How to /Authn/RemoteUser with IdP 3.0
Kathy E. Wright
kewrig at clemson.edu
Sat May 16 19:00:47 EDT 2015
I cannot duplicate our current IdP 2.4 configuration which uses
/idpAuthn/RemoteUser with Apache ajp_proxy to delegate authentication to
our campus SSO portal as described here:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser
In our test IdP v3, I have the following configuration:
/opt/shibboleth-idp/idp.properties
- idp.authn.flows= RemoteUser
- idp.authn.flows.initial = RemoteUser
Logs indicate REMOTE_USER is being used:
2015-05-16 17:37:05,610 - INFO
[net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:135] -
RemoteUserAuthServlet will process REMOTE_USER, along with attributes []
and headers []
But we get the following error:
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:271] - Profile
Action SelectAuthenticationFlow: No potential flows left to choose from,
authentication will fail in the logs
From the browser we see the following error:
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Requester
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Message: An error occurred.
I've just attended the first IdP 3.0 Shib InstallFest and was unable to
solve this issue during the class, although I was able to verify that our
Tomcat and Apache httpd configuration (using ajp_proxy) is working
correctly.
Are there other files in /opt/shibboleth-idp/ I should update or other
updates we are missing?
Best,
Kathy Wright
Clemson University