Unable to get through the login page with default ECP settings

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Unable to get through the login page with default ECP settings

Himanshu Gaur

Hi Team,


I have been trying to setup SSO to test with Shibboleth SP(2.5.5) and IDP(3.1.2) along with Apache DS(2.0M20) ; Apache WS (2.4.16) ; Tomcat7 and self-signed certificate for SSL. After so much effort I am able to integrate all these but unable to get the success page. All setup is done locally on Windows m/c. I have few challenges to overcome and need your guide for the same.


1} First, Once I am able to login successfully then how I can be able to access other Apps (URLs) without the authentication ; In short where to define Accessible Applications and restrict roles?


2) When I am trying to access via ECP (https://xample.fissso.org/idp-web/profile/SAML2/SOAP/ECP)  then after entering valid uid/pwd getting the below error :

HTTP Status 403 - Access to the requested resource has been denied

IDP logs - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:327] - [] - Default key version has not changed, still secret1

Ap24 logs - - - [30/Sep/2015:19:35:04 +0530] "GET /idp-web/profile/SAML2/SOAP/ECP HTTP/1.1" 403 1108

Tomcat logs - - 123 [30/Sep/2015:19:35:04 +0530] "GET /idp-web/profile/SAML2/SOAP/ECP HTTP/1.1" 403 1108


3) When I am trying to access via login (xample.fissso.org/idp-web/login) then its redirect me to the below url for consent:


like below -

You are about to access the service:

Information to be Provided to Service

cn                                                           123        

eduPersonPrincipalName            [hidden email]              

mail                                                        [hidden email]          

sn                                                           123        

uid                                                          123

Select an information release consent duration:…….

After accepting the consent redirected to “HTTP Status 404 - /idp-web/login” with blank page.URL (https://xample.fissso.org/idp-web/login)


4) Not sure if this is getting able to connect to ApacheDS to get authenticated because there is nothing in the DS logs when I am using below details in httpd.conf –

<Location /idp-web/*>    AuthType shibboleth

                   ShibRequestSetting requireSession 1

                   ShibUseHeaders On

                   require valid-user         </Location>

But when I am explicitly setting the below values –

<Location /idp-web/profile/SAML2/SOAP/ECP>  AuthName "LDAP FIS Test Login"

                AuthType Basic

                AuthBasicProvider ldap

AuthLDAPURL ldap://ads.fissso.org:10389/ou=users,ou=system?*??(objectClass=*)

                AuthLDAPBindAuthoritative off

                LDAPReferrals Off

require valid-user            </Location>

I am able to get below the DS logs -

[21:01:47] WARN [org.apache.directory.server.core.normalization.NormalizationInterceptor] - undefined filter based on undefined attributeType not evaluted at all.  Returning empty enumeration.

This seems to be because of * at the place of uid in the given LDAP URL; not sure how to overcome with this problem.


I have tried many ways to overcome with above issues but unable to get success page.  Below are config details I have provided in the setup –

IDP Properties


idp.entityID= https://xample.fissso.org/idp-web/shibboleth

idp.scope= FNFIS.com

idp.views = %{idp.home}/views

idp.authn.flows= RemoteUserInternal

idp.authn.favorSSO = true



idp.authn.LDAP.authenticator= adAuthenticator

idp.authn.LDAP.ldapURL  = ldap://ads.fissso.org:10389

idp.authn.LDAP.useStartTLS     = false

idp.authn.LDAP.useSSL          = false

idp.authn.LDAP.sslConfig      = jvmTrust

idp.authn.LDAP.baseDN  =  ou=users,ou=system

idp.authn.LDAP.bindDN   = uid=321

idp.authn.LDAP.bindDNCredential   = test#ldap

idp.authn.LDAP.returnAttributes= uid,cn,sn

idp.authn.LDAP.subtreeSearch      = true

idp.authn.LDAP.userFilter       = (uid={user})

idp.authn.LDAP.dnFormat= uid=%s,ou=users,ou=system


Along with attribute settings changes in Relying-party.xml details are  - <util:list id="shibboleth.RelyingPartyOverrides">

        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://xample.fissso.org/shibboleth">

            <property name="profileConfigurations">

                <list>                  <bean parent="SAML2.SSO" p:encryptAssertions="false" p:postAuthenticationFlows="attribute-release"/>

                </list>            </property>        </bean>    </util:list>

Also provided SP and IDP metadata in the metadata folder of IDP and  IDP’s metadata in SP – etc / shib/ path and in the logs it is loaded successful.


I am able to see the default pages like – index and status page and able to see the request reached to tomcat when access default pages.


It will be great if you can guide me further to overcome the above said problems / deadlock and see the success.


Best Regards,

Himanshu Gaur


The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.