configuring shibboleth on AWS using ELB

configuring shibboleth on AWS using ELB

Deirdre Kirmis

Hi all…prefacing this to say that I am new to AWS and new to configuring shibboleth. I was wondering if anyone has successfully configured shibboleth on an AWS instance that is running https via a load balancer. I installed and configured shib, send/received metadata from my IDP, but when I generate my metadata file, the certs are not included, and the sp-cert.pem and sp-key.pem files did not get created. Do I still need to “configure” https locally on the server, and if so, how, and how do I fix my shib config?

Thanks for any help!
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: configuring shibboleth on AWS using ELB

Cantor, Scott E.
On 11/25/19, 6:30 PM, "users on behalf of Deirdre Kirmis" <[hidden email] on behalf of [hidden email]> wrote:

> the certs are not included

Metadata is solely subject to your creation and control, so it has in it what you put in it, keys included. It is not generated other than for sample purposes.

> and the sp-cert.pem and sp-key.pem files did not get created.

The supported version of the SP generates two keypairs, one for signing, and one for encryption, neither one by that name anymore.

> Do I still need to “configure” https locally on the server

What you configure it to do is what you need it to do. Most people don't offload TLS anymore, they run it on every leg, but that's not anybody else's decision to make. As long as ServerName is set correctly to account for whatever virtualization is being done, the SP doesn't care.

-- Scott

RE: configuring shibboleth on AWS using ELB

Nate Klingenstein
In reply to this post by Deirdre Kirmis

Deirdre,

For what it's worth, we've configured a lot of IdP's and SP's in AWS, including SAMLtest. It's pretty straightforward: ELB, target groups, and instances, just wired together properly. There's really nothing special about it.

I often do it for single instances just because I like having ELB in between the world and me. It doesn't really provide anything that security groups wouldn't other than IP address obfuscation, so it's more of a security blanket than a necessary piece of infrastructure, but hey.

Take care,
Nate.

--------
The Art of Access ®
Nate Klingenstein | Principal
https://www.signet.id/
Re: configuring shibboleth on AWS using ELB

Michael A Grady
Besides what Scott and Nate have touched on, also be sure you are running a version/distribution of the Shibboleth SP meant for the specific OS base you are using on your AWS instances. I’ve seen folks try to use a CentOS rpm for the SP on Amazon Linux, and that will not lead to good things. As Scott said, really no reason not to still use TLS from the ELB to your instances, but if you choose not to, you’ll still want to “virtualize” on the web server side so the SP will still understand that HTTPS is being used to get to it.

--
Michael A. Grady
IAM Architect, Unicon, Inc.
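
Michael's "virtualize on the web server side" point, made concrete. This is an added example, not configuration from the thread or from the Shibboleth project: it assumes the public hostname sp.example.edu, an ALB that terminates TLS and forwards to Apache httpd on the instance, and that mod_shib and mod_remoteip are loaded; the 10.0.0.0/16 range standing in for the ALB's subnets and the /secure application path are placeholders.

```apache
# Added example (not from the thread). Assumed names: sp.example.edu,
# 10.0.0.0/16 for the ALB's subnets, /secure for the protected app path.

# Tell Apache the scheme/host/port the *client* used, not what arrived on
# the instance. With UseCanonicalName On the SP builds its handler and ACS
# URLs from ServerName, so generated metadata and AuthnRequests say https://.
ServerName https://sp.example.edu:443
UseCanonicalName On

# Recover the real client address from X-Forwarded-For for logs and any
# address-based rules, trusting only proxies in the ALB's subnets.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/16

# Hand the SP's handler URLs to mod_shib.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Require a Shibboleth session for the application.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shibboleth
</Location>
```

After restarting httpd and shibd, fetch /Shibboleth.sso/Metadata through the load balancer and confirm every Location now starts with https://. The scheme Apache reports is also what the SP uses to decide whether a request is secure, so keep handlerSSL="true" and cookieProps="https" on the Sessions element in shibboleth2.xml rather than loosening them to make an offloaded setup work. If you keep TLS on the instance leg as well, which is what Scott and Michael recommend, the same ServerName line still applies; only the listener and the certificate paths in ssl.conf change.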
RE: configuring shibboleth on AWS using ELB

Deirdre Kirmis
In reply to this post by Nate Klingenstein-5

I figured out the certs issue…do you mind if I ask if I have set this up correctly? I have an application load balancer, listening on ports 80 and 443, directing to a target group (with currently only 1 EC2 instance registered). I set up the ELB using our AWS wildcard certificate in ACM, and did not configure anything specifically on the EC2 to enforce https and regarding certs (ssl.conf is pointing to the localhost.key and .crt files). I guess the “wired together properly” part is where I’m stuck. I installed shib, added the Location section for it in ssl.conf, configured shibboleth2.xml with servername and to point to my metadata file, which I got from my host provider (my organization is an IDP). Added shib as an authentication provider.

I see my provider on the login page of my app, but when I try to login I get an error “The login service was unable to identify a compatible way to respond to the requested application. This is generally due to a misconfiguration on the part of the application and should be reported to the application's support team or owner.”

Any ideas what I missed? Thank you!

Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240

Re: configuring shibboleth on AWS using ELB

Nate Klingenstein
Deirdre,

Beware the wildcard certificate, especially as ACM is effectively free and zero maintenance.  The domain in the cookie and the certificate used for encryption to the SP are more important, but it's wise to use dedicated TLS certificates anyway.

I wouldn't have ELB listen on port 80, but instead write a redirect rule.

The error doesn't sound like a Shibboleth error. Try going to /Shibboleth.sso/Session.  I suspect it's not integrated right with the application or not receiving the right data in the assertion even though the SAML transaction is probably successful.

Best wishes,
Nate.


RE: configuring shibboleth on AWS using ELB

Deirdre Kirmis

Thanks, Nate. You did suggest creating the SSL certs locally, which is what I will try next. I had already gotten so far with the ACM certs that I was trying to make that work first, but not really having luck. I’ll try your suggestions.

Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
Re: configuring shibboleth on AWS using ELB

Nate Klingenstein
ACM certs are totally fine for TLS (be sure to use 1.2) but should be dedicated per target group/external facing DNS name. They should also be different from the SP's own encryption certificate(s). The certificates generated during Shibboleth installation should be fine for production use, but you can make your own if you'd prefer.

The important thing is to keep data private by avoiding plain HTTP and wildcard certificates when possible and using encryption, as well as figuring out where the error is.

Re: configuring shibboleth on AWS using ELB

Cantor, Scott E.
In reply to this post by Deirdre Kirmis
On 11/26/19, 4:31 PM, "users on behalf of Deirdre Kirmis" <[hidden email] on behalf of [hidden email]> wrote:

> Any ideas what I missed? Thank you!

Your web server is generating an ACS response URL in its request to the IdP that is not in the metadata you gave the IdP.

-- Scott

RE: configuring shibboleth on AWS using ELB

Deirdre Kirmis
In reply to this post by Deirdre Kirmis

So just noticed that my metadata file (sent to IDP) shows all of the “Location” items for my server as http:// instead of https://. I generated the file using the URL https://<mydomain>/Shibboleth.sso/Metadata

And sent that file to my IDP. Any ideas why it would show http:// instead of https:// if I am using ELB listener with AWS certs?

Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
Re: configuring shibboleth on AWS using ELB

Cantor, Scott E.
On 11/27/19, 11:23 AM, "Deirdre Kirmis" <[hidden email]> wrote:

> So just noticed that my metadata file (sent to IDP) shows all of the “Location” items for my server as http:// instead of
> https://. I generated the file using the URL

It is always, without exception, a mistake to ever give metadata to anybody else that you do not personally prepare and vet, which is why the comment in the file exists.

> And sent that file to my IDP. Any ideas why it would show http:// instead of https:// if I am using ELB listener with AWS certs?

Because the Apache server has not been configured to know what its virtual ServerName (scheme in this case) is supposed to be, and is reporting requests to itself as http and not https.

-- Scott
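
Scott's two points in this thread, that the ACS URL the SP emits must be in the metadata the IdP holds (his earlier reply) and that metadata should be vetted before it is handed to anyone, can be turned into a small pre-flight check. The following is an added example, not code from the thread or from the Shibboleth project: the two metadata documents it parses are constructed samples with placeholder certificate values, sp.example.edu is an assumed hostname, and the checks are the ones this thread tripped over (http:// endpoint Locations, a missing encryption key, an ACS URL absent from the metadata).

```python
"""Pre-flight check for Shibboleth SP metadata before it is sent to an IdP.

Added example (not from the thread or the Shibboleth project). Flags the
problems seen in the thread: endpoint Locations that are http:// rather than
https://, missing signing/encryption KeyDescriptors, and an ACS URL the SP
will emit that is absent from the metadata. Sample documents are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_TAG = "{%s}AssertionConsumerService" % NS["md"]
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: what the thread's broken metadata looked like (http://
# endpoints because Apache did not know its virtual scheme, one key only).
BROKEN_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ConstructedSigningCertPlaceholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sp.example.edu/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same SP after ServerName/UseCanonicalName were fixed
# and both keypairs are published.
FIXED_METADATA = BROKEN_METADATA.replace("http://sp.", "https://sp.").replace(
    "</md:KeyDescriptor>",
    "</md:KeyDescriptor>\n    <md:KeyDescriptor use=\"encryption\">"
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>ConstructedEncryptionCertPlaceholder"
    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>",
)


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def acs_endpoints(xml_text):
    """Return (index, binding, location) for every AssertionConsumerService."""
    root = ET.fromstring(xml_text.strip())
    return [(el.get("index"), el.get("Binding"), el.get("Location"))
            for el in root.iter(ACS_TAG)]


def check_metadata(xml_text, expected_acs=None, expected_binding=HTTP_POST):
    """Return a list of problems; an empty list means the metadata passed.

    expected_acs/expected_binding are the ACS URL and binding the SP actually
    puts in its AuthnRequest; the IdP answers "unable to identify a compatible
    way to respond" when that pair is not in the metadata it holds.
    """
    problems = []
    root = ET.fromstring(xml_text.strip())
    if _local(root.tag) != "EntityDescriptor" or not root.get("entityID"):
        return ["root is not an EntityDescriptor with an entityID"]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: this is not SP metadata"]

    # 1. Every endpoint the IdP may send the browser to must be https.
    for el in sp.iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url and not url.startswith("https://"):
                problems.append("non-https %s on %s: %s" % (attr, _local(el.tag), url))

    # 2. Both key uses must be published with a non-empty certificate.
    #    A KeyDescriptor with no use attribute counts for both uses.
    uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            problems.append("KeyDescriptor without an X509Certificate")
            continue
        uses.update([kd.get("use")] if kd.get("use") else ["signing", "encryption"])
    for use in ("signing", "encryption"):
        if use not in uses:
            problems.append("no %s key published" % use)

    # 3. The ACS the SP will emit must be present, with the same binding.
    if expected_acs:
        pairs = {(binding, loc) for _, binding, loc in acs_endpoints(xml_text)}
        if (expected_binding, expected_acs) not in pairs:
            problems.append("ACS %s (%s) not in metadata" % (expected_acs, expected_binding))
    return problems


if __name__ == "__main__":
    acs = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"
    for name, doc in (("broken", BROKEN_METADATA), ("fixed", FIXED_METADATA)):
        print(name, check_metadata(doc, expected_acs=acs) or "OK")
```

Run it against the real file you pulled from /Shibboleth.sso/Metadata, passing the ACS URL you see the SP generate (the SP log or the AuthnRequest in the browser shows it); a non-empty list is a reason not to send the file yet.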

RE: configuring shibboleth on AWS using ELB

Deirdre Kirmis
How do I prepare the metadata myself?
Thank you Scott and Michael...I added my servername to httpd.conf (I had configured with https in http.proxy.conf and in ssl.conf, but not in http.conf). I uncommented it and modified it in that file and now my metadata shows https. Still not sure if I have everything configured to make shibboleth work, though.

I did mention originally that I am just learning some of this ... still have a long way to go.

Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240

Reply | Threaded
Open this post in threaded view
|

Re: configuring shibboleth on AWS using ELB

Cantor, Scott E.
On 11/27/19, 12:23 PM, "users on behalf of Deirdre Kirmis" <[hidden email] on behalf of [hidden email]> wrote:

> How do I prepare the metadata myself?

It's an XML file with a very defined schema and set of rules for what's in it, but that's probably obvious so the intent of the question is not 100% clear.

Speaking in general terms, a federated SP (that is, one dealing with many IdPs of different organizations) really needs to be in a federation, and federations provide metadata management systems generally, though not always.

An enterprise SP is dealing with a single IdP and the IdP operator should be providing processes to follow. For myself, I don't ask SPs to give me metadata as a rule, I just expect them to inform me of the keys and hosts through a registration process, then I assign them entityID(s) to use, and I have processes to follow when changes are needed.
 
-- Scott



RE: configuring shibboleth on AWS using ELB

Deirdre Kirmis
Eventually, we will want to set up as a federation SP, but this is just dev at this point, so we are only configuring our org IDP.
I did find the documentation on creating the metadata schema/rules, so thanks for that direction.

Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240


RE: configuring shibboleth on AWS using ELB

Nate Klingenstein-5
Deirdre,

You may find https://samltest.id/ to be a useful resource.  It's basically a fully configured SP that will let you see its logs so you can know exactly what's going on, end to end.

Best wishes,
Nate.

--------
The Art of Access ®
Nate Klingenstein | Principal
https://www.signet.id/

RE: configuring shibboleth on AWS using ELB

Deirdre Kirmis
That is great! Thank you…it already told me that I’m missing the metadata for identity provider!

Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240


Re: configuring shibboleth on AWS using ELB

Deirdre Kirmis
Hi all...I'm still struggling with shibboleth not working on my system. Now, I'm just trying to use the samltest site that Nate sent...have uploaded my metadata to samltest, and have copied the samltest metadata to my site. Samltest shows as a provider on my site...when I log in using that, it goes through the process...lets me pick rick, then takes me back to my site, but does not log in rick or create his account. If I look at the session data, it shows all of the attributes correctly...however in my server log I get an error that the attributes are null. When I try to "fetch" my site metadata, it just spins and never comes back as uploaded. When I manually upload the file, it acts like it was successful, but when I try the test it says my site is not registered. What am I doing wrong?

Deirdre Kirmis
Web Application Developer
Discovery Services
ASU Library
Arizona State University 
480-965-7240


Re: configuring shibboleth on AWS using ELB

Nate Klingenstein-2
Deirdre,

I think you're nearly there. Uncomment the attributes you'd like to receive in attribute-map.xml and wire up Shibboleth to your application or a test page at /secure and I predict success.  Thanks for your diligence!

Best,
Nate.



RE: configuring shibboleth on AWS using ELB

Nate Klingenstein-5
In reply to this post by Deirdre Kirmis
Deirdre,

> however in my server log I get an error that the attributes are null.  When I try to "fetch" my site metadata, it just spins and never comes back as uploaded. When I manually upload the file, it acts like it was successful, but when I try the test it says my site is not registered. What am I doing wrong?

Sorry, in my haste, I missed this part of your message.  It's most likely that your site is behind a load balancer (obviously) and SAMLtest can't issue queries directly to individual nodes behind a load balancer.  Even if it could, it would receive the wrong answer.  Alternative possibilities exist, but this one looks pretty clear.  Get the virtualization on your instance to match ELB and then type in ELB as your IdP address.

You'd eventually have to do this with any IdP, so this is far from a fruitless exercise.

Take care,
Nate.



Re: configuring shibboleth on AWS using ELB

Deirdre Kirmis
Nate, thank you so much for your response. Yes, my instance is behind a load-balancer, but I have a DNS entry pointing to the ELB AWS domain, which is what I am using for my SP address. What do you mean by "Get the virtualization on your instance to match ELB"? Will I be able to make this work?
Thank you!

Deirdre Kirmis
Web Application Developer
Discovery Services
ASU Library
Arizona State University 
480-965-7240
