Problem configuring an IdP to support anonymous relying parties
Jon Warbrick
jw35 at cam.ac.uk
Wed Sep 14 16:38:49 BST 2011
On Thu, 1 Sep 2011, Cantor, Scott wrote:
> Possible guess...define a custom security policy and link that to the
> profile handler in the Anonymous block?
Ok, this isn't turning out to be as easy as I'd hoped ('this', for anyone
who doesn't know, is configuring Shib 2.3.3 to emulate the effect of
setting 'allowAnonymousProviders="true"' in the <IdPConfig> element of a
Shib 1.3 config).
So far I've added <rp:ProfileConfiguration> blocks for xsi:types
saml:ShibbolethSSOProfile, saml:SAML1AttributeQueryProfile and
saml:SAML1ArtifactResolutionProfile to the <rp:AnonymousRelyingParty>
block in relying-party.xml and then used the securityPolicyRef attribute
to link these to <security:SecurityPolicy> blocks with most of the
<security:Rule>s removed. Copy of relying-party.xml attached.
Authentication works, but subsequent attribute queries still
fail, still reporting "Authentication via client certificate failed".
However if I also remove most of the rules from the (default) security
policy used by the AttributeQueryProfile in the <rp:DefaultRelyingParty>
block then everything seems to work and attributes are returned. Careful
examination of the log records of these two cases (copies below) suggests
to me that the request message is always being validated against
DefaultRelyingParty rules before the software decides that it's actually
from an AnonymousRelyingParty.
Does that make any sense? Is it 'safe' to run with the rules removed for
DefaultRelyingParty (will attribute release keyed on entityID be safe, for
example)?
With DefaultRelyingParty rules enabled:
16:10:16.540 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:127]
- Looking up relying party configuration for
https://mnementh.csi.cam.ac.uk/shibboleth-xx
16:10:16.540 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:133]
- No custom relying party configuration found for
https://mnementh.csi.cam.ac.uk/shibboleth-xx, looking up configuration
based on metadata groups.
16:10:16.541 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:156]
- No custom or group-based relying party configuration found for
https://mnementh.csi.cam.ac.uk/shibboleth-xx. Using default relying party
configuration.
16:10:16.547 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:189]
- Forcing on-demand metadata provider refresh if necessary
16:10:16.548 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:601]
- Attempting to retrieve trusted names from cache using index:
[https://mnementh.csi.cam.ac.uk/shibboleth-xx,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:1.1:protocol,SIGNING]
16:10:16.548 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:604]
- Read lock over cache acquired
16:10:16.548 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:615]
- Read lock over cache released
16:10:16.549 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:618]
- Unable to retrieve trusted names from cache using index:
[https://mnementh.csi.cam.ac.uk/shibboleth-xx,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:1.1:protocol,SIGNING]
16:10:16.549 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:438]
- Attempting to retrieve trusted names for PKIX validation from metadata
for entity: https://mnementh.csi.cam.ac.uk/shibboleth-xx
16:10:16.549 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:672]
- Write lock over cache acquired
16:10:16.550 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:675]
- Added new PKIX info to entity cache with key:
[https://mnementh.csi.cam.ac.uk/shibboleth-xx,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:1.1:protocol,SIGNING]
16:10:16.550 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:678]
- Write lock over cache released
16:10:16.550 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:152]
- Forcing on-demand metadata provider refresh if necessary
16:10:16.550 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:531]
- Attempting to retrieve PKIX validation info from cache using index:
[https://mnementh.csi.cam.ac.uk/shibboleth-xx,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:1.1:protocol,SIGNING]
16:10:16.550 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:534]
- Read lock over cache acquired
16:10:16.551 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:545]
- Read lock over cache released
16:10:16.551 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:548]
- Unable to retrieve PKIX validation info from cache using index:
[https://mnementh.csi.cam.ac.uk/shibboleth-xx,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:1.1:protocol,SIGNING]
16:10:16.551 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:259]
- Attempting to retrieve PKIX validation info from metadata for entity:
https://mnementh.csi.cam.ac.uk/shibboleth-xx
16:10:16.551 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:631]
- Write lock over cache acquired
16:10:16.552 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:634]
- Added new PKIX info to entity cache with key:
[https://mnementh.csi.cam.ac.uk/shibboleth-xx,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:1.1:protocol,SIGNING]
16:10:16.552 - DEBUG
[edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:637]
- Write lock over cache released
16:10:16.552 - ERROR
[org.opensaml.ws.security.provider.ClientCertAuthRule:156] -
Authentication via client certificate failed for context presenter entity
ID https://mnementh.csi.cam.ac.uk/shibboleth-xx
16:10:16.557 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:180]
- Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Client certificate
authentication failed for context presenter entity ID at
org.opensaml.ws.security.provider.ClientCertAuthRule.doEvaluate(ClientCertAuthRule.java:158)
~[openws-1.4.2.jar:na]
[...traceback trimmed...]
16:10:16.559 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:287]
- No metadata for relying party
https://mnementh.csi.cam.ac.uk/shibboleth-xx, treating party as anonymous
With DefaultRelyingParty rules disabled:
16:13:54.245 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:127]
- Looking up relying party configuration for
https://mnementh.csi.cam.ac.uk/shibboleth-xx
16:13:54.245 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:133]
- No custom relying party configuration found for
https://mnementh.csi.cam.ac.uk/shibboleth-xx, looking up configuration
based on metadata groups.
16:13:54.246 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:156]
- No custom or group-based relying party configuration found for
https://mnementh.csi.cam.ac.uk/shibboleth-xx. Using default relying party
configuration.
16:13:54.249 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:166]
- Decoded request
16:13:54.250 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:287]
- No metadata for relying party
https://mnementh.csi.cam.ac.uk/shibboleth-xx, treating party as anonymous
Jon.
--
Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge
Attachment: relying-party.xml (application/xml, 18609 bytes): http://shibboleth.net/pipermail/users/attachments/20110914/d3e433c8/attachment-0001.rdf
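For readers who cannot fetch the attachment, the following fragment shows the shape of the configuration the message describes: an <rp:AnonymousRelyingParty> whose SAML 1 profile configurations point, via securityPolicyRef, at separate policies with the metadata-dependent rules removed, next to the stock policy the <rp:DefaultRelyingParty> block keeps. This is an added illustration, not the attached file and not configuration shipped with the IdP; the policy ids (anon-saml1-*), the provider entityID and the credential reference are placeholders, the rule sets are assumed from the IdP 2.x defaults, and the metadata provider, credential and other profile definitions are omitted.

```xml
<!-- Added illustration, not the attached relying-party.xml.
     Policy ids, entityIDs and credential names are placeholders. -->
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Parties with no metadata: each SAML 1 profile refers to a relaxed policy. -->
    <rp:AnonymousRelyingParty provider="https://idp.example.ac.uk/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
            securityPolicyRef="anon-saml1-sso"
            includeAttributeStatement="false" assertionLifetime="PT5M"
            signResponses="conditional" signAssertions="never"/>
        <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
            securityPolicyRef="anon-saml1-attribute-query"
            assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>
        <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
            securityPolicyRef="anon-saml1-artifact-resolution"
            signResponses="conditional" signAssertions="never"/>
    </rp:AnonymousRelyingParty>

    <!-- Parties with metadata: stock policies, left untouched. -->
    <rp:DefaultRelyingParty provider="https://idp.example.ac.uk/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
            assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>
        <!-- remaining profile configurations as shipped -->
    </rp:DefaultRelyingParty>

    <!-- Stock attribute-query policy (assumed from the 2.x defaults). The
         ClientCertAuth and signature rules resolve trust from the presenter's
         metadata, which is exactly what an anonymous party does not have. -->
    <security:SecurityPolicy id="shibboleth-saml1-attribute-query"
        xsi:type="security:ShibbolethSecurityPolicy">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
            trustEngineRef="shibboleth.SignatureTrustEngine"/>
        <security:Rule xsi:type="security:ClientCertAuth"
            trustEngineRef="shibboleth.CredentialTrustEngine"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

    <!-- Relaxed policies for anonymous parties: only the metadata-dependent
         trust rules are dropped; replay, freshness and issuer checks stay. -->
    <security:SecurityPolicy id="anon-saml1-sso"
        xsi:type="security:ShibbolethSecurityPolicy">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

    <security:SecurityPolicy id="anon-saml1-attribute-query"
        xsi:type="security:ShibbolethSecurityPolicy">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

    <security:SecurityPolicy id="anon-saml1-artifact-resolution"
        xsi:type="security:ShibbolethSecurityPolicy">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>
</rp:RelyingPartyGroup>
```

Two points worth checking against the log excerpts above. First, the order of events in the first excerpt (ClientCertAuthRule raising its error before the "treating party as anonymous" warning) is the symptom to look for: if the default policy is evaluated before the relying-party selection falls through to the anonymous block, a relaxed policy referenced only from <rp:AnonymousRelyingParty> never gets a chance to run for the attribute query. Second, with ClientCertAuth and ProtocolWithXMLSignature gone from a policy, the issuer entityID in a request is a bare claim that nothing verifies, so any attribute filter rule keyed on that entityID releases to whoever asserts it; keeping the relaxed policy confined to the anonymous block, and keeping attribute release for anonymous parties to a deliberately minimal set, is the usual way to limit that exposure.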