in your
article and configured some XML files on the Shibboleth server. My domain is
"learnderby.com". When I go to the mail app, i.e.
http://mail.google.com/a/learnderby.com, it opens a popup and asks me
to enter a username and password, but I don't know what I should enter in these
fields. How does the Shibboleth server know about my username and password? Does
the Shibboleth server already have my username and password? Can you please help
me with how to proceed on this?
Looking forward to your response about this exciting one.

Thanks,
Suresh.
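The Tomcat setting in the configuration above is the security-relevant part of the whole arrangement: with tomcatAuthentication="false" the AJP connector believes whatever REMOTE_USER the front end hands it, so the Basic authentication in Apache only protects the IdP if nothing but that Apache can reach port 8009. The address="127.0.0.1" binding is what enforces that. The following is an added example written for this thread, not Shibboleth or Tomcat code: a small audit over server.xml that flags an AJP connector which trusts relayed usernames without being bound to loopback. Both server.xml fragments in it are constructed for the example.

```python
"""Audit Tomcat AJP connectors for the trust relationship the configuration
above depends on.

With tomcatAuthentication="false" the AJP connector accepts the REMOTE_USER
that the front-end Apache relays after its Basic authentication, so any client
able to open an AJP connection to that port can name an arbitrary principal.
The connector must therefore be reachable only by the trusted proxy, which is
what address="127.0.0.1" in the thread achieves.

Added example for this thread, not a Shibboleth or Tomcat tool. The server.xml
fragments are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Addresses that keep the connector local to the machine running Apache.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding (dict) per AJP connector found in server.xml.

    Tomcat defaults: tomcatAuthentication is true, and a connector without an
    address attribute listens on every interface."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        # Tomcat reads the attribute as a boolean string; only "false" disables it.
        trusts_relayed_user = conn.get("tomcatAuthentication", "true").lower() == "false"
        local_only = address in LOOPBACK
        if trusts_relayed_user and not local_only:
            verdict = "FAIL"
            reason = ('tomcatAuthentication="false" accepts REMOTE_USER from any '
                      "AJP client, but the connector is not bound to loopback")
        elif trusts_relayed_user:
            verdict = "OK"
            reason = "relayed REMOTE_USER is only reachable over loopback"
        elif not local_only:
            verdict = "WARN"
            reason = ("AJP is reachable from other hosts; the container authenticates "
                      "users itself, but the port should still be firewalled or bound locally")
        else:
            verdict = "OK"
            reason = "AJP bound to loopback"
        findings.append({"port": conn.get("port"), "address": address,
                         "verdict": verdict, "reason": reason})
    return findings


# Constructed sample: the AJP connector as the thread describes it.
SERVER_XML_THREAD = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" tomcatAuthentication="false" />
  </Service>
</Server>"""

# Constructed sample: same trust setting, but listening on every interface.
SERVER_XML_EXPOSED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml in (("thread", SERVER_XML_THREAD), ("exposed", SERVER_XML_EXPOSED)):
        for f in audit_ajp_connectors(xml):
            print("%-8s port %s (%s): %s - %s"
                  % (label, f["port"], f["address"], f["verdict"], f["reason"]))
```

Run against a real server.xml the same check applies unchanged; a firewall rule on the AJP port is an acceptable substitute for the address binding, which is why the non-loopback case without tomcatAuthentication="false" is reported as a warning rather than a failure.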
Peter Schober
2010-06-24 10:38:54 UTC
Permalink
* Suresh Kumaravel <ksureshhpk-***@public.gmane.org> [2010-06-24 12:21]:
> --- Apache ---
> --- Tomcat ---
> --- IdP ---
> <!-- Google Metadata -->
> When I go to the mail apps ie
> http://mail.google.com/a/learnderby.com then it will open one popup
> and ask me to enter username and password, But I dont know what
> should enter on these fields. How the shibboleth server know about
> my username and password ? Are shibboleth server already have my
> username and password ? Can you please help me on how to proceed on
> this ?

Try https://spaces.internet2.edu/display/SHIB2/UnderstandingShibboleth
-peter
ksureshhpk
2010-06-29 07:03:48 UTC
Permalink
Hi Peter,

I configured the Shibboleth server with Google Apps services. But on the
Shibboleth server we have user.db in the following location.

<Location /idp/Authn/RemoteUser>
  AuthType Basic
  AuthName "My Identity Provider"
  AuthUserFile /usr/local/idp/credentials/user.db
  require valid-user
</Location>

Also, I am creating the user account in Google when a user registers from my
application. So I need to add this user account to the Shibboleth db
("user.db"). Can you give me any idea how to work on this?

Looking forward to your response.

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Integration-with-google-app-services-tp5217081p5233918.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
Peter Schober
2010-06-29 10:00:09 UTC
Permalink
* ksureshhpk <ksureshhpk-***@public.gmane.org> [2010-06-29 09:04]:
> Also I am creating the user account in google when user register from my
> application . So I need to add this user account in shibboleth db
> ("user.db") .

"user.db" is not the (or a) "shibboleth db", it's a password file for
the Apache httpd webserver (which can be used with Shibboleth, but
other than that has nothing to do with it).

If you're using SAML to authenticate users at your IdP (in this case
through the webserver by means of the RemoteUser handler) how would
you do that without setting up credentials in that "user.db" (or any
other auth provider)?
-peter
Peter Schober
2010-06-29 10:04:57 UTC
Permalink
* ksureshhpk <ksureshhpk-***@public.gmane.org> [2010-06-29 09:04]:
> So I need to add this user account in shibboleth db
> ("user.db") . Can you give any idea to work on this ?

If you really were asking how to populate a password database for
Apache httpd, here's the official documentation:
http://httpd.apache.org/docs/2.2/en/howto/auth.html
-peter
Peter Schober
2010-06-30 09:15:22 UTC
Permalink
Please keep replies to the list.

* suresh kumar <ksureshhpk-***@public.gmane.org> [2010-06-30 06:41]:
> Is there any way to add the user to the apache password
> through our .net application ?

While this obviously has nothing to do with Shibboleth, Apache httpd's
password file is a plain text file (as you know, if you read the
documentation I pointed you to). So if you can write to a simple text
file from .NET you can write an Apache httpd password database.
There is nothing more to it.
Now whether that (i.e., using .htpasswd files as an authentication
database for an organization) is a good idea is for you to decide.
-peter
Suresh Kumaravel
2010-06-30 15:20:19 UTC
Permalink
Hello,

I found this URL when I searched for Shibboleth integration with Google
Apps services.

http://code.google.com/apis/apps/articles/shibboleth2.0.html

Very nice one. But I am not able to get the information from the lines below:

"If all went well, you should now have Shibboleth 2.0 successfully
authenticating users to Google Apps. With the possible exception of a more
robust attribute resolver configuration (retrieving the Google ID from LDAP or
a database), this configuration should be well-suited for large-scale
production deployments."

Once everything is configured, does this work well?

How does the Shibboleth IdP know about the users in the Google domain to
authenticate them? Or else how will I retrieve the Google ID from LDAP or a
database? How will I set this in the attribute resolver configuration?


Thanks in advance.
Chad La Joie
2010-06-30 15:25:18 UTC
Permalink
Documentation for configuring the IdP itself is found on the Shibboleth
website.

On 6/30/10 11:20 AM, Suresh Kumaravel wrote:
> Hello,
>
> I found this url when I search about shibboleth integration with google
> apps services.
>
> http://code.google.com/apis/apps/articles/shibboleth2.0.html
>
> Very nice one. But I can't able to get the information from the below lines
>
> "If all went well, you should now have Shibboleth 2.0 successfully
> authenticating users to Google Apps. With the possible exception of a more
> robust attribute resolver configuration (retrieving the Google ID from LDAP or
> a database), this configuration should be well-suited for large-scale
> production deployments."
>
> Once configured everything is this work well ?
>
> How the shibboleth idp knows about the users in google domain to authenticate
> ? or else how will i retrieve the google id from LDAP OR DATABASE ? how will i
> set this in attribute resolver configuration ?
>
>
> Thanks in advance.
>

--
Chad La Joie
http://itumi.biz
trusted identities, delivered
s***@public.gmane.org
2010-07-01 05:16:18 UTC
Permalink
HI,

I am using our application to log in to different applications through
different IdPs using the UK federation metadata for the institutes who have
registered in the UK federation.

Till now, for one institute this worked fine. Once that institute was upgraded
to Shib 2 from Shib 1, they got the error message below:
----------------------------------------------------------------------------------------------------------------
"ERROR

An error occurred while processing your request. Please contact your helpdesk
or user ID office for assistance.

This service requires cookies. Please ensure that they are enabled and try
your going back to your desired resource and trying to login again.

Use of your browser's back button may cause specific errors that can be
resolved by going back to your desired resource and trying to login again.
Error Message: Message did not meet security requirements"

----------------------------------------------------------------------------------------------------------------

I just checked that this metadata file is in the UK federation URL and checked
the log files in our service provider.

This error occurs for the "University of Gloucestershire" with IdP URL
"https://idp1.glos.ac.uk/entity".

Can anyone tell me the solution for this please?


Thanks
Sai
Shen Hongzhou
2010-07-01 05:31:14 UTC
Permalink
Hi Sai,
Check your machine's system time; you should keep all of your machines
time-synchronized.

Shen

2010/7/1 <sai_code-***@public.gmane.org>

> HI,
>
> I am using our application to login to different application throught
> different idp's using ukfederation metadata for the institutes who hav
> registerd in uk federation .
>
> Till now for one institute this works file..once that institute was
> upgraded
> to shib 2 from shib 1
> and they got error message as below
>
> ------------------------------------------------------------------------------
> ----------------------------------
> "ERROR
>
> An error occurred while processing your request. Please contact your
> helpdesk
> or user ID office for assistance.
>
> This service requires cookies. Please ensure that they are enabled and try
> your going back to your desired resource and trying to login again.
>
> Use of your browser's back button may cause specific errors that can be
> resolved by going back to your desired resource and trying to login again.
> Error Message: Message did not meet security requirements"
>
>
> ------------------------------------------------------------------------------
> ----------------------------------
>
> I just checked that this metadata is file in ukfederation url and check log
> files in our service provider.
>
> This error occur for the "University of Gloucestershire" with idp url
> "https://idp1.glos.ac.uk/entity"
>
> Can any one tell me the solution for this please?
>
>
> Thanks
> Sai
>
s***@public.gmane.org
2010-07-01 06:23:44 UTC
Permalink
You mean to check the system time of the machine where the application is
installed (the server machine)?

Can you give more detail about this please?

Thanks
Sai
Shen Hongzhou
2010-07-01 06:38:12 UTC
Permalink
Yes, you should make sure that all the machines that run the IdP, SP and DS have
the same system time.
I have met the same problem as you, and I resolved it by synchronizing all
the machines' system time.
Just try it.

2010/7/1 <sai_code-***@public.gmane.org>

> u mean to check application installed system time (server machine)
>
> Can u detailed about this pelase?
>
> Thanks
> Sai
>
Peter Schober
2010-07-01 06:31:41 UTC
Permalink
Sai,

Don't just reply to any email from the list unless you intend to
contribute to that specific thread. Instead, compose a new email to
the list address.
This messes up less capable mail user agents and mail archiving
software.

* sai_code-***@public.gmane.org <sai_code-***@public.gmane.org> [2010-07-01 08:22]:
> and they got error message as below

The error message listed in the subject of your mail is the second
from the top at
https://spaces.internet2.edu/display/SHIB2/NativeSPTroubleshootingCommonErrors

(This page is listed from
https://spaces.internet2.edu/display/SHIB2/Troubleshooting
which in turn is listed in the start page of the shib wiki, which is
the official documentation.)

Note that there is also UK Federation specific support available at
http://www.ukfederation.org.uk/content/Documents/FedSupport
-peter
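The "Message did not meet security requirements" text is generic, and Shen's suggestion points at one of its causes: every SAML receiver compares the message's IssueInstant and the assertion's NotBefore/NotOnOrAfter window against its own clock, with a limited tolerance for skew, so a machine whose clock is a few minutes off rejects messages that are perfectly valid. The following added example (written for this thread, not Shibboleth or OpenSAML code) implements those two checks and runs them against a constructed assertion once with a correct clock and once with a clock ten minutes slow; the 180-second skew allowance, the five-minute message lifetime and all timestamps are constructed values.

```python
"""Time checks a SAML receiver applies, with an allowance for clock skew.

The receiver compares the message's IssueInstant and the assertion's
NotBefore/NotOnOrAfter window against its own clock, so an IdP or SP whose
clock is several minutes off rejects valid messages as too old, not yet valid,
or issued in the future.

Added example for this thread, not Shibboleth or OpenSAML code. The assertion
fragment, the timestamps and the 180-second skew allowance are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SKEW = timedelta(seconds=180)            # tolerated clock difference (constructed value)
MESSAGE_LIFETIME = timedelta(minutes=5)  # how long a message stays acceptable (constructed)


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'; fractional seconds are optional."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamp must be UTC with a 'Z' suffix: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_issue_instant(issue_instant, now, skew=SKEW, lifetime=MESSAGE_LIFETIME):
    """Accept a message issued within [now - lifetime - skew, now + skew]."""
    issued = parse_saml_time(issue_instant)
    if issued > now + skew:
        return False, "IssueInstant is %.0fs in the receiver's future" % (issued - now).total_seconds()
    if issued < now - lifetime - skew:
        return False, "message is %.0fs old" % (now - issued).total_seconds()
    return True, "IssueInstant within the accepted window"


def check_conditions(assertion_xml, now, skew=SKEW):
    """Evaluate the assertion's NotBefore / NotOnOrAfter with skew, as a receiver would."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("{%s}Conditions" % SAML2_ASSERTION_NS)
    if conditions is None:
        return True, "no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (NotBefore=%s)" % not_before
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter=%s)" % not_on_or_after
    return True, "Conditions satisfied"


# Constructed assertion fragment: valid for five minutes from 05:00 UTC.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2010-07-01T05:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2010-07-01T05:00:00Z" NotOnOrAfter="2010-07-01T05:05:00Z"/>
</saml:Assertion>"""

# Two receiver clocks (constructed): one correct, one ten minutes slow.
CLOCK_OK = datetime(2010, 7, 1, 5, 0, 30, tzinfo=timezone.utc)
CLOCK_SLOW = datetime(2010, 7, 1, 4, 50, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, now in (("synchronized", CLOCK_OK), ("10 min slow", CLOCK_SLOW)):
        print(label, check_issue_instant("2010-07-01T05:00:00Z", now),
              check_conditions(ASSERTION, now))
```

With the slow clock the message appears to come from the future and the assertion appears not yet valid, which is why the fix is NTP on every party rather than a larger skew allowance: widening the window also widens the period in which a captured message can be replayed.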
Servesh Singh
2010-07-06 14:43:31 UTC
Permalink
Hi,

I am getting the following error. The "receiver endpoint" says
https://idp.orange.com:80/idp/profile/SAML2/Redirect/SSO. It has an extra port 80
which I did not set in the metadata of the IdP.

The IdP has only Tomcat running and no proxy. I can see in Firebug that the SP
correctly redirects to https://idp.orange.com/idp/profile/SAML2/Redirect/SSO.
The SSL port is 443 and there is nothing running on port 80 on the IdP machine.

Any help would be highly appreciated.

19:45:55.169 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:200] - Actual message receiver endpoint: https://idp.orange.com:80/idp/profile/SAML2/Redirect/SSO
19:45:55.169 - ERROR [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:204] - SAML message intended destination endpoint 'https://idp.orange.com/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'https://idp.orange.com:80/idp/profile/SAML2/Redirect/SSO'
19:45:55.170 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:316] - Message did not meet security requirements
org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
        at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:206) [opensaml-2.3.1.jar:na]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:71) [opensaml-2.3.1.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:300) [shibboleth-identityprovider-2.1.5.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:166) [shibboleth-identityprovider-2.1.5.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:143) [shibboleth-identityprovider-2.1.5.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:1) [shibboleth-identityprovider-2.1.5.jar:na]
        at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.1.4.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.5.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:na]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:na]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849) [tomcat-coyote.jar:na]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) [tomcat-coyote.jar:na]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454) [tomcat-coyote.jar:na]
        at java.lang.Thread.run(Thread.java:619) [na:1.6.0_20]
Servesh Singh
2010-07-06 14:48:14 UTC
Permalink
The AuthnRequest which idp.orange.com receives is as expected, and it does not
have the extra port 80 in the Destination URL.

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://sp.orange.com/Shibboleth.sso/SAML2/POST"
Destination="https://idp.orange.com/idp/profile/SAML2/Redirect/SSO"
ID="_b6979a9763b2b06febdda1e6a36f80d3" IssueInstant="2010-07-06T14:15:46Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.orange.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/AuthnRequest-Failed-tp5260678p5260705.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
Scott Cantor
2010-07-06 15:13:06 UTC
Permalink
> I am getting following error
> The "receiver endpoint" its says
> https://idp.orange.com:80/idp/profile/SAML2/Redirect/SSO. It has extra 80
> port which i did not set in metadata of IDP.

Then your web server believes it's running on port 80.

-- Scott
Servesh Singh
2010-07-06 15:15:56 UTC
Permalink
Hi Scott,

The web server is not running on port 80; here is what telnet shows:

telnet idp.orange.com 80
Trying 10.77.73.10...
telnet: connect to address 10.77.73.10: Connection refused
telnet: Unable to connect to remote host: Connection refused

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/AuthnRequest-Failed-tp5260678p5260856.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
Scott Cantor
2010-07-06 15:19:32 UTC
Permalink
> web server is not running on port 80, here it shows telnet

I didn't say your web server was running on port 80, I said that it thinks
it is. That's a plain fact, since it's reporting port 80 as the result of
the servlet API.

If I had to guess, I'd say you're proxying Apache to Tomcat or some other
container using http, and the web server out front is on 443 but the Java
part is on 80.

-- Scott
Servesh Singh
2010-07-06 15:29:11 UTC
Permalink
Hi Scott,

Apache is not running on my machine. Only Tomcat is running, with SSL ports
443 and 8443 (for SOAP). There is no non-SSL HTTP connector set in my
server.xml.

I am not using ajp apache proxy.

Thanks
Servesh
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/AuthnRequest-Failed-tp5260678p5260931.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
Scott Cantor
2010-07-06 15:34:54 UTC
Permalink
> Apache is not running in my machine. Only tomcat is running with ssl port
> 443 and 8443 (for SOAP). There is no non SSL HTTP connector set in my
> server.xml.
>
> I am not using ajp apache proxy.

And yet, your web server believes it's on port 80. That part is not up for
debate, and that's all I can tell you.

-- Scott
Servesh Singh
2010-07-06 16:31:20 UTC
Permalink
Thanks Scott!!
BTW, I worked with RSA earlier and implemented WS-FED and SAML2 for the RSA
federation product. I also spent a lot of time in J2EE server development
(GlassFish and Pramati). I keep reading your blogs and articles :)

This is the first time I am using Shibboleth in my current company and the
product looks good!!! I was able to configure the IdP and SP in one day.
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/AuthnRequest-Failed-tp5260678p5261269.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
Chad La Joie
2010-07-06 15:55:16 UTC
Permalink
Can you make your server.xml available? I'll give it a look and see
if anything obvious stands out. If not, you'll need to contact the
Tomcat list; this is not a Shibboleth issue.

On Tue, Jul 6, 2010 at 17:29, Servesh Singh <serveshp-***@public.gmane.org> wrote:
>
> Hi Scott,
>
> Apache is not running in my machine. Only tomcat is running with ssl port
> 443 and 8443 (for SOAP). There is no non SSL HTTP connector set in my
> server.xml.
>
> I am not using ajp apache proxy.
>
> Thanks
> Servesh
> --
> View this message in context: http://shibboleth.1660669.n2.nabble.com/AuthnRequest-Failed-tp5260678p5260931.html
> Sent from the Shibboleth - Users mailing list archive at Nabble.com.
>



--
Chad La Joie
www.itumi.biz
trusted identities, delivered
Servesh Singh
2010-07-06 16:01:59 UTC
Permalink
Sure, please find it. Only 443 and 8443 are open and AJP is not used.

<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8018" shutdown="SHUTDOWN">

<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at
/docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- JMX Support for the Tomcat server. Documentation at
/docs/non-existent.html -->
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
/>
<Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>

<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">

<!--The connectors can use a shared executor, you can define one or more
named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->


<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking &
non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 7777
-->
<!--Connector port="8282" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" /-->
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="7777" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<Connector port="443"
protocol="HTTP/1.1"
scheme="https"
SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="changeit" />

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol"

SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
scheme="https"
SSLEnabled="true"
clientAuth="true"
sslProtocol="TLS"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="changeit" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8004" protocol="AJP/1.3" redirectPort="443" />


<!-- An Engine represents the entry point (within Catalina) that
processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes
them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->

<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">

<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->

<!-- The request dumper valve dumps useful debugging information about
the request and response data received and sent by Tomcat.
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->

<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>

<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">

<!-- SingleSignOn valve, share authentication between web
applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->

<!-- Access log processes all example.
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
prefix="localhost_access_log." suffix=".txt" pattern="common"
resolveHosts="false"/>
-->

</Host>
</Engine>
</Service>
</Server>

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/AuthnRequest-Failed-tp5260678p5261117.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
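Scott's point that the container "believes it's on port 80" can be reproduced from the server.xml above. The Destination check that fails in the log is a SAML 2.0 protection against a message meant for one endpoint being accepted at another: the receiver rebuilds the URL it actually received the request on and compares it with the message's Destination attribute. The receiver-side URL is not read from the IdP's metadata; the servlet container assembles it from the connector's scheme, the Host header and, when the Host header carries no port, a default port. As far as I can tell from Tomcat 6's HTTP connector, that default is 443 only when the connector is marked secure="true"; the connector on port 443 above sets scheme="https" and SSLEnabled="true" but not secure, so a Host header of "idp.orange.com" yields port 80, and because 80 is not the default for https it is written into the URL, giving exactly the https://idp.orange.com:80/... of the log. The following is an added example written for this thread, not OpenSAML or Tomcat code: the container behaviour is a simplified model (that Tomcat 6 reading is an assumption, consistent with the posted log), the comparison is a simplified version of the decoder's, and the AuthnRequest is the one Servesh posted earlier in the thread.

```python
"""Reproduce the Destination check that fails in the log above.

A SAML 2.0 message carries a Destination attribute; the receiver rebuilds the
URL it received the message on and rejects the message if the two differ.
The receiver-side URL comes from the servlet container, which assembles it
from the connector's scheme, the Host header and a default port.

Added example for this thread, not OpenSAML or Tomcat code. The container
model below is a simplified reading of Tomcat 6 (an assumption that the posted
log is consistent with); the comparison is a simplified version of the
decoder's; the AuthnRequest is the one posted in the thread.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}


def container_request_url(scheme, host_header, path, secure):
    """Rebuild the request URL the way the container does (simplified model).

    `scheme` and `secure` are the connector attributes. With no port in the
    Host header the default is 443 only for a secure connector, otherwise 80,
    even when the scheme is https. The port is omitted from the URL only when
    it is the default for the scheme, which is how ":80" lands in an https URL."""
    if ":" in host_header:
        host, port_text = host_header.rsplit(":", 1)
        port = int(port_text)
    else:
        host, port = host_header, (443 if secure else 80)
    netloc = host if port == DEFAULT_PORTS[scheme] else "%s:%d" % (host, port)
    return urlunsplit((scheme, netloc, path, "", ""))


def intended_destination(authn_request_xml):
    """Return the Destination attribute of a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(authn_request_xml.encode("utf-8"))
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest: %s" % root.tag)
    return root.get("Destination", "")


def endpoints_match(destination, receiver):
    """Simplified endpoint comparison: scheme, host, effective port and path
    must agree; the query string is ignored because the Redirect binding
    carries the message itself there."""
    d, r = urlsplit(destination), urlsplit(receiver)

    def effective_port(u):
        return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme.lower())

    return (d.scheme.lower() == r.scheme.lower() and d.hostname == r.hostname
            and effective_port(d) == effective_port(r) and d.path == r.path)


def diagnose(authn_request_xml, host_header, path, secure):
    """Return (intended, received, matched) for one connector configuration."""
    intended = intended_destination(authn_request_xml)
    received = container_request_url("https", host_header, path, secure)
    return intended, received, endpoints_match(intended, received)


# The AuthnRequest posted in this thread (XML declaration omitted).
AUTHN_REQUEST = """<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://sp.orange.com/Shibboleth.sso/SAML2/POST"
Destination="https://idp.orange.com/idp/profile/SAML2/Redirect/SSO"
ID="_b6979a9763b2b06febdda1e6a36f80d3" IssueInstant="2010-07-06T14:15:46Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.orange.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>"""

SSO_PATH = "/idp/profile/SAML2/Redirect/SSO"

if __name__ == "__main__":
    for secure in (False, True):
        intended, received, ok = diagnose(AUTHN_REQUEST, "idp.orange.com", SSO_PATH, secure)
        print('secure="%s": received %s -> %s'
              % (str(secure).lower(), received, "match" if ok else "MISMATCH"))
```

The same reconstruction explains Scott's proxy guess: an Apache front end speaking plain HTTP to Tomcat makes Tomcat see an insecure request on port 80, and the fix there is to tell the container what the client actually used (Tomcat's proxyName/proxyPort and scheme/secure attributes) rather than to relax the IdP's check.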
Chad La Joie
2010-07-06 16:07:07 UTC
Permalink
What happens if you set the attribute 'secure="true"' as the example
connector configuration shows?

On Tue, Jul 6, 2010 at 18:01, Servesh Singh <serveshp-***@public.gmane.org> wrote:
>
> Sure, Please find it. only 443 and 8443 is open and ajp is not used.
>
> <?xml version='1.0' encoding='utf-8'?>
> <!--
>  Licensed to the Apache Software Foundation (ASF) under one or more
>  contributor license agreements.  See the NOTICE file distributed with
>  this work for additional information regarding copyright ownership.
>  The ASF licenses this file to You under the Apache License, Version 2.0
>  (the "License"); you may not use this file except in compliance with
>  the License.  You may obtain a copy of the License at
>
>      http://www.apache.org/licenses/LICENSE-2.0
>
>  Unless required by applicable law or agreed to in writing, software
>  distributed under the License is distributed on an "AS IS" BASIS,
>  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>  See the License for the specific language governing permissions and
>  limitations under the License.
> -->
> <!-- Note:  A "Server" is not itself a "Container", so you may not
>     define subcomponents such as "Valves" at this level.
>     Documentation at /docs/config/server.html
>  -->
> <Server port="8018" shutdown="SHUTDOWN">
>
>  <!--APR library loader. Documentation at /docs/apr.html -->
>  <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
>  <!--Initialize Jasper prior to webapps are loaded. Documentation at
> /docs/jasper-howto.html -->
>  <Listener className="org.apache.catalina.core.JasperListener" />
>  <!-- JMX Support for the Tomcat server. Documentation at
> /docs/non-existent.html -->
>  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
> />
>  <Listener
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>
>  <!-- Global JNDI resources
>       Documentation at /docs/jndi-resources-howto.html
>  -->
>  <GlobalNamingResources>
>    <!-- Editable user database that can also be used by
>         UserDatabaseRealm to authenticate users
>    -->
>    <Resource name="UserDatabase" auth="Container"
>              type="org.apache.catalina.UserDatabase"
>              description="User database that can be updated and saved"
>              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>              pathname="conf/tomcat-users.xml" />
>  </GlobalNamingResources>
>
>  <!-- A "Service" is a collection of one or more "Connectors" that share
>       a single "Container" Note:  A "Service" is not itself a "Container",
>       so you may not define subcomponents such as "Valves" at this level.
>       Documentation at /docs/config/service.html
>   -->
>  <Service name="Catalina">
>
>    <!--The connectors can use a shared executor, you can define one or more
> named thread pools-->
>    <!--
>    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
>        maxThreads="150" minSpareThreads="4"/>
>    -->
>
>
>    <!-- A "Connector" represents an endpoint by which requests are received
>         and responses are returned. Documentation at :
>         Java HTTP Connector: /docs/config/http.html (blocking &
> non-blocking)
>         Java AJP  Connector: /docs/config/ajp.html
>         APR (HTTP/AJP) Connector: /docs/apr.html
>         Define a non-SSL HTTP/1.1 Connector on port 7777
>    -->
>    <!--Connector port="8282" protocol="HTTP/1.1"
>               connectionTimeout="20000"
>               redirectPort="443" /-->
>    <!-- A "Connector" using the shared thread pool-->
>    <!--
>    <Connector executor="tomcatThreadPool"
>               port="7777" protocol="HTTP/1.1"
>               connectionTimeout="20000"
>               redirectPort="8443" />
>    -->
>    <!-- Define a SSL HTTP/1.1 Connector on port 8443
>         This connector uses the JSSE configuration, when using APR, the
>         connector should be using the OpenSSL style configuration
>         described in the APR documentation -->
>    <!--
>    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>               maxThreads="150" scheme="https" secure="true"
>               clientAuth="false" sslProtocol="TLS" />
>    -->
> <Connector port="443"
>           protocol="HTTP/1.1"
>           scheme="https"
>           SSLEnabled="true"
>           clientAuth="false"
>           sslProtocol="TLS"
>           keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
>           keystorePass="changeit" />
>
> <Connector port="8443"
>           protocol="org.apache.coyote.http11.Http11Protocol"
>
> SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
>           scheme="https"
>           SSLEnabled="true"
>           clientAuth="true"
>           sslProtocol="TLS"
>           keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
>           keystorePass="changeit" />
>
>    <!-- Define an AJP 1.3 Connector on port 8009 -->
>    <Connector port="8004" protocol="AJP/1.3" redirectPort="443" />
>
>
>    <!-- An Engine represents the entry point (within Catalina) that
> processes
>         every request.  The Engine implementation for Tomcat stand alone
>         analyzes the HTTP headers included with the request, and passes
> them
>         on to the appropriate Host (virtual host).
>         Documentation at /docs/config/engine.html -->
>
>    <!-- You should set jvmRoute to support load-balancing via AJP ie :
>    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
>    -->
>    <Engine name="Catalina" defaultHost="localhost">
>
>      <!--For clustering, please take a look at documentation at:
>          /docs/cluster-howto.html  (simple how to)
>          /docs/config/cluster.html (reference documentation) -->
>      <!--
>      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
>      -->
>
>      <!-- The request dumper valve dumps useful debugging information about
>           the request and response data received and sent by Tomcat.
>           Documentation at: /docs/config/valve.html -->
>      <!--
>      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
>      -->
>
>      <!-- This Realm uses the UserDatabase configured in the global JNDI
>           resources under the key "UserDatabase".  Any edits
>           that are performed against this UserDatabase are immediately
>           available for use by the Realm.  -->
>      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>             resourceName="UserDatabase"/>
>
>      <!-- Define the default virtual host
>           Note: XML Schema validation will not work with Xerces 2.2.
>       -->
>      <Host name="localhost"  appBase="webapps"
>            unpackWARs="true" autoDeploy="true"
>            xmlValidation="false" xmlNamespaceAware="false">
>
>        <!-- SingleSignOn valve, share authentication between web
> applications
>             Documentation at: /docs/config/valve.html -->
>        <!--
>        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>        -->
>
>        <!-- Access log processes all example.
>             Documentation at: /docs/config/valve.html -->
>        <!--
>        <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>               prefix="localhost_access_log." suffix=".txt" pattern="common"
> resolveHosts="false"/>
>        -->
>
>      </Host>
>    </Engine>
>  </Service>
> </Server>
>
> --
> View this message in context: http://shibboleth.1660669.n2.nabble.com/AuthnRequest-Failed-tp5260678p5261117.html
> Sent from the Shibboleth - Users mailing list archive at Nabble.com.
>



--
Chad La Joie
www.itumi.biz
trusted identities, delivered
Servesh Singh
2010-07-06 16:14:56 UTC
Permalink
yes, that was the trick, it works now :)

Thank you very much!!
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/AuthnRequest-Failed-tp5260678p5261178.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
t***@public.gmane.org
2010-07-08 13:33:05 UTC
Permalink
Hi,

I am trying to add the SessionIndex of an Assertion to the SP Variables.
I added the following line to attribute-map.xml but without success:

<Attribute name="SessionIndex" id="SessionIndex" />

I searched the internet for a solution but I could not find anything.
Thank you for your help.

Thomas
Scott Cantor
2010-07-08 16:10:16 UTC
Permalink
> I am trying to add the SessionIndex of an Assertion to the SP Variables.
> I added the following line to attribute-map.xml but without success:

There's currently no way to expose that, and it's certainly not an attribute
in that sense, no.

-- Scott
Sebastian Thier
2010-10-18 07:37:46 UTC
Permalink
Hello,

I was wondering how exactly the encryption process of SAML messages works,
because I have some issues regarding this topic. As far as I see it, the
encryption of SAML messages between SP and IdP goes like this:

1. user tries to access a protected application
2. SP sends the user to IdP
3. user authenticates against the IdP
4. IdP sends encrypted SAML message back to SP (encryption is done with the
public RSA key matching the SP private key, published in metadata)
5. SP decrypts SAML message with the private key

Is this the right approach?

Thanks in advance
Nate Klingenstein
2010-10-18 08:09:46 UTC
Permalink
Sebastian,

That's the right general idea from 30,000 feet, yes. If you'd like to
go into greater detail, I hear that there's all sorts of fun to be had
at:

http://www.w3.org/TR/xmlenc-core/

It's also possible to encrypt individual NameID or Attribute elements
within a larger, unencrypted/separately encrypted SAML assertion.
That's interesting for some use cases, but not so much for general
purposes.

Have a great day,
Nate.

On Oct 18, 2010, at 7:37 AM, Sebastian Thier wrote:

> Hello,
>
> I was wondering how exactly the encryption process of SAML messages works,
> because I have some issues regarding this topic. As far as I see it, the
> encryption of SAML messages between SP and IdP goes like this:
>
> 1. user tries to access a protected application
> 2. SP sends the user to IdP
> 3. user authenticates against the IdP
> 4. IdP sends encrypted SAML message back to SP (encryption is done with the
> public RSA key matching the SP private key, published in metadata)
> 5. SP decrypts SAML message with the private key
>
> Is this the right approach?
>
> Thanks in advance
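The five steps above, reduced to their key handling, as an added example that is not part of this thread or of Shibboleth's code. SAML 2.0 encryption follows XML Encryption (the specification Nate links): the IdP generates a random symmetric data key, encrypts the assertion under it, and wraps that key with the SP's RSA public key taken from metadata; only the SP's private key can unwrap it. The Go program below models exactly that with standard-library AES-128-GCM and RSA-OAEP (SHA-256); the XML element structure (EncryptedAssertion, EncryptedKey, EncryptedData) is omitted, the assertion is a constructed string, and the choice of GCM and SHA-256 is this example's, not a statement about what a given IdP emits. It also exercises the two rejections a deployer should expect to see: an unrelated private key cannot unwrap the data key, and a ciphertext modified in transit fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedAssertion stands in for saml:EncryptedAssertion: the RSA-wrapped
// data key (what xenc:EncryptedKey carries) and the symmetric ciphertext
// (what xenc:EncryptedData carries). The XML wrapping itself is left out.
type EncryptedAssertion struct {
	WrappedKey []byte // data key encrypted under the SP's public key (RSA-OAEP)
	Nonce      []byte // AES-GCM IV, sent in the clear with the ciphertext
	Ciphertext []byte // assertion bytes with the GCM authentication tag appended
}

// idpEncrypt is step 4 as seen from the IdP: it needs nothing but the SP's
// public key, which it reads from the SP's published metadata. A fresh random
// AES-128 key protects the assertion; RSA-OAEP protects that key.
func idpEncrypt(spPub *rsa.PublicKey, assertion []byte) (*EncryptedAssertion, error) {
	dataKey := make([]byte, 16)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, assertion, nil),
	}, nil
}

// spDecrypt is step 5 as seen from the SP: only the holder of the private key
// can unwrap the data key, and GCM rejects any ciphertext altered in transit.
func spDecrypt(spPriv *rsa.PrivateKey, ea *EncryptedAssertion) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, ea.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
}

// Outcome summarises one run of the exchange.
type Outcome struct {
	Recovered     []byte // what the legitimate SP decrypted
	WrongKeyFails bool   // an unrelated private key could not unwrap the data key
	TamperFails   bool   // a modified ciphertext was rejected by the SP
}

// roundTrip generates the SP key pair (the public half is what metadata would
// publish), runs both sides, and tries the two failure modes that must be rejected.
func roundTrip(assertion []byte) (*Outcome, error) {
	spKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // some other party's key
	if err != nil {
		return nil, err
	}
	ea, err := idpEncrypt(&spKey.PublicKey, assertion)
	if err != nil {
		return nil, err
	}
	out := &Outcome{}
	if out.Recovered, err = spDecrypt(spKey, ea); err != nil {
		return nil, err
	}
	_, err = spDecrypt(otherKey, ea)
	out.WrongKeyFails = err != nil
	tampered := *ea
	tampered.Ciphertext = append([]byte(nil), ea.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // flip one bit of the assertion ciphertext
	_, err = spDecrypt(spKey, &tampered)
	out.TamperFails = err != nil
	return out, nil
}

func main() {
	// Constructed stand-in for a serialized assertion.
	out, err := roundTrip([]byte("<saml:Assertion>constructed sample</saml:Assertion>"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\nwrong key rejected: %v\ntamper rejected: %v\n",
		out.Recovered, out.WrongKeyFails, out.TamperFails)
}
```

The point of splitting the work between a data key and a key-transport key is the one Nate alludes to with encrypted NameID and Attribute elements: the same RSA-wrapped data key can protect any element of the message, while the IdP never needs more than the SP's public key from metadata.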
DeeAnne Higley
2010-10-20 17:59:08 UTC
Permalink
Does anyone have experience using Shib4Moss? I tried to follow the English
version of the instructions, but it does not work (a local login is prompted
for even though I logged in successfully at the IdP and I can see the session
information).

I'm getting no helpful logging from Shib4Moss.

This might not be the correct place to post this question (I did post a
question on the Shib4Moss forum, but have received no replies).

Thanks,
DeeAnne
THIA Jean-Marie
2010-10-20 20:07:43 UTC
Permalink
Hi DeeAnne,

There is a log file, by default it is Shiboutput.log and is in the same directory as the module dll.

I think that it will be better to pursue the discussion on the project forum.

Jean Marie

> -----Original Message-----
> From: shibboleth-users-request-H4aWS73dXup+***@public.gmane.org [mailto:shibboleth-users-
> request-H4aWS73dXup+***@public.gmane.org] On Behalf Of DeeAnne Higley
> Sent: mercredi 20 octobre 2010 19:59
> To: shibboleth-users-H4aWS73dXup+***@public.gmane.org
> Subject: [Shib-Users] Shib4Moss
>
> Does anyone have experience using Shib4Moss? I tried to follow the English
> version of the instructions, but it does not work (a local login is prompted for
> even though I logged in successfully at the IdP and I can see the session
> information).
>
> I'm getting no helpful logging from Shib4Moss.
>
> This might not be the correct place to post this question (I did post a question
> on the Shib4Moss forum, but have received no replies).
>
> Thanks,
> DeeAnne
Jason Martin
2010-10-20 20:48:43 UTC
Permalink
Hello All,

I found an old post on this problem, and it's similar to mine, but there
was no specifically applicable solution.

I am deploying a shib service on an ubuntu box, I compiled from the
latest source with no errors. I have tweaked the shibboleth2.xml, and I am
running shib with /usr/sbin/shibd -c /etc/shibboleth/shibboleth2.xml
which I have edited.

When I attempt to login, I get a general error message:


shibsp::ListenerException

The system encountered an error at Wed Oct 20 14:28:20 2010

To report this problem, please contact the site administrator at
***@localhost <mailto:***@localhost>.

Please include the following message in any email:

shibsp::ListenerException at
(http://www.moodle.jolierouge.net/auth/shibboleth/index.php)

Cannot connect to shibd process, a site adminstrator should be notified.

Note, in the shibboleth2.xml, I have specified the admin email that
should be shown here...I think I have configured it very wrong.

This is what native.log says:

2010-10-20 14:14:22 ERROR Shibboleth.Listener [9516] shib_check_user:
socket call resulted in error (111): no message
2010-10-20 14:14:22 WARN Shibboleth.Listener [9516] shib_check_user:
cannot connect socket (53)...retrying
2010-10-20 14:14:24 ERROR Shibboleth.Listener [9516] shib_check_user:
socket call resulted in error (111): no message
2010-10-20 14:14:24 WARN Shibboleth.Listener [9516] shib_check_user:
cannot connect socket (53)...retrying
2010-10-20 14:14:28 ERROR Shibboleth.Listener [9516] shib_check_user:
socket call resulted in error (111): no message
2010-10-20 14:14:28 WARN Shibboleth.Listener [9516] shib_check_user:
cannot connect socket (53)...
2010-10-20 14:14:28 CRIT Shibboleth.Listener [9516] shib_check_user:
socket server unavailable, failing
2010-10-20 14:14:28 ERROR Shibboleth.Apache [9516] shib_check_user:
Cannot connect to shibd process, a site adminstrator should be notified.

shibboleth2.xml:

<UnixListener address="shibd.sock"/>

I am not entirely a linux newbie, but I am by no means an expert and
could definitely use some help/advice, and any pointers would be greatly
appreciated!

Thanks,
/Jason
Scott Cantor
2010-10-20 21:45:13 UTC
Permalink
> I am deploying a shib service on an ubuntu box, I compiled from the latest
> source with no errors. I have tweaked the shibboleth2.xml, and I am
> running shib with /usr/sbin/shibd -c /etc/shibboleth/shibboleth2.xml which I
> have edited.

A source build would *never* have those kinds of file locations, it would be
in /opt or /usr/local, or whatever. Anything living in /usr/sbin or /etc
would be compiled with specific assumptions about where files live and they
would be totally invalid for a source build.

> Note, in the shibboleth2.xml, I have specified the admin email that should
> be shown here...I think I have configured it very wrong.

If you set supportContact, the error template would include it, so given
that, I would speculate that you have a broken build of mixed code that's
compiled with different "path" settings for where to find specific files
when using relative pathnames.

To be clear, you should simply never specify the path to the config file.
That alone suggests things are horked. You're mixing custom and packaged
builds of the software and you can't do that.

-- Scott
Peter Schober
2010-10-20 23:09:46 UTC
Permalink
Please don't reply to an existing thread unless you want to contribute
to that specific thread. Instead, compose a new email to the list.

* Jason Martin <jason-***@public.gmane.org> [2010-10-20 22:49]:
> I am deploying a shib service on an ubuntu box, I compiled from the
> latest source with no errors.

Why build from source at all? IIRC, with 9.04 you can use the Debian
Lenny backports as is, and beginning with 10.04 Ubuntu proper has all
you need (apt-get install libapache2-mod-shib2).
-peter
p***@public.gmane.org
2010-10-27 10:01:54 UTC
Permalink
Hi,

I have a problem when I want to install the Shibboleth SP on my SLE_11.
Via YaST I've installed liblog4shib1, libsaml6, libxml-security-c15,
libxmltooling4 and shibboleth via the repository
http://download.opensuse.org/repositories/security:/shibboleth/SLE_11/
and the necessary libxerces-c28 via the repository
http://download.opensuse.org/repositories/FATE:/dbxml-2.4/SLE_11/

Then when I restart the apache2 server (service apache2 restart) I get the
following error:
httpd2-prefork: Syntax error on line 180 of /etc/apache2/httpd.conf: Syntax
error on line 99 of /etc/apache2/default-server.conf: Syntax error on line 13
of /etc/apache2/conf.d/shib.conf: Cannot load
/usr/lib/shibboleth/mod_shib_22.so into server: /usr/lib/libshibsp-lite.so.4:
undefined symbol:
_ZN11xercesc_2_817RegularExpression7matchesEPKcPNS_13MemoryManagerE

Can somebody help me to solve this problem? Or give me some hints?

Greetings,
Peter
Bernd Oberknapp
2010-10-27 10:35:21 UTC
Permalink
On Wed, 27 Oct 2010, pbosmans-***@public.gmane.org wrote:

> I have a problem when I want to install the Shibboleth SP on my SLE_11.
> Via YaST I've installed liblog4shib1, libsaml6, libxml-security-c15,
> libxmltooling4 and shibboleth via the repository
> http://download.opensuse.org/repositories/security:/shibboleth/SLE_11/
> and the necessary libxerces-c28 via the repository
> http://download.opensuse.org/repositories/FATE:/dbxml-2.4/SLE_11/
>
> Then when I restart the apache2 server (service apache2 restart) I get the
> following error:
> httpd2-prefork: Syntax error on line 180 of /etc/apache2/httpd.conf: Syntax
> error on line 99 of /etc/apache2/default-server.conf: Syntax error on line 13
> of /etc/apache2/conf.d/shib.conf: Cannot load
> /usr/lib/shibboleth/mod_shib_22.so into server: /usr/lib/libshibsp-lite.so.4:
> undefined symbol:
> _ZN11xercesc_2_817RegularExpression7matchesEPKcPNS_13MemoryManagerE
>
> Can somebody help me to solve this problem ? Or give me some hints ?

The packages are built with libxerces-c28 from the SLE11-SDK.
You should add the SDK as an add-on and use that version.

Best regards,
Bernd

-- --------------------------------------------------------------------- --
Dipl.-Math. Bernd Oberknapp Universitaetsbibliothek Freiburg
Tel: +49-761 / 203-3852 Rempartstrasse 10-16 | Postfach 1629
Fax: +49-761 / 203-3987 79098 Freiburg | 79016 Freiburg
Salvatore Salvati
2010-11-04 09:43:45 UTC
Permalink
I have the same problem with openSUSE 11.3; where can I find the libxerces-c28
with that feature for openSUSE?
Thanks in advance.
Salvatore

list:
httpd2-prefork: Syntax error on line 174 of /etc/apache2/httpd.conf: Syntax
error on line 75 of /etc/apache2/default-server.conf: Syntax error on line 13
of /etc/apache2/conf.d/shib.conf: Cannot load
/usr/lib/shibboleth/mod_shib_22.so into server: /usr/lib/libshibsp-lite.so.4:
undefined symbol: _ZN11xercesc_2_816XMLPlatformUtils15fgMemoryManagerE
Bernd Oberknapp
2010-11-04 10:50:32 UTC
Permalink
On Thu, 4 Nov 2010, Salvatore Salvati wrote:

> I have the same problem with openSUSE 11.3; where can I find the libxerces-c28
> with that feature for openSUSE?

Since openSUSE 11.3 comes with libxerces-c-3_0 and there are no
openSUSE 11.3 RPMs available in the build service, I assume you've
tried to install the openSUSE 11.1 or SLES RPMs? That won't work.
You should build the SP for openSUSE 11.3 from SRPMs:
<https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxSRPMBuild>

Best regards,
Bernd

-- --------------------------------------------------------------------- --
Dipl.-Math. Bernd Oberknapp Universitaetsbibliothek Freiburg
Tel: +49-761 / 203-3852 Rempartstrasse 10-16 | Postfach 1629
Fax: +49-761 / 203-3987 79098 Freiburg | 79016 Freiburg
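Both error lines in this thread name the missing symbol in mangled form, and the mangling itself says which library the module was built against: Xerces-C compiles its classes into a versioned namespace (xercesc_2_8 for 2.8, xercesc_3_0 for 3.0), so a symbol starting `_ZN11xercesc_2_8` can only be satisfied by a 2.8 build, which is the mismatch Bernd describes in both replies. The Go program below is an added example (not part of the thread or of the Shibboleth SP) that parses just enough of the Itanium C++ ABI nested-name encoding (`_ZN`, then length-prefixed identifiers, then `E`) to recover that namespace from an httpd "undefined symbol" line; parameter types after the terminating `E` are ignored and substitutions other than the leading `St` (std) are not supported.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// nestedName splits an Itanium C++ ABI nested name (_ZN <len><ident>... E)
// into its components: namespace, class, member. Only this prefix is parsed.
func nestedName(mangled string) ([]string, error) {
	if !strings.HasPrefix(mangled, "_ZN") {
		return nil, fmt.Errorf("%q is not a nested name", mangled)
	}
	rest := mangled[3:]
	var parts []string
	if strings.HasPrefix(rest, "St") { // "St" abbreviates the std namespace
		parts = append(parts, "std")
		rest = rest[2:]
	}
	for len(rest) > 0 && rest[0] != 'E' {
		i := 0
		for i < len(rest) && rest[i] >= '0' && rest[i] <= '9' {
			i++
		}
		if i == 0 {
			return nil, fmt.Errorf("unsupported element at %q", rest)
		}
		n, _ := strconv.Atoi(rest[:i])
		if i+n > len(rest) {
			return nil, fmt.Errorf("truncated identifier in %q", mangled)
		}
		parts = append(parts, rest[i:i+n])
		rest = rest[i+n:]
	}
	if len(rest) == 0 {
		return nil, fmt.Errorf("missing terminator in %q", mangled)
	}
	return parts, nil
}

// xercesVersion maps the versioned Xerces-C namespace a symbol lives in
// (xercesc_2_8, xercesc_3_0, ...) onto the library version it was built against.
func xercesVersion(mangled string) (string, error) {
	parts, err := nestedName(mangled)
	if err != nil {
		return "", err
	}
	ns := parts[0]
	if !strings.HasPrefix(ns, "xercesc_") {
		return "", fmt.Errorf("namespace %s is not Xerces-C", ns)
	}
	return strings.ReplaceAll(strings.TrimPrefix(ns, "xercesc_"), "_", "."), nil
}

// requiredXerces pulls the symbol out of an httpd "undefined symbol:" error
// line and returns the Xerces-C version the failing module expects.
func requiredXerces(errLine string) (symbol, version string, err error) {
	const marker = "undefined symbol:"
	i := strings.Index(errLine, marker)
	if i < 0 {
		return "", "", fmt.Errorf("no undefined symbol in %q", errLine)
	}
	fields := strings.Fields(errLine[i+len(marker):])
	if len(fields) == 0 {
		return "", "", fmt.Errorf("empty symbol in %q", errLine)
	}
	symbol = fields[0]
	version, err = xercesVersion(symbol)
	return symbol, version, err
}

func main() {
	// The two error lines quoted in this thread, with the line wrapping removed.
	for _, line := range []string{
		"Cannot load /usr/lib/shibboleth/mod_shib_22.so into server: /usr/lib/libshibsp-lite.so.4: undefined symbol: _ZN11xercesc_2_817RegularExpression7matchesEPKcPNS_13MemoryManagerE",
		"Cannot load /usr/lib/shibboleth/mod_shib_22.so into server: /usr/lib/libshibsp-lite.so.4: undefined symbol: _ZN11xercesc_2_816XMLPlatformUtils15fgMemoryManagerE",
	} {
		sym, ver, err := requiredXerces(line)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		parts, _ := nestedName(sym)
		fmt.Printf("%s\n  -> %s, built against Xerces-C %s\n", sym, strings.Join(parts, "::"), ver)
	}
}
```

The same check generalises to any "undefined symbol" failure in a C++ module: if the first nested-name component is a versioned namespace, the installed library must provide that exact ABI, and no amount of reinstalling the module changes which version it asks for.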
Salvatore Salvati
2010-11-04 17:36:46 UTC
Permalink
Now it works!

Thanks

Salvatore
John Westwood
2010-11-08 14:36:39 UTC
Permalink
Hello

I am attempting to compile Shibboleth SP from source on Mandriva 2010.1 64bit.
Only I have hit a problem. I have successfully compiled and installed the
dependencies, but the make stage fails with reference to Apache.

Here are my configure parameters:

./configure --with-log4shib=/opt/shibboleth-sp --enable-apache-22
--with-apxs2=/usr/sbin/apxs --with-apr=/usr/bin/apr-1-config
--with-apu=/usr/bin/apu-1-config --prefix=/opt/shibboleth-sp

I have applied the configure patch to the configure script and I modified line
25,723 from APR_CONFIG to APU_CONFIG since it appears to be incorrect.

The errors I receive on trying to compile Shibboleth SP are:

In file included from mod_shib_22.cpp:65:
mod_apache.cpp: In member function 'virtual void
ShibTargetApache::log(shibsp::SPRequest::SPLogLevel, const std::string&)
const':
mod_apache.cpp:373: error: format not a string literal and no format arguments
In file included from mod_shib_22.cpp:65:
mod_apache.cpp: In member function 'virtual void
ShibTargetApache::setContentType(const char*)':
mod_apache.cpp:524: error: format not a string literal and no format arguments
mod_apache.cpp: In function 'int shib_post_read(request_rec*)':
mod_apache.cpp:1222: warning: unused variable 'rc'
mod_apache.cpp: In function 'void shib_child_init(apr_pool_t*, server_rec*)':
mod_apache.cpp:1318: error: format not a string literal and no format
arguments
make[2]: *** [mod_shib_22_la-mod_shib_22.lo] Error 1
make[2]: Leaving directory `/home/john/shibboleth/shibboleth-2.3.1/apache'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/john/shibboleth/shibboleth-2.3.1'
make: *** [all] Error 2

Perhaps I should try compiling from the SRPMs instead? I thought I'd get some
practice in compiling from source because I will need to do so when I
eventually deploy on a Solaris machine.

Does anybody have any ideas on the problem? Any help is much appreciated,
thanks.

Regards,

John W.
Scott Cantor
2010-11-08 14:57:46 UTC
Permalink
> Does anybody have any ideas on the problem? Any help is much appreciated,
> thanks.

Did you search for the error?

http://bobthegnome.blogspot.com/2009/07/format-not-string-literal-and-no-format.html

I don't have a platform that's producing that error, but I might be able to
spot an equivalent warning to see if I can fix it, so please file a bug.

As an aside, I would really appreciate it if people doing "unusual" builds
(e.g. using an unsupported platform) would use the RC for 2.4 since that's a
much better gauge of where we'll be going forward. It won't change this
error though.

-- Scott
John Westwood
2010-11-08 14:52:32 UTC
Permalink
Hi

The version I am attempting to compile is 2.3.1, sorry I forgot that!

John W.



>>> John Westwood 08/11/10 2:37 PM >>>
Hello

I am attempting to compile Shibboleth SP from source on Mandriva 2010.1 64bit.
Only I have hit a problem. I have successfully compiled and installed the
dependencies, but the make stage fails with reference to Apache.

Here are my configure parameters:

./configure --with-log4shib=/opt/shibboleth-sp --enable-apache-22
--with-apxs2=/usr/sbin/apxs --with-apr=/usr/bin/apr-1-config
--with-apu=/usr/bin/apu-1-config --prefix=/opt/shibboleth-sp

I have applied the configure patch to the configure script and I modified line
25,723 from APR_CONFIG to APU_CONFIG since it appears to be incorrect.

The errors I receive on trying to compile Shibboleth SP are:

In file included from mod_shib_22.cpp:65:
mod_apache.cpp: In member function 'virtual void
ShibTargetApache::log(shibsp::SPRequest::SPLogLevel, const std::string&)
const':
mod_apache.cpp:373: error: format not a string literal and no format arguments
In file included from mod_shib_22.cpp:65:
mod_apache.cpp: In member function 'virtual void
ShibTargetApache::setContentType(const char*)':
mod_apache.cpp:524: error: format not a string literal and no format arguments
mod_apache.cpp: In function 'int shib_post_read(request_rec*)':
mod_apache.cpp:1222: warning: unused variable 'rc'
mod_apache.cpp: In function 'void shib_child_init(apr_pool_t*, server_rec*)':
mod_apache.cpp:1318: error: format not a string literal and no format arguments
make[2]: *** [mod_shib_22_la-mod_shib_22.lo] Error 1
make[2]: Leaving directory `/home/john/shibboleth/shibboleth-2.3.1/apache'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/john/shibboleth/shibboleth-2.3.1'
make: *** [all] Error 2

Perhaps I should try compiling from the SRPMs instead? I thought I'd get some
practice in compiling from source because I will need to do so when I
eventually deploy on a Solaris machine.

Does anybody have any ideas on the problem? Any help is much appreciated,
thanks.

Regards,

John W.
Luiz Augusto
2010-11-11 03:47:53 UTC
Permalink
Hello,

I am facing troubles while retrieving attributes from IdP 2.x. When user logs
in the IdP's login site and it gives back control to SP I am not receiving
attributes "cn", "sn" and others. Seeing log it says: "WARN
Shibboleth.AttributeResolver.Query [1]: can't attempt attribute query, either
no NameID or no metadata to use...".

When a user tries to access SP via an IdP 1.x it works.

I've seen other threads in this forum dealing with similar problem, and I
tried all possible fixes without success.

Could someone help me?

Follow metadata about my IdP:
=========================

<EntityDescriptor entityID="https://idp.capes.gov.br/idp/shibboleth"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">gov.br</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                                   Location="https://idp.capes.gov.br:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
                                   index="1"/>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                   Location="https://idp.capes.gov.br:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
                                   index="2"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                             Location="https://idp.capes.gov.br/idp/profile/Shibboleth/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://idp.capes.gov.br/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                             Location="https://idp.capes.gov.br/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             Location="https://idp.capes.gov.br/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">gov.br</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                          Location="https://idp.capes.gov.br:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                          Location="https://idp.capes.gov.br:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    </AttributeAuthorityDescriptor>
    <Organization>
        <OrganizationName xml:lang="en">CAPES - Coordenação de Aperfeiçoamento de Pessoal de Nível Superior</OrganizationName>
        <OrganizationDisplayName xml:lang="en">CAPES - Coordenação de Aperfeiçoamento de Pessoal de Nível Superior</OrganizationDisplayName>
        <OrganizationURL xml:lang="en">http://www.capes.gov.br/</OrganizationURL>
    </Organization>
</EntityDescriptor>


Attribute resolver at IdP's side:
===========================

<!-- cn -->
<AttributeDefinition id="commonName" type="Simple"
                     xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                     sourceAttributeID="cn">
    <Dependency ref="myLDAP"/>
    <AttributeEncoder type="SAML1String"
                      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                      name="urn:mace:dir:attribute-def:cn"/>
    <AttributeEncoder type="SAML2String"
                      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                      name="urn:oid:2.5.4.3" friendlyName="cn"/>
</AttributeDefinition>

My attribute map for "cn" property:
==============================

    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
    <Attribute name="urn:oid:2.5.4.3" id="cn"/>

I would be grateful for any help.

Luiz
Scott Cantor
2010-11-11 03:54:31 UTC
Permalink
> I am facing troubles while retrieving attributes from IdP 2.x. When user logs
> in the IdP's login site and it gives back control to SP I am not receiving
> attributes "cn", "sn" and others. Seeing log it says: "WARN
> Shibboleth.AttributeResolver.Query [1]: can't attempt attribute query, either
> no NameID or no metadata to use...".

You don't need queries with SAML 2, you just haven't released anything to the SP in your IdP's filter policies. You need to refer to the documentation and your logs.

-- Scott
Luiz Augusto Garcia da Silva
2010-11-11 11:27:22 UTC
Permalink
Chad La Joie
2010-11-11 11:36:02 UTC
Permalink
As Scott said, you need to refer to your logs. If you turn on debugging
the idp-process.log will indicate how many values it pulled in for each
attribute, whether they made it through the filtering process, and
whether they were encoded and sent to the SP.

On 11/11/10 6:27 AM, Luiz Augusto Garcia da Silva wrote:
> Hello Scott,
>
> We already tried to release the attributes via setting rules in the
> attribute-filter.xml, I forgot to mention this in the previous message.
>
> Even with a rule that releases the attribute to anyone, it doesn't work.
>
> Here is the code of attribute-filter.xml:
>
> <AttributeFilterPolicy id="releaseToCapes">
> <PolicyRequirementRule xsi:type="basic:ANY"/>
>
> <AttributeRule attributeID="eduPersonPrincipalName">
> <PermitValueRule xsi:type="basic:ANY" />
> </AttributeRule>
>
> <AttributeRule attributeID="email">
> <PermitValueRule xsi:type="basic:ANY" />
> </AttributeRule>
>
> <AttributeRule attributeID="commonName">
> <PermitValueRule xsi:type="basic:ANY" />
> </AttributeRule>
>
> <AttributeRule attributeID="surName">
> <PermitValueRule xsi:type="basic:ANY" />
> </AttributeRule>
> ....
> </AttributeFilterPolicy>
>
> Luiz
>
>
> On 11/11/2010 1:54 AM, Scott Cantor wrote:
>>> I am facing troubles while retrieving attributes from IdP 2.x. When
>>> user logs
>>> in the IdP's login site and it gives back control to SP I am not
>>> receiving
>>> attributes "cn", "sn" and others. Seeing log it says: "WARN
>>> Shibboleth.AttributeResolver.Query [1]: can't attempt attribute
>>> query, either
>>> no NameID or no metadata to use...".
>> You don't need queries with SAML 2, you just haven't released anything
>> to the SP in your IdP's filter policies. You need to refer to the
>> documentation and your logs.
>>
>> -- Scott
>>
>>
>
> __________________________________________________
> Talk to your friends for free with the new Yahoo! Messenger
> http://br.messenger.yahoo.com/

--
Chad La Joie
http://itumi.biz
trusted identities, delivered
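The pipeline Chad points at (resolved, filtered, encoded) together with the attribute-map step on the SP from Luiz's earlier post, as an added example that is not part of this thread or of Shibboleth's code. The Go model below takes a constructed set of resolved attributes through a filter policy like the one quoted (PermitValueRule ANY for four attributeIDs), through SAML2String encoders, and finally through an SP attribute-map; every attribute that does not reach the SP is reported with the stage that dropped it, which is the information idp-process.log gives at DEBUG. The cn encoder and the two cn map entries are the posted ones; the sn and mail names, the telephoneNumber attribute, the sample values and the deliberately mismatched mail encoder name are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Resolved is an attribute as the attribute-resolver produces it: the id of
// the AttributeDefinition (e.g. commonName) and the values from the data source.
type Resolved struct {
	ID     string
	Values []string
}

// Encoder mirrors a SAML2String AttributeEncoder: which resolver id it encodes
// and the protocol name (plus friendlyName) it puts on the wire.
type Encoder struct {
	AttributeID, Name, FriendlyName string
}

// SAMLAttribute is what ends up in the assertion's AttributeStatement.
type SAMLAttribute struct {
	Name, FriendlyName string
	Values             []string
}

// idpRelease applies the IdP-side gates in order: the attribute must have
// resolved values, an AttributeRule (PermitValueRule ANY) must release it, and
// a SAML 2 encoder must exist for it. permitted holds the attributeIDs from
// attribute-filter.xml; dropped records why a resolved attribute was not sent.
func idpRelease(resolved []Resolved, permitted map[string]bool, encoders []Encoder) (sent []SAMLAttribute, dropped map[string]string) {
	dropped = map[string]string{}
	byID := map[string]Encoder{}
	for _, e := range encoders {
		byID[e.AttributeID] = e
	}
	for _, r := range resolved {
		if len(r.Values) == 0 {
			dropped[r.ID] = "resolved with no values"
			continue
		}
		if !permitted[r.ID] {
			dropped[r.ID] = "no AttributeRule in attribute-filter.xml"
			continue
		}
		enc, ok := byID[r.ID]
		if !ok {
			dropped[r.ID] = "no SAML2 AttributeEncoder in attribute-resolver.xml"
			continue
		}
		sent = append(sent, SAMLAttribute{Name: enc.Name, FriendlyName: enc.FriendlyName, Values: r.Values})
	}
	return sent, dropped
}

// spMap applies attribute-map.xml (Attribute name -> id). Names the SP does not
// know are discarded, the last place an attribute can silently disappear.
func spMap(attrs []SAMLAttribute, attributeMap map[string]string) (vars map[string][]string, unmapped []string) {
	vars = map[string][]string{}
	for _, a := range attrs {
		id, ok := attributeMap[a.Name]
		if !ok {
			unmapped = append(unmapped, a.Name)
			continue
		}
		vars[id] = append(vars[id], a.Values...)
	}
	sort.Strings(unmapped)
	return vars, unmapped
}

// walkThrough runs one constructed user through the configuration quoted in
// this thread plus the assumed entries, and returns what the SP finally sees.
func walkThrough() (vars map[string][]string, dropped map[string]string, unmapped []string) {
	resolved := []Resolved{ // constructed LDAP result
		{ID: "commonName", Values: []string{"Ana Example"}},
		{ID: "surName", Values: []string{"Example"}},
		{ID: "email", Values: []string{"ana@example.org"}},
		{ID: "telephoneNumber", Values: []string{"+00 000 0000"}}, // assumed: no filter rule
		{ID: "eduPersonPrincipalName", Values: nil},                 // assumed: not set for this user
	}
	// attribute-filter.xml as posted: PermitValueRule ANY for these ids.
	permitted := map[string]bool{"eduPersonPrincipalName": true, "email": true, "commonName": true, "surName": true}
	encoders := []Encoder{
		{"commonName", "urn:oid:2.5.4.3", "cn"}, // as posted
		{"surName", "urn:oid:2.5.4.4", "sn"},   // assumed
		{"email", "urn:mace:dir:attribute-def:mail", "mail"}, // assumed mismatch: SAML 1 style name
	}
	attributeMap := map[string]string{ // SP attribute-map.xml
		"urn:oid:2.5.4.3":                   "cn", // as posted
		"urn:mace:dir:attribute-def:cn":     "cn", // as posted
		"urn:oid:2.5.4.4":                   "sn", // assumed
		"urn:oid:0.9.2342.19200300.100.1.3": "mail", // assumed
	}
	sent, dropped := idpRelease(resolved, permitted, encoders)
	vars, unmapped = spMap(sent, attributeMap)
	return vars, dropped, unmapped
}

func main() {
	vars, dropped, unmapped := walkThrough()
	fmt.Println("SP variables:", vars)
	fmt.Println("dropped at IdP:", dropped)
	fmt.Println("unmapped at SP:", unmapped)
}
```

Run as written, cn and sn reach the SP, telephoneNumber stops at the filter, eduPersonPrincipalName never had a value, and mail leaves the IdP under a name the SP's map does not list. Only the first two failures show up in idp-process.log; the last is visible only on the SP side, which is why both logs need reading when "attributes are missing".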
Luiz Augusto Garcia da Silva
2010-11-11 12:14:09 UTC
Permalink
Chad La Joie
2010-11-11 12:34:54 UTC
Permalink
Well, you're getting a valid response back so it should be fairly clear
that the IdP received the message and was able to process it. The
incoming and outgoing bindings (transport methods) are independent of
each other in most cases.

On 11/11/10 7:14 AM, Luiz Augusto Garcia da Silva wrote:
> Hello Chad,
>
> Thank you for the advice. I asked the client to change the log level to
> investigate these issues related to attributes.
>
> Until they give us feedback, I have another doubt: I'm requesting
> the IdP through "AuthnRequest", sending GET to the
> "https://idp/profile/Shibboleth/SSO" profile, but it is responding on the
> "browser-post" profile endpoint (https://mysp/Shibboleth.sso/SAML/POST)
> of my SP. Does this endpoint understand SAML 2? Should it respond on that
> endpoint?
>
> Luiz.
>
>
>
> On 11/11/2010 9:36 AM, Chad La Joie wrote:
>> As Scott said, you need to refer to your logs. If you turn on
>> debugging the idp-process.log will indicate how many values it pulled
>> in for each attribute, whether they made it through the filtering
>> process, and whether they were encoded and sent to the SP.
>>
>> On 11/11/10 6:27 AM, Luiz Augusto Garcia da Silva wrote:
>>> Hello Scott,
>>>
>>> We already tried to release the attributes via setting rules in the
>>> attribute-filter.xml, I forgot to mention this in the previous message.
>>>
>>> Even, with a rule that releases the attribute to anyone, it doesn't
>>> work.
>>>
>>> Follow code of attribute-filter.xml:
>>>
>>> <AttributeFilterPolicy id="releaseToCapes">
>>> <PolicyRequirementRule xsi:type="basic:ANY"/>
>>>
>>> <AttributeRule attributeID="eduPersonPrincipalName">
>>> <PermitValueRule xsi:type="basic:ANY" />
>>> </AttributeRule>
>>>
>>> <AttributeRule attributeID="email">
>>> <PermitValueRule xsi:type="basic:ANY" />
>>> </AttributeRule>
>>>
>>> <AttributeRule attributeID="commonName">
>>> <PermitValueRule xsi:type="basic:ANY" />
>>> </AttributeRule>
>>>
>>> <AttributeRule attributeID="surName">
>>> <PermitValueRule xsi:type="basic:ANY" />
>>> </AttributeRule>
>>> ....
>>> </AttributeFilterPolicy>
>>>
>>> Luiz
>>>
>>>
>>> On 11/11/2010 1:54 AM, Scott Cantor wrote:
>>>>> I am facing troubles while retrieving attributes from IdP 2.x. When
>>>>> user logs
>>>>> in the IdP's login site and it gives back control to SP I am not
>>>>> receiving
>>>>> attributes "cn", "sn" and others. Seeing log it says: "WARN
>>>>> Shibboleth.AttributeResolver.Query [1]: can't attempt attribute
>>>>> query, either
>>>>> no NameID or no metadata to use...".
>>>> You don't need queries with SAML 2, you just haven't released anything
>>>> to the SP in your IdP's filter policies. You need to refer to the
>>>> documentation and your logs.
>>>>
>>>> -- Scott
>>>>
>>>>
>>>
>>
>

--
Chad La Joie
http://itumi.biz
trusted identities, delivered
Luiz Augusto Garcia da Silva
2010-11-11 17:28:23 UTC
Permalink
Scott Cantor
2010-11-11 17:34:40 UTC
Permalink
> In this line, I have switched on debug at my SP, and I noticed that when
> I try to access SP resource, after do login at IdP, it prints the
> following line in log file:
>
> 2010-11-11 15:22:35 WARN Shibboleth.AttributeResolver.Query [1]: can't
> attempt attribute query, either no NameID or no metadata to use.
>
> Could someone help me in this issue?

I assumed this was SAML 2, since you're using 2.x on both ends. The first thing would probably be to fix that and use SAML 2 instead of SAML 1.

But in the meantime, either there's no AA query endpoint in their metadata, or they're sending you nothing in the SSO assertion whatsoever. They need to fix their IdP, and come back to you when they have it working with their own SPs. Otherwise you're wasting your time debugging their system.

-- Scott
s***@public.gmane.org
2010-11-12 13:44:13 UTC
Permalink
Hi Team,

I have a Shibboleth SP installed on a server and the SP is registered in the UK
federation.
Now we are able to give access to our applications to all institutes which are
part of the UK federation.


Now I want to give access to other institutes which are not part of the UK
federation metadata.

In addition to the UK federation metadata, how can we give access to other
institutes using separate metadata?


What are the steps to configure login into the application for the institutes
which are not registered with the UK federation metadata?


Can anyone help me please?


Thanks in advance
Sai
Peter Schober
2010-11-12 13:50:40 UTC
Permalink
* sai_code-***@public.gmane.org <sai_code-***@public.gmane.org> [2010-11-12 14:46]:
> Now i want to give access to other institutes which are not the
> part of uk federation metadata.
>
> In addition to this UK federation metadata how can we give access to
> other institutes using seperate metadata.
>
> what are the steps to configure login into application for the
> institutes which are not registered with uk federation metada...

Not a Shibboleth question, and not one that can be answered
generically, as those other IdPs might have specific rules etc.

Other than that: You exchange metadata with those other entities and
discuss required and optional attributes as used by your application
(unless this is included in your metadata already).
-peter
Tom Scavo
2010-11-12 14:03:39 UTC
Permalink
On Fri, Nov 12, 2010 at 7:50 AM, Peter Schober
<peter.schober-***@public.gmane.org> wrote:
> * sai_code-***@public.gmane.org <sai_code-***@public.gmane.org> [2010-11-12 14:46]:
>>
>>  what are the steps to configure login into application for the
>> institutes which are not registered with uk federation metada...
>
> Not a shibboleth question, and not one that can be answered
> generically, as those other IdPs might have specfic rules etc.

That said, here's a wiki page that describes how to configure metadata
in the SP:

https://spaces.internet2.edu/display/SHIB2/NativeSPMetadataProvider

HTH,
Tom
s***@public.gmane.org
2010-11-15 11:48:50 UTC
Permalink
yes.

I have my SP installed on a server and have the metadata provider configured as below:

<MetadataProvider type="Chaining">
<MetadataProvider type="XML"
uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
<SignatureMetadataFilter
certificate="ukfederation.pem"/>
</MetadataProvider>



Here for different institute logins (i.e. using multiple IdP logins) we
redirect to the
page ~SPPath/ Shibboleth.sso/Login?entityID=~~&traget=[App_Path]


So we are redirecting to the required application site successfully through
the institutes' IdP URLs which are registered in the UK federation.


Here my problem is with institutes' IdPs which are not in the UK federation
metadata:
-----------------------------------------------------------------------------------------------------
So here i tried having another metadata file like
<MetadataProvider type="XML" file="testmetadata.xml" /> in the node
<MetadataProvider type="Chaining">

How can we generate the EntityDescriptor element, for example for "University of
Edinburgh" (we assume that it's not UK federation registered)?
Can this metadata be copied from another metadata file?
Or must this be given by the institute's IdP?
Or do we have to generate the EntityDescriptor element for this institute as
mentioned in https://spaces.internet2.edu/display/SHIB2/MetadataForIdP ?

If the last one is correct, how do we get the KeyDescriptor information for this IdP?

Thanks in advance for your valuable response.

Thanks
Sai
Peter Schober
2010-11-15 11:52:26 UTC
Permalink
* sai_code-***@public.gmane.org <sai_code-***@public.gmane.org> [2010-11-15 12:49]:
> How we can generate EntityDescriptor element for example for
> "University of Edinburh" ( we asume that it's not uk federation
> registerd.)

That's up the IdP. You ask them for their metadata and you provide
your SP's metadata to them.
-peter
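As an added example (not code from this thread or from the Shibboleth project), here is the check a practitioner would run on the metadata a non-federation IdP hands over before putting it into the second, file-based MetadataProvider of the chaining configuration shown above. It parses a single IdP EntityDescriptor, pulls out the entityID, the SingleSignOnService endpoints and the signing KeyDescriptor, and compares the certificate's SHA-256 fingerprint against the value the partner confirmed through a separate channel (phone, signed mail), which is the only thing that makes a file received by e-mail trustworthy. The metadata and the certificate blob are constructed for the example; the entityID and endpoint URLs are placeholders.

```python
# Added example, not code from the thread or from the Shibboleth SP.
# Verifies a partner IdP's SAML 2 metadata before it is added to shibboleth2.xml.
# The metadata below is constructed; the certificate is a placeholder blob,
# not a real X.509 certificate.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Stand-in for the DER bytes of the IdP's signing certificate (constructed).
PLACEHOLDER_DER = b"placeholder DER bytes, not a real certificate"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.ac.uk/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding: the value `openssl x509 -sha256 -fingerprint`
    prints, without the colons."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints and the fingerprints of all signing
    certificates from a single IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    endpoints = [(e.get("Binding"), e.get("Location"))
                 for e in idp.findall("md:SingleSignOnService", NS)]

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(fingerprint(der))

    return {"entityID": root.get("entityID"),
            "sso": endpoints,
            "signing_fingerprints": fingerprints}


def check_partner_metadata(xml_text, expected_entity_id, expected_sha256):
    """List the reasons a received metadata file should not be trusted yet.
    An empty list means it matches what the partner confirmed out of band."""
    info = parse_idp_metadata(xml_text)
    problems = []
    if info["entityID"] != expected_entity_id:
        problems.append(f"entityID is {info['entityID']!r}, expected {expected_entity_id!r}")
    wanted = expected_sha256.replace(":", "").lower()
    if wanted not in info["signing_fingerprints"]:
        problems.append("signing certificate does not match the fingerprint confirmed out of band")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso"]:
        if not (location or "").startswith("https://"):
            problems.append(f"non-TLS endpoint for {binding}: {location}")
    return problems
```

If check_partner_metadata returns an empty list, the file can go next to shibboleth2.xml and be referenced from a second `<MetadataProvider type="XML" file="..."/>` inside the chaining provider shown above; a local file that you verified this way needs no SignatureMetadataFilter, whereas the federation feed does.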
Ram Munjuluri
2010-11-13 13:20:13 UTC
Permalink
Hello,

This must have been dealt with quite a bit, I am probably missing something
very basic.

I set up Apache2.2 + JBoss 5.2 with a very simple Web App on JBoss. The app
has only a JSP page to display the request headers, attributes and the cookies
from the request. I am trying to display all this information once I get
authenticated via Shibboleth IdP. My understanding is that all the SAML
attributes in the assertion will be available via the request headers or
attributes.

I see neither the SAML nor the Shibboleth attributes being passed to the JSP
page. I do see the Cookie passed though.

On the SP, I have attributePrefix="AJP_" on the <ApplicationOverride> for the
web app containing the JSP.

The JSP has a simple scriptlet like

<%
String requestAttribute = (String)
request.getAttribute("Shib-Identity-Provider");
System.out.println("Request Attribute : " + requestAttribute);
String requestHeader = (String)
request.getHeader("Shib-Identity-Provider");
System.out.println("Request Header : " + requestHeader);
%>


to print the request attributes on the JBoss console. When I log in, I get
"null" for the values of the attributes/headers. If I am able to get this
working, I am sure getting the SAML attributes is just a matter of reading the
right attribute names.

I am sure I am missing something in the Apache config and can't seem to figure
out the additional configuration.

thank you very much in advance.
-ram
Peter Schober
2010-11-13 13:57:04 UTC
Permalink
* Ram Munjuluri <rmunjuluri-/***@public.gmane.org> [2010-11-13 14:51]:
> On the SP, I have attributePrefix="AJP_" on the
> <ApplicationOverride> for the web app containing the JSP.

A couple of questions for you:

There is a valid session at the Shib SP (according to the logs)?
Did you try setting the prefix to "AJP-"?
What connector is this? mod_proxy_ajp?
Did you try mod_jk?
Everything starts to work once you set `ShibUseHeaders On`?

Note that "Shib-Identity-Provider" is not a valid HTTP request header
name, so your second check will always fail IMO (these usually are
prefixed with HTTP_, are all uppercase and '-' becomes '_').
-peter
Ram Munjuluri
2010-11-13 14:27:59 UTC
Permalink
thank you very much for the response.

I am using mod_jk, I do see the shib Cookies that tells me the SP session is
active. I have also added the attributePrefix="AJP_" to the
applicationOverride.

I just added the ShibUseHeaders On directive to my Apache config and now it
seems to work with all the attributes prefixed with AJP_.

Although https://spaces.internet2.edu/display/SHIB2/NativeSPJavaInstall says
that using ShibUseHeaders On is less secure, I am not sure exactly what
the issues are with using ShibUseHeaders On.

Are there alternatives?

thank you very much
-ram
Peter Schober
2010-11-13 16:06:29 UTC
Permalink
* Ram Munjuluri <rmunjuluri-/***@public.gmane.org> [2010-11-13 15:28]:
> I am using mod_jk, I do see the shib Cookies that tells me the SP
> session is active. I have also added the attributePrefix="AJP_" to
> the applicationOverride.

Are you sure the session is there for your ApplicationOverride as well
(i.e., you're not checking the <ApplicationDefaults>'s session by
mistake)? If in doubt, test this elsewhere without an ApplicationOverride.

Also you didn't answer this one:

> Did you try setting the prefix to "AJP-"?

With Tomcat 6 it worked fine for me with "AJP_" (and didn't with
"AJP-". YMMV).

> Although,https://spaces.internet2.edu/display/SHIB2/NativeSPJavaInstall
> says that using ShibUseHeaders On is less secure. I was am not sure
> exactly what the issues are with using ShibUserHeaders On.

HTTP request headers are transmitted from an HTTP User Agent to an
HTTP server, so the possibility exists that such headers are used to
spoof data which has /not/ been set by e.g. mod_shib. The servlet
container would be unable to tell any difference.
Though you could also include some longish random string as part of
your attributePrefix (after the AJP prefix), and check for this
specific string in the servlet, making it even more unlikely that
someone can introduce data that does not stem from a SAML assertion or
mod_shib's state.
Without `ShibUseHeaders On` the HTTP server will use/forward data
provided by mod_shib as environment variables, which an HTTP user
agent cannot spoof/induce.

But the properties of HTTP request headers and server environment
variables and all that is not specific to Shibboleth.

> Are there alternatives?

With the Shib SP there are two: ShibUseHeaders Off or On.
Depending on your use case there's also the alternative of not using
the Shibboleth SP, but some other SAML implementation in Java.
-peter
Scott Cantor
2010-11-13 17:52:52 UTC
Permalink
> HTTP request headers are transmitted from an HTTP User Agent to an
> HTTP server, so the possibility exists that such headers are used to
> spoof data which has /not/ been set by e.g. mod_shib. The servlet
> container would be unable to tell any difference.
> Though you could also include some longish random string as part of
> your attributePrefix (after the AJP prefix), and check for this
> specific string in the servlet, making it even more unlikely that
> someone can introduce data that does not stem from a SAML assertion or
> mod_shib's state.

That's essentially what the SP does internally along with clearing any header
names it's controlling.

I have no idea if the AJP_ trick works on JBoss.

-- Scott
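As an added example (not code from this thread or from the Shibboleth SP), the following models the front-end/servlet-container boundary that Ram's mod_jk setup with ShibUseHeaders On relies on, to make Peter's spoofing concern and the two counter-measures concrete: a naive forwarder that copies client headers through lets a client pre-fill any attribute the session does not supply; clearing every header name the SP controls before forwarding (what Scott says the SP does internally) closes that; and a secret attribute prefix in the spirit of Peter's suggestion makes the names unguessable for a servlet that only reads the prefixed form. The header names, the list of controlled names and the attribute values are constructed for the example.

```python
# Added example, not code from the thread or from the Shibboleth SP.  Models
# header forwarding from an httpd front-end to a servlet container and the
# counter-measures against client-supplied attribute headers.  All names and
# values are constructed.
import secrets

# Names the SP owns.  Their values must come only from the SP session, never
# from the user agent.  (Constructed; the real set follows attribute-map.xml.)
CONTROLLED_HEADERS = ("Shib-Identity-Provider", "Shib-Session-ID",
                      "uid", "cn", "sn", "mail")


def naive_forward(client_headers, session_attrs):
    """Forward the client's headers as-is and add the session attributes.
    Any controlled name the session does not supply (no session, or an
    attribute the IdP did not release) keeps whatever the client sent."""
    out = dict(client_headers)
    out.update(session_attrs)
    return out


def hardened_forward(client_headers, session_attrs, controlled=CONTROLLED_HEADERS):
    """Drop every controlled header first, matched case-insensitively because
    HTTP header names are, then add the session attributes.  A client cannot
    pre-fill 'uid', 'UID' or 'Uid' this way, whether or not a session exists."""
    owned = {name.lower() for name in controlled}
    out = {k: v for k, v in client_headers.items() if k.lower() not in owned}
    out.update(session_attrs)
    return out


def new_secret_prefix(base="AJP_"):
    """A prefix with a random part, e.g. 'AJP_<32 hex chars>_'.  The same value
    would be configured as attributePrefix on the SP and known to the servlet."""
    return f"{base}{secrets.token_hex(16)}_"


def forward_with_prefix(client_headers, session_attrs, prefix):
    """Hardened forwarding plus the secret prefix on every SP-supplied value.
    Anything the client sent under the real prefix is stripped as well."""
    cleaned = hardened_forward(client_headers, {})
    out = {k: v for k, v in cleaned.items()
           if not k.lower().startswith(prefix.lower())}
    out.update({prefix + name: value for name, value in session_attrs.items()})
    return out


def read_attribute(backend_headers, name, prefix):
    """How the servlet side reads an attribute: only under the secret prefix.
    A value a client injected under a guessed name is never consulted."""
    return backend_headers.get(prefix + name)
```

The third function is defence in depth, not a substitute for the second: without the clearing step a proxy that simply copies headers (Scott's point that the environment cannot cross a proxy, so headers are all you have there) would still carry a client's `uid` to a servlet that reads the bare name.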
Ram Munjuluri
2010-11-13 20:41:29 UTC
Permalink
The only way I can get the SAML/Shib attributes displayed in my application is
through request headers, by adding ShibUseHeaders On. I can't seem to get
the environment variables path working (my understanding is that by environment
variables, we mean using HttpServletRequest.getAttribute() and not the JBoss
process environment variables).

Embedding

<%
System.out.println("Attr : " + (String)
request.getAttribute("Shib-Identity-Provider"));
System.out.println("Attr : " + (String) request.getAttribute("uid"));
System.out.println("Attr : " + (String) request.getAttribute("cn"));

System.out.println("Hdr : " + (String)
request.getHeader("Shib-Identity-Provider"));
System.out.println("Hdr : " + (String) request.getHeader("uid"));
System.out.println("Hdr : " + (String) request.getHeader("cn"));
%>


in my JSP and checking the console log yields only nulls for all 3 attributes.
I understand not using the ShibUseHeaders On directive will make
request.getHeader() return null.

So, is there something else I need to check in either Apache 2.2 or JBoss 5.2?


thanx
-
ram
Peter Schober
2010-11-13 23:30:41 UTC
Permalink
* Ram Munjuluri <rmunjuluri-/***@public.gmane.org> [2010-11-13 21:42]:
> <%
> System.out.println("Attr : " + (String) request.getAttribute("Shib-Identity-Provider"));
> System.out.println("Attr : " + (String) request.getAttribute("uid"));
> System.out.println("Attr : " + (String) request.getAttribute("cn"));

Are you sure the attributes are there on the httpd side? They are in
the transaction log? Try setting one of the attributes as REMOTE_USER
in the relevant Application section of your shibboleth2.xml (by adding
uid, which you seem to be expecting) and see if the uid is being
written to Apache httpd's access log.
You could also look at the AJP traffic (or switch to HTTP proxying, if
you're using request headers anyway, probably makes for easier
traffic sniffing) with tcpdump/wireshark to see what's in there.

Also try looping over all attributes, though that didn't work for me, cf.
http://groups.google.com/group/shibboleth-users/msg/a4d5b03614a7fd76
http://groups.google.com/group/shibboleth-users/msg/e68bdc0bc1018bb2

> System.out.println("Hdr : " + (String) request.getHeader("Shib-Identity-Provider"));
> System.out.println("Hdr : " + (String) request.getHeader("uid"));
> System.out.println("Hdr : " + (String) request.getHeader("cn"));
> %>

I already said:

* Peter Schober <peter.schober-***@public.gmane.org> [2010-11-13 14:58]:
> Note that "Shib-Identity-Provider" is not a valid HTTP request header
> name, so your second check will always fail IMO (these usually are
> prefixed with HTTP_, are all uppercase and '-' becomes '_').

* Ram Munjuluri <rmunjuluri-/***@public.gmane.org> [2010-11-13 21:42]:
> I understand not using ShibUseHeaders On directive will make the
> request.getHeader() to return null.

For those specific headers, yes. Iterate over all headers and you'll
see some more, Shibboleth or not.
-peter
Scott Cantor
2010-11-13 23:42:30 UTC
Permalink
> Are you sure the attributes are there on the httpd side?

The one he's looking for is always there if the session is.

> I already said:
>
> * Peter Schober <peter.schober-***@public.gmane.org> [2010-11-13 14:58]:
> > Note that "Shib-Identity-Provider" is not a valid HTTP request header
> > name, so your second check will always fail IMO (these usually are
> > prefixed with HTTP_, are all uppercase and '-' becomes '_').

That's not the case with Java, it uses the "raw" names even though it's
calling them headers in the CGI sense. I don't believe any servlet APIs let
you access anything via the "HTTP_" prefix.

-- Scott
Peter Schober
2010-11-14 00:15:25 UTC
Permalink
* Scott Cantor <cantor.2-ZbGKxL/***@public.gmane.org> [2010-11-14 00:43]:
> That's not the case with Java, it uses the "raw" names even though
> it's calling them headers in the CGI sense. I don't believe any
> servlet APIs let you access anything via the "HTTP_" prefix.

I actually had "unless Java does some magic here" in there, but
removed it before submission (thinking I will eventually be corrected
if what I keep repeating is actually not the case).
YAPIKNAJ (Yet Another Proof I Know Nothing About Java),
-peter
Ram Munjuluri
2010-11-14 04:19:22 UTC
Permalink
here is the SP transaction.log output


2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: New session (ID:
_75d59b3d7ccadc6079fad2c1a2fe735f) with (applicationId:
shibbolethattributedisplay) for principal from (IdP: urn:travelfederation:idp)
at (ClientAddress: 127.0.0.1) with (NameIdentifier:
_6f75beab991567b52925fcf571703f07) using (Protocol:
urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID:
_e4609d7acaaa018111d6b5ead5b8201c)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: Cached the following
attributes with session (ID: _75d59b3d7ccadc6079fad2c1a2fe735f) for
(applicationId: shibbolethattributedisplay) {
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: uid (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: cn (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: street (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: sn (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: homePhone (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: mail (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: st (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: l (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: mobile (1 values)
2010-11-13 23:00:31 INFO Shibboleth-TRANSACTION [6]: }
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: New session (ID:
_8bcfb2ccff9ee13cc864c40015c33fba) with (applicationId:
shibbolethattributedisplay) for principal from (IdP: urn:travelfederation:idp)
at (ClientAddress: 127.0.0.1) with (NameIdentifier:
_6f75beab991567b52925fcf571703f07) using (Protocol:
urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID:
_2ec2f8d739a01f147835f1c4bd43e0f5)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: Cached the following
attributes with session (ID: _8bcfb2ccff9ee13cc864c40015c33fba) for
(applicationId: shibbolethattributedisplay) {
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: uid (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: cn (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: street (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: sn (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: homePhone (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: mail (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: st (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: l (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: mobile (1 values)
2010-11-13 23:05:59 INFO Shibboleth-TRANSACTION [7]: }

I can't see any info in the mod_jk.log either regarding these attributes. All
I see is the request headers as follows:

[8000:3944] [debug] jk_ajp_common.c (667): Number of headers is = 4
[8000:3944] [debug] jk_ajp_common.c (723): Header[0] [X-Powered-By] = [Servlet
2.5; JBoss-5.0/JBossWeb-2.1]
[8000:3944] [debug] jk_ajp_common.c (723): Header[1] [Set-Cookie] =
[JSESSIONID=76361735F1D25B171A15A18D73D25EA0.pictor;
Path=/shibbolethattributedisplay; Secure]
[8000:3944] [debug] jk_ajp_common.c (723): Header[2] [Content-Type] =
[text/html;charset=ISO-8859-1]
[8000:3944] [debug] jk_ajp_common.c (723): Header[3] [Content-Length] = [2986]
[8000:3944] [debug] jk_ajp_common.c (1336): received from ajp13 pos=0 len=2990
max=8192
[8000:3944] [debug] jk_ajp_common.c (1336): 0000 03 0B AA 0D 0A 0D 0A 3C 68
74 6D 6C 3E 0D 0A 3C - .......<html>..<
[8000:3944] [debug] jk_ajp_common.c (1336): 0010 68 65 61 64 3E 0D 0A 3C 74
69 74 6C 65 3E 41 74 - head>..<title>At...

None of the SP attributes from the log seem to transfer over to the JBoss
application.

thanx
-ram
Ram Munjuluri
2010-11-13 13:22:40 UTC
Permalink
I would like to configure my IdP to use the email instead of the "uid" on the
entities in my LDAP server for authenticating users. Is there a mapping or a
configuration that lets me do this?

thanx
-ram
Nate Klingenstein
2010-11-13 13:31:26 UTC
Permalink
Ram,

Yes, absolutely. You just need to change the FilterTemplate in
attribute-resolver.xml and the userFilter/userField in login.config to
use mail (or the attribute name for email in your LDAP directory)
instead of uid.

https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector
https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass

Take care,
Nate.

On Nov 13, 2010, at 1:22 PM, Ram Munjuluri wrote:

> I would like to configure my IdP to use the email instead of the
> "uid" on the
> entities in my LDAP server for authenticating users. Is there a
> mapping or a
> configuration that lets me do this?
>
> thanx
> -ram
Brendan Bellina
2010-11-23 23:29:49 UTC
Permalink
We have thought about doing this as well. But we do not require mail to be unique so it wouldn't always work.

Regards,

Brendan Bellina
USC

On Nov 13, 2010, at 5:31 AM, Nate Klingenstein wrote:

> Ram,
>
> Yes, absolutely. You just need to change the FilterTemplate in attribute-resolver.xml and the userFilter/userField in login.config to use mail (or the attribute name for email in your LDAP directory) instead of uid.
>
> https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector
> https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
>
> Take care,
> Nate.
>
> On Nov 13, 2010, at 1:22 PM, Ram Munjuluri wrote:
>
>> I would like to configure my IdP to use the email instead of the "uid" on the
>> entities in my LDAP server for authenticating users. Is there a mapping or a
>> configuration that lets me do this?
>>
>> thanx
>> -ram
>
Munjuluri, Ram
2010-11-24 13:42:33 UTC
Permalink
Can you elaborate on this? Did you mean, two people can have the same email address ?

Thanx
-ram

-----Original Message-----
From: bbellina-***@public.gmane.org [mailto:bbellina-***@public.gmane.org]
Sent: Tuesday, November 23, 2010 6:30 PM
To: shibboleth-users-H4aWS73dXup+***@public.gmane.org
Subject: Re: [Shib-Users] using emailId/password for authentication

We have thought about doing this as well. But we do not require mail to be unique so it wouldn't always work.

Regards,

Brendan Bellina
USC

On Nov 13, 2010, at 5:31 AM, Nate Klingenstein wrote:

> Ram,
>
> Yes, absolutely. You just need to change the FilterTemplate in attribute-resolver.xml and the userFilter/userField in login.config to use mail (or the attribute name for email in your LDAP directory) instead of uid.
>
> https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector
> https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
>
> Take care,
> Nate.
>
> On Nov 13, 2010, at 1:22 PM, Ram Munjuluri wrote:
>
>> I would like to configure my IdP to use the email instead of the "uid" on the
>> entities in my LDAP server for authenticating users. Is there a mapping or a
>> configuration that lets me do this?
>>
>> thanx
>> -ram
>
Gregory Haverkamp
2010-11-24 17:15:36 UTC
Permalink
On Wed, Nov 24, 2010 at 5:42 AM, Munjuluri, Ram <ram.mujuluri-/CpJisCCHaDQT0dZR+***@public.gmane.org> wrote:
> Can you elaborate on this? Did you mean, two people can have the same email address ?

I can't speak to Brendan's case, but in ours, we have many objects in
the directory that share the same mail attribute. Usually, these are
role accounts, where the mail attribute is used to provide contact
info for the object.

Greg
Munjuluri, Ram
2010-11-24 18:36:13 UTC
Permalink
Emails for roles I can understand. I would see them as emails for role "owners/requesters". What I don't understand different people using the same email address to authenticate and login into a web application and expect different attributes to drive authorizations. May be I am missing something.

-ram

-----Original Message-----
From: shibboleth-users-request-H4aWS73dXup+***@public.gmane.org [mailto:shibboleth-users-request-H4aWS73dXup+***@public.gmane.org] On Behalf Of Gregory Haverkamp
Sent: Wednesday, November 24, 2010 12:16 PM
To: shibboleth-users-H4aWS73dXup+***@public.gmane.org
Subject: Re: [Shib-Users] using emailId/password for authentication

On Wed, Nov 24, 2010 at 5:42 AM, Munjuluri, Ram <ram.mujuluri-/CpJisCCHaDQT0dZR+***@public.gmane.org> wrote:
> Can you elaborate on this? Did you mean, two people can have the same email address ?

I can't speak to Brendan's case, but in ours, we have many objects in
the directory that share the same mail attribute. Usually, these are
role accounts, where the mail attribute is used to provide contact
info for the object.

Greg
Gregory Haverkamp
2010-11-24 18:56:00 UTC
Permalink
On Wed, Nov 24, 2010 at 10:36 AM, Munjuluri, Ram
<ram.mujuluri-/CpJisCCHaDQT0dZR+***@public.gmane.org> wrote:
> Emails for roles I can understand. I would see them as emails for role "owners/requesters". What I don't understand different people using the same email address to authenticate and login into a web application and expect different attributes to drive authorizations. May be I am missing something.

That wouldn't work, so you're not missing anything. And hence, email
addresses aren't being used.

If your email address are guaranteed to be unique, then the issue
doesn't apply to you.

Greg
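As an added example (not code from this thread or from the Shibboleth IdP), here is the lookup the IdP's password login performs when the entered name is resolved against the directory, written in Python over a constructed in-memory directory rather than a real LDAP server. It shows the two things that change when the login attribute is switched from uid to mail as Nate describes: the entered value must be escaped before it goes into the filter, and the search must return exactly one entry, which mail does not guarantee once role accounts carry a person's address as contact information (Brendan's and Greg's point). The directory entries, DNs and filter strings are constructed; the filter templates quoted in comments are the shapes used in login.config and attribute-resolver.xml, not this thread's exact configuration.

```python
# Added example, not code from the thread or from the Shibboleth IdP.  Models
# the IdP's principal lookup over a constructed directory.
#
# Constructed directory: bob owns the helpdesk role account, and the role
# account carries his address as contact information.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=edu", "uid": "alice", "mail": "alice@example.edu"},
    {"dn": "uid=bob,ou=people,dc=example,dc=edu", "uid": "bob", "mail": "helpdesk@example.edu"},
    {"dn": "cn=helpdesk,ou=roles,dc=example,dc=edu", "uid": "helpdesk", "mail": "helpdesk@example.edu"},
]

# RFC 4515 escapes for assertion values.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an entered login name so '*' or 'a)(uid=admin' cannot widen the filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def login_filter(attr, login_name):
    """The filter the IdP sends, e.g. '(mail=alice@example.edu)'.  This is what a
    userFilter of '(mail={0})' in login.config or a FilterTemplate of
    '(mail=$requestContext.principalName)' in attribute-resolver.xml expands to."""
    return f"({attr}={escape_filter_value(login_name)})"


def search(directory, attr, value):
    """Equality match; uid and mail use case-insensitive matching rules."""
    return [e for e in directory if e.get(attr, "").lower() == value.lower()]


class UnknownPrincipal(Exception):
    pass


class AmbiguousPrincipal(Exception):
    pass


def resolve_principal(directory, attr, login_name):
    """Return the DN to bind as.  Refuse, rather than take the first hit, when
    the login attribute is not unique for this value."""
    matches = search(directory, attr, login_name)
    if not matches:
        raise UnknownPrincipal(login_name)
    if len(matches) > 1:
        raise AmbiguousPrincipal(
            f"{login_filter(attr, login_name)} matches {len(matches)} entries: "
            + ", ".join(e["dn"] for e in matches))
    return matches[0]["dn"]


def resolution_outcome(directory, attr, login_name):
    """Summarise resolve_principal as ('ok', dn), ('ambiguous', None) or ('unknown', None)."""
    try:
        return ("ok", resolve_principal(directory, attr, login_name))
    except AmbiguousPrincipal:
        return ("ambiguous", None)
    except UnknownPrincipal:
        return ("unknown", None)


def non_unique_values(directory, attr):
    """Pre-flight check before switching the login attribute: which values of
    attr are shared between entries?  Empty means attr is safe to log in with."""
    seen = {}
    for e in directory:
        if attr in e:
            seen.setdefault(e[attr].lower(), []).append(e["dn"])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}
```

Running non_unique_values over the real directory for `mail` is the check to do before changing the filter templates; an LDAP server will happily return two entries for `(mail=helpdesk@example.edu)`, and a login module that binds as the first one would authenticate bob's password against the role account's DN, or the other way round, depending on result order.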
s***@public.gmane.org
2010-11-17 23:47:49 UTC
Permalink
I have a simple app running in WebSphere 6.1 which is being shibbolethized.
When I call
https://abc.ucsf.edu/abc/_index.jsp
it first takes me to the login page as it should. Once I log in with the correct username
and password it does take me back to the original page (
https://abc.ucsf.edu/abc/_index.jsp, in this case). This page does nothing
but display all the attributes from the header and request. I am doing so to
check if I am getting the attributes sent by my IdP. Here I am looking for 2
attributes
ucsfeduidnumber: 012348775
uid: SS1234877
But I do not see them coming along with the request. Below is the list of all
attributes that I see from the _index.jsp page

------------------------------------------------------------------------------------------
ucsfeduidnumber from ReqHeader=null
ucsfeduidnumber from ReqParam=null
uid from ReqHeader=null
uid from ReqParam=null

---------------------
All attributes From Header
Host abc.ucsf.edu
User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2)
Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
Cookie
_shibsession_64656661756c7468747470733a2f2f7678392e756373662e6564752f736869626
26f6c657468=_3763a6dded408345d6ff7192fc968c70;
ADVJSESSIONID=0000uodtOFmEPQEVtM4Ch5Wgb1J:13sdhlt0r
X-lori-time-1 1290033461882
$WSAT shibboleth
$WSIS true
$WSSC https
$WSPR HTTP/1.1
$WSRA 169.230.243.58
$WSRH 169.230.243.58
$WSRU 022348775
$WSSN vx9.ucsf.edu
$WSSP 443
Surrogate-Capability WS-ESI="ESI/1.0+"
_WS_HAPRT_WLMVERSION -1
------------------------------------------------------------------------------------------
But When I check;
https://abc.ucsf.edu/Shibboleth.sso/Session

I do see these 2 attributes with right value in them, as below;
=========================================================
Miscellaneous
Client Address: 169.230.243.58
Identity Provider: https://xyz.ucsf.edu/idp/shibboleth
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2010-11-17T22:37:32.158Z
Authentication Context Class:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Session Expiration (barring inactivity): 472 minute(s)

Attributes
ucsfeduidnumber: 022348775
uid: SF234877
=========================================================

Only error that I see in log is at the start up, which is below
-------------------------------------------------------------------------------------
2010-11-08 13:51:21 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Login::run::SAML2SI)
2010-11-08 13:51:21 ERROR Shibboleth.Application : caught exception processing
handler element: Unknown plugin type.
2010-11-08 13:51:21 INFO Shibboleth.Listener : registered remoted message
endpoint (default/WAYF::run::SAML2SI)
-------------------------------------------------------------------------------------

The Shibboleth version in use is 2.0 along with Apache 2.2. My guess here is
that WebSphere is doing something (based on config) not to receive it.
Being new to Shibboleth I am not sure. Any idea what is causing the
attributes not to show up in the app? Any help will be highly appreciated.


Thanks
susil
Peter Schober
2010-11-18 10:45:38 UTC
Permalink
* susil.rayamajhi-MULicn+***@public.gmane.org <susil.rayamajhi-MULicn+***@public.gmane.org> [2010-11-18 11:39]:
> But I do not see them coming along with the request. Below is the
> list of all attributes that I see from _index.jsp page

* What is the protocol used between the webserver with Shibboleth and
the servlet container? HTTP or AJP?
* Do you set `ShibUseHeaders On` in the webserver for the requests
sent off to the servlet container?
* How do you try to access the attributes?
request.getAttribute() or request.getHeader()?

> The shibboleth version in use is 2.0 along with apache2.2.

Note that 2.0 is very old. 2.3.1 is current, with 2.4 just around the
corner.
-peter
s***@public.gmane.org
2010-11-18 18:40:01 UTC
Permalink
Hi,

* What is the protocol used between the webserver with Shibboleth and
the servlet container? HTTP or AJP?

-> It is using HTTPS
and apache2 is integrated with WebSphere using the below in the conf file

LoadModule was_ap22_module /opt/wsphere/ApplicationServer/webserver/Plugins/bin/64bits/mod_was_ap22_http.so
WebSpherePluginConfig /opt/wsphere/ApplicationServer/webserver/Plugins/config/plugin-cfg.xml



* Do you set `ShibUseHeaders On` in the webserver for the requests
sent off to the servlet container?
-> I tried with both this ON and without in apache22.conf
<Location /advance>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
require valid-user
</Location>



* How do you try to access the attributes?
request.getAttribute() or request.getHeader()?
I did both request.getAttribute() and request.getHeader() to check for the
attributes(ucsfeduidnumber and uid )

The version of SP is ( Shibboleth SP Version 2.3.1 )

Thank you
s
Scott Cantor
2010-11-18 18:43:53 UTC
Permalink
> * What is the protocol used between the webserver with Shibboleth and
> the servlet container? HTTP or AJP?
>
> ->It is using HTTPS
> and apache2 is integrated with wsbsphere using below in conf file

Then you'll have to look into its documentation regarding header forwarding,
because many HTTP proxy modules don't do that automatically. WebLogic's
does, mod_proxy doesn't.

-- Scott
s***@public.gmane.org
2010-11-19 22:20:48 UTC
Permalink
Hi,
It is working now, at least on one env. Still need to verify on the other env as we
have a different app server there. Changing the config in apache22.conf made a
difference. Below is the modification;
#old config
<Location /aaa>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
#new config and it works
<Location /aaa>
AuthType shibboleth
ShibRequireSession On
require shibboleth
ShibUseHeaders On
</Location>

The main difference seems to be ShibRequireSession On, which was missing
earlier. My initial thought was it should work without it, as 'Off' here means
it is working passively as a "lazy session", which is the case in my env,
where it takes you to the "/Shibboleth.sso/Login" page for auth and where this
element is turned ON. Anyway, it's working on this env, and I hope the setup runs
smoothly on the other environment as well.
If you want to know more on these settings you can find it at:
http://www.edugate.ie/Support/Technical%20Resources/Installation%20Guides/Service%20Provider%20Guides/shibboleth-2-service-provi-0
Hope this helps others. Thanks for your help.

Susil
Scott Cantor
2010-11-19 22:28:26 UTC
Permalink
> #new config and it works

That's because you turned header use on, which is a given. You can't use the
environment across a proxy.

> The main difference seems to be in ShibRequireSession On which was missing
> earlier. My initial thought was it should work without it as 'Off' here
> means it is working passively as a "lazy session", which is the case in my
env,
> where it takes you to "/Shibboleth.sso/Login" page for auth and where this
> element is turned ON.

That is correct, and has nothing to do with the problem.

-- Scott
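Scott's point above is that behind a proxy the only channel left for Shibboleth attributes is HTTP headers (ShibUseHeaders On), and headers are exactly what a client can forge if it can reach the servlet container without going through the SP-fronted web server (the SP strips client-supplied copies of the headers it exports, but only on requests it actually handles). The following is an added example, not code from the thread or from the Shibboleth project: a small WSGI-style helper that reads the attributes as headers and refuses to trust them unless the request arrived from the front end and carries an SP session header. The proxy address, the constructed request dictionaries and the treatment of the header names as `uid` and `ucsfeduidnumber` are assumptions for illustration; real header names come from the SP's attribute-map.xml.

```python
from typing import Dict, List, Optional

# Attribute headers the SP exports with ShibUseHeaders On. These two names
# come from the thread; the real set is whatever attribute-map.xml defines.
ATTRIBUTE_HEADERS = ("uid", "ucsfeduidnumber")

# Header the SP sets on every request that carries an SP session.
SESSION_HEADER = "Shib-Session-ID"

# Address of the Apache/Shibboleth front end (assumed value for the example).
TRUSTED_PROXIES = frozenset({"10.0.0.5"})


def wsgi_key(header: str) -> str:
    """WSGI exposes a request header as HTTP_<NAME>, upper-cased, '-' -> '_'."""
    return "HTTP_" + header.upper().replace("-", "_")


def attributes_from_environ(environ: Dict[str, str]) -> Optional[Dict[str, List[str]]]:
    """Return the SP attributes carried as headers, or None if untrusted.

    The SP's environment variables never cross a proxy, so headers are the
    only channel here. A request is trusted only when it came from the
    SP-fronted web server and the SP marked it with a session header.
    """
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None
    if not environ.get(wsgi_key(SESSION_HEADER)):
        return None
    attrs: Dict[str, List[str]] = {}
    for name in ATTRIBUTE_HEADERS:
        raw = environ.get(wsgi_key(name))
        if raw:
            # The SP joins multiple values with ';'. Literal ';' inside a
            # value is escaped by the SP; that escaping is not undone here.
            attrs[name] = raw.split(";")
    return attrs


def proxied_request() -> Dict[str, str]:
    """Constructed WSGI environ: a request relayed by the SP front end."""
    return {
        "REMOTE_ADDR": "10.0.0.5",
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/advance/",
        wsgi_key(SESSION_HEADER): "_0f3c2a9e8b7d6c5a4f3e2d1c0b9a8f7e",
        wsgi_key("uid"): "jdoe",
        wsgi_key("ucsfeduidnumber"): "12345",
    }


def direct_request() -> Dict[str, str]:
    """Constructed environ: the same headers, forged by a client that reached
    the servlet container directly instead of through the SP."""
    env = proxied_request()
    env["REMOTE_ADDR"] = "203.0.113.7"
    return env


def proxied_without_session() -> Dict[str, str]:
    """Constructed environ: relayed by the front end, but no SP session."""
    env = proxied_request()
    del env[wsgi_key(SESSION_HEADER)]
    return env
```

The address check is only meaningful if the container's listener is not reachable from anywhere except the front end; when both run on the same host, bind the container to localhost (as the Tomcat AJP connector in this thread does with address="127.0.0.1") rather than relying on a source-address test alone.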
rodger scoggin
2010-11-19 06:14:44 UTC
Permalink
Greetings,

I have a production install of shibboleth that has been working very successfully
for over a month, but have run into one problem that has been stumping me for a
while...

We are running IIS 6.0 on WS 2003 with Shib 1.3.1 as an SP only config. Port
443 on the inside is taken by another webroot that we cannot displace, so our
shibboleth virtual directory is on port 8443. For now, we have used outside
port 8443 in order to not receive the "message delivered with POST to
incorrect server URL" for the port mismatch in the two URLs.

That said, I have tried many ways to fix this using the <ISAPI> directive,
all to no avail. Basically, I want outside requests coming in on SSL port 443
to land on SSL port 8443 but not hear about the mismatch. I have even tried
the policyrule type="bearer" set to false with no success. Below (after sig
:) are our current settings that matter; I have tried various permutations on
the attributes of the ISAPI and Site directives...

TIA,

Rodger

<InProcess logger="native.logger">
<ISAPI normalizeRequest="true">
<Site id="1532119484" scheme="https"
name="sso.wildcardsystems.com" sslport="8443" port="8080"/>
</ISAPI>
</InProcess>

<RequestMapper type="Native" exportAssertion="true">
<RequestMap applicationId="default">
<Host name="sso.wildcardsystems.com" authType="shibboleth"
requireSession="false" scheme="https" port="8443" exportAssertion="true">
<Path name="secure" authType="shibboleth"
requireSession="false" exportAssertion="true"/>
</Host>
</RequestMap>
</RequestMapper>
Scott Cantor
2010-11-19 15:09:56 UTC
Permalink
> We are running IIS 6.0 on WS 2003 with Shib 1.3.1 as an SP only config.
> Port 443 on the inside is taken by another webroot that we cannot displace,
> so our shibboleth virtual directory is on port 8443. For now, we have used
> outside port 8443 in order to not receive the "message delivered with POST to
> incorrect server URL" for the port mismatch in the two URLs.

Unless you have a load balancer or proxy, there is no "outside" or "inside",
there's just "the port". You can't virtualize requests just "because". That
would cause the redirects to get rewritten to a physical request you can't
handle.

> That said, I have tried many ways to fix this using the <ISAPI> directive -
> all to no avail. Basically, I want outside request coming in on SSL port
> 443 to land on SSL port 8443 but not hear about the mismatch.

If the request is physically SSL, then the sslport setting will determine
the logical port, otherwise the port setting is used.

> <InProcess logger="native.logger">
> <ISAPI normalizeRequest="true">
> <Site id="1532119484" scheme="https"
> name="sso.wildcardsystems.com" sslport="8443" port="8080"/>

That will cause non-SSL requests to be treated as
https://sso.wildcardsystems.com:8080 and SSL requests as
https://sso.wildcardsystems.com:8443

You can see that in native.log on DEBUG.

-- Scott
Scoggin, Rodger
2010-11-19 15:17:22 UTC
Permalink
Exactly, you are right on. This is behind a load balancer and port
virtualization is the method being used (for 10 years now) by our
Microsoft infested datacenter. So on the "outside" traffic is directed
to 443 on the external VIP and PATted to 8443 inside as that is the port
the vdir in IIS is located on that has the shabby filter.

The request is physically SSL. I am probably misunderstanding the
intent behind the various port attributes on the ISAPI directive; I
thought somehow they might override the physical destination URL having a
port of 443 with the logical value of 8443 for the recipient URL when I
set sslport to 8443.

Anyway to tell Shibby to ignore the port differences, re-map them, etc.?



_____________

The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
_____________
Scott Cantor
2010-11-19 15:24:52 UTC
Permalink
> The request is physically SSL. I am probably mis-understanding the
> intent behind the various port attributes on the ISAPI directive, I
> though somehow they might override the physical destination URL having a
> port of 443 with the logical value of 8443 for the recipient URL when I
> set sslport to 8443.

It does.

> Anyway to tell Shibby to ignore the port differences, re-map them, etc.?

That is how. So your instance ID is wrong or in some other respect that is
not the configuration it's using.

Again, you have the logs.

-- Scott
Scott Cantor
2010-11-19 15:26:20 UTC
Permalink
> The request is physically SSL.

Key point...that means it's physically seen as SSL by *IIS*. If you're
offloading, there's a very good chance it is not SSL there. That means it's
physically http and logically https (and thus you need the scheme override
also).

-- Scott
Scoggin, Rodger
2010-11-19 15:51:05 UTC
Permalink
Thanks, no offloading, it is SSL at port 8443 coming into the
webservers. Been trying to get them to buy SSL accelerators but not a
priority.

I ran an unsuccessful "hit" from outside 443 and a good one from 8443 and
checked the native.log [debug]... I don't see any differences in the
first parts just before the failure message and just before the
successful processing. Double checked Site ID - all good - you can see
that in the IIS log as well. Config is as I sent... http logs from
IIS show the two different calls as well (first part - relevant data
only). Any ideas on how to troubleshoot? Does the W3SVC need to be in
the siteID - all examples show just the number like in the IIS
metabase...

Thanks Scott - starting to look at source code as well to see if I can
understand.

#Date: 2010-11-19 15:30:18
#Fields: date time siteID cs-method cs-uri-stem cs-uri-query s-port cs-host sc-status
*FAILED CALL*
2010-11-19 15:30:18 W3SVC1532119484 POST /Shibboleth.sso/SAML2/POST - 8443 sso.wildcardsystems.com 200
*GOOD CALL*
2010-11-19 15:30:27 W3SVC1532119484 POST /Shibboleth.sso/SAML2/POST - 8443 sso.wildcardsystems.com:8443 200

*FAILED CALL*
2010-11-19 10:30:14 DEBUG Shibboleth.ISAPI [3024] isapi_shib: mapped https://sso.wildcardsystems.com:8443/Shibboleth.sso/SAML2/POST to default
2010-11-19 10:30:15 DEBUG Shibboleth.ISAPI [3024] isapi_shib_extension: mapped https://sso.wildcardsystems.com:8443/Shibboleth.sso/SAML2/POST to default
2010-11-19 10:30:15 DEBUG Shibboleth.Listener [3024] isapi_shib_extension: sending message (default/SAML2/POST)
2010-11-19 10:30:15 DEBUG Shibboleth.Listener [3024] isapi_shib_extension: send completed, reading response message
2010-11-19 10:30:18 ERROR Shibboleth.Listener [3024] isapi_shib_extension: remoted message returned an error: SAML message delivered with POST to incorrect server URL.
2010-11-19 10:30:18 ERROR Shibboleth.ISAPI [3024] isapi_shib_extension: SAML message delivered with POST to incorrect server URL.

*GOOD CALL*
2010-11-19 10:30:19 DEBUG Shibboleth.ISAPI [3024] isapi_shib: mapped https://sso.wildcardsystems.com:8443/index.cfm to default
2010-11-19 10:30:26 DEBUG Shibboleth.ISAPI [3024] isapi_shib: mapped https://sso.wildcardsystems.com:8443/Shibboleth.sso/SAML2/POST to default
2010-11-19 10:30:26 DEBUG Shibboleth.ISAPI [3024] isapi_shib_extension: mapped https://sso.wildcardsystems.com:8443/Shibboleth.sso/SAML2/POST to default
2010-11-19 10:30:26 DEBUG Shibboleth.Listener [3024] isapi_shib_extension: sending message (default/SAML2/POST)
2010-11-19 10:30:26 DEBUG Shibboleth.Listener [3024] isapi_shib_extension: send completed, reading response message
2010-11-19 10:30:27 DEBUG Shibboleth.ISAPI [3024] isapi_shib: mapped https://sso.wildcardsystems.com:8443/ to default
2010-11-19 10:30:27 DEBUG Shibboleth.SessionCache [3024] isapi_shib: searching local cache for session (_cd519d9a1909213188e61a79ce134623)
2010-11-19 10:30:27 DEBUG Shibboleth.SessionCache [3024] isapi_shib: session not found locally, remoting the search
2010-11-19 10:30:27 DEBUG Shibboleth.Listener [3024] isapi_shib: sending message (find::StorageService::SessionCache)
2010-11-19 10:30:27 DEBUG Shibboleth.Listener [3024] isapi_shib: send completed, reading response message
2010-11-19 10:30:27 DEBUG Shibboleth.SessionCache [3024] isapi_shib: comparing client address 75.204.49.10 against 75.204.49.10
2010-11-19 10:30:27 DEBUG Shibboleth.ServiceProvider [3024] isapi_shib: doAuthentication succeeded
2010-11-19 10:30:27 DEBUG Shibboleth.SessionCache [3024] isapi_shib: unmarshalled attribute (ID: SSOID) with 1 value
2010-11-19 10:30:27 DEBUG Shibboleth.SessionCache [3024] isapi_shib: unmarshalled attribute (ID: SSOAPPID) with 1 value
2010-11-19 10:30:28 DEBUG Shibboleth.SessionCache [3024] isapi_shib: searching local cache for session (_cd519d9a1909213188e61a79ce134623)
2010-11-19 10:30:28 DEBUG Shibboleth.SessionCache [3024] isapi_shib: session found locally, validating it for use
2010-11-19 10:30:28 DEBUG Shibboleth.SessionCache [3024] isapi_shib: comparing client address 75.204.49.10 against 75.204.49.10
2010-11-19 10:30:28 DEBUG Shibboleth.Listener [3024] isapi_shib: sending message (touch::StorageService::SessionCache)
2010-11-19 10:30:28 DEBUG Shibboleth.Listener [3024] isapi_shib: send completed, reading response message
2010-11-19 10:30:28 DEBUG Shibboleth.ServiceProvider [3024] isapi_shib: doAuthentication succeeded

Scoggin, Rodger
2010-11-19 15:55:44 UTC
Permalink
ERRATA:

In *GOOD CALL* from native.log - first line with index.cfm is not
relevant data - part of test call...

Scoggin, Rodger
2010-11-19 18:07:47 UTC
Permalink
Ok, found the problem with a couple of comments and a BONUS question (I
know, you love this):

1. Had to restart IIS when I changed the ISAPI directive, found that in
the install notes but it wasn't mentioned at:

https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI

But, I should have known, I have to restart IIS for other changes but I
saw in the source code how this part was written and realized the hooks
were there.

2. Now that the logical mapping was in place, the port attr on the host
directive in the requestmapper has to use the logical not physical.
Elegant and makes sense, and took me 1 minute to figure out after I
found that IIS restart thingy.

Now, my config is:

<ISAPI normalizeRequest="true">
<Site id="1532119484" scheme="https"
name="sso.wildcardsystems.com" sslport="443"/>
</ISAPI>

And,

<Host name="sso.wildcardsystems.com" authType="shibboleth"
requireSession="false" scheme="https" port="443"
exportAssertion="true">
</Host>

Bonus question:

Anyway, without changing my IIS config (which I am considering) to have
both 8443 and 443 on outside work at same time while all our customers
"rollover" the new port in their system? Need to minimize downtime...

Thanks!

Rodger

Scott Cantor
2010-11-19 18:18:42 UTC
Permalink
> 1. Had to restart IIS when I changed the ISAPI directive, found that in
> the install notes but it wasn't mentioned at:
>
> https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI

I'll add it, thanks.

> 2. Now that the logical mapping was in place, the port attr on the host
> directive in the requestmapper has to use the logical not physical.
> Elegant and makes sense, and took me 1 minute to figure out after I
> found that IIS restart thingy.

Yes. Basically the Site element produces the effective request URI, and the
map is written in terms of that.

> Anyway, without changing my IIS config (which I am considering) to have
> both 8443 and 443 on outside work at same time while all our customers
> "rollover" the new port in their system? Need to minimize downtime...

Sorry, I think there's a grammar error there and I'm not sure I understand
the question....could you rephrase?

-- Scott
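Scott's two sentences above describe the whole mechanism: the ISAPI <Site> element turns the physical request into a logical URL (scheme from the Site, port from sslport when IIS saw SSL, otherwise from port), the SAML POST binding then requires that logical URL to match the Destination the IdP posted to, and the RequestMap <Host> entries are matched against the same logical URL. The following added example, which is not the SP's code and only approximates its documented behaviour, replays the thread's failing and fixed configurations through that model. The Site and Host values are the ones posted in the thread; the public ACS URL the IdP posts to is assumed to be https://sso.wildcardsystems.com/Shibboleth.sso/SAML2/POST, and the real destination check in the SP (done in its SAML library) is not reproduced here.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Site:
    """Mirror of the <ISAPI><Site> attributes discussed in the thread."""
    id: str
    name: str
    scheme: str = "http"
    port: Optional[int] = None
    sslport: Optional[int] = None


@dataclass(frozen=True)
class HostEntry:
    """Mirror of a <RequestMap><Host> entry, keyed on the logical URL."""
    name: str
    scheme: str
    port: int
    application_id: str = "default"


def effective_url(site: Site, physical_ssl: bool, path: str) -> str:
    """Logical request URL the SP works with after Site normalization.

    The scheme always comes from the Site. The port comes from sslport when
    IIS saw the request as SSL, otherwise from port; a missing port or the
    scheme's default port is omitted from the URL.
    """
    port = site.sslport if physical_ssl else site.port
    default = 443 if site.scheme == "https" else 80
    if port is None or port == default:
        return f"{site.scheme}://{site.name}{path}"
    return f"{site.scheme}://{site.name}:{port}{path}"


def _norm(url: str) -> Tuple[str, str, int, str]:
    """Compare URLs on scheme, host, explicit-or-default port and path."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port, u.path)


def post_destination_ok(effective: str, destination: str) -> bool:
    """Approximation of the check behind 'SAML message delivered with POST
    to incorrect server URL': the Destination the IdP posted to must equal
    the URL the SP believes the request arrived at."""
    return _norm(effective) == _norm(destination)


def map_request(effective: str, hosts: Sequence[HostEntry]) -> Optional[str]:
    """RequestMap lookup: Host entries are written in logical terms, so a
    port of 8443 in the map no longer matches once the Site says 443."""
    scheme, host, port, _ = _norm(effective)
    for h in hosts:
        if (h.scheme, h.name.lower(), h.port) == (scheme, host, port):
            return h.application_id
    return None


ACS_PATH = "/Shibboleth.sso/SAML2/POST"
# Assumed: the IdP posts to the public URL on 443, which is what the
# customers' systems see behind the load balancer.
PUBLIC_ACS = "https://sso.wildcardsystems.com" + ACS_PATH


def before_fix() -> Tuple[str, bool]:
    """Original configuration: sslport=8443, RequestMap port=8443."""
    site = Site("1532119484", "sso.wildcardsystems.com", "https",
                port=8080, sslport=8443)
    eff = effective_url(site, physical_ssl=True, path=ACS_PATH)
    return eff, post_destination_ok(eff, PUBLIC_ACS)


def after_fix() -> Tuple[str, bool, Optional[str]]:
    """Fixed configuration: sslport=443 and the map rewritten to port 443."""
    site = Site("1532119484", "sso.wildcardsystems.com", "https", sslport=443)
    eff = effective_url(site, physical_ssl=True, path=ACS_PATH)
    hosts = [HostEntry("sso.wildcardsystems.com", "https", 443)]
    return eff, post_destination_ok(eff, PUBLIC_ACS), map_request(eff, hosts)
```

The model also shows why the original Site element made non-SSL traffic look like https://sso.wildcardsystems.com:8080, as Scott noted, and why one Site entry cannot serve two outside ports: the Site carries a single sslport, so a second logical port needs a second IIS site with its own id.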
Scoggin, Rodger
2010-11-19 18:33:38 UTC
Permalink
LOL, thanks, late night last night :)

Is there anyway, without changing my IIS config, to have both 8443 and
443 on the outside work at same time? Our customers will need to
"rollover" to the new port in their system after we change and several
systems with several customers will have to change. Their clients would
be impacted in the meantime, need to minimize downtime...

Peter Schober
2010-11-19 18:38:38 UTC
Permalink
* Scoggin, Rodger <Rodger.Scoggin-/Lv4ykeZ0xsS+***@public.gmane.org> [2010-11-19 19:34]:
> Is there anyway, without changing my IIS config, to have both 8443 and
> 443 on the outside work at same time?

Provided the webserver part is done, add an additional mapping to your
RequestMap, and additional endpoints to the metadata describing this
service provider (so all protocol endpoints are available at https/443
and https/8443),
-peter
Scoggin, Rodger
2010-11-19 18:59:01 UTC
Permalink
Thanks, tried that (I think) and the isapi directive apparently wants a
separate site ID. I tested (with a separate site id) and it works;
config looks like this:

<ISAPI normalizeRequest="true">
<Site id="1532119484" scheme="https"
name="sso.wildcardsystems.com" sslport="443"/>
<Site id="76256781" scheme="https"
name="sso.wildcardsystems.com" sslport="8443"/>
</ISAPI>
<RequestMap applicationId="default">
<Host name="sso.wildcardsystems.com" authType="shibboleth"
requireSession="false" scheme="https" port="443"
exportAssertion="true">
</Host>
<Host name="sso.wildcardsystems.com" authType="shibboleth"
requireSession="false" scheme="https" port="8443"
exportAssertion="true">
</Host>
</RequestMap>

What are you suggesting specifically? This is what I tried before and I
got the message about the endpoints not matching...

<ISAPI normalizeRequest="true">
<Site id="1532119484" scheme="https"
name="sso.wildcardsystems.com" sslport="443"/>
<Site id="1532119484" scheme="https"
name="sso.wildcardsystems.com" sslport="8443"/>
</ISAPI>
<RequestMap applicationId="default">
<Host name="sso.wildcardsystems.com" authType="shibboleth"
requireSession="false" scheme="https" port="443"
exportAssertion="true">
</Host>
<Host name="sso.wildcardsystems.com" authType="shibboleth"
requireSession="false" scheme="https" port="8443"
exportAssertion="true">
</Host>
</RequestMap>

Are you referring to another location in the shibboleth2.xml file when
you say endpoints in the metadata?

Thanks!!

Peter Schober
2010-11-19 20:57:08 UTC
Permalink
* Scoggin, Rodger <Rodger.Scoggin-/Lv4ykeZ0xsS+***@public.gmane.org> [2010-11-19 20:00]:
> Are you referring to another location in the shibboleth2.xml file
> when you say endpoints in the metadata?

I was referring to the metadata describing your service provider, so
that would be the SAML V2.0 metadata you give to the IdP.
But I'm not sure I've followed the thread closely enough to know whether
this is relevant in your deployment, and I also don't know what the
metadata for your SP looks like now.
If it works as it is, forget I even mentioned something ;)
-peter
Scott Cantor
2010-11-19 19:00:23 UTC
Permalink
> Is there anyway, without changing my IIS config, to have both 8443 and
> 443 on the outside work at same time? Our customers will need to
> "rollover" to the new port in their system after we change and several
> systems with several customers will have to change. Their clients would
> be impacted in the meantime, need to minimize downtime...

If you have two separate outside ports routed to the same physical site, the
SP can't virtualize that correctly because it doesn't know which logical
settings to use. You'd need different internal sites, I think.

-- Scott
Scoggin, Rodger
2010-11-19 20:00:59 UTC
Permalink
Thanks, all - we'll add a new site ID and live with it. We will be
closing the port after the conversion anyways.

Again, thanks, and... BTW, Shibboleth rocks.


Scoggin, Rodger
2010-11-20 00:31:38 UTC
Permalink
Thanks Peter, we don't push metadata out to the IdP - but thanks!

----- Original Message -----
From: shibboleth-users-***@internet2.edu <shibboleth-users-***@internet2.edu>
To: shibboleth-***@internet2.edu <shibboleth-***@internet2.edu>
Sent: Fri Nov 19 14:57:08 2010
Subject: Re: [Shib-Users] IIS Port Virtualization BindingException

* Scoggin, Rodger <***@fisglobal.com> [2010-11-19 20:00]:
> Are you referring to another location in the shibboleth2.xml file
> when you say endpoints in the metadata?

I was referring to the metadata describing your service provider, so
that would be the SAML V2.0 metadata you give to the IdP.
But I'm not sure I've followed the thread closely enough to know whether
this is relevant in your deployment, and I also don't know what the
metadata for your SP looks like now.
If it works as it is, forget I even mentioned something ;)
-peter


rodger scoggin
2010-12-08 21:16:42 UTC
Permalink
Recently our IdP issued a new certificate to us (the SP). The old one was
still valid, as was the new one (a renewal, as the old one was soon to expire),
but we could not find a way to use both at the same time so that the switch
over could be totally at the leisure of the IdP. Effectively we had to have a
specific time to "roll in" the new cert, have the issuer test, etc. Any ideas
on how to configure the EntityDescriptors to allow "stand-in" certs, or maybe
failover to the backing file until the new cert is actually used?

Thanks,
Rodger Scoggin
Cantor, Scott E.
2010-12-08 21:19:31 UTC
Permalink
> Recently our IdP issued a new certificate to us (the SP). The old one was
> still valid, as was the new one (a renewal, as the old one was soon to expire),
> but we could not find a way to use both at the same time so that the switch
> over could be totally at the leisure of the IdP.

If they're both in the metadata, you're done. Assuming you're using Shibboleth.

> Effectively we had to have a
> specific time to "roll-in" the new cert, have the issuer test, etc.

If you're using Shibboleth, you don't have to do that.

-- Scott
Robb III, George B.
2010-12-08 21:28:34 UTC
Permalink
Is there anything particular that needs to be done, syntax wise, to allow dual certs (old & new)?

Amazingly useful tidbit.

Thanks again,

George

Cantor, Scott E.
2010-12-08 21:41:57 UTC
Permalink
> Is there anything particular that needs to be done, syntax wise, to allow dual
> certs (old & new)?

Depends entirely on which trust engine is being relied on to do the work.

-- Scott
Scoggin, Rodger
2010-12-08 21:31:01 UTC
Permalink
Thanks, Scott..

So if we had a _current_ chain of certs for the SP and CurrCert1 was the
current, about-to-expire cert and we had a new cert, NewCert1 - could it
look like this:

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
    <ds:X509Certificate>
      NewCert1
    </ds:X509Certificate>
  </ds:X509Data>
  <ds:X509Data>
    <ds:X509Certificate>
      CurrCert1
    </ds:X509Certificate>
  </ds:X509Data>
  <ds:X509Data>
    <ds:X509Certificate>
      CurrCert2
    </ds:X509Certificate>
  </ds:X509Data>
  <ds:X509Data>
    <ds:X509Certificate>
      CurrCert3
    </ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>

Rodger

Cantor, Scott E.
2010-12-08 21:37:21 UTC
Permalink
> So if we had a _current_ chain of certs for the SP and CurrCert1 was the
> current about to expire cert and we had a new cert, NewCert1 - could it
> look like this:

No, not at all: you use multiple KeyDescriptors in the metadata, one key per descriptor, and there is no chain necessary. The recommended trust model does not involve certificates, and their content, validity, issuer, etc. are irrelevant.

I have no specifics on your chosen trust arrangements, federation scenario, or anything else, but the point is that "if you do it the way we tell people, it just works".

-- Scott
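Scott's answer, as an added example that is not part of this thread or of the Shibboleth code base: a small Python script that emits SP metadata with one KeyDescriptor per certificate (old and new side by side) and models the explicit-key trust decision, where a key listed in metadata is accepted regardless of chain, issuer or expiry. The entity ID, the certificate strings and the helper names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholders; real metadata carries base64 DER certificates.
NEW_CERT = "MIIC...NewCert1...PLACEHOLDER"
CURRENT_CERT = "MIIC...CurrCert1...PLACEHOLDER"


def build_sp_metadata(entity_id, certs):
    """Emit SP metadata with one md:KeyDescriptor per certificate.

    No chain and no intermediate CAs: each descriptor carries exactly one
    end-entity certificate, which is how the old and new keys coexist."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        ed, f"{{{MD}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for cert in certs:
        # No 'use' attribute: the key serves both signing and encryption.
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor")
        ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
        xd = ET.SubElement(ki, f"{{{DS}}}X509Data")
        ET.SubElement(xd, f"{{{DS}}}X509Certificate").text = cert
    return ET.tostring(ed, encoding="unicode")


def _normalize(cert_text):
    # Base64 in XML is usually line-wrapped; compare without any whitespace.
    return "".join(cert_text.split())


def trusted_certs(metadata_xml):
    """Every certificate the SP's metadata lists, across all KeyDescriptors."""
    root = ET.fromstring(metadata_xml)
    path = (f"{{{MD}}}SPSSODescriptor/{{{MD}}}KeyDescriptor/"
            f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    return {_normalize(el.text) for el in root.iterfind(path)}


def explicit_key_trust(presented_cert, metadata_xml):
    """Explicit-key trust decision (constructed model, not Shibboleth's code).

    Accept iff the presented certificate matches one listed in metadata.
    Issuer, chain and expiry are never consulted, so the IdP may switch to
    the new key at any time and the old one keeps working until the SP
    drops its KeyDescriptor. A real trust engine compares the public key
    inside the certificate; the certificate blob stands in for it here."""
    return _normalize(presented_cert) in trusted_certs(metadata_xml)
```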