Error 403 for IdP (Jetty 9.3)

Error 403 for IdP (Jetty 9.3)

HCUK eLearning
We run Jetty 9.3 for our live and test IdPs. I've changed the URL for our test one (moving to a different subdomain, forced by our reverse proxy managers), and given Jetty the new HTTPS certificate - it seems to load fine.

But when I trigger a login attempt from the SP (Canvas in this case), I get a 403/Forbidden error:
Forbidden
You don't have permission to access /idp/profile/SAML2/Redirect/SSO on this server.

I've tried looking at jetty.log and access.log under the idp_base/logs folder, to no avail.

Any suggestions on where else to check would be appreciated.


Thanks,
Dave

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Error 403 for IdP (Jetty 9.3)

Peter Schober
* HCUK eLearning <[hidden email]> [2018-06-06 16:33]:
> We run Jetty 9.3 for our live and test IdPs. I've changed the URL for our
> test one (moving to a different subdomain, forced by our reverse proxy
> managers), and given Jetty the new HTTPS certificate - it seems to load
> fine.

You don't mention what else you've changed. Changing "the URL" for an
IDP also means having to change all the SPs it federates with.
That may come down to providing them with updated SAML 2.0 Metadata, or
it may involve manual work where metadata is not being used.

-peter
Re: Error 403 for IdP (Jetty 9.3)

HCUK eLearning
I updated all the URLs in the IdP metadata, so they were correct, and changed the entityID in idp.properties and the metadata (it's only properly paired up with one SP anyway, Canvas, and their implementation of SAML lets me tell it where to get the metadata from - so an XML file on an HTTPS-fronted server of ours, which it knows about).
I checked the IdP logs too, no sign of errors there (or of it being hit to process any attempt).

On Wed, Jun 6, 2018 at 3:58 PM, Peter Schober <[hidden email]> wrote:
RE: Error 403 for IdP (Jetty 9.3)

Cantor, Scott E.
> I checked the IdP logs too, no sign of errors there (or of it being hit to process
> any attempt).

Either the error message is really Apache or a load balancer front-end or it's Jetty and the IdP isn't even running. Both cases are obvious from the look of the message and the logs.
 
-- Scott

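A small triage helper for the distinction Scott draws above, added here as an illustration and not code from the thread or from the Shibboleth project: it parses a raw HTTP 403 response and reports whether the page signature looks like a front-end (Apache httpd or nginx stock error page) or Jetty's own error page. Both sample responses are constructed, and the Jetty version string in the sample is a placeholder.

```python
import re

# Constructed sample responses, modelled on the stock error pages of
# Apache httpd and Jetty 9.x; they are not captures from any real server.
APACHE_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<html><head><title>403 Forbidden</title></head><body>\n"
    "<h1>Forbidden</h1>\n"
    "<p>You don't have permission to access /idp/profile/SAML2/Redirect/SSO\n"
    "on this server.</p></body></html>\n"
)
# "9.3.x" below is a placeholder for whatever version string Jetty prints.
JETTY_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><head><title>Error 403 Forbidden</title></head><body>\n"
    "<h2>HTTP ERROR 403</h2>\n"
    "<p>Problem accessing /idp/profile/SAML2/Redirect/SSO. Reason:\n"
    "<pre>    Forbidden</pre></p>\n"
    "<hr><a href=\"http://eclipse.org/jetty\">Powered by Jetty:// 9.3.x</a>\n"
    "</body></html>\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_403(raw):
    """Guess which tier produced a 403: 'front-end' (Apache httpd / nginx stock
    page), 'jetty' (Jetty's own error page), 'unknown', or 'not-403'."""
    status, headers, body = parse_response(raw)
    if status != 403:
        return "not-403"
    server = headers.get("server", "").lower()
    # Jetty's page carries "HTTP ERROR 403" and a "Powered by Jetty" link.
    if "jetty" in server or "Powered by Jetty" in body or "HTTP ERROR 403" in body:
        return "jetty"      # reached Jetty; check the IdP webapp deployment and idp-process.log
    # Apache httpd's stock page ends "... on this server."; nginx signs its page.
    if server.startswith("apache") or "on this server" in body \
            or re.search(r"<center>nginx", body):
        return "front-end"  # never reached Jetty; the proxy/load balancer rule blocked it
    return "unknown"
```

A "front-end" verdict matches the outcome in this thread: the IdP logs stay empty because the request is refused before it reaches Jetty.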
Re: Error 403 for IdP (Jetty 9.3)

HCUK eLearning
Good spot - looks like it's the reverse proxy. I tried it on a server, with the IP address of the IdP fed into the hosts file, and it did the login process. Will ask the admin to fix that tomorrow.

I got an error at the SP end, which is probably a mistake by me, but at least Canvas has a good debugger which will watch your SAML attempts in realtime while you're configuring a SAML IdP with it.

Thanks both.

On Wed, Jun 6, 2018 at 4:17 PM, Cantor, Scott <[hidden email]> wrote: