401 error when Posting to the Idp endpoint using ECP profile.

jd jd jdregister at hotmail.fr
Wed Nov 28 03:42:21 EST 2012

I set up an IdP (2.3.8) and an SP (2.4.3) on one Ubuntu 11.10 machine.
I get the example login panel in a browser to work properly when accessing documents.


Now I'm trying to run the ECP profile. I keep exactly the same configuration except that:
I'm using the Python and shell client sample provided by https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplepython and I added my own IdP endpoint: https://kamaji.idp.ch/idp/profile/SAML2/SOAP/ECP


And the Idp.war file contains a web.xml file like the one described in https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableECP


ShibUserPassAuth is defined in the login.config file of the IdP as an LDAP authentication (the same as the one used for the browser).


When I run the example:
- the first request to the SP is fine ("request target from the SP") and it retrieves the relay_state and responseConsumer URL from the SP response.
- the second request to the IdP endpoint (a POST with the user/password to /idp/profile/SAML2/SOAP/ECP) is failing with a 401 error. I'm sure that the credentials are correct. I get the same error if I use the shell example instead of the Python example.


Taking a look at the logs and the network through Wireshark, I see that:

- the POST is correctly sent to the right port through AJP to Catalina;
- the answer from Catalina is a 401 error.


I don't see any additional trace on the IdP side after that POST call.
I believed at this point that this URL would match the pattern provided in the security-constraint tag of the web.xml file and then the authentication would be handled using the realm ShibUserPassAuth and the user/password provided in the data of the POST call.

I am a beginner in this topic and need some help to find out what is wrong in my configuration setup.

Additional traces:

- The packet of the POST call to Catalina as seen in Wireshark:

0000  00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00   ................ 
0010  45 00 01 28 49 c0 40 00 40 06 f2 0d 7f 00 00 01   E..(I.@.@....... 
0020  7f 00 00 01 8b 67 1f 49 1f 91 c4 db 36 ad 43 b0   .....g.I....6.C. 
0030  80 18 04 01 ff 1c 00 00 01 01 08 0a 07 fd 8d 65   ...............e 
0040  07 fd 8d 64 12 34 00 f0 02 04 00 08 48 54 54 50   ...d.4......HTTP 
0050  2f 31 2e 31 00 00 1b 2f 69 64 70 2f 70 72 6f 66   /1.1.../idp/prof 
0060  69 6c 65 2f 53 41 4d 4c 32 2f 53 4f 41 50 2f 45   ile/SAML2/SOAP/E 
0070  43 50 00 00 09 31 32 37 2e 30 2e 30 2e 31 00 ff   CP...127.0.0.1.. 
0080  ff 00 0d 6b 61 6d 61 6a 69 2e 69 64 70 2e 63 68   ...kamaji.idp.ch 
0090  00 01 bb 01 00 06 a0 03 00 08 69 64 65 6e 74 69   ..........identi 
00a0  74 79 00 a0 08 00 03 36 38 36 00 a0 0b 00 0d 6b   ty.....686.....k 
00b0  61 6d 61 6a 69 2e 69 64 70 2e 63 68 00 a0 07 00   amaji.idp.ch.... 
00c0  21 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77   !application/x-w 
00d0  77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64   ww-form-urlencod 
00e0  65 64 00 a0 06 00 05 63 6c 6f 73 65 00 a0 0e 00   ed.....close.... 
00f0  11 50 79 74 68 6f 6e 2d 75 72 6c 6c 69 62 2f 32   .Python-urllib/2 
0100  2e 37 00 08 00 12 44 48 45 2d 52 53 41 2d 41 45   .7....DHE-RSA-AE 
0110  53 32 35 36 2d 53 48 41 00 0b 01 00 0a 00 0f 41   S256-SHA.......A 
0120  4a 50 5f 52 45 4d 4f 54 45 5f 50 4f 52 54 00 00   JP_REMOTE_PORT.. 
0130  05 35 33 39 32 39 00 ff                           .53929.. 

- The packet of the response from Catalina as seen in Wireshark:

Apache JServ Protocol v1.3 
    Magic: 4142 
    Length: 136 
    Code: (4) SEND HEADERS 
    RSTATUS: 401 
    RSMSG: Unauthorized 
    NHDR: 0 
  
0000  00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00   ................ 
0010  45 00 00 c0 ce d5 40 00 40 06 6d 60 7f 00 00 01   E.....@.@.m`.... 
0020  7f 00 00 01 1f 49 8b 67 36 ad 43 b0 1f 91 c5 cf   .....I.g6.C..... 
0030  80 18 04 22 fe b4 00 00 01 01 08 0a 07 fd 8d 65   ..."...........e 
0040  07 fd 8d 65 41 42 00 88 04 01 91 00 0c 55 6e 61   ...eAB.......Una 
0050  75 74 68 6f 72 69 7a 65 64 00 00 03 00 10 57 57   uthorized.....WW 
0060  57 2d 41 75 74 68 65 6e 74 69 63 61 74 65 00 00   W-Authenticate.. 
0070  1e 42 61 73 69 63 20 72 65 61 6c 6d 3d 22 53 68   .Basic realm="Sh 
0080  69 62 55 73 65 72 50 61 73 73 41 75 74 68 22 00   ibUserPassAuth". 
0090  00 0c 43 6f 6e 74 65 6e 74 2d 54 79 70 65 00 00   ..Content-Type.. 
00a0  17 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73   .text/html;chars 
00b0  65 74 3d 75 74 66 2d 38 00 00 0e 43 6f 6e 74 65   et=utf-8...Conte 
00c0  6e 74 2d 4c 65 6e 67 74 68 00 00 03 39 35 34 00   nt-Length...954. 
 
Regards,
Jean-Denis
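
The two AJP messages in the Wireshark dumps above can be decoded offline to see exactly what Tomcat received and what it answered. The script below is an added example, not the poster's code and not part of Shibboleth: it transcribes the AJP portion of both dumps from this post into byte strings, parses the AJP13 forward request and the SEND_HEADERS reply, and reports the three facts a defender checks first when a container security realm answers a proxied request with 401: whether the reply is a Basic challenge, whether the front web server forwarded an Authorization header at all, and whether it passed a remote_user attribute (i.e. authenticated the client itself). The header and attribute code tables are the standard AJP13 ones; the hex is the only input and nothing here contacts the IdP.

```python
"""Decode the AJP13 request and 401 reply from the Wireshark dumps in the post above.
Added example, not the poster's or Shibboleth's code; hex is transcribed from the post."""
import struct

REQUEST_HEX = """
12 34 00 f0 02 04 00 08 48 54 54 50 2f 31 2e 31 00 00 1b 2f 69 64 70 2f 70 72 6f 66
69 6c 65 2f 53 41 4d 4c 32 2f 53 4f 41 50 2f 45 43 50 00 00 09 31 32 37 2e 30 2e 30 2e 31 00 ff
ff 00 0d 6b 61 6d 61 6a 69 2e 69 64 70 2e 63 68 00 01 bb 01 00 06 a0 03 00 08 69 64 65 6e 74 69
74 79 00 a0 08 00 03 36 38 36 00 a0 0b 00 0d 6b 61 6d 61 6a 69 2e 69 64 70 2e 63 68 00 a0 07 00
21 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64
65 64 00 a0 06 00 05 63 6c 6f 73 65 00 a0 0e 00 11 50 79 74 68 6f 6e 2d 75 72 6c 6c 69 62 2f 32
2e 37 00 08 00 12 44 48 45 2d 52 53 41 2d 41 45 53 32 35 36 2d 53 48 41 00 0b 01 00 0a 00 0f 41
4a 50 5f 52 45 4d 4f 54 45 5f 50 4f 52 54 00 00 05 35 33 39 32 39 00 ff
"""
RESPONSE_HEX = """
41 42 00 88 04 01 91 00 0c 55 6e 61 75 74 68 6f 72 69 7a 65 64 00 00 03 00 10 57 57
57 2d 41 75 74 68 65 6e 74 69 63 61 74 65 00 00 1e 42 61 73 69 63 20 72 65 61 6c 6d 3d 22 53 68
69 62 55 73 65 72 50 61 73 73 41 75 74 68 22 00 00 0c 43 6f 6e 74 65 6e 74 2d 54 79 70 65 00 00
17 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 00 00 0e 43 6f 6e 74 65
6e 74 2d 4c 65 6e 67 74 68 00 00 03 39 35 34 00
"""

# AJP13 code tables: methods, coded request/response header names, request attributes.
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE", 7: "TRACE"}
REQ_HEADERS = dict(zip(range(0xA001, 0xA00F), [
    "accept", "accept-charset", "accept-encoding", "accept-language", "authorization", "connection",
    "content-type", "content-length", "cookie", "cookie2", "host", "pragma", "referer", "user-agent"]))
RESP_HEADERS = dict(zip(range(0xA001, 0xA00C), ["Content-Type", "Content-Language", "Content-Length",
    "Date", "Last-Modified", "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"]))
ATTRS = {1: "context", 2: "servlet_path", 3: "remote_user", 4: "auth_type", 5: "query_string",
         6: "route", 7: "ssl_cert", 8: "ssl_cipher", 9: "ssl_session", 12: "secret", 13: "stored_method"}

class Reader:
    """Cursor over one AJP message."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def int16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def string(self):  # int16 length, bytes, NUL terminator; length 0xFFFF encodes null
        n = self.int16()
        if n == 0xFFFF:
            return None
        self.pos += n + 1
        return self.data[self.pos - n - 1:self.pos - 1].decode("latin-1")
    def header_name(self, table):  # either a 0xA0xx code or a literal name string
        code = self.int16()
        if code & 0xFF00 == 0xA000:
            return table.get(code, "0x%04x" % code)
        self.pos -= 2  # the two bytes were really the string's length prefix
        return self.string()

def open_message(hexdump, magic):
    r = Reader(bytes.fromhex("".join(hexdump.split())))
    if r.int16() != magic or r.int16() != len(r.data) - 4:
        raise ValueError("bad AJP magic or length")
    return r

def parse_forward_request(hexdump):
    """JK_AJP13_FORWARD_REQUEST (web server -> Tomcat): method, URI, headers, attributes."""
    r = open_message(hexdump, 0x1234)
    if r.byte() != 0x02:
        raise ValueError("not a forward request")
    req = {"method": METHODS.get(r.byte(), "?")}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field] = r.string()
    req["server_port"], req["is_ssl"] = r.int16(), r.byte() == 1
    req["headers"], req["attributes"] = {}, {}
    for _ in range(r.int16()):
        name = r.header_name(REQ_HEADERS).lower()
        req["headers"][name] = r.string()
    while (code := r.byte()) != 0xFF:  # attribute list ends with 0xFF
        if code == 0x0A:  # req_attribute: name string followed by value string
            name = r.string()
            req["attributes"].setdefault("req_attribute", {})[name] = r.string()
        elif code == 0x0B:  # ssl_key_size is a bare integer
            req["attributes"]["ssl_key_size"] = r.int16()
        else:
            req["attributes"][ATTRS.get(code, "0x%02x" % code)] = r.string()
    return req

def parse_send_headers(hexdump):
    """SEND_HEADERS reply (Tomcat -> web server): status, reason phrase, response headers."""
    r = open_message(hexdump, 0x4142)
    if r.byte() != 0x04:
        raise ValueError("not a SEND_HEADERS reply")
    resp = {"status": r.int16(), "reason": r.string(), "headers": {}}
    for _ in range(r.int16()):
        name = r.header_name(RESP_HEADERS)
        resp["headers"][name] = r.string()
    return resp

def diagnose(req, resp):
    """Facts to check first when a container security realm answers a proxied POST with 401."""
    return {
        "basic_challenge": resp["headers"].get("WWW-Authenticate", "").startswith("Basic"),
        "authorization_forwarded": "authorization" in req["headers"],
        "remote_user_forwarded": "remote_user" in req["attributes"],
    }
```

Calling `parse_forward_request(REQUEST_HEX)` shows a POST to /idp/profile/SAML2/SOAP/ECP over TLS with six forwarded headers (Accept-Encoding, Content-Length, Host, Content-Type, Connection, User-Agent) and no Authorization header; `parse_send_headers(RESPONSE_HEX)` shows the 401 with `WWW-Authenticate: Basic realm="ShibUserPassAuth"`. Because AJP forwards the request as the client sent it, a container BASIC realm can only verify credentials that arrive in an Authorization header (or a remote_user attribute set by a web server that authenticated the client itself), which is what `diagnose` makes visible from the capture alone.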