Idp not working with sp.testshib.org
Alvarez, Dyana I
d.alvarez2 at miami.edu
Wed May 28 14:19:48 EDT 2014
Hi,
I would like to know if anyone can help me. Recently I had a Shibboleth Workshop and was able to install Shibboleth in a Virtual Machine running Windows Server 2007.
I configured my IdP to connect to the InCommon Training SP and the SP on testshib.org.
Both worked 2 months ago.
Unfortunately, time has passed by and now neither works. Right now I am trying to make my IdP work again. I had to activate the Windows OS with a Product ID key that we have at work. The Windows OS was only valid for a few weeks after the workshop ended.
I have revised all my steps in the configuration and everything seems to be okay. I didn't make any changes. So before I download another training IdP VM and re-install everything, I'd like to give it a shot and make this work.
I've been searching for anything similar, but there were always errors in the logs. For me, there are no errors. Could it be testshib.org is down?
This is what I've done so far.
I restarted Apache Tomcat 6.0 and when I type the URL https://localhost/idp/status in a browser on the server, I get the following (partial information):
=============================================================================
### Operating Environment Information
operating_system: Windows Server 2008
operating_system_version: 6.0
operating_system_architecture: x86
jdk_version: 1.6.0_43
available_cores: 1
used_memory: 72MB
maximum_memory: 185MB
start_time: 2014-05-27T13:53:53Z
current_time: 2014-05-27T14:38:02Z
uptime: 2648855ms
### Identity Provider Information
idp_version: 2.4.0
idp_start_time: 2014-05-27T13:53:53Z
attribute_resolver_valid: true
### Relying Party Configurations
relying_party_id: anonymous
idp_entity_id: https://my.special.alvarez/idp/shibboleth
default_authentication_method: none
default_signing_tls_key:
===============================================================================================
When I check https://localhost/idp/shibboleth on the server, I get the usual IdP metadata that I had 2 months ago, which was working.
I've also checked my ports 443 and 8443:
===============================================================================================
C:\Users\Administrator>netstat -an | find "TCP" | find "LISTEN"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8009 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8005 0.0.0.0:0 LISTENING
TCP 192.168.230.133:139 0.0.0.0:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:443 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:3389 [::]:0 LISTENING
TCP [::]:8009 [::]:0 LISTENING
TCP [::]:8080 [::]:0 LISTENING
TCP [::]:8443 [::]:0 LISTENING
TCP [::]:47001 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
TCP [::]:49157 [::]:0 LISTENING
===============================================================================================
I uploaded my IdP metadata to testshib.org again, and got a successful upload (though I had uploaded it 2 months ago as well).
I got my IdP from https://localhost/idp/profile/Metadata/SAML and saved it to an XML file and uploaded it.
Then I downloaded the testshib SP metadata and placed it in C:\opt\shibboleth-idp\metadata\tstshib.xml, which had been there since 2 months ago, but I replaced the content.
Also, I had configured the InCommon training SP and TestShib:
<metadata:MetadataProvider id="ShibbTrainMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata" metadataURL="http://md.training.incommon.org/downloads/ShibTrain1-metadata.xml"
backingFile="c:\opt\shibboleth-idp\metadata\ShibTrain1-metadata.xml" />
<metadata:MetadataProvider id="TestShibMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata" metadataURL="http://www.testshib.org/metadata/testshib-providers.xml"
backingFile="c:\opt\shibboleth-idp\metadata\tstshib.xml"/>
However, neither works. I am assuming the InCommon Training SP expired and is no longer used because it was such a long time ago. However, I expected testshib to work, but it doesn't.
This is what I get when I go to sp.testshib.org and put https://my.special.alvarez/idp/shibboleth to test:
=============================================================
Unable to connect
Firefox can't establish a connection to the server at my.special.alvarez.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
==============================================================
I checked the firewall and it's off and I am able to surf the web using Firefox.
I checked the logs in file:///C:/Program%20Files/Apache%20Software%20Foundation/Tomcat%206.0/logs/catalina.2014-05-27.log and found no errors (partial file).
======================================
INFO: Stopping Coyote HTTP/1.1 on http-8443
May 27, 2014 8:53:47 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;.
May 27, 2014 8:53:48 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
May 27, 2014 8:53:48 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
May 27, 2014 8:53:48 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
May 27, 2014 8:53:48 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1308 ms
May 27, 2014 8:53:48 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
May 27, 2014 8:53:48 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.36
May 27, 2014 8:53:48 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor idp.xml
May 27, 2014 8:53:53 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
May 27, 2014 8:53:53 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
May 27, 2014 8:53:54 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-443
May 27, 2014 8:53:54 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
May 27, 2014 8:53:55 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
May 27, 2014 8:53:55 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/31 config=null
May 27, 2014 8:53:55 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7203 ms
========================================
I checked the logs in file:///C:/opt/shibboleth-idp/logs/idp-process.log and found no errors (last few lines):
========================================
08:53:53.569 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2SLO
08:53:53.569 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2AttributeQuery
08:53:53.569 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2ArtifactResolution
08:53:53.741 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.HandlerManager service loaded new configuration
08:58:53.990 - INFO [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:803] - PKIX validation info cache cleared
08:58:53.990 - INFO [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:803] - PKIX validation info cache cleared
09:03:55.020 - INFO [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:803] - PKIX validation info cache cleared
=========================================
This IdP installation was working before, until I put in a new Product Id.
I am not sure if it's related but if anyone can guide me how to troubleshoot since I see no errors I can search or anything that would indicate why it no longer works.
Perhaps I would need to increase the error level in the logs.
I can't think of anything else so perhaps someone can tell me what else I can do. Any help would be greatly appreciated.
Worst case, I can always re-install Shibboleth (re-do the VM).
I should mention that this VM IdP worked on my laptop, but I moved the VM to my PC and now it doesn't work. I also put in a new Product ID for the Windows Server so it would not expire.
Thanks!
Dyana Alvarez
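
The browser error quoted in the message is about reaching the IdP's host name, so one check to run from the client machine is whether every endpoint host listed in the IdP metadata resolves and accepts a TCP connection. The following is an added sketch of that check, not part of the original post; the sample metadata is constructed (only the host name comes from the message) and the function names are illustrative.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a cut-down IdP metadata document using the entityID host
# from the post; the endpoint paths are illustrative.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my.special.alvarez/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://my.special.alvarez:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my.special.alvarez/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def endpoint_targets(metadata_xml):
    """Return the sorted (host, port) pairs named by every Location attribute."""
    targets = set()
    for elem in ET.fromstring(metadata_xml).iter():
        loc = elem.get("Location")
        if loc:
            url = urlsplit(loc)
            port = url.port or (443 if url.scheme == "https" else 80)
            targets.add((url.hostname, port))
    return sorted(targets)

def check_target(host, port, resolve=socket.getaddrinfo,
                 connect=socket.create_connection, timeout=3.0):
    """Classify one endpoint as 'dns-failure', 'connect-failure' or 'ok'."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"          # the name does not resolve on this machine
    for info in infos:
        try:
            connect(info[4][:2], timeout=timeout).close()
            return "ok"
        except OSError:
            continue                  # try the next resolved address
    return "connect-failure"          # resolves, but nothing answers on the port

if __name__ == "__main__":
    for host, port in endpoint_targets(SAMPLE_METADATA):
        print(f"{host}:{port} -> {check_target(host, port)}")
```

The `resolve` and `connect` parameters exist so the classification can be exercised without network access; run as a script, it uses the real resolver and sockets of the machine it runs on.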