Shibboleth 2.4.4 User Authentication

Mon May 25 18:30:12 EDT 2015

Hi, I have installed Shibboleth 2.4.4 and can't make it worlking iwth
a SP or Shibtest.org

I think I am missing the authentication configuration part.
I am trying to follow this:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass

So I have configured "Defining the Login Handler" like this:

<!--  Username/password login handler -->
    <ph:LoginHandler xsi:type="ph:UsernamePassword"

jaasConfigurationLocation="file:///usr/local/saml/shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

login.config:

ShibUserPassAuth {

edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://localhost:389"
      baseDn="ou=people,dc=mydomain,dc=com,dc=ar"
      ssl="false"
      userFilter="uid={0}";
};

I know there must be some place to configure the login page, or this
instructions tell about some web.xml file, but I don't see how to
configure this.

Can you guide me how to configure user/password authentication and the
way to setup a login page?

Thanks,
Andres.

2015-05-20 18:09 GMT-03:00 Emilio Penna <emilio.penna at seciu.edu.uy>:
>
> Scott, thanks for the explanation.
>
> With respect to ppolicy control, I thinks there's some limitation in the
> control handling in ValidateUsernamePasswordAgainstLDAP, let me explain:
>
> As you said, in case of bind success (and accountState not null), the
> message generated is:
> String.format("%s:%s:%s", "ACCOUNT_WARNING", response.getResultCode(),
> response.getMessage())
>
> In bind failure, the message is
> String.format("%s:%s:%s", state.getError(), response.getResultCode(),
> response.getMessage())
>
>
> The difference: if bind success, the state.getError() isn't
> "propagated", so you "lose" it for catching any error code, and maybe
> adapt flow accordingly mapping the error code to some event.
>
> One example is the control for forcing password reset, in that case, the
> bind success, and the control is informed by ldaptive in state.getError
> (state.getError=CHANGE_AFTER_RESET in this case). The generated message
> in this case, I guess that is something like
> "ACCOUNT_WARNING:SUCCESS:null",  it don't have the errorCode
> "CHANGE_AFTER_RESET", so you don't have the chance to detect it as
> result of the action and adapt the flow.
>
>
> Emilio
>
>
> El 19/05/2015 a las 11:03 p.m., Cantor, Scott escribió:
>
>>> Given the message generated in ValidateUsernamePasswordAgainstLDAP:189,
>>> I think that I don't have the error code to map/catch in
>>> password-auth-config (or somewhere else), for trying to change the flow
>>> to deny user login...
>>
>> Well, I think the main operation there is the bind. If that succeeds, I
>> don't think anything you put into the map of messages is going to make it
>> actually fail, but the ACCOUNT_WARNING string looks like it's just part of
>> the default message being built:
>>
>> String.format("%s:%s:%s", "ACCOUNT_WARNING", response.getResultCode(),
>>       response.getMessage())
>>
>> That may be too aggresively mapped to ExpiringPassword because it looks
>> like that will happen no matter what the Code or Message values are. I
>> don't know if that's intentional or not, but the mappings are obviously
>> not anything we care about, they should be whatever you need.
>>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

-- 
Andrés Yacopino