Need Help regarding certificate load and IDP metadata

Ram, Budh budh.ram at sap.com
Wed May 4 07:37:14 EDT 2016


Hi,

The certificate is Base64-encoded and starts with BEGIN CERTIFICATE and ends with END CERTIFICATE. I am attaching the certificate file here.
The MetadataProvider configuration snippet of shibboleth2.xml is given below:

<MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
                  backingFilePath="metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="accounts400_idp_cert.pem"/>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                     attributeName="http://macedir.org/entity-category"
                     attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                     attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>

The native log gives the error below:

2016-05-03 08:03:25 DEBUG Shibboleth.Listener [5448] isapi_shib_extension: send completed, reading response message
2016-05-03 08:03:25 ERROR Shibboleth.Listener [5448] isapi_shib_extension: remoted message returned an error: No MetadataProvider available.
2016-05-03 08:03:25 ERROR Shibboleth.ISAPI [5448] isapi_shib_extension: No MetadataProvider available.
2016-05-03 08:03:25 DEBUG Shibboleth.ISAPI [5448] isapi_shib: mapped http://usphlvm2556.dmzphl.sap.corp:1080/shibboleth-sp/main.css to default

shibd.log shows the error below:

2016-05-03 08:02:24 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
2016-05-03 08:02:24 ERROR OpenSSL : error data: Expecting: CERTIFICATE
2016-05-03 08:02:24 ERROR OpenSAML.Metadata : caught exception while installing filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
2016-05-03 08:02:24 CRIT Shibboleth.Application : error building MetadataProvider: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
2016-05-03 08:02:24 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage

Please help me out in this.

Regards,
Budh Ram


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of users-request at shibboleth.net
Sent: Friday, April 29, 2016 4:47 PM
To: users at shibboleth.net
Subject: users Digest, Vol 58, Issue 174

Send users mailing list submissions to
	users at shibboleth.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://shibboleth.net/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
	users-request at shibboleth.net

You can reach the person managing the list at
	users-owner at shibboleth.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of users digest..."


Today's Topics:

   1. RE: clustering with HazelcastStorageService (Cantor, Scott)
   2. Need Help regarding certificate load and IDP metadata
      configuration (Ram, Budh)
   3. Re: Need Help regarding certificate load and IDP metadata
      configuration (Peter Schober)
   4. Random authentication question (Robert Duncan)


----------------------------------------------------------------------

Message: 1
Date: Fri, 29 Apr 2016 02:08:07 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: "Paul B. Henson" <henson at cpp.edu>
Cc: Shib Users <users at shibboleth.net>
Subject: RE: clustering with HazelcastStorageService
Message-ID:
	<9846A6064BD102419D06814DD0D78DE1128E474E at CIO-TNC-D2MBX02.osuad.osu.edu>
	
Content-Type: text/plain; charset="utf-8"

> Is that a correct interpretation of what I think you're saying?

Yes. The API doesn't provide any other way to delineate what records are being used for.

-- Scott



------------------------------

Message: 2
Date: Fri, 29 Apr 2016 05:01:38 +0000
From: "Ram, Budh" <budh.ram at sap.com>
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: Need Help regarding certificate load and IDP metadata
	configuration
Message-ID:
	<6f66e5d2c485468a8aa5968337487fcf at DEWDFE13DE01.global.corp.sap>
Content-Type: text/plain; charset="us-ascii"

Hi,
I am using Shibboleth 2.5 (64-bit) on Windows Server 2008. I have configured the shibboleth2.xml file for the certificate and metadata provider. When I run the shibd -check command or check the shibd.log file, I get the error below:

C:\opt\shibboleth-sp\sbin64>shibd -check
2016-04-29 00:42:40 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2016-04-29 00:42:40 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2016-04-29 00:42:40 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
2016-04-29 00:42:40 ERROR OpenSSL : error data: Expecting: CERTIFICATE
2016-04-29 00:42:40 ERROR OpenSAML.Metadata : caught exception while installing filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/sci-cert.pem).
2016-04-29 00:42:40 CRIT Shibboleth.Application : error building MetadataProvider: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/sci-cert.pem).
2016-04-29 00:42:40 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
overall configuration is loadable, check console for non-fatal problems

My shibboleth2.xml configurations are:

<SSO entityID="https://accounts400.sap.com ">
    SAML2
</SSO>

<MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
                  backingFilePath="federation-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="sci-cert.pem"/>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                     attributeName="http://macedir.org/entity-category"
                     attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                     attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>

This certificate file (sci-cert.pem) is available at this location. I am not sure why it is not able to load the certificate.
The IDP has registered the SP metadata on their side, but it still says that the MetadataProvider is not available.

Please help me out with this; am I missing something in the configuration?

Thanks in advance.

Thanks and Regards,
Budh Ram

------------------------------

Message: 3
Date: Fri, 29 Apr 2016 10:59:47 +0200
From: Peter Schober <peter.schober at univie.ac.at>
To: users at shibboleth.net
Subject: Re: Need Help regarding certificate load and IDP metadata
	configuration
Message-ID: <20160429085946.GD23195 at aco.net>
Content-Type: text/plain; charset=us-ascii

* Ram, Budh <budh.ram at sap.com> [2016-04-29 07:02]:
> 2016-04-29 00:42:40 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
> 2016-04-29 00:42:40 ERROR OpenSSL : error data: Expecting: CERTIFICATE
> 2016-04-29 00:42:40 ERROR OpenSAML.Metadata : caught exception while installing
> filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/sci-cert.pem).

Well, if the file exists there (as you say) make sure that it contains
a Base64-encoded DER certificate, and that it starts with a line like
-----BEGIN CERTIFICATE-----

-peter

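The OpenSSL line in both of Budh's logs, "error data: Expecting: CERTIFICATE", is what OpenSSL's PEM reader emits for reason 108 (PEM_R_NO_START_LINE): it read the whole file and never found a `-----BEGIN CERTIFICATE-----` start line, which is why Peter's answer concentrates on the file's first line. A file can look right in an editor and still fail this way, most often because it was saved as UTF-16 or with a byte-order mark, the header lacks its five-dash framing, the file is raw DER exported from a Windows certificate store, or the PEM block carries a different label (PKCS7, for example). The script below is an added example, not code from the thread or from the Shibboleth project; it performs those checks on a certificate file. All inputs are constructed stand-ins, and the base64 body is a tiny hand-built DER SEQUENCE rather than a real X.509 certificate, which is enough to exercise the structural checks.

```python
import base64
import binascii
import re
import sys

# Constructed sample inputs (not the certificate attached to the list post).
# The body is a hand-built DER SEQUENCE { INTEGER 5 }: valid ASN.1, not a
# real certificate, but enough to exercise the structural checks below.
_STUB_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
_STUB_B64 = base64.b64encode(_STUB_DER).decode("ascii")

GOOD_PEM = ("-----BEGIN CERTIFICATE-----\n" + _STUB_B64 +
            "\n-----END CERTIFICATE-----\n").encode("ascii")
# Same text saved by a Windows editor as UTF-16 with a byte-order mark:
# a byte-oriented PEM reader never sees the start line in this file.
UTF16_PEM = GOOD_PEM.decode("ascii").encode("utf-16")
# Header typed without the five-dash framing OpenSSL looks for.
NO_DASHES_PEM = ("BEGIN CERTIFICATE\n" + _STUB_B64 +
                 "\nEND CERTIFICATE\n").encode("ascii")
# Raw DER (no PEM armour at all), as exported by some certificate stores.
RAW_DER = _STUB_DER
# PEM armour with a different label, e.g. a PKCS#7 bundle.
WRONG_LABEL_PEM = ("-----BEGIN PKCS7-----\n" + _STUB_B64 +
                   "\n-----END PKCS7-----\n").encode("ascii")

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----\s*$")


def diagnose_pem(data: bytes, expected_label: str = "CERTIFICATE") -> list:
    """Return a list of human-readable problems with a PEM certificate file.
    An empty list means at least one well-formed block with the expected
    label was found and its body decodes to an ASN.1 SEQUENCE."""
    problems = []

    # 1. Encodings that hide the start line from a byte-oriented reader.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        problems.append("file is UTF-16 (byte-order mark present); "
                        "re-save as ASCII/UTF-8 without BOM")
        return problems
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte-order mark; remove it")
        data = data[3:]

    # 2. Binary DER instead of PEM: an X.509 certificate is a SEQUENCE (tag 0x30).
    if data[:1] == b"\x30" and b"-----BEGIN" not in data:
        problems.append("file is binary DER, not PEM; convert with "
                        "'openssl x509 -inform DER -outform PEM'")
        return problems

    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        problems.append("file contains non-ASCII bytes; PEM must be plain ASCII")
        return problems

    lines = text.splitlines()
    good_blocks = 0
    i = 0
    while i < len(lines):
        begin = _BEGIN.match(lines[i])
        if not begin:
            # 3. A header that is almost right but lacks the dash framing.
            if lines[i].strip().startswith("BEGIN "):
                problems.append(f"line {i + 1}: header lacks the '-----' "
                                f"framing: {lines[i].strip()!r}")
            i += 1
            continue
        label = begin.group(1)
        body, j = [], i + 1
        while j < len(lines) and not _END.match(lines[j]):
            body.append(lines[j].strip())
            j += 1
        if j >= len(lines):
            problems.append(f"line {i + 1}: BEGIN {label} has no matching END line")
            break
        end_label = _END.match(lines[j]).group(1)
        if end_label != label:
            problems.append(f"line {j + 1}: END label {end_label!r} does not "
                            f"match BEGIN label {label!r}")
        # 4. Right armour, wrong label: the loader asks for a CERTIFICATE block.
        if label != expected_label:
            problems.append(f"line {i + 1}: block label is {label!r}, "
                            f"loader expects {expected_label!r}")
        else:
            # 5. Body must be valid base64 and decode to an ASN.1 SEQUENCE.
            try:
                der = base64.b64decode("".join(body), validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"line {i + 1}: body of {label} block is not valid base64")
            else:
                if der[:1] != b"\x30":
                    problems.append(f"line {i + 1}: decoded body is not an ASN.1 SEQUENCE")
                else:
                    good_blocks += 1
        i = j + 1

    if good_blocks == 0 and not problems:
        # Mirrors OpenSSL's PEM_R_NO_START_LINE / "Expecting: CERTIFICATE".
        problems.append(f"no '-----BEGIN {expected_label}-----' line found "
                        f"(OpenSSL: 'Expecting: {expected_label}')")
    return problems


if __name__ == "__main__":
    # With a path argument, check that file; otherwise run the constructed samples.
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:
        samples = {"good": GOOD_PEM, "utf16": UTF16_PEM, "no-dashes": NO_DASHES_PEM,
                   "raw-der": RAW_DER, "wrong-label": WRONG_LABEL_PEM}
    for name, blob in samples.items():
        print(name, "->", diagnose_pem(blob) or "OK")
```

Run it against the file named in the `certificate=` attribute of the Signature filter; if it reports OK but shibd still logs "Expecting: CERTIFICATE", the SP is reading a different file than the one inspected, so compare the path in the shibd.log message with the file actually examined.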

------------------------------

Message: 4
Date: Fri, 29 Apr 2016 11:17:12 +0000
From: Robert Duncan <Robert.Duncan at ncirl.ie>
To: Shib Users <users at shibboleth.net>
Subject: Random authentication question
Message-ID:
	<DB5PR02MB11287805B9D6224414D53FCA83660 at DB5PR02MB1128.eurprd02.prod.outlook.com>
	
Content-Type: text/plain; charset="us-ascii"

We are using Shibboleth to SSO into AWS and OpenStack; neither is on the domain, so it's the perfect fit.
- but that's where domain identity ends: logging into instances uses public keys and all sense of domain-ness is gone (no admins, keys all over the place, etc.).
Instances boot from generic images, but admins can configure default bootstrapping actions.
Is there any role for Shibboleth in logging into cloud instances?

Thanks,
Rob.




------------------------------

------------------------------

End of users Digest, Vol 58, Issue 174
**************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: accounts400_idp_cert.pem
Type: application/octet-stream
Size: 716 bytes
Desc: accounts400_idp_cert.pem
URL: <http://shibboleth.net/pipermail/users/attachments/20160504/95714f16/attachment.obj>
