ECP extension needed for active clients

Mauro Minella Mauro.Minella at microsoft.com
Sun Sep 16 19:26:23 EDT 2012


I re-installed everything from scratch and now the situation is a little clearer, but still faulty.

To recap:
- I installed shib idp version 2.3.5
- I have Java 6U35 (see my previous thread "credentials not recognized" that I got with version 7)
- the ecp endpoint configured in my relying party (Office 365 Federation Gateway) is https://shibidp.eduteamit.com/idp/profile/SAML2/SOAP/ECP
- passive authentication DOES work
- active client (Outlook 2010) keeps presenting the password request, endlessly
- if I try opening the ecp endpoint above, the browser pops up a dialog box with a username/pwd request, which does NOT accept my credentials
- the failed ecp authentication attempts WERE logged with "ERROR: REMOTE_USER not set, unable to set principal name" BEFORE I updated the default web.xml. After I updated it (as follows) and re-deployed/restarted Tomcat, such ecp authentication requests are not tracked at all

Ideas (sorry if trivial):
- maybe apache should be configured too, in order to require Basic Auth for the ECP location?
- is Apache contacted even by the active clients, or should I make sure that another port is open, rather than 443 and 8443?

Any help is really, really appreciated

Mauro

Here is the part I added to web.xml

------------------
<!-- Require container (Tomcat) authentication on the ECP endpoint so the
     servlet sees REMOTE_USER; the constraint is enforced before the IdP
     servlet runs, so a rejected login never reaches the IdP's logs. -->
<security-constraint>
  <display-name>Shibboleth IdP</display-name>
  <web-resource-collection>
    <web-resource-name>ECP</web-resource-name>
    <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>

  <auth-constraint>
    <!-- any authenticated role -->
    <role-name>*</role-name>
  </auth-constraint>

  <user-data-constraint>
    <!-- TLS only -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- HTTP Basic, the scheme ECP clients use against the IdP; the realm name
     must match a realm the container actually has configured. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ShibUserPassAuth</realm-name>
</login-config>
------------------
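To separate "the container rejected the credentials" from "the IdP ran and failed", it helps to do what the Office 365 gateway does for an active client: POST an ECP SOAP envelope to the IdP's SOAP/ECP endpoint with HTTP Basic credentials and look at what comes back. The script below is an added example written for this thread, not code from the original post or from the Shibboleth project. It uses only the Python standard library; the SP entityID, ACS URL, credentials and the sample replies in the demo are constructed placeholders (assumptions), and the unsigned AuthnRequest it builds will only be accepted if the IdP's relying-party configuration does not require signed requests.

```python
"""ECP endpoint probe for a Shibboleth IdP (added example, not from the post).

An ECP client (for Office 365 active clients, the federation gateway) POSTs a
SOAP envelope with an AuthnRequest to the IdP's SOAP/ECP endpoint using HTTP
Basic authentication. This probe does the same and classifies the reply:
  auth-rejected        401, the container realm (or Apache in front) refused the
                       credentials; the request never reached the IdP servlet
  soap-fault           credentials accepted, IdP failed inside the profile handler
  saml-response        a successful samlp:Response, i.e. ECP works end to end
  saml-status-failure  a samlp:Response whose status is not Success
  unexpected           HTML or other non-SOAP content (e.g. a login/error page)
All URLs, names and sample replies below are placeholders (assumptions).
"""
import base64
import datetime
import sys
import urllib.error
import urllib.request
import uuid
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def basic_auth_header(user, password):
    """HTTP Basic credential exactly as an ECP client sends it to the IdP."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_ecp_envelope(sp_entity_id, acs_url):
    """SOAP envelope carrying an unsigned samlp:AuthnRequest bound to PAOS.

    A real SP generates (and usually signs) this; whether the IdP accepts an
    unsigned request depends on its relying-party configuration.
    """
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        f' ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}"'
        f' ProtocolBinding="{PAOS_BINDING}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest></soap:Body></soap:Envelope>"
    ).encode("utf-8")


def classify_response(status, body):
    """Map HTTP status + body to one of the outcomes listed in the docstring."""
    if status == 401:
        return "auth-rejected"  # security-constraint fired before the servlet ran
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unexpected"
    if root.find(".//soap:Fault", NS) is not None:
        return "soap-fault"
    resp = root.find(".//samlp:Response", NS)
    if resp is None:
        return "unexpected"
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is not None and code.get("Value") == SUCCESS:
        return "saml-response"
    return "saml-status-failure"


def probe(idp_ecp_url, user, password, sp_entity_id, acs_url, timeout=15):
    """POST the envelope with Basic auth; return (http_status, classification)."""
    req = urllib.request.Request(idp_ecp_url, data=build_ecp_envelope(sp_entity_id, acs_url), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            status, data = r.status, r.read()
    except urllib.error.HTTPError as e:  # 401/500 etc. still carry a body worth classifying
        status, data = e.code, e.read()
    return status, classify_response(status, data)


# Constructed sample replies for the offline demo (not captured from a real IdP).
SAMPLE_SUCCESS = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    "</samlp:Response></soap:Body></soap:Envelope>"
).encode("utf-8")
SAMPLE_FAULT = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    "<soap:Fault><faultcode>soap:Server</faultcode><faultstring>Error</faultstring></soap:Fault>"
    "</soap:Body></soap:Envelope>"
).encode("utf-8")

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: ecp_probe.py <idp-ecp-url> <user> <password>
        print(probe(sys.argv[1], sys.argv[2], sys.argv[3],
                    "https://sp.example.org/shibboleth", "https://sp.example.org/Shibboleth.sso/SAML2/ECP"))
    else:  # offline demo on the constructed samples
        for s, b in ((401, b""), (500, SAMPLE_FAULT), (200, SAMPLE_SUCCESS)):
            print(s, classify_response(s, b))
```

Run it against the ECP URL with a test account. A 401 is decided by the servlet container's realm (or by Apache, if it fronts Tomcat and does the Basic authentication itself) before the IdP servlet is invoked, which is why a rejected login leaves nothing in the IdP logs; a SOAP fault or a samlp:Response means the credentials were accepted and REMOTE_USER was populated, so anything further will be in idp-process.log.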


