ADFS + Shib 2 Idp + CAS
seth underhill
seth.underhill at cuw.edu
Fri May 1 16:55:21 EDT 2015
Thanks Scott and Michael.
Would that mean the example for ADFS V2 here:
https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop
is wrong in showing multiple <AuthenticationMethod>s in the UsernamePassword
handler?
I thought I would use two different types of handlers for this scenario
instead of two of the same, so I tried setting the IdP to respond to the
Microsoft password method in the UsernamePassword handler in my IdP instead
of in RemoteUser:
-----------------------------------
<!-- RemoteUser handler: declares the two SAML 2 context classes -->
<ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
<!-- UsernamePassword handler: declares only the Microsoft password method -->
<ph:LoginHandler xsi:type="ph:UsernamePassword"
    jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</ph:AuthenticationMethod>
</ph:LoginHandler>
-----------------------------------
but I still get the same error if I go ADFS -> Shib IdP ->
https://myidp/idp/Authn/UserPassword after
a successful auth comes back from the LDAP.
-----------------------
15:18:28.325 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:178]
- Successfully authenticated user a_test_user
15:18:28.325 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:144] -
Returning control to authentication engine
15:18:28.325 - TRACE
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] -
Looking up LoginContext with key
17320fe8c67551c45d84dad774fbdcc4d643fa6ae5fd544f22492a285d771703 from
StorageService parition: loginContexts
15:18:28.325 - TRACE
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] -
Retrieved LoginContext with key
17320fe8c67551c45d84dad774fbdcc4d643fa6ae5fd544f22492a285d771703 from
StorageService parition: loginContexts
15:18:28.325 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] -
Processing incoming request
15:18:28.325 - TRACE
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] -
Looking up LoginContext with key
17320fe8c67551c45d84dad774fbdcc4d643fa6ae5fd544f22492a285d771703 from
StorageService parition: loginContexts
15:18:28.325 - TRACE
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] -
Retrieved LoginContext with key
17320fe8c67551c45d84dad774fbdcc4d643fa6ae5fd544f22492a285d771703 from
StorageService parition: loginContexts
15:18:28.326 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:514] -
Completing user authentication process
15:18:28.326 - ERROR
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:529] -
Relying patry required an authentication method of
[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password]
but the login handler performed
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
15:18:28.331 - ERROR
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:563] -
Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException:
Relying patry required an authentication method of
[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password]
but the login handler performed
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
------------------------------
I am willing to break UsernamePassword to just respond to the Microsoft
method, but it seems I have failed at that :-).
So is it not possible for me to set the MS method in the servlet init
parameter even if it is the only one for a given handler?
Thanks for original replies. I do appreciate it.
~Seth
--
View this message in context: http://shibboleth.1660669.n2.nabble.com/ADFS-Shib-2-Idp-CAS-tp7614487p7614499.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
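The error in the log above is the IdP's completion check: the handler was chosen because it declares the method ADFS asked for, but the method the handler actually asserted afterwards was a different one. The following is an added example (not Shibboleth code and not from the thread) that models those two steps over the handler.xml fragment posted, and lints the fragment for handlers whose declared methods do not include what they will assert. The namespace URIs, and the idea that the asserted method comes from the servlet rather than from handler.xml (modelled here as a plain `asserted` mapping), are assumptions of the example.

```python
"""Model the IdP 2 login-handler selection step and the completion check seen
in the post's log, then lint handler.xml for declared/asserted mismatches.
Added example; not Shibboleth code."""
import xml.etree.ElementTree as ET

# Namespaces of an IdP 2 handler.xml (assumed; check your own file's declarations).
NS = {
    "ph": "urn:mace:shibboleth:2.0:idp:profile-handler",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

MS_PASSWORD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed fragment mirroring the posted configuration, wrapped in a root
# element so it parses on its own.
HANDLER_XML = """<root xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
  </ph:LoginHandler>
  <ph:LoginHandler xsi:type="ph:UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</ph:AuthenticationMethod>
  </ph:LoginHandler>
</root>
"""


def declared_methods(handler_xml):
    """Map each LoginHandler's xsi:type to the methods it declares in handler.xml."""
    root = ET.fromstring(handler_xml)
    declared = {}
    for handler in root.findall("ph:LoginHandler", NS):
        methods = [m.text.strip() for m in handler.findall("ph:AuthenticationMethod", NS)]
        declared[handler.get(XSI_TYPE)] = methods
    return declared


def select_handler(declared, requested):
    """Selection step: the first handler declaring any method the relying party requested."""
    for handler_type, methods in declared.items():
        if any(m in requested for m in methods):
            return handler_type
    return None


def completion_error(requested, performed):
    """Completion step, as in the log: fail when the method actually asserted
    is not one of the methods the relying party required."""
    if requested and performed not in requested:
        return ("Relying party required an authentication method of %s "
                "but the login handler performed %s" % (sorted(requested), performed))
    return None


def lint(declared, asserted):
    """Flag handlers whose declared methods do not include the method they will
    assert. ``asserted`` maps handler type -> method the servlet reports; that it
    is set outside handler.xml is an assumption of this example."""
    findings = []
    for handler_type, methods in declared.items():
        performed = asserted.get(handler_type)
        if performed is not None and performed not in methods:
            findings.append((handler_type, performed, methods))
    return findings


def simulate(handler_xml, asserted, requested):
    """Run selection then completion for one request; return (handler, error_or_None)."""
    declared = declared_methods(handler_xml)
    handler = select_handler(declared, requested)
    if handler is None:
        return None, "no login handler declares any of %s" % sorted(requested)
    return handler, completion_error(requested, asserted[handler])


if __name__ == "__main__":
    # ADFS asks for the Microsoft method; the UsernamePassword servlet still
    # asserts PasswordProtectedTransport -> the same error as the posted log.
    broken = {"ph:RemoteUser": UNSPECIFIED, "ph:UsernamePassword": PPT}
    print(simulate(HANDLER_XML, broken, {MS_PASSWORD}))
    for finding in lint(declared_methods(HANDLER_XML), broken):
        print("declared/asserted mismatch:", finding)
    # Once the servlet asserts the method the handler declares, completion passes.
    fixed = {"ph:RemoteUser": UNSPECIFIED, "ph:UsernamePassword": MS_PASSWORD}
    print(simulate(HANDLER_XML, fixed, {MS_PASSWORD}))
```

The lint is the check worth running before testing against ADFS: selection only looks at what handler.xml declares, so a handler can be chosen for a method it will never assert, and the mismatch only surfaces after a successful LDAP bind, exactly where the log shows it.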