ECP extension needed for active clients
Mauro Minella
Mauro.Minella at microsoft.com
Sun Sep 16 19:26:23 EDT 2012
I re-installed everything from scratch and now the situation is a little clearer, but still faulty.
To recap:
- I installed shib idp version 2.3.5
- I have Java 6U35 (see my previous thread "credentials not recognized" for the problem I got with version 7)
- the ecp endpoint configured in my relying party (Office 365 Federation Gateway) is https://shibidp.eduteamit.com/idp/profile/SAML2/SOAP/ECP
- passive authentication DOES work
- active client (Outlook 2010) keeps presenting the password request, endlessly
- if I try opening the ecp endpoint above, the browser pops up a dialog box with username/pwd request, which does NOT accept my credentials
- the failed ECP authentication attempts WERE logged with "ERROR: REMOTE_USER not set, unable to set principal name" BEFORE I updated the default web.xml. After I updated it (as shown below) and re-deployed/restarted Tomcat, such ECP authentication requests are not tracked at all
Ideas (sorry if trivial):
- maybe Apache should be configured too, in order to require Basic Auth for the ECP location?
- is Apache contacted even by the active clients, or should I make sure that another port, other than 443 and 8443, is open?
Any help is really, really appreciated.
Mauro
Here is the part I added to web.xml:
------------------
<security-constraint>
  <display-name>Shibboleth IdP</display-name>
  <web-resource-collection>
    <web-resource-name>ECP</web-resource-name>
    <!-- url-pattern is relative to the IdP context root (/idp); without a trailing /* it is an exact match -->
    <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
    <!-- only the listed methods are constrained; leaving the list out would constrain every method -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- '*' refers to the roles declared in this web.xml; an empty auth-constraint would deny everyone -->
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL: the container only serves this resource over TLS, so Basic credentials are never sent in clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <!-- BASIC: the container answers unauthenticated requests with an HTTP 401 challenge, which is what an ECP client expects -->
  <auth-method>BASIC</auth-method>
  <realm-name>ShibUserPassAuth</realm-name>
</login-config>
------------------
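As an added example (not code from this post or from the Shibboleth project), here is a Python script that reads a web.xml fragment like the one above the way the servlet container does: it matches the ECP path against each url-pattern using the servlet-spec rules (exact, /prefix/*, *.ext, /), collects which HTTP methods the matching constraint covers, and flags the things that make container-managed Basic Auth unusable for ECP (no matching constraint, POST not constrained, transport not CONFIDENTIAL, login-config not BASIC). The embedded SAMPLE_WEB_XML is the poster's fragment wrapped in a minimal <web-app> root; the ECP path constant and the credentials passed to basic_authorization() are assumptions made for the example.

```python
"""Audit the web.xml security-constraint protecting a Shibboleth IdP ECP endpoint.

Added example, not code from the original post or the Shibboleth project.
"""
import base64
import xml.etree.ElementTree as ET

# Assumed ECP endpoint path, relative to the IdP's context root (/idp).
ECP_PATH = "/profile/SAML2/SOAP/ECP"

# Constructed sample: the fragment from the post inside a minimal <web-app> root.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Shibboleth IdP</display-name>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name>
      <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuth</realm-name>
  </login-config>
</web-app>
"""


def children(elem, name):
    """Direct children with the given local name; ignores a default xmlns if present."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def text_of(elem, name, default=None):
    found = children(elem, name)
    return found[0].text.strip() if found and found[0].text else default


def url_pattern_matches(pattern, path):
    """Servlet-spec matching of a url-pattern against a context-relative path."""
    if pattern == "/":                       # default servlet: everything
        return True
    if pattern.endswith("/*"):               # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):             # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern                   # exact mapping (trailing slash matters)


def audit_ecp_constraint(web_xml_text, path=ECP_PATH):
    """Report how `path` is protected; 'problems' is empty when the ECP setup is sound."""
    root = ET.fromstring(web_xml_text)
    rep = {"path": path, "methods": set(), "roles": set(),
           "transport": "NONE", "auth_method": None, "problems": [], "notes": []}
    for sc in children(root, "security-constraint"):
        for wrc in children(sc, "web-resource-collection"):
            patterns = [p.text.strip() for p in children(wrc, "url-pattern") if p.text]
            if not any(url_pattern_matches(p, path) for p in patterns):
                continue
            methods = {m.text.strip().upper() for m in children(wrc, "http-method") if m.text}
            rep["methods"] |= methods or {"ALL"}   # no <http-method> means every method
            ac = children(sc, "auth-constraint")
            if not ac:
                rep["problems"].append("matching constraint has no auth-constraint: no login required")
            else:
                # '*' stands for the roles declared in web.xml; an empty list denies everyone.
                rep["roles"] |= {r.text.strip() for r in children(ac[0], "role-name") if r.text}
                if not rep["roles"]:
                    rep["problems"].append("empty auth-constraint denies all users")
            udc = children(sc, "user-data-constraint")
            if udc:
                rep["transport"] = text_of(udc[0], "transport-guarantee", "NONE")
    if not rep["methods"]:
        rep["problems"].append(f"no security-constraint url-pattern matches {path}")
        return rep
    if "ALL" not in rep["methods"]:
        if "POST" not in rep["methods"]:
            rep["problems"].append("POST is not constrained, but ECP clients POST SOAP to this endpoint")
        rep["notes"].append("only %s are constrained; other HTTP methods reach the endpoint unauthenticated"
                            % sorted(rep["methods"]))
    if rep["transport"] != "CONFIDENTIAL":
        rep["problems"].append("transport-guarantee is not CONFIDENTIAL: Basic credentials would travel in clear")
    lc = children(root, "login-config")
    rep["auth_method"] = text_of(lc[0], "auth-method") if lc else None
    if rep["auth_method"] != "BASIC":
        rep["problems"].append("login-config auth-method is not BASIC: ECP clients need an HTTP 401 challenge, not a login form")
    return rep


def basic_authorization(username, password):
    """Authorization header value an ECP client sends after the 401 challenge.
    Base64 is encoding, not encryption, which is why CONFIDENTIAL transport is required."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    for key, value in audit_ecp_constraint(SAMPLE_WEB_XML).items():
        print(f"{key}: {value}")
    print(basic_authorization("alice", "s3cret"))   # constructed credentials
```

Two things the audit makes visible that the bare fragment does not: the exact-match url-pattern protects only /profile/SAML2/SOAP/ECP, not the same path with a trailing slash (try a path like that and the report says no constraint matches), and listing GET and POST leaves every other method unconstrained. The constraint also only decides when the container challenges; whether the credentials are accepted depends on the Realm the container has been configured with for the ShibUserPassAuth realm name, which the script cannot see.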
More information about the users mailing list