IIS7 with SP-Plugin, authentication infinite loop (resolved)
Stefan König
s.koenig at uni-tuebingen.de
Tue Jul 17 05:47:48 EDT 2012
Problem resolved!!!!
I configured:
---
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="idefix.worldtalk.de" scheme="https"
authType="shibboleth" requireSession="true" />
</RequestMap>
</RequestMapper>
---
Without an ApplicationOverride later...
This does request for a session as soon as I access the host via https
(as expected).
And it does give control back to the application afterwards (without a
loop!)
THANKS A LOT, SCOTT!!
It's actually an unitentional rhyme...
But as you help lot's of people here, it's surely fine that way ;-)
Regards
Stefan
PS: Full listing for others with similar problems to compare with
original one:
--- CUR HERE---
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and
SessionCache
are used. See example-shibboleth2.xml for samples of explicitly
configuring them.
-->
<!--
The InProcess section contains settings affecting web server modules.
Required for IIS, but can be removed when using other web servers.
-->
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<!--
Maps IIS Instance ID values to the host scheme/name/port.
The name is
required so that the proper <Host> in the request map above
is found without
having to cover every possible DNS/IP combination the user
might enter.
-->
<Site id="1" name="idefix.worldtalk.de" scheme="https"/>
<!--
When the port and scheme are omitted, the HTTP request's
port and scheme are used.
If these are wrong because of virtualization, they can be
explicitly set here to
ensure proper redirect generation.
-->
</ISAPI>
</InProcess>
<!--
To customize behavior for specific resources on IIS, and to link
vhosts or
resources to ApplicationOverride settings below, use the XML syntax
below.
See
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo for help.
Apache users should rely on web server options/commands in most
cases, and can remove the
RequestMapper element. See
https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig
-->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="idefix.worldtalk.de" scheme="https"
authType="shibboleth" requireSession="true" />
</RequestMap>
</RequestMapper>
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML
bits are defined.
Resource requests are mapped by the RequestMapper to an
applicationId that
points into to this section (or to the defaults here).
-->
<ApplicationDefaults
entityID="urn:idefix.worldtalk.de:sp"
REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling,
and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each
of your applications.
The value defaults to /Shibboleth.sso, and should be a relative
path, with the SP computing
a relative value based on the virtual host. Using
handlerSSL="true", the default, will force
the protocol to be https. You should also add a cookieProps
setting of "; path=/; secure"
in that case. Note that while we default checkAddress to
"false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is
much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure"
handlerURL="https://idefix.worldtalk.de/Shibboleth.sso">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to
discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth
WAYF support.)
You can also override entityID on /Login query string, or
in RequestMap/htaccess.
-->
<SSO entityID="https://pbm12.uni-tuebingen.de/idp/shibboleth"
discoveryProtocol="SAMLDS"
discoveryURL="https://pbm12.uni-tuebingen.de/idp/DS/WAYF">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate"
metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session"
showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the
templates.
-->
<Errors supportContact="webmaster at idefix.worldtalk.de"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML"
uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml"
reloadInterval="7200">
<MetadataFilter type="RequireValidUntil"
maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>
-->
<!-- Example of locally maintained metadata. -->
<MetadataProvider type="XML"
file="C:/opt/shibboleth-sp/etc/shibboleth/pbm12-metadata.xml"
validate="false" />
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true"
path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="false"/>
<!-- Default filtering policy for recognized attributes, lets
other data pass. -->
<AttributeFilter type="XML" validate="true"
path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem"
certificate="sp-cert.pem"/>
<!--
The default settings can be overridden by creating
ApplicationOverride elements (see
the
https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride
topic).
Resource requests are mapped by web server commands, or the
RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a
different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate
runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true"
path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available
for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false"
path="protocols.xml"/>
</SPConfig>
--- CUR HERE---
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4480 bytes
Desc: S/MIME Kryptografische Unterschrift
Url : http://shibboleth.net/pipermail/users/attachments/20120717/c432f739/attachment.bin
More information about the users
mailing list