IDP 2.4.1 ECP

MA Lanxin ma at ihep.ac.cn
Tue May 19 22:27:08 EDT 2015


Hello,

I am trying to get ECP working with IDP 2.4.1 based on SL6.5 and Apache. I need to use LDAP authentication.

I have copied the web.xml file from /$IDP_INSTALL_HOME/shibboleth-identityprovider-2.4.1/src/main/webapp/WEB-INF/web.xml
to /opt/shibboleth-idp/conf/web.xml, and I added the following lines to web.xml:

<security-constraint>
    <display-name>Shibboleth IdP</display-name>
    <web-resource-collection>
        <web-resource-name>ECP</web-resource-name>
        <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuth</realm-name>
</login-config>

<!-- Depending on the version of tomcat in use, you may also need this - a list of security roles referenced by this web application -->

<security-role>
    <description>The role that is required to access the ECP area</description>
    <role-name>*</role-name>
</security-role>

I have made "RemoteUser" work successfully. I added these lines to httpd.conf:

<Location /idp/profile/SAML2/SOAP/ECP>
    #AuthType kerberos
    #AuthName "SAML2 ECP"
    #require valid-user
    AuthzLDAPAuthoritative Off
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.ihep.ac.cn/ou=users,dc=ihep,dc=ac,dc=cn?cn
    AuthLDAPBindDN "cn=root,dc=ihep,dc=ac,dc=cn"
    AuthLDAPBindPassword "passwd"
    Require valid-user
</Location>

I also added this line to my IdP metadata by hand:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp-test.ihep.ac.cn/idp/profile/SAML2/SOAP/ECP"/>

Then I restarted Tomcat and Apache.

But ECP does not work. When I open https://idp-test.ihep.ac.cn/idp/profile/SAML2/SOAP/ECP
I get a server error.
Here is the entry from the Apache ssl_error_log:
[Wed May 20 10:00:12 2015] [crit] [client 202.122.32.43] configuration error:  couldn't perform authentication. AuthType not set!: /idp/profile/SAML2/SOAP/ECP

Am I missing some configuration? Please help.

Thanks a lot,
Lanxin
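The logged error ("couldn't perform authentication. AuthType not set!") is what Apache reports when a Location carries a Require directive but no AuthType; in the httpd.conf block above the AuthType and AuthName lines are commented out. The block below is an added example, not from the original post or the Shibboleth project: the same Location with HTTP Basic authentication enabled against the poster's LDAP settings, with REPLACE_WITH_BIND_PASSWORD as a placeholder for the bind credential.

```apache
# Added example (not from the original post): the ECP Location block corrected
# so that Apache 2.2 on SL6.5 performs HTTP Basic authentication against LDAP.
# The original block commented out AuthType and AuthName, which is why Apache
# logged "configuration error: couldn't perform authentication. AuthType not set!".
<Location /idp/profile/SAML2/SOAP/ECP>
    # Required: the scheme the ECP client uses, and the realm the client is prompted with.
    AuthType Basic
    AuthName "SAML2 ECP"
    # Consult only the LDAP provider for Basic credentials.
    AuthBasicProvider ldap
    # Apache 2.2 directive (removed in 2.4): if mod_authnz_ldap cannot decide,
    # let other authorization modules try rather than failing outright.
    AuthzLDAPAuthoritative Off
    # Search base and username attribute, as in the original post.
    AuthLDAPURL "ldap://ldap.ihep.ac.cn/ou=users,dc=ihep,dc=ac,dc=cn?cn"
    # Account used for the user lookup. A dedicated read-only lookup account is
    # preferable to the directory root; REPLACE_WITH_BIND_PASSWORD is a placeholder.
    AuthLDAPBindDN "cn=root,dc=ihep,dc=ac,dc=cn"
    AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"
    # Any user who authenticated successfully against LDAP may reach the ECP endpoint.
    Require valid-user
</Location>
```

This assumes mod_auth_basic, mod_ldap and mod_authnz_ldap are loaded; run `apachectl configtest` before restarting so a directive typo surfaces as a config error rather than another runtime failure.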