Initial Setup -- Cannot Get SP and IDP Talking

Sam Agnew saa2012 at qatar-med.cornell.edu
Tue Dec 3 04:40:33 EST 2013


That is extremely helpful!

So, I have done the testshib tests and my IDP gets a green light.

On SP I am getting the following:

opensaml::FatalProfileException at (https://unixadmin.qatar-med.cornell.edu/Shibboleth.sso/SAML2/POST)

In the SP log I am seeing:

2013-12-03 10:46:24 DEBUG OpenSAML.MessageDecoder.SAML2 [2]: message from (https://idp.testshib.org/idp/shibboleth)
2013-12-03 10:46:24 DEBUG OpenSAML.MessageDecoder.SAML2 [2]: searching metadata for message issuer...
2013-12-03 10:46:24 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
2013-12-03 10:46:24 DEBUG XMLTooling.StorageService [2]: inserted record (_230cbdfe7380299798cda4d07ddda6f3) in context (MessageFlow) with expiration (1386058644)
2013-12-03 10:46:24 DEBUG Shibboleth.SSO.SAML2 [2]: processing message against SAML 2.0 SSO profile
2013-12-03 10:46:24 DEBUG XMLTooling.CredentialCriteria [2]: key algorithm didn't match ('AES' != 'RSA')
2013-12-03 10:46:24 DEBUG Shibboleth.SSO.SAML2 [2]: decrypted Assertion: <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8d729efc980cff99911f402d42a02721" IssueInstant="2013-12-03T07:46:24.057Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_8d729efc980cff99911f402d42a02721"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>YInKw0cfaUenzAqZZyJz0fhxVTM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>MBESUrz8So35/yL59ScxB4VuWwsxkoQAp5XHrUtvj6/JuiCbGYiuo2yN1zumNGOmdG5LF3FWBRkeJET1oNwJ6ciQHyv/Gk2nl7HB7WKeWs78OiJZ5EABlO1h5rRYxJYIwqnFloZVuyjL3t4rUVwHO8M0tkpjbtgOxhY/Qv0HszXaUNuVivcwU5RCtqC8M5LEYJwFv0ANvArx8EL6AE8nTFpLA26wAvcFw+nP7uj8Kfee01Kr28XFHFJxqrzWWS+ZapPyeFV/k6JIgKC6hbca2gd7hKBRdBsfP31r2WGe/PVcwAJLTNu6afQYMa0kr1jqGkIbT35My5c5JYRVRcdmxw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEVMBMGA1UECBMM
UGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYDVQQKEwhUZXN0U2hpYjEZMBcG
A1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcx
CzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gx
ETAPBgNVBAoTCFRlc3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7CyVTDClcp
u93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe3OQ01Ow3yT4I+Wdg1tsT
pSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aTNPFmDixzUjoYzbGDrtAyCqA8f9CN2txI
fJnpHE6q6CmKcoLADS4UrNPlhHSzd614kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB
5/9nb0yh/ojRuJGmgMWHgWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HE
MIHBMB0GA1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ869nh8
3KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTET
MBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNoaWIxGTAXBgNVBAMTEGlkcC50ZXN0
c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5M
FfSVk98t3CT9jHZoYxd8QMRLI4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpk
OAvZZUosVkUo93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
/SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAjGeka8nz8Jjwx
pUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr8K/qhmFT2nIQi538n6rVYLeW
j8Bbnl+ev0peYzxFyF5sQA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="https://unixadmin.qatar-med.cornell.edu/shibboleth">_7ea49dcb356fa855acffc5834717de64</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="207.162.244.209" InResponseTo="_aedca934600d6c7dd42616f5678525da" NotOnOrAfter="2013-12-03T07:51:24.057Z" Recipient="https://unixadmin.qatar-med.cornell.edu/Shibboleth.sso/SAML2/POST"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2013-12-03T07:46:24.057Z" NotOnOrAfter="2013-12-03T07:51:24.057Z"><saml2:AudienceRestriction><saml2:Audience>https://unixadmin.qatar-med.cornell.edu/shibboleth</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2013-12-03T07:46:23.769Z" SessionIndex="_a5532e9a1436b7db665cb9c7ab512745"><saml2:SubjectLocality Address="207.162.244.209"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">alterego</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Member</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">alterego at testshib.org</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ego</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Member at testshib.org</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Alter</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Alter Ego</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.testshib.org/idp/shibboleth" 
SPNameQualifier="https://unixadmin.qatar-med.cornell.edu/shibboleth">9j6nnTVtlPrxSShOqLFw4ZR6mKs=</saml2:NameID></saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="telephoneNumber" Name="urn:oid:2.5.4.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">555-5555</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
2013-12-03 10:46:24 DEBUG Shibboleth.SSO.SAML2 [2]: extracting issuer from SAML 2.0 assertion
2013-12-03 10:46:24 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
2013-12-03 10:46:24 DEBUG XMLTooling.StorageService [2]: inserted record (_8d729efc980cff99911f402d42a02721) in context (MessageFlow) with expiration (1386058644)
2013-12-03 10:46:24 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [2]: assertion satisfied bearer confirmation requirements
2013-12-03 10:46:24 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Unable to establish security of incoming assertion.
2013-12-03 10:47:52 DEBUG Shibboleth.Listener [3]: dispatching message (default/SAML2/POST)
2013-12-03 10:47:52 DEBUG OpenSAML.MessageDecoder.SAML2POST [3]: validating input

I am interested in:
2013-12-03 10:46:24 DEBUG XMLTooling.CredentialCriteria [2]: key algorithm didn't match ('AES' != 'RSA')
but that message is only at DEBUG level

Do you know where I should look next?

Thanks!

Sam



On Dec 1, 2013, at 3:37 PM, Nate Klingenstein wrote:

Sam,

It doesn't require that your IdP server be on the Internet because in normal deployments the IdP and SP never directly communicate with one another.  The only requirement is that your client machine(e.g. the web browser) can talk to both the IdP and the SP, so if your client already bridges both networks, you should be set to try it out with TestShib.

Thanks,
Nate.

On Dec 1, 2013, at 12:59 AM, Sam Agnew <saa2012 at qatar-med.cornell.edu> wrote:

My team looked with joy at testshib until we realised the server needs to be on the internet to use it. Unfortunately, our security policies and network design don't permit any box we are building to be on DMZ or internet. Therefore we have to fix this some other way.




--
Sam Agnew
System Administrator
IT Department
Weill Cornell Medical College in Qatar


