ECP AuthNFailed Problem

Abie abie0416 at gmail.com
Tue Nov 11 20:17:23 EST 2014


Hi all, 

I am new to Shibboleth and struggling with getting ECP to work.

I am using Shibboleth 2.4.2 and I successfully use it to SSO to my SP
through a web browser, but encountered an AuthnFailed problem when posting to
idp/profile/SAML2/SOAP/ECP using the simple Python ECP client (by Scott K.).

I got a 500 error as a result, and when I printed the IdP response out I
found I got an AuthnFailed from posting to my local IdP (using the same
account that can sign in through the web browser):

<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
  <soap11:Header>
    <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
                  AssertionConsumerServiceURL="https://ecpvalidator.aaf.edu.au/Shibboleth.sso/SAML2/ECP"
                  soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
                  soap11:mustUnderstand="1"/>
    <samlec:GeneratedKey xmlns:samlec="urn:ietf:params:xml:ns:samlec"
                         soap11:actor="http://schemas.xmlsoap.org/soap/actor/next">2MUwdFPB+I033WDtHpk3097/UoyvuFMriYIf/GmNTko=</samlec:GeneratedKey>
  </soap11:Header>
  <soap11:Body>
    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     ID="_c881cca801d5229e44d6cda9148f3321"
                     InResponseTo="_6639a176fcfaaef28d6e76b2b377a58f"
                     IssueInstant="2014-11-12T00:29:34.540Z"
                     Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://win-nd37jahnc0d.corp.example.com/idp/shibboleth</saml2:Issuer>
      <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
          <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
        </saml2p:StatusCode>
      </saml2p:Status>
    </saml2p:Response>
  </soap11:Body>
</soap11:Envelope>

I have followed the IdPEnableECP wiki page and set up the realm in Tomcat.

The Tomcat log didn't show anything but the start-up message.
The IdP logs show some warnings:

23:45:35.884 - INFO [Shibboleth-Access:73] - 20141111T234535Z|0:0:0:0:0:0:0:1|localhost:9443|/profile/SAML2/SOAP/ECP|
23:45:35.885 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler:570] - REMOTE_USER not set, unable to set principal name
23:45:35.885 - WARN [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:81] - SPSSODescriptor role metadata for entityID 'https://ecpvalidator.aaf.edu.au/shibboleth' could not be resolved
23:45:35.886 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:305] - No metadata for relying party https://ecpvalidator.aaf.edu.au/shibboleth, treating party as anonymous
23:45:35.891 - INFO [Shibboleth-Audit:1028] - 20141111T234535Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_2dedb37aa23b52ee2d435a6469f60557|https://ecpvalidator.aaf.edu.au/shibboleth|urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp|*/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_e048260bcb91864196f75f26f31f7ab4||||||

BTW, forget about the https://ecpvalidator.aaf.edu.au/shibboleth thing; I
just found it online to test my IdP. The key problem is that I couldn't auth
through my local IdP BEFORE it makes a sign-in post to it.

Any help would be appreciated.

- Abie 
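An added example (not from the post above or from the Shibboleth project) showing how an ECP client should read the nested saml2p:StatusCode chain of a response like the one quoted, so that a Responder/AuthnFailed result is reported as a failure instead of being relayed to the SP. The sample envelope is constructed and modelled on the failed response in the post, with the ACS URL replaced by a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap11": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Constructed sample modelled on the failed response quoted in the post
# (header trimmed, ACS URL replaced by a placeholder).
SAMPLE_FAILED = """<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
 <soap11:Header>
  <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
   AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
 </soap11:Header>
 <soap11:Body>
  <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
   <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </saml2p:StatusCode>
   </saml2p:Status>
  </saml2p:Response>
 </soap11:Body>
</soap11:Envelope>"""

def status_chain(envelope_xml):
    """StatusCode Values of the SAML Response in the SOAP body, outermost first.
    The IdP nests the specific reason (AuthnFailed) inside the generic Responder."""
    root = ET.fromstring(envelope_xml.encode("utf-8"))
    code = root.find("soap11:Body/saml2p:Response/saml2p:Status/saml2p:StatusCode", NS)
    chain = []
    while code is not None:
        chain.append(code.get("Value"))
        code = code.find("saml2p:StatusCode", NS)
    return chain

def diagnose(envelope_xml):
    """Short explanation of the IdP status for the client's error output."""
    chain = status_chain(envelope_xml)
    if chain[:1] == [SUCCESS]:
        return "ok"
    if AUTHN_FAILED in chain:
        # The Shibboleth 2.x ECP handler takes the principal from REMOTE_USER, so this
        # pairs with "REMOTE_USER not set": the container realm never authenticated us.
        return "authn-failed: container did not set REMOTE_USER"
    return "failed: " + " -> ".join(chain or ["<no Status>"])
```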



--
View this message in context: http://shibboleth.1660669.n2.nabble.com/ECP-AuthNFailed-Problem-tp7608795.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.

