Need to modify AuthnContextClassRef in ExternalAuth
cneberg
cneberg at gmail.com
Mon Dec 21 13:38:22 EST 2015
Does the problem happen only when you enable
shibboleth.authn.External.addDefaultPrincipals and request a specific auth
type or all of the time? Did you create your own principal class - which
might have serialization issues?
Did this problem happen before you upgraded to 3.2.1?
-Christopher
On Mon, Dec 21, 2015 at 11:46 AM, Stefan Santesson <stefan at aaa-sec.com>
wrote:
> Tried to post this as a new thread but it doesn’t show up. Trying again in
> the original thread. Sorry for any double posting.
>
>
> I have upgraded the IdP from 3.1.1 to 3.2.1
>
> The principal is accepted:
>
> 2015-12-21 17:07:48,249 - DEBUG [net.shibboleth.idp.authn.impl.FinalizeAuthentication:262]
> - Profile Action FinalizeAuthentication: Principal 'http://id.elegnamnden.se/loa/1.0/loa2'
> in authentication result satisfies request for principal 'http://id.elegnamnden.se/loa/1.0/loa2'
>
>
> Then the following error appears on the next log entry:
>
> 2015-12-21 17:07:48,250 - DEBUG [net.shibboleth.idp.session.impl.UpdateSessionWithAuthenticationResult:221]
> - Profile Action UpdateSessionWithAuthenticationResult: Creating new session for principal 170001010017
> 2015-12-21 17:07:48,252 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
> net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Storage object was not present in session
> at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
> 2015-12-21 17:07:48,253 - WARN [org.opensaml.profile.action.impl.LogEvent:76]
> - An error event occurred while processing the request: RuntimeException
>
>
> I’ve spent hours trying to figure this one out, but nothing works.
> Any hint what this is caused by?
>
> /Stefan
>
> On 19/12/15 14:41, "users on behalf of Stefan Santesson" <
> users-bounces at shibboleth.net on behalf of stefan at aaa-sec.com> wrote:
>
> >I do have a clue what the problem might be.
> >
> >I noticed that the AuthnContextClassRefPrincipal class, as well as the
> >default setting for shibboleth.authn.External.addDefaultPrincipals, is not
> >available in version 3.1.1 but only in 3.2.0 and onward.
> >I suspect that my IdP version is too old and that I need to upgrade.
> >
> >I’ll update and see if that solves it.
> >
> >/Stefan
> >
> >On 19/12/15 04:26, "users on behalf of Stefan Santesson" <
> users-bounces at shibboleth.net on behalf of stefan at aaa-sec.com> wrote:
> >
> >>Scott,
> >>
> >>>>Add an object of type AuthnContextClassRefPrincipal with the value you
> >>>>want to the Subject's principal collection.
> >>>>
> >>>>-- Scott
> >>
> >>Actually, this didn’t work.
> >>
> >>
> >>My auth/External bean is defined as:
> >>
> >><bean id="authn/External" parent="shibboleth.AuthenticationFlow"
> >>      p:nonBrowserSupported="false"
> >>      p:passiveAuthenticationSupported="false"
> >>      p:forcedAuthenticationSupported="true">
> >>    <property name="supportedPrincipals">
> >>        <util:list>
> >>            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa2"/>
> >>            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa3"/>
> >>            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa4"/>
> >>            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa2-sigmessage"/>
> >>            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa3-sigmessage"/>
> >>            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa4-sigmessage"/>
> >>        </util:list>
> >>    </property>
> >></bean>
> >>
> >>external-authn-config.xml contains:
> >>
> >><util:constant id="shibboleth.authn.External.addDefaultPrincipals"
> >>               static-field="java.lang.Boolean.FALSE" />
> >>
> >>
> >>The AuthnRequest sends a request for 2 supported class refs:
> >>
> >><saml2p:RequestedAuthnContext Comparison="exact">
> >>    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
> >>    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://id.elegnamnden.se/loa/1.0/loa3-sigmessage</saml2:AuthnContextClassRef>
> >></saml2p:RequestedAuthnContext>
> >>
> >>
> >>
> >>The External Auth module sets http://id.elegnamnden.se/loa/1.0/loa3-sigmessage
> >>as the context class ref for the response by:
> >>
> >>import java.security.Principal;
> >>import javax.security.auth.Subject;
> >>import net.shibboleth.idp.authn.principal.UsernamePrincipal;
> >>import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
> >>
> >>Principal principal = new UsernamePrincipal(principalName);
> >>Principal accPrincipal = new AuthnContextClassRefPrincipal(
> >>        "http://id.elegnamnden.se/loa/1.0/loa3-sigmessage");
> >>Subject subj = new Subject();
> >>subj.getPrincipals().add(principal);
> >>subj.getPrincipals().add(accPrincipal);
> >>request.setAttribute("subject", subj);
> >>
> >>
> >>But the assertion is returned with AuthnContextClassRef =
> http://id.elegnamnden.se/loa/1.0/loa3
> >>
> >>What am I doing wrong here?
> >>
> >>
> >>/Stefan
> >>
> >>--
> >>To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
> >
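For readers arriving at this thread for the same problem, the following is an added example of a complete External authentication servlet for IdP 3.2 that builds the Subject the way Scott describes (a UsernamePrincipal plus an AuthnContextClassRefPrincipal). It is not code from the thread or from the Shibboleth project. It assumes a hypothetical upstream authenticator that passes the authenticated user and the level of assurance it actually performed in two made-up request headers (X-Upstream-Principal and X-Upstream-Loa); everything else uses the public ExternalAuthentication API and the class refs listed in the bean definition above. The point it adds beyond the snippet in the thread is the check a defender wants: the servlet only asserts a class ref that the upstream authenticator actually performed and that is in the flow's supportedPrincipals list, and reports an authentication error otherwise, rather than letting an External module claim an arbitrary context class.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;

/**
 * Hypothetical External authentication servlet (added example, not project code).
 * It assumes a fronting authenticator already verified the user and passes the
 * result in two request headers; both header names are assumptions.
 */
public class LoaExternalAuthServlet extends HttpServlet {

    private static final String LOA_PREFIX = "http://id.elegnamnden.se/loa/1.0/";

    /** Class refs this flow may assert; mirrors the supportedPrincipals list of authn/External. */
    private static final Set<String> SUPPORTED_CLASS_REFS = new HashSet<>(Arrays.asList(
            LOA_PREFIX + "loa2", LOA_PREFIX + "loa3", LOA_PREFIX + "loa4",
            LOA_PREFIX + "loa2-sigmessage", LOA_PREFIX + "loa3-sigmessage",
            LOA_PREFIX + "loa4-sigmessage"));

    @Override
    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Step 1: hand control to the IdP; the key identifies this login conversation.
            final String key = ExternalAuthentication.startExternalAuthentication(request);

            // Step 2: read what the upstream authenticator actually did (hypothetical headers).
            final String principalName = request.getHeader("X-Upstream-Principal");
            final String performedClassRef = request.getHeader("X-Upstream-Loa");

            if (principalName == null || principalName.isEmpty()) {
                // No authenticated user: report an error event name instead of a Subject.
                request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, "NoCredentials");
            } else if (performedClassRef == null || !SUPPORTED_CLASS_REFS.contains(performedClassRef)) {
                // Refuse to assert a context class the flow is not configured for; asserting
                // one the IdP does not know about gives the IdP nothing it can match against.
                request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, "UnsupportedAuthnContext");
            } else {
                // Step 3: build the Subject as in the thread: the user principal plus the
                // AuthnContextClassRefPrincipal for the context that was actually performed.
                final Subject subject = new Subject();
                subject.getPrincipals().add(new UsernamePrincipal(principalName));
                subject.getPrincipals().add(new AuthnContextClassRefPrincipal(performedClassRef));
                // SUBJECT_KEY is the "subject" request attribute used in the original snippet.
                request.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);
            }

            // Step 4: return to the IdP, which compares the asserted class ref with the
            // RequestedAuthnContext (Comparison="exact" in the AuthnRequest above).
            ExternalAuthentication.finishExternalAuthentication(key, request, response);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("External authentication failed", e);
        }
    }
}
```

With shibboleth.authn.External.addDefaultPrincipals set to FALSE, as in Stefan's configuration, the Subject built here carries exactly one class ref, so the IdP's result contains only the context the upstream authenticator reported; keep the SUPPORTED_CLASS_REFS set in step with the supportedPrincipals list of the authn/External bean, since a class ref asserted here but absent from that list cannot satisfy any request.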