users Digest, Vol 25, Issue 4

Gilles Badouet badouetg at uni.coventry.ac.uk
Tue Jul 2 11:46:08 EDT 2013


Thanks for your info Scott,

I configured IDP for a Username/pwd authentication method in the handler.xml file and set LDAP JAAS in the login.config as below:

ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="amlib.co.uk"
        base="cn=Users,DC=ADdomain,dc=institution,dc=ie"
        ssl="false"
        userField="samAccountName"
        subtreeSearch="true"
        referral="follow"
        serviceUser="Administrator@ADdomain"
        serviceCredential="mypwd"
        ;
};

In the attribute-resolver.xml, I set the LDAP connector as below:

<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://amlib.co.uk" baseDN="cn=Users,DC=ADdomain,dc=institution,dc=ie"
        principal="Administrator@ADdomain"
        principalCredential="mypwd">
    <FilterTemplate>
        <![CDATA[
            (samAccountName=$requestContext.principalName)
        ]]>
    </FilterTemplate>
</resolver:DataConnector>


The IDP process log is raising an error: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.  The root cause of this error was: edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: Unable to retrieve LDAP connection

I note that I am using OpenDJ 2.7 as my LDAP server.


How can I deal with that issue, or what is the simplest approach for the authentication process?

Kind regards

Gilles Rubens Badouet

Student ID: 3940347

Faculty of Engineering and Computing

MSc Network Computing Course

Mobile: 07424486426
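Added diagnostic, not from the thread and not part of Shibboleth or the vt-ldap JAAS module: it cross-checks the login.config module and the attribute-resolver connector quoted above against each other, parses the ldapURL, and renders the FilterTemplate with RFC 4515 escaping. The configuration values are transcribed from the post; the check logic, default ports and the "@" restored in the service account are this example's assumptions.

```python
from urllib.parse import urlparse

# Values transcribed from the posted login.config and attribute-resolver.xml
# (the archive's "at" in the service account is assumed to be "@").
JAAS = {"host": "amlib.co.uk", "ssl": "false", "userField": "samAccountName",
        "base": "cn=Users,DC=ADdomain,dc=institution,dc=ie",
        "serviceUser": "Administrator@ADdomain"}
RESOLVER = {"ldapURL": "ldap://amlib.co.uk",
            "baseDN": "cn=Users,DC=ADdomain,dc=institution,dc=ie",
            "principal": "Administrator@ADdomain",
            "filterTemplate": "(samAccountName=$requestContext.principalName)"}

def parse_ldap_url(url):
    """Return (host, port, tls) for an ldap:// or ldaps:// URL, applying default ports."""
    u = urlparse(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    tls = u.scheme == "ldaps"
    return u.hostname, u.port or (636 if tls else 389), tls

def escape_filter_value(value):
    """RFC 4515 escaping: a principal name must not be able to change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def render_filter(template, principal):
    """Substitute the IdP's $requestContext.principalName placeholder, escaped."""
    return template.replace("$requestContext.principalName", escape_filter_value(principal))

def consistency_warnings(jaas, resolver):
    """Flag differences between the JAAS module and the resolver connector, plus
    the plaintext-bind risk; both configs must describe the same directory."""
    host, port, tls = parse_ldap_url(resolver["ldapURL"])
    warns = []
    if host.lower() != jaas["host"].lower():
        warns.append("host differs: %s vs %s" % (jaas["host"], host))
    if tls != (jaas["ssl"].lower() == "true"):
        warns.append("TLS differs between JAAS ssl= and the ldapURL scheme")
    if jaas["base"].lower() != resolver["baseDN"].lower():
        warns.append("search base differs")
    if jaas["serviceUser"] != resolver["principal"]:
        warns.append("service account differs")
    if not tls:
        warns.append("plaintext LDAP on port %d: the service bind password crosses the wire unencrypted" % port)
    return warns

if __name__ == "__main__":
    for w in consistency_warnings(JAAS, RESOLVER):
        print("WARNING:", w)
    print(render_filter(RESOLVER["filterTemplate"], "jdoe"))
```

Run on the posted values it reports only the plaintext bind; a host that is reachable on the parsed port, a bind that succeeds with the service account, and a userField/filter attribute that exists in the directory's schema are the next things to confirm when the resolver reports "Unable to retrieve LDAP connection".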

________________________________________
From: users-bounces at shibboleth.net [users-bounces at shibboleth.net] on behalf of users-request at shibboleth.net [users-request at shibboleth.net]
Sent: 01 July 2013 19:28
To: users at shibboleth.net
Subject: users Digest, Vol 25, Issue 4

Today's Topics:

   1. RE: Remote IdP not responding? (Cantor, Scott)
   2. RE: attribute filter rule "PermitValueRule" not working
      (Cantor, Scott)
   3. RE: Error decoding authentication request message & SAML
      response  contained an error (Cantor, Scott)
   4. Re: anyone have experience with OKTA ? (orph351)
   5. Re: attribute filter rule "PermitValueRule" not working
      (Kent Nasveschuk)
   6. Re: attribute filter rule "PermitValueRule" not working
      (Paul Hethmon)


----------------------------------------------------------------------

Message: 1
Date: Mon, 1 Jul 2013 17:41:28 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
Subject: RE: Remote IdP not responding?
To: Shib Users <users at shibboleth.net>
Message-ID:
        <BA63CEAE152A7742B854C678D9491383945FFC35 at CIO-KRC-D1MBX01.osuad.osu.edu>

Content-Type: text/plain; charset="us-ascii"

> 1) They sent us the proper metadata file by encrypted mail. If we are
> using SOLELY their metadata file, do we even need to have a
> MetadataProvider URI specified?

You *can't* have one specified in that event.

> If so, where will Shibd want that file to be located? Our guess is
> /etc/shibboleth but I don't see any documentation for that location.

It's etc/shibboleth (look at all the other unqualified files in the configuration).

> Does the actual fine name matter, or do we have control over that?

That's up to you.

> However, the Metadata file shows this for a SSO Redirect:

That has nothing to do with the entityID, that's a location for an endpoint.

> Should the SSO entityID then be this:

Absolutely not.

> For this to all work, should the local MetadataProvider stanza come
> before any other of the other stanzas?

Assuming you mean the XML elements in the file, most of the elements inside <ApplicationDefaults> can be in any order now.

-- Scott

------------------------------

Message: 2
Date: Mon, 1 Jul 2013 17:44:36 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
Subject: RE: attribute filter rule "PermitValueRule" not working
To: Shib Users <users at shibboleth.net>
Message-ID:
        <BA63CEAE152A7742B854C678D9491383945FFC4A at CIO-KRC-D1MBX01.osuad.osu.edu>

Content-Type: text/plain; charset="utf-8"

> I don't see where the problem is.

I have to think that's not the file it's really using, or there's a second filter policy file configured.

Or I suppose there's some weird config parsing issue, so if you can reproduce on 2.4, we can certainly take a bug report if that same file produces that error.

-- Scott


------------------------------

Message: 3
Date: Mon, 1 Jul 2013 17:46:16 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
Subject: RE: Error decoding authentication request message & SAML response contained an error
To: Shib Users <users at shibboleth.net>
Message-ID:
        <BA63CEAE152A7742B854C678D9491383945FFC60 at CIO-KRC-D1MBX01.osuad.osu.edu>

Content-Type: text/plain; charset="us-ascii"

> I first encountered the following problem: "Error decoding authentication
> request message" when trying to browse  https://ans.247.com/secure. It
> looks like the authentication request is sent to the Idp, but no authentication
> response since the url I get back for the above error message is
> https://amlib.co.uk:8443/idp/profile/SAML2/Redirect/SSO . When I also
> looked at the shibd log, I could read  "no metadata found, can't establish
> identity of issuer (https://amlib.co.uk/idp:8443/shibboleth)".  I thought that
> it was an issue at the level of metadata configuration in Shibboleth2.xml file.

Those errors are very different unrelated things.

> Error from identity provider:
>
>       Status: urn:oasis:names:tc:SAML:2.0:status:Responder
>       Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

Your IdP has no login handler configured to do anything, apparently. Search the archive and you'll find many messages related to the issue, or more to the point just read the documentation on configuring the authentication method.

-- Scott

------------------------------

Message: 4
Date: Mon, 1 Jul 2013 11:18:01 -0700 (PDT)
From: orph351 <or at maclellan.net>
Subject: Re: anyone have experience with OKTA ?
To: users at shibboleth.net
Message-ID: <1372702681590-7588068.post at n2.nabble.com>
Content-Type: text/plain; charset=us-ascii

We use the Okta SAML sync for our SalesForce.com users. It's great having a
homepage where users can have multiple apps for the various SalesForce
instances they have to log into (i.e. support sites, portals, sandboxes,
etc.). Okta has also been useful for our Office 365 instance, which requires
a different username and password when we rolled it out. We have actually
seen a decrease in the number of locked out users since moving to Okta as
well. No advertising here, just real world experience.



------------------------------

Message: 5
Date: Mon, 1 Jul 2013 14:21:04 -0400 (EDT)
From: Kent Nasveschuk <knasveschuk at mbl.edu>
Subject: Re: attribute filter rule "PermitValueRule" not working
To: Shib Users <users at shibboleth.net>
Message-ID: <279954651.7185875.1372702864739.JavaMail.root at mbl.edu>
Content-Type: text/plain; charset="utf-8"

I just got 2.3.7 running, I can try on 2.4 but won't be for a while. I have a way around for my purposes right now, but that would sure come in handy.

I also tried "DenyValueRule", didn't work either, different error message. I only have 1 value to exclude, so it would be simpler to to use that.

Will keep hunting...


------------------------------

Message: 6
Date: Mon, 1 Jul 2013 18:27:53 +0000
From: Paul Hethmon <paul.hethmon at clareitysecurity.com>
Subject: Re: attribute filter rule "PermitValueRule" not working
To: Shib Users <users at shibboleth.net>
Message-ID: <CDF74224.35C1E%paul.hethmon at clareitysecurity.com>
Content-Type: text/plain; charset="us-ascii"

One thing to try is to remove all the rules in attribute-filter.xml and then slowly add them in until you get the error message. Your file was pretty small, it wouldn't take long.

Paul


------------------------------


End of users Digest, Vol 25, Issue 4