I have been trying to set up SSO to test with Shibboleth SP (2.5.5) and IDP (3.1.2) along with ApacheDS (2.0M20), Apache WS (2.4.16), Tomcat 7 and a self-signed certificate for SSL. After so much effort I am able to integrate all these but unable to get the success page. All setup is done locally on a Windows machine. I have a few challenges to overcome and need your guidance for the same.
1) First, once I am able to login successfully, how can I access other apps (URLs) without authentication? In short, where do I define accessible applications and restrict roles?
2) When I am trying to access via ECP (https://xample.fissso.org/idp-web/profile/SAML2/SOAP/ECP), then after entering a valid uid/pwd I am getting the below error:
HTTP Status 403 - Access to the requested resource has been denied
IDP logs - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:327] -  - Default key version has not changed, still secret1
Ap24 logs - 127.0.0.1 - - [30/Sep/2015:19:35:04 +0530] "GET /idp-web/profile/SAML2/SOAP/ECP HTTP/1.1" 403 1108
Tomcat logs - 127.0.0.1 - 123 [30/Sep/2015:19:35:04 +0530] "GET /idp-web/profile/SAML2/SOAP/ECP HTTP/1.1" 403 1108
3) When I am trying to access via login (xample.fissso.org/idp-web/login), it redirects me to the below URL for consent, like below:
You are about to access the service:
Select an information release consent duration:…….
After accepting the consent I am redirected to “HTTP Status 404 - /idp-web/login” with a blank page. URL (https://xample.fissso.org/idp-web/login)
4) Not sure if this is able to connect to ApacheDS to get authenticated, because there is nothing in the DS logs when I am using the below details in httpd.conf:
<Location /idp-web/*>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>
But when I am explicitly setting the below values:
<Location /idp-web/profile/SAML2/SOAP/ECP>
    AuthName "LDAP FIS Test Login"
    Require valid-user
</Location>
I am able to get the below DS logs:
[21:01:47] WARN [org.apache.directory.server.core.normalization.NormalizationInterceptor] - undefined filter based on undefined attributeType not evaluted at all. Returning empty enumeration.
This seems to be because of the * in place of uid in the given LDAP URL; not sure how to overcome this problem.
I have tried many ways to overcome the above issues but am unable to get the success page. Below are the config details I have provided in the setup:
Along with attribute settings changes, the relying-party.xml details are:
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://xample.fissso.org/shibboleth">
        <!-- profile configurations applied to this relying party only -->
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:encryptAssertions="false" p:postAuthenticationFlows="attribute-release"/>
            </list>
        </property>
    </bean>
</util:list>
Also provided SP and IDP metadata in the metadata folder of the IDP, and the IDP’s metadata in the SP’s etc/shib/ path, and in the logs it is loaded successfully.
I am able to see the default pages like the index and status page, and able to see the request reach Tomcat when accessing the default pages.
It will be great if you can guide me further to overcome the above said problems / deadlock and see success.
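For reference, an added httpd.conf sketch (not from the original post) of how Shibboleth SP access control for applications and direct HTTP Basic/LDAP authentication for an IdP ECP endpoint are usually laid out on Apache 2.4 with SP 2.5.x. The paths /secure-app and /other-app, the attribute name "affiliation" and its values, and the ApacheDS port, base DN and bind account are assumptions.

```apache
# Shibboleth SP handler endpoint; it must not itself be behind AuthType shibboleth.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# An application protected by the SP session. Access rules for each
# application live in its own Location block via Require directives.
<Location /secure-app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Role restriction on a SAML attribute released by the IdP and mapped in the
    # SP's attribute-map.xml; "affiliation" and its values are assumed names.
    Require shib-attr affiliation member staff
</Location>

# A second application with a weaker rule: any authenticated SP session.
<Location /other-app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# The IdP's ECP endpoint is authenticated directly by the web server (HTTP Basic
# against LDAP), not via the SP. Port, base DN and bind account are assumed
# ApacheDS values; the login attribute is uid, not a wildcard.
<Location /idp-web/profile/SAML2/SOAP/ECP>
    SSLRequireSSL
    AuthType Basic
    AuthName "LDAP FIS Test Login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost:10389/ou=users,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "uid=admin,ou=system"
    AuthLDAPBindPassword "CHANGE_ME"
    Require valid-user
</Location>
```

Basic credentials travel in clear text inside the TLS session, so the SSLRequireSSL line keeps the endpoint from ever being served over plain HTTP.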