Forwarding authentication request error 404 - ExternalAuth [SOLVED]

Beresford
Hi, I have configured an SP (http://sp.example.org) and an IdP (http://idp.example.org:8080). In the IdP I have the following Handler:

    <!-- index.jsp is located in a different Tomcat from the IdP's -->
    <ph:LoginHandler xsi:type="ph:ExternalAuthn"
                      externalAuthnPath="http://idp.example.org:8282/index.jsp"
                      supportsForcedAuthentication="true">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>


When I request a protected resource in the SP I get redirected to the url:  

http://idp.example.org:8080/idp/AuthnEngine 

with the message:

ERROR

An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.

Error Message: Invalid IdP URL (HTTP 404)


I checked the link (http://idp.example.org:8282/index.jsp) and it is working. I also checked the log and its content is:

=========================  Log  ============================

20:54:45.904 - INFO [Shibboleth-Access:74] - 20120223T015445Z|MyIP|idp.example.org:8080|/profile/SAML2/Redirect/SSO|
20:54:45.906 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
20:54:45.906 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
20:54:45.906 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:344] - No login context in storage service
20:54:45.906 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:160] - Incoming request does not contain a login context, processing as first leg of request
20:54:45.907 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:312] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
20:54:45.924 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://www.sp.example.org/shibboleth
20:54:45.924 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for http://www.sp.example.org/shibboleth, looking up configuration based on metadata groups.
20:54:45.925 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for http://www.sp.example.org/shibboleth. Using default relying party configuration.
20:54:45.927 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:333] - Decoded request from relying party 'http://www.sp.example.org/shibboleth'
20:54:45.927 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://www.sp.example.org/shibboleth
20:54:45.927 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for http://www.sp.example.org/shibboleth, looking up configuration based on metadata groups.
20:54:45.927 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for http://www.sp.example.org/shibboleth. Using default relying party configuration.
20:54:45.927 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:203] - Creating login context and transferring control to authentication engine
20:54:45.930 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:169] - Storing LoginContext to StorageService partition loginContexts, key cf3305ab-80b7-4372-ab1f-ba80e60a0ccf
20:54:45.930 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:216] - Redirecting user to authentication engine at http://idp.example.org:8080/idp/AuthnEngine
20:54:45.933 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request
20:54:45.934 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:240] - Beginning user authentication process.
20:54:45.934 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:286] - Filtering configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@27660d22, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.ExternalAuthnSystemLoginHandler@1ce84763}
20:54:45.934 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:335] - Filtering out previous session login handler because there is no existing IdP session
20:54:45.934 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:467] - Selecting appropriate login handler from filtered set {urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.ExternalAuthnSystemLoginHandler@1ce84763}
20:54:45.934 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:500] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.ExternalAuthnSystemLoginHandler
20:54:45.935 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:169] - Storing LoginContext to StorageService partition loginContexts, key 5cfa0e87-a027-4ed2-9537-dba43699760b
20:54:45.935 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:100] - Forwarding authentication request to http://idp.example.org:8282/index.jsp

=========================  Log  ============================

As the final line shows, it is forwarding to the URL specified in the Handler, but why is it redirecting me to the URL http://idp.example.org:8080/idp/AuthnEngine without first showing me the URL in the handler?

I tried changing the final endpoint to one located in the same Tomcat as the IdP, but the result is the same. Even if I try with a fictional URL the result is the same.

Any help is very appreciated.

Regards!

Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

Beresford
 

Before attempting any of the following instructions, make a backup of your configuration files.

Hi everyone. I finally solved it! Here's the answer (it may help somebody):

1) In the External Authentication handler set the Path to "index.jsp"

   <ph:LoginHandler xsi:type="ph:ExternalAuthn"
                      externalAuthnPath="index.jsp"
                      supportsForcedAuthentication="true"> 
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>


2) I created a jar that was in charge of the authentication process. Inside it I added the following code:

        1.      if( "user was successfully authenticated" ){   ///Pseudocode 
        2.              request.setAttribute("forceAuthn", false);
        3.              request.setAttribute("isPassive", true);

        4.              Principal principal = new UsernamePrincipal("user_name_trying_to_authenticate");
        5.              Subject subj = new Subject();
        6.              subj.getPrincipals().add(principal);

        7.              request.setAttribute(LoginHandler.PRINCIPAL_KEY, principal);
        8.              request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, username);
        9.              request.setAttribute(LoginHandler.SUBJECT_KEY, subj);
        10.             request.setAttribute("authnMethod", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
        11.             request.setAttribute("relyingParty", "http://www.sp.example.org/shibboleth");

        12.             AuthenticationEngine.returnToAuthenticationEngine(request, response);
        13.     } else {
        14.             request.setAttribute("loginFailed", "true"); //
        15.             request.getRequestDispatcher("/login.jsp").forward(request, response);
        16.     }

Lines 2 and 3 must match the values set in the LoginHandler in the handler.xml file of the IdP.

According to the documentation: "the custom-developed code must then set the HttpServletRequest attributes required by the
edu.internet2.middleware.shibboleth.idp.authn.LoginHandler interface", but I believed that the only ones you
had to set were forceAuthn, isPassive, authnMethod and relyingParty. However, I kept receiving in the log file the error
"Authentication failed with the error: No user identified by login handler", so to avoid this error you have to
set the values from lines 7-9. You may be wondering what LoginHandler.PRINCIPAL_KEY,
LoginHandler.PRINCIPAL_NAME_KEY and LoginHandler.SUBJECT_KEY mean; well, those are member variables of the LoginHandler interface.
If you look at the code of that interface you will find:

    /** Request attribute to which user's principal should be bound. */
    public static final String PRINCIPAL_KEY = "principal";

    /** Request attribute to which user's principal name should be bound. */
    public static final String PRINCIPAL_NAME_KEY = "principal_name";

    /** Request attribute to which user's subject should be bound. */
    public static final String SUBJECT_KEY = "subject";  

Instead of LoginHandler.SUBJECT_KEY you can put the string "subject" and it will work too. Remember that if you want to
use them you have to include the jar "shibboleth-identityprovider-2.3.5.jar".

In line 10, to be honest, I was putting the string "unspecified" (since I started using that method), but after a few
readings in the mailing list (and asking Google) I found that you have to pass the whole 'definition' (if you want
to use the method 'unspecified' use 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified').

The line 11 is the relying party (your service provider).

Line 12 is very important (you have to include the jar shibboleth-identityprovider-2.3.5.jar in order to be able
to call this method) because it continues the SSO process.

Since the login.jsp page checks for the attribute 'loginFailed' to show the message 'Credentials not recognized.' in red,
in line 14 I set this attribute in the request object. Since I set the failed attribute, in line 15 I forward
to the login.jsp to show the user the message about a failed authentication attempt.

3) Once the login.jsp is loaded and you enter the username and password and hit submit, you will probably end up
with an error 404 because the result page will be 'j_security_check' from the IdP. In order
to handle this path through your new jar you will have to change the web.xml file from the source folder of the idp:

    <servlet>
        <servlet-name>your_servlet</servlet-name>
        <servlet-class>you_package_name_plus_class_name</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>your_servlet</servlet-name>
        <url-pattern>/j_security_check</url-pattern>
    </servlet-mapping>   

4) I said that I created a jar; well, the purpose of creating a jar was to be able to put it inside the identity
provider war file (idp.war) so I can communicate easily with the IdP. You can do this by adding your new jar (let's call it
newJar.jar :p) to the lib folder of the source folder of the IdP and then running the installer (PLEASE, BEFORE DOING
THIS, MAKE A BACKUP OF YOUR CONFIGURATION FILES, OR KEEP READING TO AVOID THE REINSTALLATION OPTION), but you'll
have to re-configure the IdP. An option to avoid this is to add newJar.jar to the lib folder (like I said before)
and build the war through ant. By doing this you'll end up with the new idp.war and the only thing you have to do is
re-deploy it to tomcat. The code I use to build the war is:

<?xml version="1.0" encoding="UTF-8"?>
<project name="Shibboleth Identity Provider" basedir="../../.." default="createWar">

    <property name="installer.dir" value="${basedir}/src/installer"/>
    <property name="resources.dir" value="${installer.dir}/resources"/>
    <property name="tools.dir" value="${basedir}/src/tools"/>
    <property name="webapp.dir" value="${basedir}/src/main/webapp"/>
    <property name="war.name" value="idp"/>

    <target name="createWar" description="Installs the identity provider software.">

        <war warfile="/folder_where_you_want_the_war/${war.name}.war" webxml="/path_to_your_custom_webXML_file/web.xml">
            <lib dir="/path_to_idp_sources/lib" excludes="servlet-api*.jar,jsp-api*.jar"/>
            <webinf dir="${webapp.dir}/WEB-INF" excludes="web.xml"/>
            <fileset dir="${webapp.dir}" excludes="WEB-INF/**"/>
        </war>

    </target>
</project>

NOTE: I don't deploy the newJar.jar through the GUI manager; instead I configure the option of looking in a specific folder for the war
file. To know more about this go here: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare
and at the end of the page look for the title 'Using a Context Deployment Fragment'.

Although it worked for me, if there's something I did wrong, any comment will be appreciated.

Regards.
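A servlet that implements the hand-off described in steps 1-4, added here as an illustration; it is neither Beresford's code nor part of the IdP distribution. It assumes handler.xml's externalAuthnPath points at this servlet (mapped at the hypothetical path /externalAuth, and also at /j_security_check for the form's POST), that ExternalAuthnSystemLoginHandler sets the relyingParty, forceAuthn and isPassive attributes on the forwarded request as the IdP documentation describes, and that the in-memory credential table is a constructed stand-in for a real credential store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;

/* Leg 1: ExternalAuthnSystemLoginHandler forwards the AuthnEngine request to
 * externalAuthnPath="/externalAuth" (this servlet), which renders login.jsp.
 * Leg 2: login.jsp POSTs to /j_security_check (also this servlet), which checks the
 * credentials and hands the result back to the AuthenticationEngine. */
public class ExternalAuthServlet extends HttpServlet {
    private static final String FORWARD_PATH = "/externalAuth";   // assumed externalAuthnPath
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String AUTHN_METHOD =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
    // Attributes the handler is assumed to set on the forwarded request (IdP documentation).
    private static final String[] CARRIED = {"relyingParty", "forceAuthn", "isPassive"};
    private static final String SESSION_PREFIX = "externalAuth.";  // our own session keys

    // Constructed credential table, username -> SHA-256(salt:password); a real deployment
    // delegates to LDAP, JAAS or similar and never keeps plaintext passwords anywhere.
    private static final String SALT = "constructed-salt";
    private static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();
    static { USERS.put("alice", hash("correct horse")); }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (FORWARD_PATH.equals(req.getServletPath())) {
            showLoginForm(req, resp);                                 // leg 1
        } else if ("POST".equalsIgnoreCase(req.getMethod())) {
            handleCredentials(req, resp);                             // leg 2
        } else {
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        }
    }

    /** Leg 1: remember what the IdP asked for, then render the form. */
    private void showLoginForm(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        for (String key : CARRIED) {
            session.setAttribute(SESSION_PREFIX + key, req.getAttribute(key));
        }
        req.getRequestDispatcher(LOGIN_PAGE).forward(req, resp);
    }

    /** Leg 2: verify the credentials and set the LoginHandler request attributes. */
    private void handleCredentials(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(SESSION_PREFIX + "relyingParty") == null) {
            // Direct POST, replay or expired session: there is no pending IdP login context.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "No pending authentication request");
            return;
        }
        String username = req.getParameter("username");
        if (!verifyCredentials(username, req.getParameter("password"))) {
            req.setAttribute("loginFailed", "true");   // login.jsp shows 'Credentials not recognized.'
            req.getRequestDispatcher(LOGIN_PAGE).forward(req, resp);
            return;
        }
        // The principal carries the username only; the password never goes into it or into logs.
        Principal principal = new UsernamePrincipal(username);
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        req.setAttribute(LoginHandler.PRINCIPAL_KEY, principal);
        req.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, username);
        req.setAttribute(LoginHandler.SUBJECT_KEY, subject);
        req.setAttribute("authnMethod", AUTHN_METHOD);              // must match handler.xml
        for (String key : CARRIED) {   // echo relyingParty/forceAuthn/isPassive, then drop them
            req.setAttribute(key, session.getAttribute(SESSION_PREFIX + key));
            session.removeAttribute(SESSION_PREFIX + key);         // one shot: no replay
        }
        AuthenticationEngine.returnToAuthenticationEngine(req, resp);
    }

    /** Constant-time check; unknown users are hashed too so timing does not reveal them. */
    static boolean verifyCredentials(String username, String password) {
        byte[] expected = username == null ? null : USERS.get(username);
        byte[] actual = hash(password == null ? "" : password);
        return expected != null && MessageDigest.isEqual(expected, actual);
    }

    private static byte[] hash(String password) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest((SALT + ":" + password).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the relying party is captured from the IdP's own forwarded request rather than hard-coded, the same servlet serves every SP, and a POST that arrives without a pending login context is rejected instead of being completed.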
Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

Yudhister
I am looking into Shibboleth external authentication; can anyone send me the basic steps I need to follow with JAAS using Oracle?

Thanks,
Yudhister
Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

Beresford
Hi Yudhister,

You can use the official documentation, which explains the basic steps: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass

You may also use this guide that may help you too: http://www.cesnet.cz/doc/techzpravy/2008/ldap-with-shibboleth-idp-2/

Cheers!


Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

Yudhister
Hi,

I need to configure the IdP for External Authentication System User Authentication. I tried to follow the instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal, but have several questions.

1. Since the externalAuthnPath can only be a URL under the same web context, i.e. idp.war, does it mean that I have to modify the IdP source code to add a filter/servlet?
Do I have other options here?
2. My external auth process is in a different web app; it seems to me the only way to communicate from the custom filter/servlet to the external auth process is via a web service. Is this the right approach, and do I have other options?

Thanks,

Yudhister
Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

Beresford
Hi Yudhister,

I don't know definitive and truthful answers to your questions, but if you like, you can subscribe to the Shibboleth dev list: http://shibboleth.net/community/lists.html where you can post these questions and they will give a definite and truthful answer.

Kind Regards

-Beresford


Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

dominic
hi, Beresford,

I have followed the steps you wrote, but failed. Could you please give me some guidance? Some code snippets are shown below:

handler.xml
    <ph:LoginHandler xsi:type="ph:ExternalAuthn" externalAuthnPath="/signin.jsp"  supportsForcedAuthentication="true">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

signin.jsp
<%@ page language="java" contentType="text/html; charset=utf-8"
    pageEncoding="utf-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
    <form action="secure/authenticate" method="POST">
        Email:<input type="text" name="email" maxlength="20" id="email" value="" />
            <br />
            pwd:<input type="password" name="password" maxlength="20" id="password" value=""><br />
            <input  type="submit" value="Commit">
    </form>
</body>
</html>


servlet configuration in web.xml of IdP:
    <servlet>
        <servlet-name>secureResource</servlet-name>
        <servlet-class>com.auth.test.ExternalAuthServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>secureResource</servlet-name>
        <url-pattern>/secure/authenticate</url-pattern>
    </servlet-mapping>

ExternalAuthServlet.java:

import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;

public class ExternalAuthServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String email = request.getParameter("email");
        String pwd = request.getParameter("password");

        boolean f = true;   // placeholder: no real credential check yet
        if (f) {
            request.setAttribute("forceAuthn", true);
            request.setAttribute("isPassive", true);

            // The principal name is the user identifier only; the password must not be part of it.
            Principal principal = new UsernamePrincipal(email);
            Subject subj = new Subject();
            subj.getPrincipals().add(principal);

            request.setAttribute(LoginHandler.PRINCIPAL_KEY, principal);
            request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, "dominic");
            request.setAttribute(LoginHandler.SUBJECT_KEY, subj);
            request.setAttribute("authnMethod", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
            request.setAttribute("relyingParty", "https://sp.csrdu.org/shibboleth");

            AuthenticationEngine.returnToAuthenticationEngine(request, response);
        } else {
            request.setAttribute("loginFailed", "true");
            request.getRequestDispatcher("/signin.jsp").forward(request, response);
        }
    }
}
Page associated with signin.jsp

When I commit the request, errors are reported to me. I checked the idp-process.log, which shows the following:

07:52:06.058 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'https://sp.csrdu.org/shibboleth' requested the response to be returned to endpoint with ACS URL 'https://sp.csrdu.org/Shibboleth.sso/SAML2/POST'  and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding,  can be found in the relying party's metadata
07:52:06.059 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:429] - No return endpoint available for relying party https://sp.csrdu.org/shibboleth
07:52:06.060 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:346] - No login context in storage service
07:52:06.060 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display

Any help is appreciated.

Thanks,

Dominic
Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

Beresford
Hi Dominic, 

It seems that you have a problem with your relying party's metadata. In the metadata folder of your shibboleth-idp, verify the definition of the metadata that belongs to the relying party https://sp.csrdu.org/shibboleth and check that it is properly structured.

Also, you can check these links that may help you:

Regards,

-Beresford



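A metadata check for the "No return endpoint available for relying party" error in dominic's log, added as an example (not code from Beresford or the Shibboleth project): it parses the SP's metadata, finds the EntityDescriptor for the relying party and reports whether the ACS URL and binding the SP requested are registered there, naming the usual near misses. The sample metadata in main() is constructed; the IdP refuses to send an assertion to any endpoint that is not in the relying party's metadata, which is what keeps a crafted AuthnRequest from steering responses elsewhere.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Checks whether the ACS URL/binding an SP asked for is registered in its metadata. */
public class AcsEndpointCheck {

    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    static String check(String metadataXml, String entityId, String acsUrl, String binding)
            throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Metadata often comes from a remote party: no DTDs, no external entities (XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(metadataXml.getBytes(StandardCharsets.UTF_8)));

        // Locate the EntityDescriptor whose entityID is the relying party from the log line.
        Element sp = null;
        NodeList entities = doc.getElementsByTagNameNS(MD_NS, "EntityDescriptor");
        for (int i = 0; i < entities.getLength(); i++) {
            Element e = (Element) entities.item(i);
            if (entityId.equals(e.getAttribute("entityID"))) { sp = e; break; }
        }
        if (sp == null) {
            return "MISSING: no EntityDescriptor with entityID=" + entityId;
        }

        // Exact Location + Binding match is what the IdP's endpoint selector needs.
        List<String> registered = new ArrayList<String>();
        String nearMiss = null;
        NodeList acs = sp.getElementsByTagNameNS(MD_NS, "AssertionConsumerService");
        for (int i = 0; i < acs.getLength(); i++) {
            Element e = (Element) acs.item(i);
            String loc = e.getAttribute("Location");
            String bnd = e.getAttribute("Binding");
            if (loc.equals(acsUrl) && bnd.equals(binding)) {
                return "OK: endpoint registered";
            }
            if (nearMiss == null && loc.equals(acsUrl)) {
                nearMiss = "URL registered but with Binding=" + bnd;
            }
            if (nearMiss == null && bnd.equals(binding)
                    && stripScheme(loc).equals(stripScheme(acsUrl))) {
                nearMiss = "scheme differs, metadata has Location=" + loc;
            }
            registered.add(bnd + " " + loc);
        }
        if (nearMiss != null) {
            return "MISMATCH: " + nearMiss;
        }
        return "MISSING: no AssertionConsumerService matches; metadata lists " + registered;
    }

    private static String stripScheme(String url) {
        int i = url.indexOf("://");
        return i < 0 ? url : url.substring(i + 3);
    }

    public static void main(String[] args) throws Exception {
        // Constructed SP metadata reproducing dominic's log line: the ACS is registered over
        // plain http, while the SP requested https://sp.csrdu.org/Shibboleth.sso/SAML2/POST.
        String metadata = "<md:EntityDescriptor xmlns:md=\"" + MD_NS + "\""
                + " entityID=\"https://sp.csrdu.org/shibboleth\">"
                + "<md:SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
                + "<md:AssertionConsumerService Binding=\"" + POST + "\""
                + " Location=\"http://sp.csrdu.org/Shibboleth.sso/SAML2/POST\" index=\"1\"/>"
                + "</md:SPSSODescriptor></md:EntityDescriptor>";
        System.out.println(check(metadata, "https://sp.csrdu.org/shibboleth",
                "https://sp.csrdu.org/Shibboleth.sso/SAML2/POST", POST));
    }
}
```

Point it at the file in the IdP's metadata folder and at the ACS URL and binding quoted in the AuthnResponseEndpointSelector warning; the report tells you whether the metadata is stale, uses the wrong binding, or differs only in scheme.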
Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

Beresford
Hi jfu,

Can you enable Debug level in your Shib’s log, retry the login and post the error information of the log. That can shed some light on this issue.

Best,

Beresford.

On Nov 27, 2013, at 4:48 PM, jfu [via Shibboleth] <ml-node+s1660669n7591856h20@n2.nabble.com> wrote:

Hi,

We have shibboleth 2.4  as IDP, and remote SP is simpleSAMLphp.

I followed the steps you mentioned in the post, but after I submitted the form, I got the following error:

14:41:31.603 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447] - No return endpoint available for relying party http://SP_IP_Address/simplesamlphp/www/module.php/saml/sp/metadata.php/default-sp


here is my source code

==== ExternalAuth Config in handler.xml=====

<ph:LoginHandler xsi:type="ph:ExternalAuthn" externalAuthnPath="index.jsp" supportsForcedAuthentication="true">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>


========= shibboleth IDP initiated link ============
Test new link

========== index.jsp ==================
<%@ page language="java" contentType="text/html; charset=utf-8"
    pageEncoding="utf-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Test Tranzlogic</title>
</head>
<body>
    <form action="/idp/servlet/externalAuth" method="POST">
        Username:<input type="text" name="username" maxlength="20" id="username" value="" />
            <br />
            pwd:<input type="password" name="password" maxlength="20" id="password" value=""><br />
            <input  type="submit" value="Commit">
    </form>
</body>
</html>

=========== Java Servlet ==============

import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;

public class ExternalAuthServlet extends HttpServlet {   // class name assumed; the post shows only doPost

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String pwd = request.getParameter("password");

        boolean authenticated = true;   // do authentication here

        if (authenticated) {
            request.setAttribute("forceAuthn", true);
            request.setAttribute("isPassive", true);

            Principal principal = new UsernamePrincipal(username);
            Subject subj = new Subject();
            subj.getPrincipals().add(principal);

            request.setAttribute(LoginHandler.PRINCIPAL_KEY, principal);
            request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, username);
            request.setAttribute(LoginHandler.SUBJECT_KEY, subj);
            // note: the handler.xml above declares urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
            request.setAttribute("authnMethod", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
            request.setAttribute("relyingParty", "http://SP_IP_Address/simplesamlphp/www/module.php/saml/sp/metadata.php/default-sp");

            // required fields that need to login to SP portal
            request.setAttribute("ID1", "1000003");
            request.setAttribute("ID2", "");
            request.setAttribute("UserType", "I");

            AuthenticationEngine.returnToAuthenticationEngine(request, response);
        } else {
            request.setAttribute("loginFailed", "true");
            request.getRequestDispatcher("/index.jsp").forward(request, response);
        }
    }
}

===== Detail information of SP ======

EntityID: http://SP_IP_Address/simplesamlphp/www/module.php/saml/sp/metadata.php/default-sp
AssertionConsumerService: http://SP_IP_Address/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp
RelayState : http://SP_IP_Address/simplesamlphp/www/module.php/core/webhome/saml_auth_index.php


IDP entity ID is entityID="https://test.mycompany.com/idp/shibboleth"
===== Part of my IDP metadata ===========
 <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://test.mycompany.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1" /> 
  <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://test.mycompany.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2" /> 
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.mycompany.com/idp/profile/SAML2/Redirect/SLO" /> 
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.mycompany.com/idp/profile/SAML2/POST/SLO" /> 
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://test.mycompany.com:8443/idp/profile/SAML2/SOAP/SLO" /> 
  <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> 
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> 
  <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://test.mycompany.com/idp/profile/Shibboleth/SSO" /> 
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.mycompany.com/idp/profile/SAML2/POST/SSO" /> 
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://test.mycompany.com/idp/profile/SAML2/POST-SimpleSign/SSO" /> 
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.mycompany.com/idp/profile/SAML2/Redirect/SSO" /> 


Can someone help me on this?

Thank you.

Re: Forwarding authentication request error 404 - ExternalAuth [SOLVED]

jfu
Thank you very much for your reply.

I have moved this question to shibboleth users list.

http://shibboleth.1660669.n2.nabble.com/SAML-response-error-No-return-endpoint-available-for-relying-party-tc7591912.html

Can you help me from that post?

Thanks.