ECP extension needed for active clients
Nate Klingenstein
ndk at internet2.edu
Sun Sep 16 21:37:12 EDT 2012
Mauro,
It seems to me like the authentication process is failing, and you're
repeatedly prompted to reauthenticate after the first authentication
fails. I have no idea where this authentication process would get
logged, but the request likely never gets to the IdP at all, so the
absence of log entries in idp-process.log would not be surprising. Tomcat is
notorious for eating logs, but catalina.out (and tomcat.log) in
Tomcat's logs directory would not be a bad guess.
You shouldn't need to configure or use Apache. It can be used as a
front-end for Tomcat, in which case it would be responsible for
setting REMOTE_USER via some mechanism or module, but we don't
recommend that deployment approach. 443 and 8443 are the only ports
you should need open.
Thanks,
Nate.
On Sep 16, 2012, at 23:26, Mauro Minella wrote:
> I re-installed everything from scratch and now the situation is a
> little clearer, but still faulty.
>
> To recap:
> - I installed shib idp version 2.3.5
> - I have Java 6U35 (see my previous thread "credentials not
> recognized" that I got with version 7)
> - the ecp endpoint configured in my relying party (Office 365
> Federation Gateway) is https://shibidp.eduteamit.com/idp/profile/SAML2/SOAP/ECP
> - passive authentication DOES work
> - active client (Outlook 2010) keeps presenting the password
> request, endlessly
> - if I try opening the ecp endpoint above, the browser pops up a
> dialog box with username/pwd request, which does NOT accept my
> credentials
> - the failed ecp authentication attempts WERE logged with "ERROR:
> REMOTE_USER not set, unable to set principal name" BEFORE I updated
> default web.xml. After I updated it (as follows) and re-deployed/
> restarted tomcat, such ecp authentication requests are not tracked
> at all
>
> Ideas (sorry if trivial):
> - maybe apache should be configured too, in order to require Basic
> Auth for the ECP location?
> - is Apache contacted even by the active clients, or should I make
> sure that another port is open, rather than 443 and 8443?