Which handler LDAP SSO

Morris, Andi amorris at cardiffmet.ac.uk
Wed Nov 12 09:08:02 EST 2014

Ok, thanks Peter.
I'm getting somewhere with this, slowly and frustratingly so.

I have Kerberos running between my idp box and my Active Directory servers, that was the easy bit. 

I've gone through https://crypt.ncl.ac.uk/login-gateway/docs/Shibboleth_SPNEGO_Setup.pdf up until the part where the login.jsp is modded to autodetect browsers, ip addresses and relying parties, as I don't think that's necessary for my site. I've also been cross referencing these against the documentation at https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler which had some confusing parts, but I think I've made it through the majority. I wasn't sure with the section at the beginning of the handler.xml in the wiki as it doesn't describe whether to add these new schemas, replace the old ones, and amend them for the shibboleth setup. I ended up putting:

<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xmlns:krb="http://www.switch.ch/aai/idp/kerberos" krb:schemalocation="http://www.switch.ch/aai/idp/kerberos classpath:/schema/kerberos-login-handler.xsd"
                        xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd">

Is this correct?

However the main part I'm getting stuck on is the configuration of the attribute resolver. When restarting tomcat I get the following in the idp-process.log:
13:56:17.734 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.AttributeResolver
13:56:17.790 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.  The root cause of this error was: org.xml.sax.SAXParseException: Key 'DataConnectorAttributeDefinitionDependencyRef' with value 'HTTP/servername.cardiffmet.ac.uk' not found for identity constraint of element 'AttributeResolver'.

Now clearly it doesn't like the prinicipal name here. attribute-resolver.conf has the following configuration for that part, as taken from https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver:
    <resolver:DataConnector id="fhnwAdmLDAP"
        principalCredential="${ldap.credential}" >
      <resolver:Dependency ref="HTTP/servername.cardiffmet.ac.uk" />
      <resolver:Dependency ref="INTERNAL.DOMAIN.AC.UK" />
(mail=$requestContext.principalName) - matches UsernamePassword Principal
&(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos Principal
        <dc:LDAPProperty name="java.naming.referral" value="follow"/>

What have I missed here.

Thanks in advance for any help,

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 11 November 2014 13:03
To: users at shibboleth.net
Subject: Re: Which handler LDAP SSO

* Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-11 13:44]:
> Thanks. I have UsernamePassword configured at the moment and I'm 
> having trouble getting the bind to work so that users can login, but 
> I'll continue to work on that.

This is all within the JAAS config file, login.config, as per the Shib documentation.

> However, when running against test shib I'm being shown a login 
> screen, as expected at the moment.

Yes, https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUserAuthn

  Presents the user with an authentication page and then checks the
  entered username and password against an LDAP directory or Kerberos 5

So the UsernamePassword will generate HTML to collect credentials, and validate them via LDAP (or Kerberos, but that doesn't change the fact that a HTML form is rendered at the IDP).

> When I have the ldap running correctly will the users still be shown 
> this screen if they already currently have valid windows credentials


> or will I need to configure this with Kerberos? What we have at the 
> moment is users being logged on without being prompted when they 
> access a shibboleth resource internally.

You'll have to do something entirely different:


The folks from Uni Newcastle have quite complete documentation for this, IIRC, if you (or your peers from the UKfederation) don't find anything better to offer try this:
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list