SAML 2 SSO profile is not configured for relying party


SAML 2 SSO profile is not configured for relying party

Seiichirou Hiraoka
Hello,

I want Shibboleth-SP (SP) to communicate with Shibboleth-IdP (IdP)
  and authenticate with LDAP.

I try to access https://rhel5-vm.example.co.jp/shibboleth
and get the following error message:
  SAML 2 SSO profile is not configured for relying party

  Picking up other messages from /var/log/shibboleth/shibd.log...

14:43:30.418 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No metadata for relying party https://rhel5-vm.example.co.jp/shibboleth, treating party as anonymous
14:43:30.418 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:174] - SAML 2 SSO profile is not configured for relying party https://rhel5-vm.example.co.jp/shibboleth
14:43:30.423 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: SAML 2 SSO profile is not configured for relying party https://rhel5-vm.example.co.jp/shibboleth
...

I think the error message is caused by a relying-party.xml configuration
problem on the IdP.
But I don't know how to configure it.
Please tell me how to, or another cause.
If other information is required, please tell me.

My environment is as follows.

o IdP
  Hostname: idp.example.co.jp
  OS: Debian 5.0.1
  Tomcat 6.0.18
    /opt/tomcat
  shibboleth-identityprovider 2.1.2
    /opt/shibboleth-idp
    /opt/tomcat/webapps/idp
  Java 6u12 (by aptitude)

o SP
  Hostname: rhel5-vm.example.co.jp
  OS: RHEL 5.3
  Apache 2.2.9 (OS default)
  shibboleth 2.1 (by SRPM)

o LDAP
  Hostname: ldap.example.co.jp

My configuration is as follows.

-----
o IdP
-----

- Tomcat
. /opt/tomcat/conf/server.xml

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="8443" protocol="HTTP/1.1"
               maxHttpHeaderSize="8192" maxThreads="150"
               scheme="https" secure="true" clientAuth="want"
               SSLEnabled="true" sslProtocol="TLS"
               keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
               keystorePass="flathill"
               truststoreFile="/opt/shibboleth-idp/credentials/idp.jks"
               truststorePass="flathill"
               truststoreAlgorithm="DelegateToApplication"/>

    <!-- Define an AJP 1.3 Connector on port 8009 (bound to loopback only,
         so only the local Apache front end can reach it) -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" enableLookups="false"
               request.tomcatAuthentication="false" />

. /opt/tomcat/conf/Catalina/localhost/idp.xml

<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false" />

. /opt/tomcat/webapps/ROOT/idp-metadata.xml

<EntityDescriptor entityID="https://idp.example.co.jp:8443/idp/shibboleth"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...snip...


- Shibboleth IdP
. Create SSL CERT /opt/shibboleth-idp/credentials/{idp.key,idp.crt}

. /opt/shibboleth-idp/conf/login.config
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap.example.co.jp"
      port="389"
      ssl="false"
      tls="false"
      base="ou=user,o=example"
      userField="cn"
      subtreeSearch="false"
      serviceUser="cn=admin,ou=user,o=example"
      serviceCredential="secret";
};

. /opt/shibboleth-idp/conf/handler.xml
    <!--
    <LoginHandler xsi:type="RemoteUser">
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
    </LoginHandler>
    -->
    <!--  Username/password login handler -->
    <LoginHandler xsi:type="UsernamePassword"
                  jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
    </LoginHandler>

. /opt/shibboleth-idp/conf/relying-party.xml
    <AnonymousRelyingParty provider="http://idp.example.co.jp/idp/shibboleth" />

    <DefaultRelyingParty provider="http://idp.example.co.jp/idp/shibboleth"
                         defaultSigningCredentialRef="IdPCredential">

...snip...

        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://idp.example.co.jp/metadata/metadata.xml"
                          backingFile="/opt/shibboleth-idp/metadata/metadata.xml">

...snip...

-----
o SP
-----

- Apache
. Create SSL CERT on /etc/shibboleth/{sp.key,sp.crt}

. /etc/apache2/conf/extra/shib.conf

#
# Load the SHIBBOLETH module
#
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so

ShibConfig /etc/shibboleth/shibboleth2.xml
#
# Used for example logo and style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth/logo.jpg
</IfModule>

. /etc/apache2/conf/extra/httpd-ssl.conf

    <Location /shibboleth>
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
    </Location>

</VirtualHost>

- Shibboleth SP
. /etc/shibboleth/shibboleth2.xml

    <RelyingParty id="https://rhel5-vm.example.co.jp/shibboleth"
                  provider="https://idp.example.co.jp:8443/idp/profile"
                  defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
    </RelyingParty>

    <!-- Chains together all your metadata sources. -->
    <MetadataProvider type="Chaining">
        <!-- Example of remotely supplied batch of signed metadata. -->
        <MetadataProvider type="XML" uri="https://idp.example.co.jp:8443/idp-metadata.xml"
                          backingFilePath="/etc/shibboleth/idp-metadata.xml" reloadInterval="7200">
            <!--
            <SignatureMetadataFilter certificate="fedsigner.pem"/>
            -->
        </MetadataProvider>

Best Regards!

- flathill

Re: SAML 2 SSO profile is not configured for relying party

Peter Schober
* Seiichirou Hiraoka <[hidden email]> [2009-06-19 09:21]:
> 14:43:30.418 - WARN
> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No metadata for relying party https://rhel5-vm.example.co.jp/shibboleth, treating party as anonymous

Did you have a look at the documentation?
https://spaces.internet2.edu/display/SHIB2/IdPRelyingParty
-peter

Re: SAML 2 SSO profile is not configured for relying party

Seiichirou Hiraoka
Hello peter,

Thank you for reply.

From: Peter Schober <[hidden email]>
Subject: Re: [Shib-Users] SAML 2 SSO profile is not configured for relying party
Date: Fri, 19 Jun 2009 11:56:42 +0200

> * Seiichirou Hiraoka <[hidden email]> [2009-06-19 09:21]:
> > 14:43:30.418 - WARN
> > [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No metadata for relying party https://rhel5-vm.example.co.jp/shibboleth, treating party as anonymous
>
> Did you have a look at the documentation?
> https://spaces.internet2.edu/display/SHIB2/IdPRelyingParty

Yes, I have looked at the document many times.
And I added the following configuration to relying-party.xml:

    <RelyingParty id="https://rhel5-vm.example.co.jp/shibboleth"
              provider="https://idp.example:8443/idp/profile"
              defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
    </RelyingParty>

But it does not work...

Regards!

- flathill

Re: SAML 2 SSO profile is not configured for relying party

Peter Schober
* Seiichirou Hiraoka <[hidden email]> [2009-06-19 13:07]:

> Yes, I had look the document many times.
> And I add following configuration to relying-party.xml
>
>     <RelyingParty id="https://rhel5-vm.example.co.jp/shibboleth"
>               provider="https://idp.example:8443/idp/profile"
>               defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
>         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
>         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
>         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
>         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
>         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
>         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
>     </RelyingParty>

This does not address the error that the IdP has no metadata for the
SP in question. You'll also need to tell the IdP where to find
metadata for this SP:
https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
-peter

RE: SAML 2 SSO profile is not configured for relying party

Cantor, Scott E.
Peter Schober wrote on 2009-06-19:
>  This does not address the error that the IdP has no metadata for the SP
> in question. You'll also need to tell the IdP where to find metadata for
> this SP: https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider

In point of fact, we really need to reorganize or add something to those
topics, because people keep mistaking the notion of "Add relying party" to
mean that adding an SP somehow requires (or even implies that it's a good
idea) to constantly add RelyingParty elements, which is nonsense. It's
understandable from the wording though.

-- Scott



Re: SAML 2 SSO profile is not configured for relying party

Seiichirou Hiraoka
In reply to this post by Peter Schober
Hello,

From: Peter Schober <[hidden email]>
Subject: Re: [Shib-Users] SAML 2 SSO profile is not configured for relying party
Date: Fri, 19 Jun 2009 13:40:17 +0200

> * Seiichirou Hiraoka <[hidden email]> [2009-06-19 13:07]:
> > Yes, I had look the document many times.
> > And I add following configuration to relying-party.xml
> >
> >     <RelyingParty id="https://rhel5-vm.example.co.jp/shibboleth"
> >               provider="https://idp.example:8443/idp/profile"
> >               defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
> >         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
> >         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
> >         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
> >         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
> >         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
> >         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
> >     </RelyingParty>
>
> This does not address the error that the IdP has no metadata for the
> SP in question. You'll also need to tell the IdP where to find
> metadata for this SP:
> https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider

Do I need to edit relying-party.xml or
idp-metadata.xml to tell the IdP where to find
metadata for my SP (rhel5-vm)?

I do not understand the relationship between
relying-party.xml and idp-metadata.xml, or how they work, well.

I am sorry for the unpolished question.

- flathill

Re: SAML 2 SSO profile is not configured for relying party

Peter Schober
* Seiichirou Hiraoka <[hidden email]> [2009-06-19 16:14]:
> > This does not address the error that the IdP has no metadata for the
> > SP in question. You'll also need to tell the IdP where to find
> > metadata for this SP:
> > https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
>
> Do I need to edit whether relying-party.xml or
> idp-metadata.xml to tell the IdP where to find
> metadata for my SP (rhel5-vm) ?

Following IdPMetadataProvider you need to define a metadata provider
in relying-party.xml, yes. The wiki page is full of examples, for a
simple test a Filesystem Metadata Provider would suffice.
-peter
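Peter's pointer above, as an added example that is not from the thread or the Shibboleth project: a metadata section for the IdP's relying-party.xml that loads the IdP's own metadata plus a locally saved copy of the test SP's metadata through FilesystemMetadataProvider, with no per-SP RelyingParty element (the point Scott makes earlier). The two file paths and the SP metadata fragment are assumptions; the entityIDs are the ones appearing in the thread, and the xsi prefix is the one bound at the root of the stock relying-party.xml.

```xml
<!-- /opt/shibboleth-idp/conf/relying-party.xml (IdP 2.x), metadata section.
     Assumed: the two metadataFile paths. Chaining both sources lets the IdP
     resolve https://rhel5-vm.example.co.jp/shibboleth to a known SP instead of
     "treating party as anonymous", which is what produced the SSO error. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">

    <!-- The IdP's own metadata (the idp-metadata.xml shown earlier in the thread). -->
    <MetadataProvider id="IdPMD" xsi:type="FilesystemMetadataProvider"
                      metadataFile="/opt/shibboleth-idp/metadata/idp-metadata.xml"
                      maintainExpiredMetadata="true" />

    <!-- The test SP. A Shibboleth SP 2.x publishes its own metadata at
         https://<sp-host>/Shibboleth.sso/Metadata; save that to this file.
         Check: its entityID must equal, byte for byte, the relying party
         string in the IdP's WARN line. -->
    <MetadataProvider id="TestSPMD" xsi:type="FilesystemMetadataProvider"
                      metadataFile="/opt/shibboleth-idp/metadata/rhel5-vm-metadata.xml"
                      maintainExpiredMetadata="true" />
</MetadataProvider>

<!-- /opt/shibboleth-idp/metadata/rhel5-vm-metadata.xml: the minimum the IdP
     needs to recognise the SP and know where it may deliver SAML 2 responses.
     Assumed fragment; the certificate body is a placeholder for sp.crt. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://rhel5-vm.example.co.jp/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- SP key: the IdP uses it to encrypt assertions to this SP only. -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER_BASE64_BODY_OF_sp.crt</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <!-- Endpoint list: the IdP only sends responses to locations registered here. -->
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rhel5-vm.example.co.jp/Shibboleth.sso/SAML2/POST" />
  </SPSSODescriptor>
</EntityDescriptor>
```

After restarting Tomcat, the earlier "No metadata for relying party" WARN line should no longer appear for this SP; if it still does, the entityID in the saved file and the one in the log differ.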

RE: SAML 2 SSO profile is not configured for relying party

Deepesh Shah
Peter,

Do you have an example file for relying-party.xml for testing with
http://www.testshib.org/ ?


Regards,

Deepesh




Re: SAML 2 SSO profile is not configured for relying party

Peter Schober
* Deepesh Shah <[hidden email]> [2009-06-19 16:27]:
> do you have an example file for relying-party.xml for testing with
> http://www.testshib.org/ ?

Just get the metadata TestShib tells you to get, put it in a place for
the IdP to find (e.g. metadata/ ) and configure a metadata provider as
per IdPMetadataProvider (in the wiki).
Copying and pasting from the wiki (and adjusting a single filesystem
path) is not different than copying and pasting from an email, I'd
say.
-peter

RE: SAML 2 SSO profile is not configured for relying party

Cantor, Scott E.
In reply to this post by Deepesh Shah
Deepesh Shah wrote on 2009-06-19:
> Peter,
>
> do you have an example file for relying-party.xml for testing with
> http://www.testshib.org/ ?

Testshib *gives* you the configuration material to use when you register
with it.

-- Scott