TestShib metadata issues?

Bobby Lawrence robertl at jlab.org
Thu Apr 26 17:28:23 EDT 2018


Nate - I was able to reproduce my issue over here on a 2.4.3 version of 
the Shib IdP.
Without being able to see the config for the TestShib IdP, it seems like 
the issue may be related to PKIX trust.  My SP signs Authn requests with 
a self-signed certificate so what I'm thinking is that TestShib is 
trying to validate the trust of my self signed cert and cannot.

Does the TestShib IdP config have a MetadataExplicitKeySignature trust 
engine?
My 2.x IdPs all have the following signature trust engine defined (which 
I think is the default) because the relying-party.xml config file has 
"DO NOT EDIT BELOW THIS POINT":

<security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
    <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature" metadataProviderRef="ShibbolethMetadata"/>
    <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature" metadataProviderRef="ShibbolethMetadata"/>
</security:TrustEngine>

If I remove the first trust engine (SignatureMetadataExplicitKeyTrustEngine) 
and only have the SignatureMetadataPKIXTrustEngine like in the example 
below, I get the exact same behavior that I see on TestShib.

<security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
    <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature" metadataProviderRef="ShibbolethMetadata"/>
</security:TrustEngine>

Can you check the TestShib config for me?  If the 
MetadataExplicitKeySignature trust engine isn't there, self-signed 
certificates cannot be used and all certs used for signing would need to 
be issued by a trusted CA...



On 4/26/2018 12:56 PM, Klingenstein, Nate wrote:
>
> The upgrade to 3 is stalled because Kevin is a vastly more competent 
> sysadmin than I am and he hasn't had time to do his thing.
>
>
> I would've been slapping up versions just like I always did.  We're in 
> a better place.
>
> ------------------------------------------------------------------------
> *From:* users <users-bounces at shibboleth.net> on behalf of Bobby 
> Lawrence <robertl at jlab.org>
> *Sent:* Thursday, April 26, 2018 7:22:30 AM
> *To:* users at shibboleth.net
> *Subject:* Re: TestShib metadata issues?
>
> So it seems that the SP side of this is good to go now, but I'm still 
> having an issue on the IdP side.  I'm not sure what it is yet but my 
> SP works with the exact same config with other IdPs at my site.  One 
> of them is shibboleth idp 3.3 and one is 2.3.8 (which I'm in the 
> process of retiring).  I do see that TestShib is running 2.4.  Seems 
> odd to me that this test environment is almost a full version behind, 
> but oh well... maybe a TestShib 3 will pop up sometime lol.
>
> Anyway - is it at all possible to change the TestShib IdP process log 
> config and set the "org.opensaml" logger to DEBUG?
>
>
> On 4/25/2018 7:22 PM, Nate Klingenstein wrote:
>> I cleared out two uploads that were bad, but they had been there for 
>> some time, and it looked like the aggregator was skipping them.  The 
>> SP logs appear like it was loading metadata happily without incident 
>> except for a one-minute hiccup at 9:20 EDT with no obvious cause.
>>
>> I'm able to look up your IdP now and the metadata file is loading 
>> without incident.  I was talking with Kevin, but he stepped away 
>> right before it worked, so I don't think he did anything.  I don't 
>> know an invocation URL for the SP, but I suspect it'll work.
>>
>> Thanks for letting us know promptly, please let me know if it doesn't 
>> work for you, and I blame tommyknockers.
>>
>>
>
> -- 
> Bobby Lawrence (robertl at jlab.org <mailto:robertl at jlab.org>)
> Jefferson Lab MIS
> 757-269-5818
>
>

-- 
Bobby Lawrence (robertl at jlab.org)
Jefferson Lab MIS
757-269-5818
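The difference between the two trust engines discussed above, as an added example that is not part of this thread or of the Shibboleth code base: a small Python model of the trust decisions. MetadataExplicitKeySignature trusts a signature when the signing certificate is published in the peer's own md:KeyDescriptor, which is why a self-signed SP certificate works with it; MetadataPKIXSignature requires the certificate to chain to a trust anchor published in the metadata as a shibmd:KeyAuthority, so a self-signed certificate that is not itself an anchor fails; SignatureChaining accepts if any member engine accepts. The metadata, entityID, certificate names and certificate bytes are constructed placeholders, and PKIX path building is reduced to issuer-name chaining against the anchor set with no signature or validity checks, so this models the decision logic, not the cryptography.

```python
"""Added example: model of the Shibboleth IdP 2.x signature trust engines.

All certificates are constructed placeholders (subject, issuer, opaque bytes
standing in for the DER encoding), not real X.509 data.  PKIX validation is
simplified to issuer-name chaining against the KeyAuthority anchors.
"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # placeholder bytes standing in for the DER encoding


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample certificates (hypothetical names and bytes).
SP_SELF_SIGNED = Cert("CN=sp.example.org", "CN=sp.example.org", b"sp-self-signed")
CA_ROOT = Cert("CN=Example Federation CA", "CN=Example Federation CA", b"federation-ca")
SP_CA_ISSUED = Cert("CN=sp.example.org", "CN=Example Federation CA", b"sp-ca-issued")
ENTITY_ID = "https://sp.example.org/shibboleth"  # hypothetical entityID

# Constructed metadata: the SP publishes its self-signed signing certificate,
# and the aggregate publishes CA_ROOT as a shibmd:KeyAuthority trust anchor.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" xmlns:shibmd="{NS['shibmd']}">
  <md:Extensions>
    <shibmd:KeyAuthority>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(CA_ROOT.der)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </shibmd:KeyAuthority>
  </md:Extensions>
  <md:EntityDescriptor entityID="{ENTITY_ID}">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {_b64(SP_SELF_SIGNED.der)}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _certs_under(elem):
    """Decode every ds:X509Certificate below elem (metadata wraps the base64)."""
    return {base64.b64decode("".join(x.text.split()))
            for x in elem.iterfind(".//ds:X509Certificate", NS)}


def explicit_key_trusted(metadata_xml, entity_id, cert):
    """MetadataExplicitKeySignature: the cert must appear as a signing key
    (use="signing" or unqualified) in the entity's own KeyDescriptors."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iterfind(".//md:EntityDescriptor", NS):
        if ed.get("entityID") != entity_id:
            continue
        keys = set()
        for kd in ed.iterfind(".//md:KeyDescriptor", NS):
            if kd.get("use") in (None, "signing"):
                keys |= _certs_under(kd)
        return cert.der in keys
    return False  # unknown entity: nothing to trust


def pkix_trusted(metadata_xml, chain, max_depth=5):
    """MetadataPKIXSignature (simplified): walk the presented chain by issuer
    name until some certificate equals a shibmd:KeyAuthority anchor."""
    root = ET.fromstring(metadata_xml)
    anchors = set()
    for ka in root.iterfind(".//shibmd:KeyAuthority", NS):
        anchors |= _certs_under(ka)
    by_subject = {c.subject: c for c in chain}
    current = chain[0]
    for _ in range(max_depth):
        if current.der in anchors:
            return True
        if current.issuer == current.subject:
            return False  # self-signed and not an anchor: the path ends here
        current = by_subject.get(current.issuer)
        if current is None:
            return False  # issuer neither presented nor an anchor
    return False


def chaining_trusted(metadata_xml, entity_id, chain, engines):
    """SignatureChaining: accept if any configured member engine accepts."""
    checks = {
        "explicit": lambda: explicit_key_trusted(metadata_xml, entity_id, chain[0]),
        "pkix": lambda: pkix_trusted(metadata_xml, chain),
    }
    return any(checks[e]() for e in engines)


if __name__ == "__main__":
    both = ("explicit", "pkix")
    print("default chain, self-signed SP:", chaining_trusted(SAMPLE_METADATA, ENTITY_ID, [SP_SELF_SIGNED], both))
    print("PKIX only, self-signed SP:   ", chaining_trusted(SAMPLE_METADATA, ENTITY_ID, [SP_SELF_SIGNED], ("pkix",)))
```

Run as-is, the default two-engine chain accepts the self-signed SP certificate because it is in the SP's metadata, while the PKIX-only chain rejects it; a CA-issued certificate whose issuer is published as a KeyAuthority passes PKIX even though it is absent from the SP's KeyDescriptor, which is the behaviour the message above describes.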

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180426/38170cea/attachment.html>
