X509 Authn in IDPv3

Mike Wiseman mike.wiseman at utoronto.ca
Wed Apr 6 08:42:00 EDT 2016


My experience in using the idp-v3 X509AuthHandler is that a Java ‘response object’ is required by the servlet. A Java service needs to have handled the X509 authentication to generate the required object response. Apache httpd/modSSL does not generate that object - thus the error you’re seeing. If you use Tomcat to handle the cert authentication (or Jetty I imagine), then that should work. If you require that Apache httpd handle the cert authentication, then the remote_user handler could be used to pick up the principal name.

Mike



Mike Wiseman
Manager, Information Security
Information Technology Services
University of Toronto

This email and any attachments contain privileged and / or confidential information for internal University of Toronto communication only unless otherwise indicated.
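The alternative Mike describes (Apache httpd performs the certificate check and the IdP's RemoteUser flow picks up the principal), as an added configuration example that is not from this thread or from the Shibboleth project; host names, file paths and the AJP port are placeholders, and it assumes httpd is proxying to Tomcat over AJP:

```apache
# Added example: httpd terminates TLS, verifies the client certificate on the
# RemoteUser login endpoint only, and passes the principal as REMOTE_USER to
# the IdP over AJP. Host names and paths below are placeholders.
<VirtualHost *:443>
    ServerName idp.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/idp.example.org.crt
    SSLCertificateKeyFile /etc/ssl/idp.example.org.key
    # CA bundle trusted to issue client certificates
    SSLCACertificateFile  /etc/ssl/client-ca-bundle.pem

    # /idp/Authn/RemoteUser is the RemoteUser flow's servlet path in IdP v3.
    # 'require' rejects the request when the certificate is missing or fails
    # chain validation, so only verified certificates reach the IdP.
    <Location /idp/Authn/RemoteUser>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Export SSL_CLIENT_* variables (and the cert itself) to the backend
        SSLOptions +StdEnvVars +ExportCertData
        # Populate REMOTE_USER from the certificate subject CN
        SSLUserName SSL_CLIENT_S_DN_CN
    </Location>

    # AJP (unlike plain HTTP proxying) carries REMOTE_USER to Tomcat
    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>
```

For REMOTE_USER to be honoured on the Tomcat side, the AJP connector in server.xml needs tomcatAuthentication="false", and idp.properties needs the RemoteUser flow enabled (idp.authn.flows = RemoteUser) rather than the X509 flow.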




Hello,
Has anyone set up X509 Authn in IDP v3 via Apache front-end? I keep getting this exception in Tomcat logs but nothing in the IdP logs (with debug logs enabled) to indicate where it's failing.

Apr 05, 2016 3:19:23 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [X509AuthHandler] in context with path [/idp] threw exception [Error processing external authentication request] with root cause
net.shibboleth.idp.authn.ExternalAuthenticationException: No conversation state found in session for key (e1s1)

Here's what I've set up so far with Apache and Tomcat/Shibboleth on the same host.

- Enabled the authn flow in idp.properties
- Configured Apache for client certificate authentication
- Enabled Apache to forward request headers as well as '+ExportCertData'

In Apache SSL logs, I see the cert has been validated and authorization granted. So, I'm not quite sure where it's broken. Initially, I thought it was an issue with Apache not being able to validate the client cert, but from the SSL logs it looks like that's not the issue.
Any troubleshooting or configuration guidance is greatly appreciated.

Thanks in advance,
Pradeep

