Issue with Shibboleth
Joseph Griffiths
joseph at oar.net
Tue Feb 26 14:58:47 EST 2013
Good Morning,
We have a SAML compliant SP.
We are working with a remote Shibboleth IDP. The ASssetion and pull assertion both work. When our SP tried to contact the remote idp's AA the AA returns the following XML error:
Message did not meet security requirements
Their idp debug logs show the following:
10:28:37.856 - DEBUG [org.opensaml.util.storage.ReplayCache:92] - Attempting to acquire lock for replay cache check
10:28:37.857 - DEBUG [org.opensaml.util.storage.ReplayCache:94] - Lock acquired
10:28:37.857 - DEBUG [org.opensaml.util.storage.ReplayCache:105] - Message ID _1361806117201 was not a replay
10:28:37.857 - DEBUG [org.opensaml.util.storage.ReplayCache:132] - Writing message ID https://xxx.domain.xxx/shibboleth_1361806117201 to replay cache with expiration time 2013-02-25T10:33:37.857-05:00
10:28:37.857 - INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:100] - SAML protocol message was not signed, skipping XML signature processing
10:28:37.858 - INFO [org.opensaml.ws.transport.http.HttpServletRequestAdapter:130] - Wrapped HTTP servlet request did not contain a client certificate
10:28:37.858 - INFO [org.opensaml.ws.security.provider.ClientCertAuthRule:104] - Inbound message transport did not contain a peer credential, skipping client certificate authentication
10:28:37.858 - ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:37] - Inbound message issuer was not authenticated.
10:28:37.859 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:180] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
at org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule.evaluate(MandatoryAuthenticatedMessageRule.java:38) ~[openws-1.4.3.jar:na]
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51) ~[openws-1.4.3.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132) ~[openws-1.4.3.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83) ~[openws-1.4.3.jar:na]
at org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder.decode(BaseSAML1MessageDecoder.java:109) ~[opensaml-2.5.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.decodeRequest(AttributeQueryProfileHandler.java:165) [shibboleth-identityprovider-2.3.4.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:88) [shibboleth-identityprovider-2.3.4.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler.processRequest(AttributeQueryProfileHandler.java:57) [shibboleth-identityprovider-2.3.4.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:84) [shibboleth-common-1.3.4.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at ch.qos.logback.classic.helpers.MDCInsertingServletFilter.doFilter(MDCInsertingServletFilter.java:51) [logback-classic-0.9.29.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at ch.SWITCH.aai.uApprove.Intercepter.intercept(Intercepter.java:142) [uApprove-2.3.1.jar:na]
at ch.SWITCH.aai.uApprove.Intercepter.doFilter(Intercepter.java:113) [uApprove-2.3.1.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.4.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.4.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.29]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.29]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.29]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.29]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.29]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) [tomcat-coyote.jar:6.0.29]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) [tomcat-coyote.jar:6.0.29]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.29]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_22]
At first glance I would assume that this issue is handled via the common list https://wiki.shibboleth.net/confluence/display/SHIB2/IdPTroubleshootingCommonErrors but when we force a SAML2 connection the AA returns data to our SP. I have no idea why the 1.3 implementation of the AA is failing while the 2.0 works. Any direction anyone can provide in solving this issue would be gratefully accepted.
Thanks in advance,
Joseph H Griffiths
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20130226/7b041cbb/attachment-0001.html
More information about the users
mailing list