IIS7 with SP-Plugin, authentication infinite loop (resolved)

Stefan König s.koenig at uni-tuebingen.de
Tue Jul 17 05:47:48 EDT 2012


Problem resolved!!!!

I configured:
---
     <RequestMapper type="Native">
         <RequestMap applicationId="default">
             <Host name="idefix.worldtalk.de" scheme="https" 
authType="shibboleth" requireSession="true" />
         </RequestMap>
     </RequestMapper>
---

Without an ApplicationOverride later...

This does request for a session as soon as I access the host via https 
(as expected).
And it does give control back to the application afterwards (without a 
loop!)

THANKS A LOT, SCOTT!!

It's actually an unitentional rhyme...
But as you help lot's of people here, it's surely fine that way ;-)

Regards
Stefan

PS: Full listing for others with similar problems to compare with 
original one:
--- CUR HERE---
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">

     <!--
     By default, in-memory StorageService, ReplayCache, ArtifactMap, and 
SessionCache
     are used. See example-shibboleth2.xml for samples of explicitly 
configuring them.
     -->

     <!--
     The InProcess section contains settings affecting web server modules.
     Required for IIS, but can be removed when using other web servers.
     -->
     <InProcess logger="native.logger">
         <ISAPI normalizeRequest="true" safeHeaderNames="true">
             <!--
             Maps IIS Instance ID values to the host scheme/name/port. 
The name is
             required so that the proper <Host> in the request map above 
is found without
             having to cover every possible DNS/IP combination the user 
might enter.
             -->
             <Site id="1" name="idefix.worldtalk.de" scheme="https"/>
             <!--
             When the port and scheme are omitted, the HTTP request's 
port and scheme are used.
             If these are wrong because of virtualization, they can be 
explicitly set here to
             ensure proper redirect generation.
             -->
         </ISAPI>
     </InProcess>

     <!--
     To customize behavior for specific resources on IIS, and to link 
vhosts or
     resources to ApplicationOverride settings below, use the XML syntax 
below.
     See 
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo for help.

     Apache users should rely on web server options/commands in most 
cases, and can remove the
     RequestMapper element. See 
https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig
     -->
     <RequestMapper type="Native">
         <RequestMap applicationId="default">
             <Host name="idefix.worldtalk.de" scheme="https" 
authType="shibboleth" requireSession="true" />
         </RequestMap>
     </RequestMapper>

     <!--
     The ApplicationDefaults element is where most of Shibboleth's SAML 
bits are defined.
     Resource requests are mapped by the RequestMapper to an 
applicationId that
     points into to this section (or to the defaults here).
     -->
     <ApplicationDefaults
         entityID="urn:idefix.worldtalk.de:sp"
         REMOTE_USER="eppn persistent-id targeted-id">

         <!--
         Controls session lifetimes, address checks, cookie handling, 
and the protocol handlers.
         You MUST supply an effectively unique handlerURL value for each 
of your applications.
         The value defaults to /Shibboleth.sso, and should be a relative 
path, with the SP computing
         a relative value based on the virtual host. Using 
handlerSSL="true", the default, will force
         the protocol to be https. You should also add a cookieProps 
setting of "; path=/; secure"
         in that case. Note that while we default checkAddress to 
"false", this has a negative
         impact on the security of the SP. Stealing cookies/sessions is 
much easier with this disabled.
         -->
         <Sessions lifetime="28800" timeout="3600" checkAddress="false" 
relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure" 
handlerURL="https://idefix.worldtalk.de/Shibboleth.sso">

             <!--
               Configures SSO for a default IdP. To allow for >1 IdP, remove
               entityID property and adjust discoveryURL to point to 
discovery service.
               (Set discoveryProtocol to "WAYF" for legacy Shibboleth 
WAYF support.)
               You can also override entityID on /Login query string, or 
in RequestMap/htaccess.
               -->
             <SSO entityID="https://pbm12.uni-tuebingen.de/idp/shibboleth"
                  discoveryProtocol="SAMLDS" 
discoveryURL="https://pbm12.uni-tuebingen.de/idp/DS/WAYF">
               SAML2 SAML1
             </SSO>

             <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>

             <!-- Extension service that generates "approximate" 
metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" 
signing="false"/>

             <!-- Status reporting service. -->
             <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

             <!-- Session diagnostic service. -->
             <Handler type="Session" Location="/Session" 
showAttributeValues="true"/>

             <!-- JSON feed of discovery information. -->
             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
         </Sessions>

         <!--
         Allows overriding of error template information/filenames. You can
         also add attributes with values that can be plugged into the 
templates.
         -->
         <Errors supportContact="webmaster at idefix.worldtalk.de"
             logoLocation="/shibboleth-sp/logo.jpg"
             styleSheet="/shibboleth-sp/main.css"/>

         <!-- Example of remotely supplied batch of signed metadata. -->
         <!--
         <MetadataProvider type="XML" 
uri="http://federation.org/federation-metadata.xml"
               backingFilePath="federation-metadata.xml" 
reloadInterval="7200">
             <MetadataFilter type="RequireValidUntil" 
maxValidityInterval="2419200"/>
             <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
         </MetadataProvider>
         -->

         <!-- Example of locally maintained metadata. -->
         <MetadataProvider type="XML" 
file="C:/opt/shibboleth-sp/etc/shibboleth/pbm12-metadata.xml" 
validate="false" />

         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" 
path="attribute-map.xml"/>

         <!-- Use a SAML query if no attributes are supplied during SSO. -->
         <AttributeResolver type="Query" subjectMatch="false"/>

         <!-- Default filtering policy for recognized attributes, lets 
other data pass. -->
         <AttributeFilter type="XML" validate="true" 
path="attribute-policy.xml"/>

         <!-- Simple file-based resolver for using a single keypair. -->
         <CredentialResolver type="File" key="sp-key.pem" 
certificate="sp-cert.pem"/>

         <!--
         The default settings can be overridden by creating 
ApplicationOverride elements (see
         the 
https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride 
topic).
         Resource requests are mapped by web server commands, or the 
RequestMapper, to an
         applicationId setting.

         Example of a second application (for a second vhost) that has a 
different entityID.
         Resources on the vhost would map to an applicationId of "admin":
         -->
     </ApplicationDefaults>

     <!-- Policies that determine how to process and authenticate 
runtime messages. -->
     <SecurityPolicyProvider type="XML" validate="true" 
path="security-policy.xml"/>

     <!-- Low-level configuration about protocols and bindings available 
for use. -->
     <ProtocolProvider type="XML" validate="true" reloadChanges="false" 
path="protocols.xml"/>

</SPConfig>
--- CUR HERE---

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4480 bytes
Desc: S/MIME Kryptografische Unterschrift
Url : http://shibboleth.net/pipermail/users/attachments/20120717/c432f739/attachment.bin 


More information about the users mailing list