idp login issue connecting to ldap
Jason Separovic
jseppa01 at gmail.com
Sun Aug 2 17:05:08 EDT 2015
Here's the config that has been modified from the defaults:
[root at dev1 conf]# more attribute-resolver.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Attribute resolver for the jseppa.com IdP, modified from the v3 defaults.
  Attribute definitions: eduPersonPrincipalName, uid, mail,
  eduPersonScopedAffiliation, googleNameID.
  Data connectors: staticAttributes (dc:Static) and ldap (dc:LDAPDirectory).
  The xsi:schemaLocation pairs are validation hints only; nothing should be
  fetched from those URLs at runtime.
-->
<resolver:AttributeResolver
xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
xmlns:sec="urn:mace:shibboleth:2.0:security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
urn:mace:shibboleth:2.0:resolver:pc
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
urn:mace:shibboleth:2.0:resolver:ad
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
urn:mace:shibboleth:2.0:resolver:dc
http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
urn:mace:shibboleth:2.0:attribute:encoder
http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
urn:mace:shibboleth:2.0:security
http://shibboleth.net/schema/idp/shibboleth-security.xsd">
<!-- eduPersonPrincipalName: the uid definition below, scoped with %{idp.scope}
     (jseppa.com in idp.properties). Encoded as SAML1 and SAML2 scoped strings. -->
<resolver:AttributeDefinition id="eduPersonPrincipalName"
xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
<resolver:Dependency ref="uid" />
<resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false"
/>
<resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
friendlyName="eduPersonPrincipalName" encodeType="false" />
</resolver:AttributeDefinition>
<!-- uid: by its type (ad:PrincipalName) this is the authenticated principal
     name; it has no data-connector dependency, so nothing is read from LDAP. -->
<resolver:AttributeDefinition id="uid" xsi:type="ad:PrincipalName">
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:uid" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
encodeType="false" />
</resolver:AttributeDefinition>
<!-- mail: built from the template "${uid}@jseppa.com", i.e. derived from the
     principal name rather than read from the directory. The CDATA section
     carries a leading and a trailing newline; assumes the template engine
     trims them (TODO confirm). -->
<resolver:AttributeDefinition id="mail" xsi:type="ad:Template">
<resolver:Dependency ref="uid" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
encodeType="false" />
<ad:Template>
<![CDATA[
${uid}@jseppa.com
]]>
</ad:Template>
<ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
<!-- eduPersonScopedAffiliation: the "affiliation" value from the static
     connector below, scoped with %{idp.scope}; every user gets the same value. -->
<resolver:AttributeDefinition id="eduPersonScopedAffiliation"
xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="affiliation">
<resolver:Dependency ref="staticAttributes" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</resolver:AttributeDefinition>
<!-- Fixed affiliation "member" for all users. -->
<resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
<dc:Attribute id="affiliation">
<dc:Value>member</dc:Value>
</dc:Attribute>
</resolver:DataConnector>
<!-- googleNameID: feeds the SAML2 attribute-sourced NameID generator in
     saml-nameid.xml; it only has a NameID encoder, so it is never released as
     a plain attribute. Note the dependency is the "ldap" connector, not the
     "mail" template definition above, so the value is whatever "mail" the
     directory returns for the user; confirm that is the intended source.
     Style: this element switches to default namespaces (xmlns= on the element
     and unprefixed xsi:type values) while the rest of the file uses the ad:
     and enc: prefixes; both are valid, but one style throughout reads better. -->
<resolver:AttributeDefinition xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
id="googleNameID"
sourceAttributeID="mail">
<resolver:Dependency ref="ldap" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>
<!-- LDAP connector: URL, base DN and bind credentials come from
     ldap.properties (idp.attribute.resolver.LDAP.*), where the filter is
     (uid=$requestContext.principalName). No ReturnAttributes element is given,
     so presumably every attribute of the matched entry is returned (verify);
     narrowing it to the attributes actually used (mail) limits what the IdP
     pulls from the directory. -->
<resolver:DataConnector id="ldap" xsi:type="dc:LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
<dc:FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</dc:FilterTemplate>
</resolver:DataConnector>
</resolver:AttributeResolver>
[root at dev1 conf]# more attribute-filter.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Attribute release policy. Two policies: one releases googleNameID to the
  Google SP, the other releases transientId to every requester whose entityID
  is not the literal string "google.com".
-->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns:afp="urn:mace:shibboleth:2.0:afp"
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp
http://shibboleth.net/schema/idp/shibboleth-afp.xsd
urn:mace:shibboleth:2.0:afp:mf:basic
http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
urn:mace:shibboleth:2.0:afp:mf:saml
http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd">
<!-- Matches the requester entityID declared in google-metadata.xml. Only
     googleNameID is released (any value); eduPersonPrincipalName, mail and the
     other resolver attributes do not reach this SP. -->
<afp:AttributeFilterPolicy id="google.com/a/jseppa.com">
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="google.com/a/jseppa.com" />
<afp:AttributeRule attributeID="googleNameID">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
<!-- NOTE(review): AttributeRequesterString compares the whole entityID
     string. The value here is "google.com" while the Google SP's entityID
     is "google.com/a/jseppa.com" (see the policy above), so this NOT rule
     does not exclude that SP and transientId is released to it as well.
     If the intent is to withhold transientId from Google, use the full
     entityID here. -->
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
<afp:PolicyRequirementRule xsi:type="basic:NOT">
<basic:Rule xsi:type="basic:AttributeRequesterString"
value="google.com" />
</afp:PolicyRequirementRule>
<afp:AttributeRule attributeID="transientId">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
[root at dev1 conf]# more ../metadata/google-metadata.xml
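<!--
  SP metadata for Google Apps (jseppa.com). Only the HTTP-POST ACS and the
  requested NameID format are declared. There is no KeyDescriptor, so the IdP
  cannot encrypt assertions for this SP; that only works because
  idp.encryption.optional is true in idp.properties, and confidentiality of
  the assertion then rests entirely on TLS to the https ACS below.
-->
<EntityDescriptor entityID="google.com/a/jseppa.com"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<!-- Must match the format of the SAML2 attribute-sourced generator in
     saml-nameid.xml. The closing tag is kept on one line: split across two
     lines the document is not well-formed. -->
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/jseppa.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>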
[root at dev1 conf]# egrep "^idp" idp.properties
# Non-default settings in idp.properties (lines matching ^idp).
idp.additionalProperties= /conf/ldap.properties,
/conf/saml-nameid.properties, /conf/services.properties
idp.entityID= https://sso.jseppa.com/idp/shibboleth
# Scope used by the ad:Scoped definitions in attribute-resolver.xml.
idp.scope= jseppa.com
idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
# Secrets redacted for the list post; keep it that way in any further paste.
idp.sealer.storePassword= xxxxxxx
idp.sealer.keyPassword= xxxxxxx
idp.signing.key= %{idp.home}/credentials/idp-signing.key
idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
# true lets the IdP send unencrypted assertions to an SP that publishes no
# encryption key (the Google metadata here has no KeyDescriptor). Required for
# that SP, but note it applies to every SP without a key, not just Google.
idp.encryption.optional = true
idp.session.enabled = true
# Only the Password flow is enabled. Which backend it uses (the LDAP
# authenticator configured in ldap.properties, or JAAS) is selected in
# conf/authn/password-authn-config.xml, which is not shown here; confirm it
# actually points the flow at the LDAP authenticator.
idp.authn.flows= Password
idp.authn.flows.initial = Password
# Administrative endpoints (status, resolvertest, reload) gated by client IP.
idp.status.accessPolicy= AccessByIPAddress
idp.resolvertest.accessPolicy= AccessByIPAddress
idp.reload.accessPolicy= AccessByIPAddress
idp.ui.fallbackLanguages= en,fr,de
[root at dev1 conf]# egrep "^idp" ldap.properties
# Authentication (idp.authn.LDAP.*), resolver (idp.attribute.resolver.LDAP.*)
# and pool (idp.pool.LDAP.*) settings from ldap.properties (lines matching ^idp).
# bindSearchAuthenticator: locate the user's DN with the bindDN below, then
# bind as the user to verify the password.
idp.authn.LDAP.authenticator = bindSearchAuthenticator
# Plain ldap:// with StartTLS and LDAPS both off: the manager credential and
# every user password cross this connection unencrypted. Acceptable only while
# the directory really is on the loopback interface; revisit before pointing
# this at a remote host. The sslConfig/trust* settings below are unused until
# one of the TLS options is turned on.
idp.authn.LDAP.ldapURL = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.connectTimeout = 3000
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.trustCertificates =
%{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.trustStore =
%{idp.home}/credentials/ldap-server.truststore
# Attributes fetched at authentication time (separate from the resolver
# connector, which declares no ReturnAttributes of its own).
idp.authn.LDAP.returnAttributes = cn,businessCategory,mail
idp.authn.LDAP.baseDN = ou=Users,dc=jseppa,dc=com
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
# NOTE(review): the directory manager account is used for the user search. A
# read-only service account with search rights on ou=Users is sufficient for
# this and limits what a leaked bind credential can do.
idp.authn.LDAP.bindDN =
cn=Manager,dc=jseppa,dc=com
idp.authn.LDAP.bindDNCredential = xxxxxxx
# dnFormat is presumably consulted only by the direct-bind authenticator, not
# by bindSearchAuthenticator selected above; verify before relying on it.
idp.authn.LDAP.dnFormat =
uid=%s,ou=Users,dc=jseppa,dc=com
# The resolver connector reuses the authentication connection settings.
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential =
%{idp.authn.LDAP.bindDNCredential}
# The ":true" is only a fallback for when idp.authn.LDAP.useStartTLS is
# undefined; it is defined as false above, so the resolver connection also
# runs without StartTLS.
idp.attribute.resolver.LDAP.useStartTLS =
%{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates =
%{idp.authn.LDAP.trustCertificates}
# Velocity template for the resolver search; the principal name is substituted
# into the filter. Confirm the connector escapes LDAP filter metacharacters in
# that value rather than inserting it verbatim.
idp.attribute.resolver.LDAP.searchFilter =
(uid=$requestContext.principalName)
# Connection pool: 3..10 connections, validated every 300 s rather than on
# checkout. failFastInitialize=false means the IdP still starts when the
# directory is unreachable at startup, so a dead LDAP does not surface as a
# startup error; check the IdP log rather than the startup status for it.
idp.pool.LDAP.minSize = 3
idp.pool.LDAP.maxSize = 10
idp.pool.LDAP.validateOnCheckout = false
idp.pool.LDAP.validatePeriodically = true
idp.pool.LDAP.validatePeriod = 300
idp.pool.LDAP.prunePeriod = 300
idp.pool.LDAP.idleTime = 600
idp.pool.LDAP.blockWaitTime = 3000
idp.pool.LDAP.failFastInitialize = false
[root at dev1 conf]# cat saml-nameid.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  NameID generation. SAML 1: transient only (the email-address generator
  remains commented out). SAML 2: transient, plus an attribute-sourced
  generator that emits the resolved googleNameID attribute with the
  "unspecified" format the Google SP metadata requests.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd"
default-init-method="initialize"
default-destroy-method="destroy">
<!-- SAML 1 NameIdentifier generators: transient only. -->
<util:list id="shibboleth.SAML1NameIdentifierGenerators">
<ref bean="shibboleth.SAML1TransientGenerator" />
<!--
<bean parent="shibboleth.SAML1AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
</util:list>
<!-- SAML 2 NameID generators. The attribute-sourced generator presumably only
     produces a value when googleNameID resolves and is released to the
     requester by attribute-filter.xml (confirm); the format must match the
     NameIDFormat in the SP metadata. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
<ref bean="shibboleth.SAML2TransientGenerator" />
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
p:attributeSourceIds="#{ {'googleNameID'} }" />
</util:list>
</beans>
[root at dev1 jetty]# more start.ini
# JVM options passed by the Jetty start script.
-Xmx512m
# PermGen no longer exists on Java 8 (java 1.8.0_51 is in use here), so this
# flag is ignored with a warning and can be dropped.
-XX:MaxPermSize=128m
jetty.threadPool.minThreads=10
jetty.threadPool.maxThreads=200
jetty.threadPool.idleTimeout=60000
# Scheme/port that confidential-transport redirects are sent to.
jetty.httpConfig.secureScheme=https
jetty.httpConfig.securePort=443
# jetty.httpConfig.outputBufferSize=32768
# jetty.httpConfig.outputAggregationSize=8192
# jetty.httpConfig.requestHeaderSize=8192
# jetty.httpConfig.responseHeaderSize=8192
# jetty.httpConfig.sendServerVersion=true
# jetty.httpConfig.sendDateHeader=false
# jetty.httpConfig.headerCacheSize=512
# jetty.httpConfig.delayDispatchUntilContent=true
# jetty.server.stopAtShutdown=true
# jetty.server.dumpAfterStart=false
# jetty.server.dumpBeforeStop=false
# Plain HTTP listener on every interface. The IdP login form submits a
# password, so make sure that form is only ever served and posted over the
# 443 listener (for example via a confidential transport guarantee on the IdP
# context); on an IdP host the port 80 listener is best restricted or removed.
jetty.http.host=0.0.0.0
jetty.http.port=80
# jetty.http.idleTimeout=30000
# jetty.http.soLingerTime=-1
# jetty.http.acceptors=-1
# jetty.http.selectors=-1
# jetty.http.acceptorQueueSize=0
# jetty.http.acceptorPriorityDelta=0
jetty.deploy.monitoredDir=webapps
jetty.deploy.scanInterval=5
jetty.deploy.extractWars=true
# Enabled modules. "http" is here, but no "https"/"ssl" module is listed; TLS
# is instead wired by the three etc/*.xml files at the end of this file.
# Confirm the 443 listener actually starts with that arrangement.
--module=home-base-warning
--module=ext
--module=resources
--module=server
--module=http
--module=deploy
--module=jsp
--module=websocket
--module=jstl
--module=plus
--module=servlets
--module=annotations
--module=logging
--module=requestlog
--module=jaas
--module=security
# TLS context and HTTPS connector configuration, included directly rather
# than through --module=https.
etc/jetty-ssl-context.xml
etc/jetty-ssl.xml
etc/jetty-https.xml
Software Versions
IDP 3.1.2
java version "1.8.0_51"
JCE unlimited installed:
jetty-9.3.1.v20150714 - 14 July 2015
Centos 6.5
openldap 2.4.39-8.el6
[root at dev1 bin]# ./aacli.sh --requester google.com/a/jseppa.com --principal
jason
{
"requester": "google.com/a/jseppa.com",
"principal": "jason",
"attributes": [
{
"name": "googleNameID",
"values": [
"StringAttributeValue{value=jason at jseppa.com}" ]
}
]
}
Any hints on where to look next would be greatly appreciated. There is
clearly no LDAP client request being made at all when I enter user/pass into
the login form.