Shibboleth handler invoked at an unconfigured location
reda sabir
sabiretude at gmail.com
Thu May 19 06:04:20 EDT 2016
Hello,
So after some research I managed to set the right shibboleth2.xml for
setting the cookie scope. Then I got some strange behaviour:
- I took the same use case again: one SP and two IdPs, where each IdP is
used when the user accesses a specific URL. So I have two hostnames pointing
at the same website: wso2.shibboleth.example.com and
openam.shibboleth.example.com.
- The httpd config looks like this:
#wso2
<VirtualHost *:80>
    ServerName wso2.shibboleth.example.com
    DocumentRoot "/var/www/html/"
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId default
        require shib-session
    </Location>
    <Location /Shibboleth.sso>
        Satisfy Any
        Allow from all
    </Location>
    <Location />
        AuthType shibboleth
        Require shibboleth
    </Location>
</VirtualHost>
#openam
<VirtualHost *:80>
    ServerName openam.shibboleth.example.com
    DocumentRoot "/var/www/html/"
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId openam-id
        require shib-session
    </Location>
    <Location /Shibboleth.sso>
        Satisfy Any
        Allow from all
    </Location>
    <Location />
        AuthType shibboleth
        Require shibboleth
    </Location>
</VirtualHost>
- The shibboleth2.xml is configured like this:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">
    <ApplicationDefaults
        entityID="sp.shibboleth.example.com"
        REMOTE_USER="eppn persistent-id targeted-id">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerURL="/Shibboleth.sso"
                  handlerSSL="false" cookieProps="; path=/; domain=example.com; http">
            <SSO entityID="wso2"
                 discoveryProtocol="SAMLDS"
                 discoveryURL="https://wso2.example.com:9443/samlsso">
                SAML2
            </SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <MetadataProvider type="XML" validate="true"
                          file="/etc/shibboleth/wso2_metadata.xml"/>
        <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                            path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <ApplicationOverride id="openam-id">
            <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                      checkAddress="false" handlerSSL="false"
                      cookieProps="; path=/; domain=example.com; http">
                <SSO entityID="openam"
                     discoveryProtocol="SAMLDS"
                     discoveryURL="http://openam.example.com:7777/openam/SSOPOST/metaAlias/idp">
                    SAML2
                </SSO>
                <Logout>SAML2 Local</Logout>
                <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
                <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
                <Handler type="Session" Location="/Session" showAttributeValues="false"/>
                <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
            </Sessions>
            <MetadataProvider type="XML" validate="true"
                              file="/etc/shibboleth/openam_metadata.xml"/>
        </ApplicationOverride>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
When I try to access the website with the FQDN wso2.shibboleth.example.com,
I succeed in authenticating to wso2. But when I access the website with
openam.shibboleth.example.com, I get redirected to wso2 instead of
openam. Here are the logs from shibd.log:
2016-05-19 08:21:02 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]:
message encoded, sending redirect to client
2016-05-19 08:23:41 DEBUG Shibboleth.Listener [2]: dispatching message
(default::getHeaders::Application)
2016-05-19 08:23:41 DEBUG Shibboleth.Config [2]: timestamp of local
resource changed, elevating to a write lock
2016-05-19 08:23:41 INFO Shibboleth.Config [2]: change detected, signaling
reload thread...
2016-05-19 08:23:41 INFO Shibboleth.Config : reloading local resource...
2016-05-19 08:23:41 DEBUG Shibboleth.Config : loading configuration from
external resource...
2016-05-19 08:23:41 INFO Shibboleth.Config : loaded XML resource
(/etc/shibboleth/shibboleth2.xml)
2016-05-19 08:23:41 INFO Shibboleth.Config : Shibboleth SP Version 2.5.6
2016-05-19 08:23:41 INFO Shibboleth.Config : Library versions: log4shib
1.0.9, Xerces-C 3.1.3, XML-Security-C 1.7.3, XMLTooling-C 1.5.6, OpenSAML-C
2.5.5, Shibboleth 1.5.6
2016-05-19 08:23:41 INFO Shibboleth.Config : building
SecurityPolicyProvider of type XML...
2016-05-19 08:23:41 DEBUG Shibboleth.SecurityPolicyProvider.XML : using
local resource (/etc/shibboleth/security-policy.xml), will monitor for
changes
2016-05-19 08:23:41 DEBUG Shibboleth.SecurityPolicyProvider.XML : loading
configuration from external resource...
2016-05-19 08:23:41 INFO Shibboleth.SecurityPolicyProvider.XML : loaded XML
resource (/etc/shibboleth/security-policy.xml)
2016-05-19 08:23:41 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Audience
2016-05-19 08:23:41 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Audience
2016-05-19 08:23:41 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Ignore
2016-05-19 08:23:41 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Ignore
2016-05-19 08:23:41 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Ignore
2016-05-19 08:23:41 INFO Shibboleth.Config : building ProtocolProvider of
type XML...
2016-05-19 08:23:41 DEBUG Shibboleth.ProtocolProvider.XML : using local
resource (/etc/shibboleth/protocols.xml), will not monitor for changes
2016-05-19 08:23:41 DEBUG Shibboleth.ProtocolProvider.XML : loading
configuration from external resource...
2016-05-19 08:23:41 INFO Shibboleth.ProtocolProvider.XML : loaded XML
resource (/etc/shibboleth/protocols.xml)
2016-05-19 08:23:41 WARN Shibboleth.Application : custom cookieProps
setting should include "; secure" for SSL/TLS-only usage
2016-05-19 08:23:41 WARN Shibboleth.Application : handlerSSL should be
enabled for SSL/TLS-enabled web sites
2016-05-19 08:23:41 INFO Shibboleth.Application : auto-configuring SSO
initiation for protocol (SAML2)
2016-05-19 08:23:41 INFO Shibboleth.Application : adding SessionInitiator
of type (SAML2) to chain (/Login)
2016-05-19 08:23:41 DEBUG Shibboleth.Listener [2]: dispatching message
(default/Login::run::SAML2SI)
2016-05-19 08:23:41 DEBUG XMLTooling.StorageService [2]: inserted record
(e09ae8b56591fbb67d836cb31addb597d1ecbb9615fc821dd0d46fe69d1c37ea) in
context (RelayState) with expiration (1463646821)
2016-05-19 08:23:41 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [2]:
validating input
2016-05-19 08:23:41 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [2]:
marshalling, deflating, base64-encoding the message
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: starting to marshal
samlp:AuthnRequest
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: creating root element
to marshall
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: marshalling namespace
attributes for XMLObject
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: marshalling text and
child elements for XMLObject
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: starting to marshalling
saml:Issuer
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: creating root element
to marshall
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: marshalling namespace
attributes for XMLObject
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: marshalling text and
child elements for XMLObject
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: caching DOM for
XMLObject
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: starting to marshalling
samlp:NameIDPolicy
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: creating root element
to marshall
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: marshalling namespace
attributes for XMLObject
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: marshalling text and
child elements for XMLObject
2016-05-19 08:23:41 INFO Shibboleth.Application : auto-configuring
ArtifactResolution endpoints for protocol (SAML2)
2016-05-19 08:23:41 INFO Shibboleth.Application : adding
ArtifactResolutionService for Binding
(urn:oasis:names:tc:SAML:2.0:bindings:SOAP) at (/Artifact/SOAP)
2016-05-19 08:23:41 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2016-05-19 08:23:41 INFO Shibboleth.Application : auto-configuring SSO
endpoints for protocol (SAML2)
2016-05-19 08:23:41 INFO Shibboleth.Application : adding
AssertionConsumerService for Binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST) at (/SAML2/POST)
2016-05-19 08:23:41 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/POST)
2016-05-19 08:23:41 INFO Shibboleth.Application : adding
AssertionConsumerService for Binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign) at
(/SAML2/POST-SimpleSign)
2016-05-19 08:23:41 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/POST-SimpleSign)
2016-05-19 08:23:41 INFO Shibboleth.Application : adding
AssertionConsumerService for Binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact) at (/SAML2/Artifact)
2016-05-19 08:23:41 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/Artifact)
2016-05-19 08:23:41 INFO Shibboleth.Application : adding
AssertionConsumerService for Binding
(urn:oasis:names:tc:SAML:2.0:bindings:PAOS) at (/SAML2/ECP)
2016-05-19 08:23:41 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/ECP)
2016-05-19 08:23:41 INFO Shibboleth.Application : adding SessionInitiator
of type (SAMLDS) to chain (/Login)
2016-05-19 08:23:41 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Login::run::SAML2SI)
2016-05-19 08:23:41 INFO Shibboleth.SecurityPolicyProvider.XML : reload
thread started...running when signaled
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: caching DOM for
XMLObject
2016-05-19 08:23:41 DEBUG XMLTooling.XMLObject [2]: caching DOM for
XMLObject (document is bound)
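As an added example (not from the original post or the Shibboleth project), a small Python lint over a constructed copy of the two configs above: it maps each Apache virtual host's applicationId to the ApplicationOverride ids declared in shibboleth2.xml, and reproduces the cookieProps and handlerSSL warnings that appear in the shibd log. The config text inside is constructed to mirror the post and trimmed to the attributes that matter here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config"}
# Constructed to mirror the post's shibboleth2.xml and httpd.conf (relevant parts only).
SHIB_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
 <ApplicationDefaults entityID="sp.shibboleth.example.com">
  <Sessions handlerURL="/Shibboleth.sso" handlerSSL="false" cookieProps="; path=/; domain=example.com; http"/>
  <ApplicationOverride id="openam-id">
   <Sessions handlerSSL="false" cookieProps="; path=/; domain=example.com; http"/>
  </ApplicationOverride>
 </ApplicationDefaults>
</SPConfig>"""
HTTPD_CONF = """<VirtualHost *:80>
 ServerName wso2.shibboleth.example.com
 ShibRequestSetting applicationId default
</VirtualHost>
<VirtualHost *:80>
 ServerName openam.shibboleth.example.com
 ShibRequestSetting applicationId openam-id
</VirtualHost>"""

def applications(shib_xml):
    defaults = ET.fromstring(shib_xml).find("conf:ApplicationDefaults", NS)
    return [("default", defaults)] + [(o.get("id"), o) for o in defaults.iterfind("conf:ApplicationOverride", NS)]

def session_warnings(shib_xml):
    """Reproduce, per application, the two warnings shibd logged at startup."""
    warnings = []
    for app_id, node in applications(shib_xml):
        if (sess := node.find("conf:Sessions", NS)) is None:
            continue  # no <Sessions> of its own; nothing to check here
        if "secure" not in sess.get("cookieProps", "").lower():
            warnings.append((app_id, "cookieProps should include '; secure'"))
        if sess.get("handlerSSL", "true").lower() != "true":
            warnings.append((app_id, "handlerSSL should be enabled"))
    return warnings

def apache_app_ids(httpd_conf):
    hosts = {}  # ServerName -> applicationId ("default" when none is set)
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", httpd_conf, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M)
        app = re.search(r"^\s*ShibRequestSetting\s+applicationId\s+(\S+)", block, re.M)
        if name:
            hosts[name.group(1)] = app.group(1) if app else "default"
    return hosts

def unknown_app_ids(shib_xml, httpd_conf):
    known = {app_id for app_id, _ in applications(shib_xml)}
    return {h: a for h, a in apache_app_ids(httpd_conf).items() if a not in known}
```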