Problems with test IdP and SP setup


Problems with test IdP and SP setup

simon-7
Hi,
We are about to add Shibboleth support to one of our applications, so we thought we would set up a test environment first.

The environment consists of an IdP (2.1.2) and a Native SP (2.1 I believe), the IdP is running in Tomcat 5.5 and the SP on IIS 6. They are located on the same machine.

With some effort we managed to get the SP and IdP to talk to each other, following the guide at https://spaces.internet2.edu/display/SHIB2/IdPSPLocalTestInstall - however when testing out our setup using http://sp-url:9080/secure we get the following error message:

opensaml::FatalProfileException at (http://f364.intra.infodata.se:9080/Shibboleth.sso/SAML2/POST)

SAML response contained an error.

Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

Looking in native.log for our SP doesn't tell us much:
2009-01-14 18:03:55 ERROR Shibboleth.Listener [756] isapi_shib_extension: remoted message returned an error: SAML response contained an error.

And shibd.log last line is this (I can't find anything that looks like an error prior to that.):
2009-01-14 18:03:55 DEBUG Shibboleth.SSO.SAML2 [1]: processing message against SAML 2.0 SSO profile

Tried to get better/more verbose OpenSAML-logging, but no game.

Anybody have an idea what might be the problem? Everything runs at some very strange ports, but they talk to each other so I don't really think that's the main issue.

Thanks in advance.

Re: Problems with test IdP and SP setup

Nate Klingenstein
Simon,

I think your problem may be a lot more mundane than what you're examining. Are you being prompted to authenticate by the IdP? If not, you've probably got something wrong in your authentication configuration, and most likely by far is step 7 in the IdP installation configuration. Especially since you've got a relatively complex environment, make sure you've got that in the right virtual host.

Either way, you'll find much better information in your IdP's idp-process.log.

Take care,
Nate.

On 14 Jan 2009, at 17:21, <[hidden email]> wrote:

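The Responder/AuthnFailed pair Simon pasted is the IdP's own verdict, which is why Nate points at the IdP's authentication setup rather than the SP. The following is an added example, not code from this thread or from Shibboleth/OpenSAML: it walks the nested samlp:StatusCode chain of a raw SAML 2.0 Response (for instance one captured from the browser's POST to /Shibboleth.sso/SAML2/POST and base64-decoded) and says which side failed. The embedded Response is constructed to carry the thread's status codes; its ID, IssueInstant and Destination are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed Response carrying exactly the status the SP reported in the thread;
# ID, IssueInstant and Destination are placeholder values, not captured data.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_placeholder-id" Version="2.0" IssueInstant="2009-01-14T17:03:55Z"
    Destination="http://sp.example.test:9080/Shibboleth.sso/SAML2/POST">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

def status_chain(response_xml):
    """Return StatusCode values top-level first, e.g. ['Responder', 'AuthnFailed'].
    SAML 2.0 nests the optional second-level code inside the top-level one;
    only the top level is mandatory, so the chain may hold a single entry.
    """
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    chain = []
    while code is not None:
        value = code.get("Value", "")
        # Strip the shared URN prefix so callers can compare short names.
        chain.append(value[len(PREFIX):] if value.startswith(PREFIX) else value)
        code = code.find("samlp:StatusCode", NS)
    return chain

def classify(response_xml):
    """Say which side failed, i.e. where to start debugging.
    Responder + AuthnFailed means the IdP could not authenticate the user
    (check its authentication handler and idp-process.log, not the SP);
    Requester means the IdP rejected what the SP sent (metadata, AuthnRequest).
    """
    chain = status_chain(response_xml)
    if not chain:
        return "malformed"  # no Status/StatusCode element at all
    top, sub = chain[0], (chain[1] if len(chain) > 1 else None)
    if top == "Success":
        return "success"
    if top == "Responder" and sub == "AuthnFailed":
        return "idp-authn-failed"
    if top == "Requester":
        return "requester-error"
    return "responder-error"
```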


RE: Problems with test IdP and SP setup

simon-7
Hi, thanks for the quick reply. We wound up scrapping IIS for the moment as all the different ports were too complex. The SP runs on Apache 2.2 now. We've made quite a bit of progress.

Still two problems remain:
We try to protect /idp/Authn/RemoteUser as mentioned in the tutorial, but we don't get any authentication dialog. It seems to authenticate us anyway and send us back to the SP.

At this point it works almost as expected, except that none of the attributes we configured (by following the tutorial) are getting passed to the SP. /Shibboleth.sso/Session shows no Attributes as being set at all, despite a valid session.

The log, shibd.log has this to say:
2009-01-15 16:13:25 WARN Shibboleth.AttributeResolver.Query [1]: response from attribute authority was empty

I don't know why this is. Can it be from our mixing of HTTP and HTTPS? The SP runs without SSL on port 80, while the IdP goes through the SSL Connector defined in Tomcat (port 8443).

Yours Sincerely,
Simon Otter

Programmer, OnPosition AB

> -----Original Message-----
> From: Nate Klingenstein [mailto:[hidden email]]
> Sent: Wednesday, January 14, 2009 6:33 PM
> To: [hidden email]
> Subject: Re: [Shib-Users] Problems with test IdP and SP setup
>


Re: Problems with test IdP and SP setup

Peter Schober
* [hidden email] <[hidden email]> [2009-01-15 17:05]:
>  We try to protect /idp/Authn/RemoteUser as mentioned in tutorial,
>  but we don't get any authentication dialog. It seems to
>  authenticate us anyway and send us back to the SP.

The User-Agent will send the credentials (used for HTTP Basic Auth) on
each subsequent request. To test if this is the case either completely
exit your web browser or (if using Firefox) "Clear Private Data".

> At this point it works almost as expected, except any of the
> attributes we configured (by following the tutorial) is getting
> passed to the SP. /Shibboleth.sso/Session shows no Attributes as
> being set at all, despite a valid session.
[...]
> I don't know why this is. Can it be from our mixing of HTTP and
> HTTPS? The SP runs without SSL on port 80, while the IdP goes
> through the SSL Connector defined in Tomcat (port 8443).

No. The SP received an Authentication Assertion so communication from
the IdP to the SP (via the web browser) should be fine.

As for the port 8443 I don't know what you're doing -- the tutorial
has no mention of this and if Tomcat is only accessible via Apache
httpd (which is the case here, since Apache httpd handles the
authentication for the IdP) there is no other Connector necessary in
Tomcat except for the AJP one.

Btw, since IdPInstall has no mention of Apache httpd anymore maybe
IdPSPLocalTestInstall should be changed as well. I guess the only
reason httpd is still in the mix there is for easily setting up a
flatfile for authentication (via htpasswd), so maybe this could be
replaced with a JAAS module for plaintext authentication (e.g. the one
from tagish[1])?

cheers,
-peter

[1] http://free.tagish.net/jaas/

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Re: Problems with test IdP and SP setup

Christopher M. Coballes
In reply to this post by simon-7
Hello Sir Simon,

Just want to ask if you have done

1) htpasswd -c -b PATH/user.db username password
ex: htpasswd -c -b C:/shibboleth-idp/Credentials/user.db Manny Paciao


2) added this in your PATH/apache/conf/httpd.conf

<Location /shibboleth-idp/SSO>
    AuthType Basic
    AuthName "Message"
    AuthUserFile PATH/user.db
    require valid-user
</Location>

3) so that by browsing your "https://domain/IDP/SSO"
it should prompt an authentication.... just to check if it really does work..


Thanks


Christopher M. Coballes
Manila,Philippines

Re: Problems with test IdP and SP setup

Peter Schober
* Christopher M. Coballes <[hidden email]> [2009-01-16 04:02]:

> <Location /shibboleth-idp/SSO>
>         AuthType Basic
>         AuthName "Message"
>         AuthUserFile PATH/user.db
>         require valid-user
>     </Location>
>
> 3) so that by browsing your "https://domain/IDP/SSO"
> it should prompt an authentication.... just to check if it really does
> work..

No, by protecting /shibboleth-idp/SSO there will not be any basic auth
prompts when accessing /IDP/SSO.
A working example is in the wiki page the original poster already
cited.

cheers,
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
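Peter's two points, that a browser silently re-sends Basic credentials once it has them and that the <Location> block must cover the path the browser actually requests (here /idp/Authn/RemoteUser, not /shibboleth-idp/SSO), can be tried without Apache. The following is an added example, not code from this thread, Shibboleth or httpd: a small Python HTTP server that applies Apache's <Location> prefix rule and a Basic auth challenge, so one can see which paths get a 401 prompt. The user account and realm are constructed; the creds argument stands in for a browser that already holds cached credentials.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"Manny": "Paciao"}    # constructed test account (assumption)
REALM = "Shibboleth IdP test"  # constructed realm name (assumption)

def location_matches(prefix, path):
    """Apache <Location> rule: exact match, or prefix ending at a '/' boundary."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def basic_user(header):
    """Return the user name if the Authorization header holds valid Basic credentials."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None

def make_handler(protected):
    # Challenge only paths under one of the given <Location> prefixes.
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # silence per-request logging
            pass
        def do_GET(self):
            if any(location_matches(p, self.path) for p in protected) and \
                    basic_user(self.headers.get("Authorization")) is None:
                self.send_response(401)  # what the browser shows as a login prompt
                self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            else:
                self.send_response(200)
            self.end_headers()
    return Handler

def status_for(protected, path, creds=None):
    # Serve one GET against the given <Location> list and return the HTTP status.
    server = HTTPServer(("127.0.0.1", 0), make_handler(protected))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    headers = {}
    if creds:  # a browser that already holds credentials re-sends them unprompted
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1])
        conn.request("GET", path, headers=headers)
        return conn.getresponse().status
    finally:
        server.shutdown()
```

Protecting only /shibboleth-idp/SSO returns 200 for /idp/Authn/RemoteUser with no prompt, exactly the symptom Simon described; protecting /idp/Authn/RemoteUser yields a 401 on the first visit and a silent 200 once the browser sends the cached credentials.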

Re: Problems with test IdP and SP setup

Christopher M. Coballes


On Fri, Jan 16, 2009 at 12:26 AM, Peter Schober <[hidden email]> wrote:

Yes, I have tried it, sir. During its first web access, Apache just does authenticate <Location /shibboleth-idp/SSO>??

thanks

Christopher M. Coballes
Manila,Philippines