Web Login Service - Message Security Error


Web Login Service - Message Security Error

liquid89
Hi folks,

First of all - yes, I used the search - but no topic helped me.

CentOS 7
Tomcat 7
Shibboleth 3

I have the following problem:

We have a SAML-Server for Authentication for an Application.
When I go to the URL https://portal-test.de I get the following error
message

ERROR
[org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200]
- Message Handler:  SAML message intended destination endpoint
'https://portal.test.de/idp/profile/SAML2/Redirect/SSO' did not match the
recipient endpoint 'http://servername:8443/idp/profile/SAML2/Redirect/SSO'

We have a Portal-URL that shows on servername:8443
https://portal.test.de --> *http://*servername:8443

So where is the Problem?
How can I solve this - maybe a Redirect to HTTPS?
Where can I best configure it?  I found nothing...

With an old Tomcat and Shibboleth it works without problems...

Thanks for help and greetings from Vienna!
Liquid




--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net

Re: Web Login Service - Message Security Error

Christopher Bongaarts
See the section on "Prepping Apache" on
https://wiki.shibboleth.net/confluence/display/SP3/Apache

particularly the bits about setting ServerName correctly and
UseCanonicalName.

On 2/14/2020 7:28 AM, liquid89 wrote:

> We have a SAML-Server for Authentication for an Application.
> When I go to the URL https://portal-test.de I get the following error
> message
>
> ERROR
> [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200]
> - Message Handler:  SAML message intended destination endpoint
> 'https://portal.test.de/idp/profile/SAML2/Redirect/SSO' did not match the
> recipient endpoint 'http://servername:8443/idp/profile/SAML2/Redirect/SSO'
>
> We have a Portal-URL that shows on servername:8443
> https://portal.test.de  --> *http://*servername:8443
>
> So where is the Problem?
> How can I solve this - maybe a Redirect to HTTPS?
> Where can I best configure it?  I found nothing...
>
> With an old Tomcat and Shibboleth it works without problems...

--
%%  Christopher A. Bongaarts   %%  [hidden email]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%


Re: Web Login Service - Message Security Error

Peter Schober
In reply to this post by liquid89
* liquid89 <[hidden email]> [2020-02-14 14:28]:
> We have a Portal-URL that shows on servername:8443
> https://portal.test.de --> *http://*servername:8443

So what's the correct public URL of your IDP server?
https://portal.test.de or http://servername:8443 ?

The metadata describing the IDP must match exactly what the web
browser sees, including exact host name and port.

Ignoring the backchannel your IDP should probably listen on the
standard HTTPS port TCP/443. Then there'd be no port numbers in
metadata or configuration anywhere.

If Tomcat listens on a different physical port on your machine
(e.g. 8443) you could use one of the tricks mentioned in the
documentation, though personally I prefer POSIX Capabilities to simply
allow unprivileged users (i.e., the one the JVM and Tomcat run as) to
listen on privileged ports (i.e., 443). Modern systemd can do that
out of the box (I'd have to check whether CentOS7 comes with a
sufficiently new systemd).

> With an old Tomcat and Shibboleth it works without problems...

Oh, Tomcat 7 is old.

Note that if you're installing a new IDP now (otherwise you probably
wouldn't be experiencing such fundamental errors) you should consider
starting with IDPv4 -- it may well be done while you're struggling
with installation and configuration and productionalisation.

Even if you're not going with IDPv4 right now you will need to plan
your upgrade to v4 soon after its release and IDPv4 *does* *not*
*support* Tomcat7 anymore!
https://wiki.shibboleth.net/confluence/display/IDP4/SystemRequirements
So you should be looking at a newer OS or newer container right away,
IMO.

-peter

Re: Web Login Service - Message Security Error

liquid89
Hi Peter!

"
So what's the correct public URL of your IDP server?
https://portal.test.de or http://servername:8443 ?
"

It's https://portal.test.de/idp/ and that is what the browser shows in the error
message. On the very old SAML server it works with all the settings used
in the new one (like idp-metadata.xml).
I have no idea what I should do...


"Oh, Tomcat 7 is old."
Thanks for the information. That's the next step then. Upgrading Tomcat :-)

Greetings from Vienna,
Liquid






Re: Web Login Service - Message Security Error

liquid89
I think I found the problem, but I have no solution.

The client goes to
https://portal.test.de --> https://portal.test.de/idp/shibboleth... but the
internal redirect doesn't work and that's why the error:
 'https://portal.test.de/idp/profile/SAML2/Redirect/SSO' did not match the
 recipient endpoint 'http://servername:8443/idp/profile/SAML2/Redirect/SSO'

arrives.... but how can I fix this? In the old version we used a filter with a
URL redirect in the web.xml.....

Greetings




Re: Web Login Service - Message Security Error

Peter Schober
* liquid89 <[hidden email]> [2020-02-17 09:47]:
> The Client goes to
> https://portal.test.de --> https://portal.test.de/idp/shibboleth... but the
> internal redirect doesn't work and that's why the error:
>  'https://portal.test.de/idp/profile/SAML2/Redirect/SSO' did not match the
>  recipient endpoint 'http://servername:8443/idp/profile/SAML2/Redirect/SSO'

That's not a problem of a redirect not working -- which would manifest
itself in your web browser internally rendering an error message,
along the lines of not being able to connect to the server -- it's an
error message from the IDP application that the endpoint details from
the SAML don't match what it thinks is its own configuration:

The endpoint details are using http (not https), a different host name
(AFAICT, from your obfuscation attempts) and a different port (8443,
not 443). But something virtualises all those things and makes your
server available at https://portal.test.de/, no?

Tomcat's HTTP connector allows virtualising the scheme (http) and
also the server name and port, cf.
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Proxy_Support
so if there's some kind of proxy or TLS offloading involved that's
what you'd need to configure.

If there is no other system/server involved then I'd need to know how
exactly you've configured Tomcat to be able to be accessed at
https://portal.test.de/ 

-peter

Re: Web Login Service - Message Security Error

liquid89
Hi Peter,

So, thank you first of all for the help!
I now use Tomcat 8 and not 7.
I configured it and have the same configuration as with Tomcat 7, and so
the same error.
I think you are right, my web server configuration has an error.


Here are some configurations:
*Tomcat*
server.xml

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               scheme="http"
               secure="true" clientAuth="true" maxSpareThreads="75" />


*shibboleth*

idp.properties
# Set the entityID of the IdP
idp.entityID=http://servername/idp/shibboleth

In the IDP-metadata.xml all URLS are using https://portal-test.de

How does it work?

The client has a portal where all web applications are. So you can click on
an application and a redirect starts on the application and on the IdP.


Maybe that helps.
Greeting,
Liquid89








Re: Web Login Service - Message Security Error

Peter Schober
* liquid89 <[hidden email]> [2020-02-17 14:47]:
>     <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                scheme="http"
>                secure="true" clientAuth="true" maxSpareThreads="75" />

That matches none of your messages so far, which contained port 443
(implicitly in https://portal.test.de) and port 8443, but not 8080.

So (again, I have asked this already in my previous message but you
did not reply to it) if that server listens on port 8080 then what
makes that server accessible at port 443 from the outside?

-peter

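The two replies above make the same point from two sides: the IdP compares the SAML message's Destination with the URL it believes it received the request on, and that URL is whatever Tomcat's connector reports, not what the browser typed. The model below is an added example written for this thread; it is not code from Shibboleth, OpenSAML or Tomcat. The `Connector` dataclass mirrors only the Tomcat attributes named in the Tomcat proxy-support documentation (`scheme`, `secure`, `proxyName`, `proxyPort`), the Host header value `servername:8443` is an assumption about what the front end passes on, and the URL normalisation is a simplification of the real handler's comparison. It runs the check once against the connector as posted (port 8080, scheme http, no proxy attributes) and once against a connector that declares the public name, port and scheme, so each differing component of the error message can be traced to a connector attribute.

```python
"""
Model of the endpoint check behind the thread's error message.

Added example, not code from Shibboleth/OpenSAML or Tomcat. The IdP's
ReceivedEndpointSecurityHandler compares the SAML message's intended
destination with the URL the IdP believes it received the request on;
that second URL comes from the servlet request, which Tomcat builds from
its Connector (scheme, proxyName, proxyPort) and the Host header. The
Connector model and the URL normalisation below are simplifications
written for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Connector:
    """Subset of Tomcat HTTP Connector attributes relevant to this thread."""
    port: int
    scheme: str = "http"
    secure: bool = False
    proxy_name: Optional[str] = None   # Tomcat attribute: proxyName
    proxy_port: Optional[int] = None   # Tomcat attribute: proxyPort


def recipient_endpoint(conn: Connector, host_header: str, path: str) -> str:
    """URL the servlet layer reports for a request, in the style of
    request.getScheme()/getServerName()/getServerPort() plus the path.
    proxyName/proxyPort override what the Host header and the listening
    port would otherwise yield (simplified model of Tomcat's behaviour)."""
    scheme = conn.scheme.lower()
    name, _, hdr_port = host_header.partition(":")
    server_name = conn.proxy_name or name
    server_port = conn.proxy_port or (int(hdr_port) if hdr_port else conn.port)
    default_port = 443 if scheme == "https" else 80
    authority = server_name if server_port == default_port else f"{server_name}:{server_port}"
    return f"{scheme}://{authority}{path}"


def _normalize(url: str) -> Tuple[str, str, Optional[int], str]:
    """Scheme and host compared case-insensitively, default port made
    explicit, path compared as-is."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, (p.hostname or "").lower(), port, p.path or "/"


def check_received_endpoint(destination: str, recipient: str) -> Tuple[bool, str]:
    """Return (ok, message). On mismatch the message mirrors the log line
    quoted in the thread."""
    if _normalize(destination) == _normalize(recipient):
        return True, "SAML message destination matches recipient endpoint"
    return False, (f"SAML message intended destination endpoint '{destination}' "
                   f"did not match the recipient endpoint '{recipient}'")


# Constructed inputs based on the values quoted in the thread.
DESTINATION = "https://portal.test.de/idp/profile/SAML2/Redirect/SSO"
PATH = "/idp/profile/SAML2/Redirect/SSO"
HOST_HEADER_AT_TOMCAT = "servername:8443"   # assumption: what the front end passes on

# Connector as posted in the thread: plain http, no proxy attributes.
POSTED = Connector(port=8080, scheme="http", secure=True)

# Connector that tells Tomcat how the IdP is reached from outside, using
# Tomcat's scheme/secure/proxyName/proxyPort attributes.
PROXIED = Connector(port=8080, scheme="https", secure=True,
                    proxy_name="portal.test.de", proxy_port=443)


def run() -> Tuple[bool, bool]:
    """Run the check for both connectors; returns (ok_posted, ok_proxied)."""
    before = check_received_endpoint(
        DESTINATION, recipient_endpoint(POSTED, HOST_HEADER_AT_TOMCAT, PATH))
    after = check_received_endpoint(
        DESTINATION, recipient_endpoint(PROXIED, HOST_HEADER_AT_TOMCAT, PATH))
    for ok, msg in (before, after):
        print("OK   " if ok else "ERROR", msg)
    return before[0], after[0]


if __name__ == "__main__":
    run()
```

With the posted connector the reconstructed recipient endpoint is `http://servername:8443/...`, which is exactly the mismatch in the thread's log line; with the proxy attributes set, Tomcat reports `https://portal.test.de/...` and the check passes. Whatever sits in front of Tomcat (reverse proxy, TLS offloader, port forward) has to be reflected in those connector attributes, or the IdP will keep rejecting requests whose Destination names the public URL.
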
Re: Web Login Service - Message Security Error

Christopher Bongaarts
In reply to this post by liquid89
Most likely, the fix needs to happen on the SP side, not the IdP side,
so they are sending the correct endpoint in the SAML request.

Less likely, you need to update the metadata on your IdP so it has the
correct endpoints for this SP.

On 2/17/2020 2:46 AM, liquid89 wrote:
> The Client goes to
> https://portal.test.de --> https://portal.test.de/idp/shibboleth... but the
> internal redirect doesn't work and that's why the error:
>   'https://portal.test.de/idp/profile/SAML2/Redirect/SSO' did not match the
>   recipient endpoint 'http://servername:8443/idp/profile/SAML2/Redirect/SSO'
>
> arrives.... but how can I fix this? In the old version we used a filter with a
> URL redirect in the web.xml.....

--
%%  Christopher A. Bongaarts   %%  [hidden email]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%


Re: Web Login Service - Message Security Error

liquid89
First of all - thanks for your help!
We had a problem in the portal URL configuration of the client. Now it
works.

Thanks for your help!


