Need Help regarding certificate load and IDP metadata

Ram, Budh budh.ram at sap.com
Wed May 4 23:30:37 EDT 2016


Hi,

My mistake, this is the actual certificate which I am using.

The certificate is Base64-encoded and starts with BEGIN CERTIFICATE and ends with END CERTIFICATE. Attaching the certificate file here.
The MetadataProvider configuration snippet from shibboleth2.xml is given below:

<MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
              backingFilePath="metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="accounts400_idp_cert.pem"/>
            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
              attributeName="http://macedir.org/entity-category"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>

The native log gives the error below:

2016-05-03 08:03:25 DEBUG Shibboleth.Listener [5448] isapi_shib_extension: send completed, reading response message
2016-05-03 08:03:25 ERROR Shibboleth.Listener [5448] isapi_shib_extension: remoted message returned an error: No MetadataProvider available.
2016-05-03 08:03:25 ERROR Shibboleth.ISAPI [5448] isapi_shib_extension: No MetadataProvider available.
2016-05-03 08:03:25 DEBUG Shibboleth.ISAPI [5448] isapi_shib: mapped http://usphlvm2556.dmzphl.sap.corp:1080/shibboleth-sp/main.css to default

shibd.log shows the error below:

2016-05-03 08:02:24 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
2016-05-03 08:02:24 ERROR OpenSSL : error data: Expecting: CERTIFICATE
2016-05-03 08:02:24 ERROR OpenSAML.Metadata : caught exception while installing filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
2016-05-03 08:02:24 CRIT Shibboleth.Application : error building MetadataProvider: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
2016-05-03 08:02:24 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage

Is it giving "No MetadataProvider available" because it is unable to load the certificate, or is there some other reason for it?
Please help me out with this.

Regards,
Budh Ram

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of users-request at shibboleth.net
Sent: Wednesday, May 4, 2016 7:06 PM
To: users at shibboleth.net
Subject: users Digest, Vol 59, Issue 13

Send users mailing list submissions to
	users at shibboleth.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://shibboleth.net/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
	users-request at shibboleth.net

You can reach the person managing the list at
	users-owner at shibboleth.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of users digest..."


Today's Topics:

   1. Re: Redis as Storage Service for SP (Jarno Huuskonen)
   2. RE: Need Help regarding certificate load and IDP metadata
      (Ram, Budh)
   3. Re: Need Help regarding certificate load and IDP metadata
      (Tom Scavo)
   4. Custom attributes to the IdP (Sowmya Vallabhajosyula)
   5. SSO authentication for REST API calls (Sowmya Vallabhajosyula)
   6. Re: Custom attributes to the IdP (Peter Schober)


----------------------------------------------------------------------

Message: 1
Date: Wed, 4 May 2016 12:04:11 +0300
From: Jarno Huuskonen <jarno.huuskonen at uef.fi>
To: Shib Users <users at shibboleth.net>
Subject: Re: Redis as Storage Service for SP
Message-ID: <20160504090411.GD18038 at jjh.uef.fi>
Content-Type: text/plain; charset=us-ascii

Hi,

On Wed, May 04, Tom Wezepoel wrote:
> At SURF in the Netherlands we provide a Sync&Share solution for higher education based on OwnCloud in combination with Shibboleth authentication.
> The Shibboleth sessions of all users are currently stored in a Memcached Caching system and in combination with Repcached we have a kind of replication.
> Unfortunately, the number of keys on the master and the replica are not always in sync. Next of that, the Memcached project seems to be dead.
> These days Redis is a more common solution for this kind of storage, which is also designed to be deployed in a clustered setup.

Have you tested mcrouter (https://github.com/facebook/mcrouter) instead
of repcached? Maybe AllSyncRoute/MissFailoverRoute would keep memcached
servers in sync.

-Jarno

-- 
Jarno Huuskonen


------------------------------

Message: 2
Date: Wed, 4 May 2016 11:37:14 +0000
From: "Ram, Budh" <budh.ram at sap.com>
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: RE: Need Help regarding certificate load and IDP metadata
Message-ID:
	<dd26913cdf7a47cd91908deb1b848b6d at DEWDFE13DE01.global.corp.sap>
Content-Type: text/plain; charset="us-ascii"

Hi,

The certificate is Base64-encoded and starts with BEGIN CERTIFICATE and ends with END CERTIFICATE. Attaching the certificate file here.
The MetadataProvider configuration snippet from shibboleth2.xml is given below:

<MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
              backingFilePath="metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="accounts400_idp_cert.pem"/>
            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
              attributeName="http://macedir.org/entity-category"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>

The native log gives the error below:

2016-05-03 08:03:25 DEBUG Shibboleth.Listener [5448] isapi_shib_extension: send completed, reading response message
2016-05-03 08:03:25 ERROR Shibboleth.Listener [5448] isapi_shib_extension: remoted message returned an error: No MetadataProvider available.
2016-05-03 08:03:25 ERROR Shibboleth.ISAPI [5448] isapi_shib_extension: No MetadataProvider available.
2016-05-03 08:03:25 DEBUG Shibboleth.ISAPI [5448] isapi_shib: mapped http://usphlvm2556.dmzphl.sap.corp:1080/shibboleth-sp/main.css to default

shibd.log shows the error below:

2016-05-03 08:02:24 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
2016-05-03 08:02:24 ERROR OpenSSL : error data: Expecting: CERTIFICATE
2016-05-03 08:02:24 ERROR OpenSAML.Metadata : caught exception while installing filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
2016-05-03 08:02:24 CRIT Shibboleth.Application : error building MetadataProvider: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
2016-05-03 08:02:24 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage

Please help me out with this.

Regards,
Budh Ram


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of users-request at shibboleth.net
Sent: Friday, April 29, 2016 4:47 PM
To: users at shibboleth.net
Subject: users Digest, Vol 58, Issue 174

Send users mailing list submissions to
	users at shibboleth.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://shibboleth.net/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
	users-request at shibboleth.net

You can reach the person managing the list at
	users-owner at shibboleth.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of users digest..."


Today's Topics:

   1. RE: clustering with HazelcastStorageService (Cantor, Scott)
   2. Need Help regarding certificate load and IDP metadata
      configuration (Ram, Budh)
   3. Re: Need Help regarding certificate load and IDP metadata
      configuration (Peter Schober)
   4. Random authentication question (Robert Duncan)


----------------------------------------------------------------------

Message: 1
Date: Fri, 29 Apr 2016 02:08:07 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: "Paul B. Henson" <henson at cpp.edu>
Cc: Shib Users <users at shibboleth.net>
Subject: RE: clustering with HazelcastStorageService
Message-ID:
	<9846A6064BD102419D06814DD0D78DE1128E474E at CIO-TNC-D2MBX02.osuad.osu.edu>
Content-Type: text/plain; charset="utf-8"

> Is that a correct interpretation of what I think you're saying?

Yes. The API doesn't provide any other way to delineate what records are being used for.

-- Scott



------------------------------

Message: 2
Date: Fri, 29 Apr 2016 05:01:38 +0000
From: "Ram, Budh" <budh.ram at sap.com>
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: Need Help regarding certificate load and IDP metadata
	configuration
Message-ID:
	<6f66e5d2c485468a8aa5968337487fcf at DEWDFE13DE01.global.corp.sap>
Content-Type: text/plain; charset="us-ascii"

Hi,
I am using Shibboleth 2.5 (64-bit) on Windows Server 2008. I have configured the shibboleth2.xml file for the certificate and metadata provider. When I run the shibd -check command or check the shibd.log file, I get the error below:

C:\opt\shibboleth-sp\sbin64>shibd -check
2016-04-29 00:42:40 WARN Shibboleth.Application : insecure cookieProps setting,
set to "https" for SSL/TLS-only usage
2016-04-29 00:42:40 WARN Shibboleth.Application : handlerSSL should be enabled f
or SSL/TLS-enabled web sites
2016-04-29 00:42:40 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_li
b.c, line 701
2016-04-29 00:42:40 ERROR OpenSSL : error data: Expecting: CERTIFICATE
2016-04-29 00:42:40 ERROR OpenSAML.Metadata : caught exception while installing
filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibb
oleth/sci-cert.pem).
2016-04-29 00:42:40 CRIT Shibboleth.Application : error building MetadataProvide
r: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/
sci-cert.pem).
2016-04-29 00:42:40 WARN Shibboleth.Application : no MetadataProvider available,
configure at least one for standard SSO usage
overall configuration is loadable, check console for non-fatal problems

My shibboleth2.xml configurations are:

            <SSO entityID="https://accounts400.sap.com">
              SAML2
            </SSO>

<MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
              backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="sci-cert.pem"/>
            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
              attributeName="http://macedir.org/entity-category"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>

This certificate file (sci-cert.pem) is available at this location. I am not sure why it is not able to load the certificate.
The IdP has registered the SP metadata on their side; still it is saying that the MetadataProvider is not available.

Please help me out with this, in case I am missing something in the configuration.

Thanks in advance.

Thanks and Regards,
Budh Ram

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160429/d9c7d189/attachment-0001.html>

------------------------------

Message: 3
Date: Fri, 29 Apr 2016 10:59:47 +0200
From: Peter Schober <peter.schober at univie.ac.at>
To: users at shibboleth.net
Subject: Re: Need Help regarding certificate load and IDP metadata
	configuration
Message-ID: <20160429085946.GD23195 at aco.net>
Content-Type: text/plain; charset=us-ascii

* Ram, Budh <budh.ram at sap.com> [2016-04-29 07:02]:
> 2016-04-29 00:42:40 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
> 2016-04-29 00:42:40 ERROR OpenSSL : error data: Expecting: CERTIFICATE
> 2016-04-29 00:42:40 ERROR OpenSAML.Metadata : caught exception while installing
> filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/sci-cert.pem).

Well, if the file exists there (as you say) make sure that it contains
a Base64-encoded DER certificate, and that it starts with a line like
-----BEGIN CERTIFICATE-----

-peter


------------------------------

Message: 4
Date: Fri, 29 Apr 2016 11:17:12 +0000
From: Robert Duncan <Robert.Duncan at ncirl.ie>
To: Shib Users <users at shibboleth.net>
Subject: Random authentication question
Message-ID:
	<DB5PR02MB11287805B9D6224414D53FCA83660 at DB5PR02MB1128.eurprd02.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

We are using Shibboleth to SSO into AWS and OpenStack , neither are on domain so it's the perfect fit.
- but that's where domain identity ends: logging into instances uses public keys and all sense of domain-ness is gone (no admins, keys all over the place, etc.).
Instances boot from generic images, but admins can configure default bootstrapping actions.
Is there any role for Shibboleth in logging into cloud instances?

Thanks,
Rob.


________________________________

The information contained and transmitted in this e-mail is confidential information, and is intended only for the named recipient to which it is addressed. The content of this e-mail may not have been sent with the authority of National College of Ireland. Any views or opinions presented are solely those of the author and do not necessarily represent those of National College of Ireland. If the reader of this message is not the named recipient or a person responsible for delivering it to the named recipient, you are notified that the review, dissemination, distribution, transmission, printing or copying, forwarding, or any other use of this message or any part of it, including any attachments, is strictly prohibited. If you have received this communication in error, please delete the e-mail and destroy all record of this communication. Thank you for your assistance.
________________________________


------------------------------

Subject: Digest Footer

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

------------------------------

End of users Digest, Vol 58, Issue 174
**************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: accounts400_idp_cert.pem
Type: application/octet-stream
Size: 716 bytes
Desc: accounts400_idp_cert.pem
URL: <http://shibboleth.net/pipermail/users/attachments/20160504/95714f16/attachment-0001.obj>

------------------------------

Message: 3
Date: Wed, 4 May 2016 07:57:09 -0400
From: Tom Scavo <trscavo at gmail.com>
To: Shib Users <users at shibboleth.net>
Subject: Re: Need Help regarding certificate load and IDP metadata
Message-ID:
	<CAEtu=dPSG2JYxvH-M7GQ64TNsHfxiUtAKjsDiRd-mqgKdvrFXQ at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Wed, May 4, 2016 at 7:37 AM, Ram, Budh <budh.ram at sap.com> wrote:
>
> The certificate is Base64-encoded and starts with BEGIN CERTIFICATE and ends with END CERTIFICATE. Attaching the certificate file here.

The attached certificate does NOT start with BEGIN CERTIFICATE and end
with END CERTIFICATE.

Tom

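Peter's and Tom's replies above come down to one check: does the file really begin with a -----BEGIN CERTIFICATE----- line and carry a Base64-encoded DER certificate between the markers. The OpenSSL code in the log, 151441516 (0x0906D06C), decodes to library 9 (PEM) and reason 108 (PEM_R_NO_START_LINE): OpenSSL found no BEGIN line at all, which agrees with Tom's observation. The script below is an added example for this thread, not code from the list or from the Shibboleth project. It classifies a certificate file as DER, proper PEM, bare Base64 with no armour lines, or a PEM block carrying some other label, and rewrites the first three into canonical PEM (LF line endings, 64-character lines, CERTIFICATE label). The ASN.1 check is limited to the outer SEQUENCE length; it does not parse X.509. The file name, the function names and the sample inputs are all constructed for the example; the sample DER body is a placeholder, not a real certificate.

```python
import base64
import binascii
import re
import sys
from typing import Optional

# OpenSSL's PEM reader looks for a line that begins with "-----BEGIN " and,
# when loading an X.509 certificate, expects the label CERTIFICATE.
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"
UTF8_BOM = b"\xef\xbb\xbf"
_ANY_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def der_outer_sequence_ok(data: bytes) -> bool:
    """Structural check only: an X.509 certificate is one DER SEQUENCE whose
    encoded length covers exactly the whole buffer. This does not parse X.509."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length, 1-4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def _decode_b64(chunk: bytes) -> Optional[bytes]:
    # Whitespace (CRLF, indentation) is ignored; any other non-Base64 byte fails.
    try:
        return base64.b64decode(b"".join(chunk.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def _strip_bom(data: bytes) -> bytes:
    # A UTF-8 BOM written by some Windows editors sits in front of the BEGIN
    # line, so the PEM reader never sees a start line.
    return data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data


def classify(data: bytes) -> str:
    """Return 'der', 'pem', 'bare-base64', 'wrong-label' or 'unknown'."""
    if der_outer_sequence_ok(data):
        return "der"
    text = _strip_bom(data)
    if PEM_BEGIN in text and PEM_END in text:
        body = text.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        raw = _decode_b64(body)
        return "pem" if raw is not None and der_outer_sequence_ok(raw) else "unknown"
    if _ANY_LABEL.search(text):
        return "wrong-label"              # e.g. a PUBLIC KEY or PKCS7 block
    raw = _decode_b64(text)
    if raw is not None and der_outer_sequence_ok(raw):
        return "bare-base64"              # Base64 body saved without the armour lines
    return "unknown"


def to_pem(data: bytes) -> bytes:
    """Rewrite a DER, bare-Base64 or BOM-prefixed/oddly wrapped PEM file as
    canonical PEM. Raises ValueError for files that cannot be repaired safely."""
    kind = classify(data)
    text = _strip_bom(data)
    if kind == "der":
        raw = data
    elif kind == "pem":
        raw = _decode_b64(text.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0])
    elif kind == "bare-base64":
        raw = _decode_b64(text)
    else:
        raise ValueError(f"cannot convert a file classified as {kind!r}")
    b64 = base64.b64encode(raw)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\n"


# Constructed samples (placeholder DER body, not a real certificate).
DER_SAMPLE = b"\x30\x82\x01\x00" + bytes(256)         # SEQUENCE, length 256
PEM_SAMPLE = to_pem(DER_SAMPLE)
BARE_SAMPLE = base64.b64encode(DER_SAMPLE) + b"\r\n"  # armour lines missing
BOM_SAMPLE = UTF8_BOM + PEM_SAMPLE                     # BOM hides the BEGIN line
WRONG_LABEL_SAMPLE = b"-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    # Usage: python check_cert_pem.py accounts400_idp_cert.pem  (script name assumed)
    path = sys.argv[1]
    with open(path, "rb") as fh:
        data = fh.read()
    kind = classify(data)
    print(f"{path}: {kind}")
    if kind in ("der", "bare-base64", "pem"):
        with open(path + ".fixed.pem", "wb") as out:
            out.write(to_pem(data))
        print(f"wrote {path}.fixed.pem")
```

Point the Signature filter's certificate attribute at the rewritten file and rerun shibd -check: if the PEM_R_NO_START_LINE error disappears but the filter still complains, the file is well-formed PEM but not the certificate that signs the IdP's metadata, which is a different problem from the one in this thread.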

------------------------------

Message: 4
Date: Wed, 4 May 2016 18:44:00 +0530
From: Sowmya Vallabhajosyula <sowmya.v at zemosolabs.com>
To: users at shibboleth.net
Subject: Custom attributes to the IdP
Message-ID:
	<CAMgwm3N184xh4mb9Sam30WnOoxtS9UvzkZHiYkmKo9bfLdqG0g at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

If I would like to send an extra custom attribute to the IdP which I would like
to use as the OU partition of LDAP, how can I achieve this?

-- 
Thanks and Regards,
Sowmya Vallabhajosyula
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160504/50bc28fb/attachment-0001.html>

------------------------------

Message: 5
Date: Wed, 4 May 2016 18:48:36 +0530
From: Sowmya Vallabhajosyula <sowmya.v at zemosolabs.com>
To: users at shibboleth.net
Subject: SSO authentication for REST API calls
Message-ID:
	<CAMgwm3MZSjMguaMup4aAtnqrjmdmgn+dGtHK=UzodpHQLKEuBA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

How can we authenticate a REST API call using Shibboleth IdP? IdP needs to
authenticate both users and REST API calls.

-- 
Thanks and Regards,
Sowmya Vallabhajosyula
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160504/68299542/attachment-0001.html>

------------------------------

Message: 6
Date: Wed, 4 May 2016 15:35:50 +0200
From: Peter Schober <peter.schober at univie.ac.at>
To: users at shibboleth.net
Subject: Re: Custom attributes to the IdP
Message-ID: <20160504133550.GF23195 at aco.net>
Content-Type: text/plain; charset=us-ascii

* Sowmya Vallabhajosyula <sowmya.v at zemosolabs.com> [2016-05-04 15:14]:
> If I would like to send an extra custom attribute to the IdP which I
> would like to use as the OU partition of LDAP, how can I achieve this?

You want to send some part of the LDAP object's DN as a SAML
Attribute? See Douglas' answer from yesterday about the 'entryDN'
operational attribute. If your LDAP DSA does not support that I think
the LDAP middleware used in the Shibboleth IDP can produce something
with the same value internally, check the documentation.

Once you have that pulled into an IDP internal attribute you can
create a Script type attribute definition that parses out the value
you're looking for.
-peter


------------------------------

Subject: Digest Footer

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

------------------------------

End of users Digest, Vol 59, Issue 13
*************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: accounts400_idp_cert.pem
Type: application/octet-stream
Size: 772 bytes
Desc: accounts400_idp_cert.pem
URL: <http://shibboleth.net/pipermail/users/attachments/20160505/03b0447d/attachment-0001.obj>

