Need to modify AuthnContextClassRef in ExternalAuth

Stefan Santesson stefan at aaa-sec.com
Mon Dec 21 12:46:27 EST 2015


Tried to post this as a new thread but it doesn’t show up. Trying again in the original thread. Sorry for any double posting.


I have upgraded the IdP from 3.1.1 to 3.2.1

The principal is accepted:

2015-12-21 17:07:48,249 - DEBUG [net.shibboleth.idp.authn.impl.FinalizeAuthentication:262] - Profile Action FinalizeAuthentication: Principal 'http://id.elegnamnden.se/loa/1.0/loa2' in authentication result satisfies request for principal 'http://id.elegnamnden.se/loa/1.0/loa2'


Then the following error appears on the next log entry:

2015-12-21 17:07:48,250 - DEBUG [net.shibboleth.idp.session.impl.UpdateSessionWithAuthenticationResult:221] - Profile Action UpdateSessionWithAuthenticationResult: Creating new session for principal 170001010017
2015-12-21 17:07:48,252 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Storage object was not present in session
	at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
2015-12-21 17:07:48,253 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: RuntimeException


I’ve spent hours trying to figure this one out, but nothing works.
Any hint what this is caused by?

/Stefan





On 19/12/15 14:41, "users on behalf of Stefan Santesson" <users-bounces at shibboleth.net on behalf of stefan at aaa-sec.com> wrote:

>I do have a clue what the problem might be.
>
>I noticed that the AuthnContextClassRefPrincipal class, as well as the default setting for shibboleth.authn.External.addDefaultPrincipals is not available in version 3.1.1 but only in 3.2.0 and onward.
>I suspect that my IdP version is too old and that I need to upgrade.
>
>I’ll update and see if that solves it.
>
>/Stefan
>
>
>
>
>On 19/12/15 04:26, "users on behalf of Stefan Santesson" <users-bounces at shibboleth.net on behalf of stefan at aaa-sec.com> wrote:
>
>>Scott,
>>
>>
>>
>>
>>>>
>>>>Add an object of type AuthnContextClassRefPrincipal with the value you want to the Subject's principal collection.
>>>>
>>>>-- Scott
>>
>>Actually, this didn’t work.
>>
>>
>>My authn/External bean is defined as:
>>
>><bean id="authn/External" parent="shibboleth.AuthenticationFlow"
>>            p:nonBrowserSupported="false" 
>>            p:passiveAuthenticationSupported="false"
>>            p:forcedAuthenticationSupported="true">
>>            <property name="supportedPrincipals">
>>                <util:list>
>>                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa2"/>
>>                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa3"/>
>>                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa4"/>
>>                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa2-sigmessage"/>
>>                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa3-sigmessage"/>
>>                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa4-sigmessage"/>
>>                </util:list>
>>            </property>
>>        </bean>
>>
>>External-auth-config.xml contains:  <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />
>>
>>
>>The AuthnRequest sends request for 2 supported class refs:
>>
>><saml2p:RequestedAuthnContext Comparison="exact">
>>        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
>>        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://id.elegnamnden.se/loa/1.0/loa3-sigmessage</saml2:AuthnContextClassRef>
>>    </saml2p:RequestedAuthnContext>
>>
>>
>>
>>The External Auth module sets the http://id.elegnamnden.se/loa/1.0/loa3-sigmessage as the context class ref for the response by:
>>
>>import java.security.Principal;
>>import javax.security.auth.Subject;
>>import net.shibboleth.idp.authn.principal.UsernamePrincipal;
>>import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
>>
>>Principal principal = new UsernamePrincipal(principalName);
>>Principal accPrincipal = new AuthnContextClassRefPrincipal("http://id.elegnamnden.se/loa/1.0/loa3-sigmessage");
>>Subject subj = new Subject();
>>subj.getPrincipals().add(principal);
>>subj.getPrincipals().add(accPrincipal);
>>request.setAttribute("subject", subj);  // ExternalAuthentication.SUBJECT_KEY
>>
>>
>>But the assertion is returned with AuthnContextClassRef = http://id.elegnamnden.se/loa/1.0/loa3
>>
>>What am I doing wrong here?
>>
>>
>>/Stefan
>>
>>
>>
>>
>>
>>
>>-- 
>>To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
>-- 
>To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
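The External flow wiring that the quoted Subject-building snippet above belongs to, as an added example; this is not code from this thread or from the Shibboleth project. Assumed for the example: the servlet class name ExternalLoaServlet, the session attribute names ext.authn.user and ext.authn.classRef (written by some earlier server-side authentication step, never taken from browser-supplied parameters), and an IdP 3.2.x API where ExternalAuthentication.startExternalAuthentication returns the key that finishExternalAuthentication takes back. The allow-list mirrors the six supportedPrincipals of the quoted authn/External bean, and because the quoted configuration sets addDefaultPrincipals to FALSE, the servlet itself has to put the one AuthnContextClassRefPrincipal it wants onto the Subject. A class ref the IdP never advertised is refused rather than passed through, so the external system cannot assert a level of assurance the IdP was not configured for.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;

/**
 * Example External authentication servlet (class name and session attribute
 * names are assumptions made for this example, not Shibboleth conventions).
 */
public class ExternalLoaServlet extends HttpServlet {

    // Must match the supportedPrincipals list of the authn/External bean.
    // Anything else is rejected so the external system cannot inject an
    // AuthnContextClassRef that the IdP never advertised in its metadata.
    private static final Set<String> ALLOWED_CLASS_REFS = Collections.unmodifiableSet(
        new HashSet<>(Arrays.asList(
            "http://id.elegnamnden.se/loa/1.0/loa2",
            "http://id.elegnamnden.se/loa/1.0/loa3",
            "http://id.elegnamnden.se/loa/1.0/loa4",
            "http://id.elegnamnden.se/loa/1.0/loa2-sigmessage",
            "http://id.elegnamnden.se/loa/1.0/loa3-sigmessage",
            "http://id.elegnamnden.se/loa/1.0/loa4-sigmessage")));

    // Assumed names of server-side session attributes written by the external
    // authentication step. They are never read from request parameters.
    private static final String EXT_USER_ATTR = "ext.authn.user";
    private static final String EXT_LOA_ATTR = "ext.authn.classRef";

    @Override
    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Bind this request to the IdP's authentication flow; the returned
            // key is what hands control back to the IdP afterwards.
            final String key = ExternalAuthentication.startExternalAuthentication(request);

            // Do not create a session here; if none exists, authentication did not happen.
            final HttpSession session = request.getSession(false);
            final String user = session == null ? null : (String) session.getAttribute(EXT_USER_ATTR);
            final String classRef = session == null ? null : (String) session.getAttribute(EXT_LOA_ATTR);

            final Subject subject = buildSubject(user, classRef);
            if (subject == null) {
                // Report a failure event instead of handing back an empty or
                // unverified Subject; the IdP maps this to its error handling.
                request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        AuthnEventIds.NO_CREDENTIALS);
            } else {
                // One Subject carrying both the user name and the single
                // context class the IdP should put into the assertion.
                request.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);
            }
            ExternalAuthentication.finishExternalAuthentication(key, request, response);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("External authentication failed", e);
        }
    }

    /**
     * Builds the Subject for the IdP, or returns null when the user name is
     * missing or the asserted class ref is not one the flow is configured for.
     */
    static Subject buildSubject(final String user, final String classRef) {
        if (user == null || user.isEmpty() || classRef == null) {
            return null;
        }
        if (!ALLOWED_CLASS_REFS.contains(classRef)) {
            return null;
        }
        final Subject subject = new Subject();
        subject.getPrincipals().add(new UsernamePrincipal(user));
        subject.getPrincipals().add(new AuthnContextClassRefPrincipal(classRef));
        return subject;
    }
}
```

The allow-list check is the part worth keeping even if the rest is replaced: an External flow is only as trustworthy as the system behind it, and a comparison against the flow's own supportedPrincipals is the cheapest way to make sure the AuthnContextClassRef that ends up in the assertion is one the relying parties were told to expect.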



More information about the users mailing list