Hi,
We left out a piece of Apache config in our original Shib2 build that
meant Apache wasn't actually listening on port 8443 and calls to that
port were instead going straight to Tomcat rather than via Apache.
Tomcat also came by default (at least on Linux) with a site running on
port 8443 that needed to be disabled. Our SAML 2 tests on Testshib
worked fine with only port 443 working but SAML 1 wouldn't work until we
had the 8443 site working properly as well.
I don't know if this will be your problem or not (we're using Linux and
probably different versions of all the main components) but it sounds at
least similar to the problem we had. Unfortunately I'm on leave and
don't have ready access to the server and my archived mail to look out
the specific files/e-mails related to the problem but our corrected
config basically followed the SWITCH guidelines with occasional
reference to the Internet2 and UK Federation resources to fill in any
gaps. In particular we found the SWITCH guidelines the best at covering
the Apache and Tomcat related config.
https://www.switch.ch/aai/docs/shibboleth/SWITCH/2.1/idp/install-idp-2.1-debian.html
Regards,
Garry
-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Andy Swiffin
Sent: 28 July 2009 15:45
To: [log in to unmask]
Subject: Fun with Shibboleth 2?
Hi,
I've been tearing my hair out with the Shibboleth 2.1 IdP and I'm not
finding it easy. I was in the middle of composing this message when
Francis's announcement of the release of his documentation arrived and
I'm about to go away and sit in a quiet corner and digest it, I'm
certain there will be some useful tips in it, although what I have to
ask here might not be.
Thanks again to Francis for making this available.
In order to try and replicate what we currently have as a precursor to
planning a migration I've installed both the IdP and an SP on a windows
machine which is spoofed in the hosts file to be the same name as our
live IdP. This is so I can try and set things up exactly how they'll be
in the finished article and I'm using the same hostname, entity ID and
certificates as the real thing. I'm using Apache httpd 2.2.9 at the
front with jre 1.5.0.16 and tomcat 5.5.26. These just happened to be
the versions I'd had on this machine earlier and I left them there
because they're in the "acceptable" list.
I didn't find it too bad to get the SAML2 stuff up and going. I have
it happily releasing attributes sourced through LDAP to the SP and I
intend to play around with the scriptlet stuff so that I can do exactly
what the live IdP does. Where things don't quite seem to work right is
where you tell the SP to contact it with SAML1, so that I can ensure
that any SPs out in the big bad world who do that will still be able to
get through. So in the SP I'd changed the session initiator order to
pick shib1 first
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                  relayState="cookie" entityID="https://idp.dundee.ac.uk/shibboleth">
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
</SessionInitiator>
When I go to a protected web page on the SP the authentication works
fine, but then things go wrong, with no attributes appearing. The IdP
has this in the log file:
16:16:35.580 - ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:36] - Inbound message issuer was not authenticated.
16:16:35.580 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:171] - Message did not meet security requirements
And the SP says:
2009-07-27 16:16:35 ERROR OpenSAML.SOAPClient [1]: SOAP client detected a SAML error: (samlp:Responder) (Message did not meet security requirements)
2009-07-27 16:16:35 ERROR Shibboleth.AttributeResolver.Query [1]: attribute authority returned a SAML error
Now, I've tried to work through the documentation and make sense out of
the "common errors" page. From what I read it looks like I have a
certificates issue, but I can't spot what. Is there a reason why the
SAML2 stuff should work but not the SAML1? Changing the order of the
SessionInitiator elements to put the SAML2 one above the Shib1 results
in a working IdP.
I'm posting this here in the hope that someone will have seen this
before or will be able to give me a hint that will set me on the right
track!
Cheers
Andy
The University of Dundee is a registered Scottish charity, No: SC015096
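A minimal Apache 2.2 front-end vhost for the 8443 SOAP back-channel that Garry describes, added here as an illustration that is not part of either message; the hostname, certificate paths and AJP port 8009 are placeholders. The SP authenticates its SAML 1 attribute query with its own TLS client certificate, so if Tomcat serves 8443 itself (or Apache does not export the client cert) the IdP cannot identify the issuer and logs "Inbound message issuer was not authenticated".

```apache
# Added example (not from the thread): Apache owns port 8443 and forwards
# the IdP context to Tomcat over AJP. Hostnames, file paths and the AJP port
# are placeholders. Tomcat's own 8443 HTTPS connector in server.xml must be
# commented out so that this vhost, not Tomcat, is what answers on 8443.
Listen 8443

<VirtualHost _default_:8443>
    ServerName idp.example.org:8443

    SSLEngine on
    # Present the same certificate the SPs already trust from the IdP
    # metadata, not a separate certificate from a Tomcat keystore.
    SSLCertificateFile    /etc/ssl/certs/idp.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/idp.example.org.key

    # The SP's client certificate is validated by the IdP against federation
    # metadata, not against a CA in Apache's trust store: request it, but
    # let mod_ssl accept it even when no local CA signed it.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  10
    # Export the client certificate into the request environment so it is
    # carried over AJP and the IdP can authenticate the message issuer.
    SSLOptions +StdEnvVars +ExportCertData

    # Forward only the IdP context to Tomcat's AJP connector.
    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>
```

After restarting both services, confirm that the process bound to 8443 is httpd rather than Tomcat's java process (for example with netstat -tlnp on Linux) before re-running the SAML 1 test.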