Getting PowerFAIDS NetPartner to work with Shibboleth 3 - another attempt


Getting PowerFAIDS NetPartner to work with Shibboleth 3 - another attempt

StormyNP
Apologies ahead of time for my newness to this board. I'm starting a new thread based on the recent one for Netpartner/Shibboleth IdP3...

Note: new IdP3 server is successfully working with other service providers.


My scenario: new netpartner server, new shibboleth server (IdP3; previously our old netpartner worked with an IdP2 server).

I've tried to apply the recent recommendations on this maillist, but I can never get to my shibboleth logon page. After hitting https://mynetpartnerserver/NetPartnerStudent, the SAML goes across but after shibboleth gets it I get directed to a shib page:


The login service was unable to identify a compatible way to respond to the requested application. This is generally due to a misconfiguration on the part of the application and should be reported to the application's support team or owner. 





The logs show the issue starting here (server names scrubbed)...

2018-05-17 15:19:26,883 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:65] - Profile Action SelectProfileInterceptorFlow: Moving completed flow intercept/security-policy/saml2-sso to completed set, selecting next one
2018-05-17 15:19:26,884 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:80] - Profile Action SelectProfileInterceptorFlow: No flows available to choose from
2018-05-17 15:19:26,895 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeOutboundMessageContext:149] - Profile Action InitializeOutboundMessageContext: Initialized outbound message context
2018-05-17 15:19:26,918 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:375] - Profile Action PopulateBindingAndEndpointContexts: Attempting to resolve endpoint of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService for outbound message
2018-05-17 15:19:26,920 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:516] - Profile Action PopulateBindingAndEndpointContexts: Populating template endpoint for resolution from SAML AuthnRequest
2018-05-17 15:19:26,921 - WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'NetPartner': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, Location=https://servernamehere/NetPartnerStudent/Logon.aspx, trusted=false]
2018-05-17 15:19:26,938 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: EndpointResolutionFailed


From my Firefox developer tools, I see this:

 HTTP400: BAD REQUEST - The request could not be processed by the server due to invalid syntax.



My shibboleth configurations are as follows (relevant netpartner items only):

netpartner metadata

<EntityDescriptor entityID="NetPartner" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
        urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
    </SPSSODescriptor>
</EntityDescriptor>


metadata-providers.xml 

<MetadataProvider id="NetPartnerMetadata"
    xsi:type="FilesystemMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="%{idp.home}/metadata/netpartner.xml"/>


relying-party.xml

<bean id="SHA1SecurityConfig" parent="shibboleth.DefaultSecurityConfiguration"
    p:signatureSigningConfiguration-ref="shibboleth.SigningConfiguration.SHA1" />

Under RelyingPartyOverrides

<bean parent="RelyingPartyByName" c:relyingPartyIds="NetPartner">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:securityConfiguration-ref="SHA1SecurityConfig" />
            <bean parent="SAML1.AttributeQuery" p:securityConfiguration-ref="SHA1SecurityConfig" />
            <bean parent="SAML1.ArtifactResolution" p:securityConfiguration-ref="SHA1SecurityConfig" />
            <bean parent="SAML2.ECP" p:securityConfiguration-ref="SHA1SecurityConfig" />
            <bean parent="SAML2.Logout" p:securityConfiguration-ref="SHA1SecurityConfig" />
            <bean parent="SAML2.AttributeQuery" p:securityConfiguration-ref="SHA1SecurityConfig" />
            <bean parent="SAML2.ArtifactResolution" p:securityConfiguration-ref="SHA1SecurityConfig" />
            <bean parent="SAML2.SSO"
                p:encryptAssertions="false"
                p:securityConfiguration-ref="SHA1SecurityConfig"
                p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'}}" />
        </list>
    </property>
</bean>


On NetPartner login tab:

SSO: yes
Identity provider url: https:/myshibserver/idp/profile/SAML2/Redirect/SSO
Protocol binding: Post
Request nameid format: [Do Not Use]
Service Provider Name: NetPartner



Any help GREATLY appreciated.
-Norm Bodnar





--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Getting PowerFAIDS NetPartner to work with Shibboleth 3 - another attempt

Tony Skalski
Try removing the "<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>" from the metadata.

I do not have this line in my config, and IIRC, removing that line is what got Carl's installation working.

ajs

On Thu, May 17, 2018 at 3:14 PM Norman Bodnar <[hidden email]> wrote:


--
Tony Skalski
System Administrator | IT

Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057



RE: Getting PowerFAIDS NetPartner to work with Shibboleth 3 - another attempt

Cantor, Scott E.
> I do not have this line in my config, and IIRC, removing that line is what got
> Carl's installation working.

That isn't possible; that has no effect whatsoever.

The error is in the log: the response endpoint in the request doesn't match the metadata.

-- Scott

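The check Scott points at, emulated as an added example (not code from the thread or from the Shibboleth project): the IdP only answers to an AssertionConsumerService whose binding and Location appear in the SP's metadata, which is what stops an AuthnRequest from steering assertions to an unlisted endpoint. The metadata and AuthnRequest below are constructed from the values in the log; matching is simplified to an exact (Binding, Location) comparison, and the IdP's fallback to a default ACS when the request names none is left out.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_URL = "https://servernamehere/NetPartnerStudent/Logon.aspx"

# Constructed AuthnRequest carrying the endpoint values the IdP logged.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_req1" Version="2.0" IssueInstant="2018-05-17T20:19:26Z"
    ProtocolBinding="{HTTP_POST}"
    AssertionConsumerServiceURL="{ACS_URL}"/>"""

# Constructed: the shape of the posted metadata, the ACS element closed
# but still publishing no Location attribute.
BROKEN_METADATA = f"""<EntityDescriptor entityID="NetPartner" xmlns="{MD_NS}">
  <SPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
    <AssertionConsumerService index="1" Binding="{HTTP_POST}"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed: the same metadata once the request's ACS URL is published.
FIXED_METADATA = BROKEN_METADATA.replace(
    'index="1"', f'index="1" Location="{ACS_URL}"')


def requested_endpoint(authn_request_xml):
    """(ProtocolBinding, AssertionConsumerServiceURL) named by the SP's request."""
    req = ET.fromstring(authn_request_xml)
    return req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL")


def published_endpoints(metadata_xml):
    """Set of (Binding, Location) pairs the SP metadata actually lists."""
    root = ET.fromstring(metadata_xml)
    pairs = set()
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        # An ACS element without a Location can never match a request.
        if acs.get("Binding") and acs.get("Location"):
            pairs.add((acs.get("Binding"), acs.get("Location")))
    return pairs


def resolve_endpoint(metadata_xml, authn_request_xml):
    """Exact match against metadata, or None (the IdP's EndpointResolutionFailed)."""
    wanted = requested_endpoint(authn_request_xml)
    return wanted if wanted in published_endpoints(metadata_xml) else None


if __name__ == "__main__":
    print("broken metadata ->", resolve_endpoint(BROKEN_METADATA, AUTHN_REQUEST))
    print("fixed metadata  ->", resolve_endpoint(FIXED_METADATA, AUTHN_REQUEST))
```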

Re: Getting PowerFAIDS NetPartner to work with Shibboleth 3 - another attempt

StormyNP
Thanks Scott and Tony. I figured it out (as far as getting to login, successful authentication and back to NetPartner). A typo on my part had to be corrected, and an infrastructure change was needed.

Side note: I DID have to include cert info in my netpartner metadata for this to work. The original thread's example was able to get by without it. My Shibboleth IdP 3 is on Linux, using Jetty. Originally it was IdP 2 on Windows/Tomcat.

On Thu, May 17, 2018 at 4:14 PM, Norman Bodnar <[hidden email]> wrote:

Re: Getting PowerFAIDS NetPartner to work with Shibboleth 3 - another attempt

Peter Schober
* Norman Bodnar <[hidden email]> [2018-05-21 15:06]:
> Side note: I DID have to include cert info in my netpartner metadata
> for this to work. The original thread's example was able to get by
> without it.

As you configured your IDP to NOT encrypt anything to that SP, that
doesn't make a lot of sense: The SP's cert wouldn't serve any
purpose during SSO.
But of course you WANT the IDP to encrypt data to the SP, so you WANT
to have a suitable cert in the SP's metadata.
-peter