Hello,

 

This maybe one for the Tomcat experts J as having sent this message to the Internet2 list, that was the only suggestion I got back – it’s a Tomcat issue – but I can’t see where. So, here we go..... suggestions welcome!

 

 

I'm attempting to set up a Shib 2 IdP on Red Hat Enterprise Linux release 3 (with JRE 1.6.0_18, apache-tomcat-6.0.20 and shibboleth-identityprovider-2.1.5) but running into a problem that looks so much like a misconfiguration someplace. 

 

The problem is that at the point where the IdP would serve up the user authentication page (login.jsp) it's actually redirecting itself to a URL like this:

 

https://servername.abdn.ac.uk:80/idp/Authn/UserPassword"

 

That is, an SSL-enable endpoint but with the wrong port number - the ":80" just shouldn't be there.

 

At the same time, the idp-process log reports:

 

09:58:59.849 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:198] - Processing incoming request

09:58:59.849 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:228] - Beginning user authentication process.

09:58:59.850 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:334] - Filtering configured login handlers by requested athentication methods.

09:58:59.850 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:335] - Configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@184b3b, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@f34a08, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@f34a08}

09:58:59.851 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:336] - Requested authentication methods: []

09:58:59.851 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:236] - Possible authentication handlers for this request: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@184b3b, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@f34a08, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@f34a08}

09:58:59.852 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:246] - Possible authentication handlers after filtering: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@184b3b, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@f34a08, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@f34a08}

09:58:59.852 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:277] - Selecting appropriate login handler for request

09:58:59.853 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:250] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler

09:58:59.853 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:155] - LoginContext parition: loginContexts

09:58:59.855 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:161] - LoginContext key: 10addd91-18cb-4dfa-a7e4-b78ceb0bc6a9

09:58:59.864 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler:75] - Redirecting to https://servername.abdn.ac.uk:80/idp/Authn/UserPassword

 

and as Tomcat isn't listening on port 80, the authentication process stalls.

 

We are not running any SSL-offloading stuff to cause the 443->80 port change.

 

If I do enable port 80 and https on it within Tomcat, the redirect then has somewhere to go, I can login, and attributes are delivered to the SP I've been testing with. Clearly that's not how it's supposed to work, but I'm at a loss to find the bit of configuration that's causing this.

 

Any clues or assistance appreciated.

 

John Thom

University of Aberdeen

UK

 



The University of Aberdeen is a charity registered in Scotland, No SC013683.