Hi,
I've been tearing my hair out with the Shibboleth 2.1 IdP and I'm not finding it easy. I was in the middle of composing this message when Francis's announcement of the release of his documentation arrived and I'm about to go away and sit in a quiet corner and digest it, I'm certain there will be some useful tips in it, although what I have to ask here might not be.
Thanks again to Francis for making this available.
In order to try and replicate what we currently have as a precursor to planning a migration I've installed both the IdP and an SP on a Windows machine which is spoofed in the hosts file to be the same name as our live IdP. This is so I can try and set things up exactly how they'll be in the finished article and I'm using the same hostname, entity ID and certificates as the real thing. I'm using Apache httpd 2.2.9 at the front with JRE 1.5.0.16 and Tomcat 5.5.26. These just happened to be the versions I'd had on this machine earlier and I left them there because they're in the "acceptable" list.
I didn't find it too bad to get the SAML2 stuff up and going. I have it happily releasing attributes sourced through LDAP to the SP and I intend to play around with the scriptlet stuff so that I can do exactly what the live IdP does. Where things don't quite seem to work right is where you tell the SP to contact it with SAML1, so that I can ensure that any SPs out in the big bad world who do that will still be able to get through. So in the SP I'd changed the session initiator order to pick Shib1 first:
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                  relayState="cookie" entityID="https://idp.dundee.ac.uk/shibboleth">
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
</SessionInitiator>
When I go to a protected web page on the SP the authentication works fine, but then things go wrong, with no attributes appearing. The IdP has this in the log file:
16:16:35.580 - ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:36] - Inbound message issuer was not authenticated.
16:16:35.580 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:171] - Message did not meet security requirements
And the SP says:
2009-07-27 16:16:35 ERROR OpenSAML.SOAPClient [1]: SOAP client detected a SAML error: (samlp:Responder) (Message did not meet security requirements)
2009-07-27 16:16:35 ERROR Shibboleth.AttributeResolver.Query [1]: attribute authority returned a SAML error
Now, I've tried to work through the documentation and make sense out of the "common errors" page. From what I read it looks like I have a certificates issue, but I can't spot what. Is there a reason why the SAML2 stuff should work but not the SAML1? Changing the order of the SessionInitiator elements to put the SAML2 one above the Shib1 results in a working IdP.
I'm posting this here in the hope that someone will have seen this before or will be able to give me a hint that will set me on the right track!
Cheers
Andy
The University of Dundee is a registered Scottish charity, No: SC015096
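The IdP log above says the inbound message issuer was not authenticated, and Andy suspects a certificate problem. In the SAML1 flow the SP fetches attributes over the SOAP back channel, and the IdP's default metadata-driven trust checks the credential the SP presents (TLS client certificate or signing key) against the certificates published in that SP's metadata KeyDescriptor elements; a credential that is not in the metadata is exactly the kind of mismatch that produces this error. The following is an added example, not code from the thread or from the Shibboleth project: a small stdlib-only checker that extracts the certificates from an SP's metadata and reports whether a given PEM credential is one of them. The metadata, entityID and certificate bytes are constructed placeholders (the "certificate" is not real X.509 data; only the byte-for-byte comparison is exercised).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders: NOT real certificates, just bytes that stand in
# for the DER encoding so the matching logic can be run offline.
FAKE_SP_CERT_DER = b"constructed-sp-cert-bytes-not-real-x509"
FAKE_STALE_CERT_DER = b"constructed-stale-cert-bytes-not-real-x509"

# Constructed SP metadata with a single KeyDescriptor (no 'use' attribute,
# so it applies to both signing and encryption).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(FAKE_SP_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour lines and decode the base64 body to DER bytes."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER blob, the usual way to compare certs."""
    return hashlib.sha256(der).hexdigest()


def metadata_key_fingerprints(metadata_xml: str, entity_id: str) -> List[str]:
    """Fingerprints of every certificate the named SP publishes for
    signing/authentication (KeyDescriptors marked use="encryption" are
    skipped because they are irrelevant to authenticating the SP)."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iter(f"{{{MD_NS}}}KeyDescriptor"):
            if kd.get("use") == "encryption":
                continue
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                # Metadata base64 is usually wrapped/indented; drop whitespace.
                der = base64.b64decode("".join((cert.text or "").split()))
                fingerprints.append(der_fingerprint(der))
    return fingerprints


def credential_matches_metadata(credential_pem: str, metadata_xml: str,
                                entity_id: str) -> bool:
    """True if the PEM credential is one of the SP's published certificates."""
    wanted = der_fingerprint(pem_to_der(credential_pem))
    return wanted in metadata_key_fingerprints(metadata_xml, entity_id)


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (helper for building test inputs)."""
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    for label, der in (("current", FAKE_SP_CERT_DER), ("stale", FAKE_STALE_CERT_DER)):
        ok = credential_matches_metadata(make_pem(der), SAMPLE_METADATA, sp)
        print(f"{label} credential {der_fingerprint(der)[:16]}...: "
              f"{'matches' if ok else 'NOT in'} metadata for {sp}")
```

In practice you would point `pem_to_der` at the SP's configured credential (the certificate file named in the SP's CredentialResolver) and `metadata_key_fingerprints` at the copy of the SP's metadata that the IdP actually loads; when the two disagree, the SOAP attribute query will be rejected just as in the log excerpts above even though the front-channel SAML2 flow, which does not need the back channel, appears to work.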