Need Help regarding certificate load and IDP metadata
Tom Scavo
trscavo at gmail.com
Thu May 5 13:15:19 EDT 2016
On Wed, May 4, 2016 at 11:30 PM, Ram, Budh <budh.ram at sap.com> wrote:
>
> My mistake, this is the actual certificate which I am using.
>
> The certificate is Base64-encoded and starts with BEGIN CERTIFICATE and ends with END CERTIFICATE. Attaching here the certificate file.
No, the attached certificate is still not syntactically correct. The
BEGIN CERTIFICATE and END CERTIFICATE must be on their own lines.
I manually formatted the file as a valid PEM file and tried to load it
with openssl but got this error:
$ openssl x509 -text -noout -in ~/Desktop/junk6.pem
unable to load certificate
38567:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
This doesn't appear to be a valid certificate. If I can't load it from
the command line, that explains why the MetadataProvider is choking.
You need to configure a valid certificate of course.
Tom
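Added example (not part of the original message, and not Shibboleth or OpenSSL code): the checks below reproduce what the SP's OpenSSL loader does when it reads the file named in the Signature filter's certificate attribute, so a file can be tested before shibd is restarted. The certificate stub, the sample file contents and the function names are constructed for this illustration; to test a real file, pass its text to check_pem_certificate(). A file that fails here fails in shibd too, and because the Signature filter then cannot be installed the whole MetadataProvider is dropped, which is the "No MetadataProvider available" seen in the logs: the SP refuses to trust IdP metadata it cannot verify rather than load it unsigned.

```python
"""Check whether a file is a loadable PEM certificate, the way OpenSSL's
PEM reader does: the BEGIN/END markers must each be on their own line, the
body must be Base64, and the decoded bytes must form one DER SEQUENCE.

Added example for this thread, not code from Shibboleth or OpenSSL. The
"certificate" payload is a constructed stand-in (a DER SEQUENCE holding one
INTEGER), used only to exercise the structural checks.
"""
import base64
import binascii
import re
from typing import Optional, Tuple

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed DER: SEQUENCE { INTEGER 65537 }. A real certificate is also an
# outer SEQUENCE, so the structural check below treats both the same way.
DER_STUB = bytes.fromhex("30050203010001")
B64_STUB = base64.b64encode(DER_STUB).decode("ascii")

# Constructed inputs modelling the cases discussed in the thread.
GOOD_PEM = f"{PEM_BEGIN}\n{B64_STUB}\n{PEM_END}\n"
GLUED_PEM = f"{PEM_BEGIN}{B64_STUB}{PEM_END}\n"      # markers not on their own lines
NOT_DER_PEM = f"{PEM_BEGIN}\nAAAA\n{PEM_END}\n"        # valid Base64, but not a certificate


def der_sequence_length(der: bytes) -> Optional[int]:
    """Total encoded length of an outer DER SEQUENCE, or None if the bytes
    do not start with a well-formed SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text: str) -> Tuple[bool, str]:
    """Return (ok, reason). Mirrors the two OpenSSL failures seen in the
    thread: 'no start line' (PEM_read_bio) and a body that is not a cert."""
    lines = [ln.strip() for ln in text.splitlines()]
    # PEM_read_bio looks for a line that *is* the marker; a marker glued to
    # the Base64 body never matches, hence "no start line".
    if PEM_BEGIN not in lines:
        return False, "no start line: BEGIN CERTIFICATE must be on its own line"
    start = lines.index(PEM_BEGIN)
    if PEM_END not in lines[start + 1:]:
        return False, "no end line: END CERTIFICATE must be on its own line"
    end = lines.index(PEM_END, start + 1)
    body = "".join(lines[start + 1:end])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False, "body between the markers is not valid Base64"
    expected = der_sequence_length(der)
    if expected is None or expected != len(der):
        return False, "decoded body is not a single DER SEQUENCE, so not a certificate"
    return True, f"PEM structure OK, {len(der)} DER bytes"


def rewrap_pem(text: str) -> str:
    """Rebuild a PEM file whose markers were run together with the body:
    put each marker on its own line and wrap the Base64 at 64 columns
    (the same manual repair described in the reply above)."""
    m = re.search(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END), text, re.S)
    if not m:
        return text
    b64 = re.sub(r"\s+", "", m.group(1))
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{wrapped}\n{PEM_END}\n"


if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("glued", GLUED_PEM),
                      ("rewrapped glued", rewrap_pem(GLUED_PEM)),
                      ("not DER", NOT_DER_PEM)):
        print(f"{name:16}: {check_pem_certificate(pem)}")
```

rewrap_pem() only fixes the layout problem (markers glued to the body); if the bytes between the markers are not a DER certificate, as in the attached file, the rewrapped file still fails the SEQUENCE check, which is why reformatting by hand did not help here.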
> The metadataprovider configuration snippet of Shibboleth2.xml is given below
>
> <MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
> backingFilePath="metadata.xml" reloadInterval="7200">
> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
> <MetadataFilter type="Signature" certificate="accounts400_idp_cert.pem"/>
> <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
> attributeName="http://macedir.org/entity-category"
> attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> attributeValue="http://refeds.org/category/hide-from-discovery" />
> </MetadataProvider>
>
> The native log gives below error
>
> 2016-05-03 08:03:25 DEBUG Shibboleth.Listener [5448] isapi_shib_extension: send completed, reading response message
> 2016-05-03 08:03:25 ERROR Shibboleth.Listener [5448] isapi_shib_extension: remoted message returned an error: No MetadataProvider available.
> 2016-05-03 08:03:25 ERROR Shibboleth.ISAPI [5448] isapi_shib_extension: No MetadataProvider available.
> 2016-05-03 08:03:25 DEBUG Shibboleth.ISAPI [5448] isapi_shib: mapped http://usphlvm2556.dmzphl.sap.corp:1080/shibboleth-sp/main.css to default
>
> Shibd.log shows below error:
>
> 2016-05-03 08:02:24 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
> 2016-05-03 08:02:24 ERROR OpenSSL : error data: Expecting: CERTIFICATE
> 2016-05-03 08:02:24 ERROR OpenSAML.Metadata : caught exception while installing filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
> 2016-05-03 08:02:24 CRIT Shibboleth.Application : error building MetadataProvider: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
> 2016-05-03 08:02:24 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
>
> Is it giving "No MetadataProvider available" because it is unable to load the certificate, or is there some other reason for it?
> Please help me out in this.
>
> Regards,
> Budh Ram
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of users-request at shibboleth.net
> Sent: Wednesday, May 4, 2016 7:06 PM
> To: users at shibboleth.net
> Subject: users Digest, Vol 59, Issue 13
>
> Send users mailing list submissions to
> users at shibboleth.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://shibboleth.net/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> users-request at shibboleth.net
>
> You can reach the person managing the list at
> users-owner at shibboleth.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of users digest..."
>
>
> Today's Topics:
>
> 1. Re: Redis as Storage Service for SP (Jarno Huuskonen)
> 2. RE: Need Help regarding certificate load and IDP metadata
> (Ram, Budh)
> 3. Re: Need Help regarding certificate load and IDP metadata
> (Tom Scavo)
> 4. Custom attributes to the IdP (Sowmya Vallabhajosyula)
> 5. SSO authentication for REST API calls (Sowmya Vallabhajosyula)
> 6. Re: Custom attributes to the IdP (Peter Schober)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 4 May 2016 12:04:11 +0300
> From: Jarno Huuskonen <jarno.huuskonen at uef.fi>
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Redis as Storage Service for SP
> Message-ID: <20160504090411.GD18038 at jjh.uef.fi>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> On Wed, May 04, Tom Wezepoel wrote:
>> At SURF in the Netherlands we provide a Sync&Share solution for higher education based on OwnCloud in combination with Shibboleth authentication.
>> The Shibboleth sessions of all users are currently stored in a Memcached Caching system and in combination with Repcached we have a kind of replication.
>> Unfortunately, the number of keys on the master and the replica are not always in sync. Next of that, the Memcached project seems to be dead.
>> These days Redis is a more common solution for this kind of storage, which is also designed to be deployed in a clustered setup.
>
> Have you tested mcrouter(https://github.com/facebook/mcrouter) instead
> of repcache ? Maybe AllSyncRoute/MissFailoverRoute would keep memcached
> servers in sync.
>
> -Jarno
>
> --
> Jarno Huuskonen
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 4 May 2016 11:37:14 +0000
> From: "Ram, Budh" <budh.ram at sap.com>
> To: "users at shibboleth.net" <users at shibboleth.net>
> Subject: RE: Need Help regarding certificate load and IDP metadata
> Message-ID:
> <dd26913cdf7a47cd91908deb1b848b6d at DEWDFE13DE01.global.corp.sap>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> The certificate is Base64-encoded and starts with BEGIN CERTIFICATE and ends with END CERTIFICATE. Attaching here the certificate file.
> The metadataprovider configuration snippet of Shibboleth2.xml is given below
>
> <MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
> backingFilePath="metadata.xml" reloadInterval="7200">
> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
> <MetadataFilter type="Signature" certificate="accounts400_idp_cert.pem"/>
> <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
> attributeName="http://macedir.org/entity-category"
> attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> attributeValue="http://refeds.org/category/hide-from-discovery" />
> </MetadataProvider>
>
> The native log gives below error
>
> 2016-05-03 08:03:25 DEBUG Shibboleth.Listener [5448] isapi_shib_extension: send completed, reading response message
> 2016-05-03 08:03:25 ERROR Shibboleth.Listener [5448] isapi_shib_extension: remoted message returned an error: No MetadataProvider available.
> 2016-05-03 08:03:25 ERROR Shibboleth.ISAPI [5448] isapi_shib_extension: No MetadataProvider available.
> 2016-05-03 08:03:25 DEBUG Shibboleth.ISAPI [5448] isapi_shib: mapped http://usphlvm2556.dmzphl.sap.corp:1080/shibboleth-sp/main.css to default
>
> Shibd.log shows below error:
>
> 2016-05-03 08:02:24 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
> 2016-05-03 08:02:24 ERROR OpenSSL : error data: Expecting: CERTIFICATE
> 2016-05-03 08:02:24 ERROR OpenSAML.Metadata : caught exception while installing filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
> 2016-05-03 08:02:24 CRIT Shibboleth.Application : error building MetadataProvider: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/accounts400_idp_cert.pem).
> 2016-05-03 08:02:24 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
>
> Please help me out in this.
>
> Regards,
> Budh Ram
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of users-request at shibboleth.net
> Sent: Friday, April 29, 2016 4:47 PM
> To: users at shibboleth.net
> Subject: users Digest, Vol 58, Issue 174
>
> Send users mailing list submissions to
> users at shibboleth.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://shibboleth.net/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> users-request at shibboleth.net
>
> You can reach the person managing the list at
> users-owner at shibboleth.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of users digest..."
>
>
> Today's Topics:
>
> 1. RE: clustering with HazelcastStorageService (Cantor, Scott)
> 2. Need Help regarding certificate load and IDP metadata
> configuration (Ram, Budh)
> 3. Re: Need Help regarding certificate load and IDP metadata
> configuration (Peter Schober)
> 4. Random authentication question (Robert Duncan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 29 Apr 2016 02:08:07 +0000
> From: "Cantor, Scott" <cantor.2 at osu.edu>
> To: "Paul B. Henson" <henson at cpp.edu>
> Cc: Shib Users <users at shibboleth.net>
> Subject: RE: clustering with HazelcastStorageService
> Message-ID:
> <9846A6064BD102419D06814DD0D78DE1128E474E at CIO-TNC-D2MBX02.osuad.osu.edu>
>
> Content-Type: text/plain; charset="utf-8"
>
>> Is that a correct interpretation of what I think you're saying?
>
> Yes. The API doesn't provide any other way to delineate what records are being used for.
>
> -- Scott
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 29 Apr 2016 05:01:38 +0000
> From: "Ram, Budh" <budh.ram at sap.com>
> To: "users at shibboleth.net" <users at shibboleth.net>
> Subject: Need Help regarding certificate load and IDP metadata
> configuration
> Message-ID:
> <6f66e5d2c485468a8aa5968337487fcf at DEWDFE13DE01.global.corp.sap>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
> I am using Shibboleth 2.5 (64-bit) on Windows Server 2008. I have configured the shibboleth2.xml file for the certificate and metadata provider. When I run the shibd -check command or check the shibd.log file, I am getting the error below:
>
> C:\opt\shibboleth-sp\sbin64>shibd -check
> 2016-04-29 00:42:40 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
> 2016-04-29 00:42:40 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
> 2016-04-29 00:42:40 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
> 2016-04-29 00:42:40 ERROR OpenSSL : error data: Expecting: CERTIFICATE
> 2016-04-29 00:42:40 ERROR OpenSAML.Metadata : caught exception while installing filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/sci-cert.pem).
> 2016-04-29 00:42:40 CRIT Shibboleth.Application : error building MetadataProvider: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/sci-cert.pem).
> 2016-04-29 00:42:40 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
> overall configuration is loadable, check console for non-fatal problems
>
> My shibboleth2.xml configurations are:
>
> <SSO entityID="https://accounts400.sap.com ">
> SAML2
> </SSO>
>
> <MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
> backingFilePath="federation-metadata.xml" reloadInterval="7200">
> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
> <MetadataFilter type="Signature" certificate="sci-cert.pem"/>
> <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
> attributeName="http://macedir.org/entity-category"
> attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> attributeValue="http://refeds.org/category/hide-from-discovery" />
> </MetadataProvider>
>
> This certificate file (sci-cert.pem) is available at this location. I am not sure why it is not able to load the certificate.
> The IdP has registered the SP metadata on their side, but it is still saying that the MetadataProvider is not available.
>
> Please help me out with this, whether I am missing something in the configuration.
>
> Thanks in advance.
>
> Thanks and Regards,
> Budh Ram
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://shibboleth.net/pipermail/users/attachments/20160429/d9c7d189/attachment-0001.html>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 29 Apr 2016 10:59:47 +0200
> From: Peter Schober <peter.schober at univie.ac.at>
> To: users at shibboleth.net
> Subject: Re: Need Help regarding certificate load and IDP metadata
> configuration
> Message-ID: <20160429085946.GD23195 at aco.net>
> Content-Type: text/plain; charset=us-ascii
>
> * Ram, Budh <budh.ram at sap.com> [2016-04-29 07:02]:
>> 2016-04-29 00:42:40 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_lib.c, line 701
>> 2016-04-29 00:42:40 ERROR OpenSSL : error data: Expecting: CERTIFICATE
>> 2016-04-29 00:42:40 ERROR OpenSAML.Metadata : caught exception while installing
>> filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/sci-cert.pem).
>
> Well, if the file exists there (as you say) make sure that it contains
> a Base64-encoded DER certificate, and that it starts with a line like
> -----BEGIN CERTIFICATE-----
>
> -peter
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 29 Apr 2016 11:17:12 +0000
> From: Robert Duncan <Robert.Duncan at ncirl.ie>
> To: Shib Users <users at shibboleth.net>
> Subject: Random authentication question
> Message-ID:
> <DB5PR02MB11287805B9D6224414D53FCA83660 at DB5PR02MB1128.eurprd02.prod.outlook.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> We are using Shibboleth to SSO into AWS and OpenStack , neither are on domain so it's the perfect fit.
> - but that's where domain identity ends - logging into instances uses public keys and all sense of domain-ness is gone. (no admins, keys all over the place etc.)
> Instances boot from generic images, but admins can configure default boot strapping actions
> Is there any role for Shibboleth for logging into cloud instances?
>
> Thanks,
> Rob.
>
>
> ________________________________
>
> The information contained and transmitted in this e-mail is confidential information, and is intended only for the named recipient to which it is addressed. The content of this e-mail may not have been sent with the authority of National College of Ireland. Any views or opinions presented are solely those of the author and do not necessarily represent those of National College of Ireland. If the reader of this message is not the named recipient or a person responsible for delivering it to the named recipient, you are notified that the review, dissemination, distribution, transmission, printing or copying, forwarding, or any other use of this message or any part of it, including any attachments, is strictly prohibited. If you have received this communication in error, please delete the e-mail and destroy all record of this communication. Thank you for your assistance.
> ________________________________
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
> ------------------------------
>
> End of users Digest, Vol 58, Issue 174
> **************************************
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: accounts400_idp_cert.pem
> Type: application/octet-stream
> Size: 716 bytes
> Desc: accounts400_idp_cert.pem
> URL: <http://shibboleth.net/pipermail/users/attachments/20160504/95714f16/attachment-0001.obj>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 4 May 2016 07:57:09 -0400
> From: Tom Scavo <trscavo at gmail.com>
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Need Help regarding certificate load and IDP metadata
> Message-ID:
> <CAEtu=dPSG2JYxvH-M7GQ64TNsHfxiUtAKjsDiRd-mqgKdvrFXQ at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Wed, May 4, 2016 at 7:37 AM, Ram, Budh <budh.ram at sap.com> wrote:
>>
>> The certificate is Base64-encoded and starts with BEGIN CERTIFICATE and ends with END CERTIFICATE. Attaching here the certificate file.
>
> The attached certificate does NOT start with BEGIN CERTIFICATE and end
> with END CERTIFICATE.
>
> Tom
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 4 May 2016 18:44:00 +0530
> From: Sowmya Vallabhajosyula <sowmya.v at zemosolabs.com>
> To: users at shibboleth.net
> Subject: Custom attributes to the IdP
> Message-ID:
> <CAMgwm3N184xh4mb9Sam30WnOoxtS9UvzkZHiYkmKo9bfLdqG0g at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> If I would like to send an extra custom attribute to IdP which I would like
> to use as ou partition of ldap. How can I achieve this?
>
> --
> Thanks and Regards,
> Sowmya Vallabhajosyula
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://shibboleth.net/pipermail/users/attachments/20160504/50bc28fb/attachment-0001.html>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 4 May 2016 18:48:36 +0530
> From: Sowmya Vallabhajosyula <sowmya.v at zemosolabs.com>
> To: users at shibboleth.net
> Subject: SSO authentication for REST API calls
> Message-ID:
> <CAMgwm3MZSjMguaMup4aAtnqrjmdmgn+dGtHK=UzodpHQLKEuBA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> How can we authenticate a REST API call using Shibboleth IdP? IdP needs to
> authenticate both users and REST API calls.
>
> --
> Thanks and Regards,
> Sowmya Vallabhajosyula
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://shibboleth.net/pipermail/users/attachments/20160504/68299542/attachment-0001.html>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 4 May 2016 15:35:50 +0200
> From: Peter Schober <peter.schober at univie.ac.at>
> To: users at shibboleth.net
> Subject: Re: Custom attributes to the IdP
> Message-ID: <20160504133550.GF23195 at aco.net>
> Content-Type: text/plain; charset=us-ascii
>
> * Sowmya Vallabhajosyula <sowmya.v at zemosolabs.com> [2016-05-04 15:14]:
>> If I would like to send an extra custom attribute to IdP which I
>> would like to use as ou partition of ldap. How can I achieve this?
>
> You want to send some part of the LDAP object's DN as a SAML
> Attribute? See Douglas' answer from yesterday about the 'entryDN'
> operational attribute. If your LDAP DSA does not support that I think
> the LDAP middleware used in the Shibboleth IDP can produce something
> with the same value internally, check the documentation.
>
> Once you have that pulled into an IDP internal attribute you can
> create a Script type attribute definition that parses out the value
> you're looking for.
> -peter
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
> ------------------------------
>
> End of users Digest, Vol 59, Issue 13
> *************************************
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net