IDP 2.4.1 ECP
MA Lanxin
ma at ihep.ac.cn
Tue May 19 23:51:52 EDT 2015
Hello,
I did not describe it clearly in my last mail.
My environment is IDP 2.4.1 + apache-tomcat-6.0.41 + httpd-2.2.15.
For my environment, how should I configure ECP?
I kept web.xml and removed "<Location /idp/profile/SAML2/SOAP/ECP>" from httpd.conf,
then restarted Tomcat and httpd. When I link to https://idp-test.ihep.ac.cn/idp/profile/SAML2/SOAP/ECP
I get this error in idp-process.log:
11:47:59.843 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler:312] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
11:47:59.843 - DEBUG [org.opensaml.saml2.binding.decoding.HandlerChainAwareHTTPSOAP11Decoder:59] - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
11:47:59.859 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler:347] - Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method
at org.opensaml.saml2.binding.decoding.HTTPSOAP11Decoder.doDecode(HTTPSOAP11Decoder.java:119) ~[opensaml-2.6.2.jar:na]
11:47:59.863 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler:278] - Returning SOAP fault
edu.internet2.middleware.shibboleth.common.profile.ProfileException: Error decoding authentication request message
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler.decodeRequest(SAML2ECPProfileHandler.java:348) [shibboleth-identityprovider-2.4.1.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler.processRequest(SAML2ECPProfileHandler.java:222) [shibboleth-identityprovider-2.4.1.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler.processRequest(SAML2ECPProfileHandler.java:86) [shibboleth-identityprovider-2.4.1.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) ~[shibboleth-common-1.4.1.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) ~[servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) ~[catalina.jar:6.0.41]
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method
at org.opensaml.saml2.binding.decoding.HTTPSOAP11Decoder.doDecode(HTTPSOAP11Decoder.java:119) ~[opensaml-2.6.2.jar:na]
at org.opensaml.saml2.binding.decoding.HandlerChainAwareHTTPSOAP11Decoder.decode(HandlerChainAwareHTTPSOAP11Decoder.java:62) ~[opensaml-2.6.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler.decodeRequest(SAML2ECPProfileHandler.java:319) [shibboleth-identityprovider-2.4.1.jar:na]
... 28 common frames omitted
What is wrong? Please help.
Thanks a lot,
Lanxin
> -----Original Message-----
> From: "Cantor, Scott" <cantor.2 at osu.edu>
> Sent: Wednesday, May 20, 2015
> To: "Shib Users" <users at shibboleth.net>
> Cc:
> Subject: Re: IDP 2.4.1 ECP
>
> On 5/20/15, 2:27 AM, "MA Lanxin" <ma at ihep.ac.cn> wrote:
>
>
>
> >Hello,
> >
> >I am trying to get ECP working with IDP 2.4.1 based on SL6.5 and Apache.
> >I need to use LDAP authentication.
> >
> >I have copied the web.xml file from
> >/$IDP_INSTALL_HOME/shibboleth-identityprovider-2.4.1/src/main/webapp/WEB-INF/web.xml
> >to /opt/shibboleth-idp/conf/web.xml, I added the lines to web.xml
>
> That is for use with container authentication in Tomcat. You don't use
> that with Apache authentication.
>
> >I have made “RemoteUser” work successfully. I added the lines in
> >httpd.conf
>
> If it worked, then why are you adding this to Apache? Pick one. In fact,
> why are you using Apache at all?
>
> >I get a server error.
> >Here is the log in apache ssl_error_log
> >[Wed May 20 10:00:12 2015] [crit] [client 202.122.32.43] configuration
> >error: couldn't perform authentication. AuthType not set!:
> >/idp/profile/SAML2/SOAP/ECP
>
> Well, yes, that's incorrect use of Apache. You can't do authentication
> there and not set AuthType.
>
> -- Scott
>
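
The decoder error in the log above states that the ECP endpoint's SOAP decoder accepts only HTTP POST. As an added example (not part of the original message and not Shibboleth project code), this Python code prepares, without sending, the kind of request an ECP client makes to that endpoint: a SOAP 1.1 envelope carrying a SAML AuthnRequest, POSTed with HTTP Basic credentials. The SP entityID, ACS URL and credentials are constructed placeholders.

```python
import base64
import urllib.request
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Endpoint URL taken from the message above; all other values are placeholders.
ECP_URL = "https://idp-test.ihep.ac.cn/idp/profile/SAML2/SOAP/ECP"


def build_envelope(sp_entity_id, acs_url):
    """Return a SOAP 1.1 envelope (bytes) whose Body holds a SAML AuthnRequest."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = sp_entity_id
    return ET.tostring(env, encoding="utf-8")


def build_ecp_request(url, envelope, username, password):
    """Prepare (but do not send) the POST an ECP client issues to the IdP."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, data=envelope, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "Authorization": "Basic " + token,
    })


def describe(req):
    """Summarise the prepared request without echoing the credentials."""
    return {"method": req.get_method(), "url": req.full_url,
            "content_type": req.get_header("Content-type"),
            "has_basic_auth": req.get_header("Authorization", "").startswith("Basic "),
            "body_root": ET.fromstring(req.data).tag}


if __name__ == "__main__":
    env = build_envelope("https://sp.example.org/shibboleth",         # placeholder SP
                         "https://sp.example.org/Shibboleth.sso/SAML2/ECP")
    print(describe(build_ecp_request(ECP_URL, env, "placeholder-user", "placeholder-pass")))
```

Passing the prepared request to `urllib.request.urlopen` would send it; a browser visiting the same URL issues a GET with no SOAP body instead.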