Regarding connecting ECP client with Shibboleth

winma heenatigala winma2014al at gmail.com
Thu Aug 30 00:41:15 EDT 2018


Hi,
Thank you very much for bearing with me. I fixed that error as you
explained.
I am a university undergraduate and I was asked to develop an ECP client
as one of my projects. For that I was advised to use an existing client
with Shibboleth IDP and examine how it works.

Now my client works up to receiving the response from the IDP.

This is the SP response
*******************************
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
        responseConsumerURL="https://localhost/Shibboleth.sso/SAML2/ECP"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/shibboleth</saml:Issuer>
      <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:IDPEntry ProviderID="https://idp.shibboleth.com/idp/shibboleth"/>
      </samlp:IDPList>
    </ecp:Request>
    <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        S:mustUnderstand="1">ss:mem:178ef6c111d4cdc0071469d3a1a1ea749169b90e197dfc8bfed254d27ae5d8de</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        AssertionConsumerServiceURL="https://localhost/Shibboleth.sso/SAML2/ECP"
        ID="_dc9887ee19356552fcc1beca79a11163" IssueInstant="2018-08-30T03:48:07Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/shibboleth</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="1"/>
      <samlp:Scoping>
        <samlp:IDPList>
          <samlp:IDPEntry ProviderID="https://idp.shibboleth.com/idp/shibboleth"/>
        </samlp:IDPList>
      </samlp:Scoping>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>


This is the IDP request
***********************************
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        AssertionConsumerServiceURL="https://localhost/Shibboleth.sso/SAML2/ECP"
        ID="_dc9887ee19356552fcc1beca79a11163" IssueInstant="2018-08-30T03:48:07Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/shibboleth</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="1"/>
      <samlp:Scoping>
        <samlp:IDPList>
          <samlp:IDPEntry ProviderID="https://idp.shibboleth.com/idp/shibboleth"/>
        </samlp:IDPList>
      </samlp:Scoping>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>

This is the IDP response
**************************************
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
  <soap11:Header>
    <ecp:Response AssertionConsumerServiceURL="https://localhost/Shibboleth.sso/SAML2/ECP"
        soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" soap11:mustUnderstand="1"
        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  </soap11:Header>
  <soap11:Body>
    <saml2p:Response Destination="https://localhost/Shibboleth.sso/SAML2/ECP"
        ID="_6283e7bea940f33435211324bd96164b"
        InResponseTo="_dc9887ee19356552fcc1beca79a11163"
        IssueInstant="2018-08-30T03:48:11.154Z" Version="2.0"
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.shibboleth.com/idp/shibboleth</saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_6283e7bea940f33435211324bd96164b">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>5DrAN6876mNZg9RB09fX23beEILzdQ6PCv1xyyGNG0c=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
        </ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
      <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
      </saml2p:Status>
    </saml2p:Response>
  </soap11:Body>
</soap11:Envelope>

Could you please explain to me whether this error happens due to failures in
my ECP configuration in the IDP? Can you provide me some guidance to fix
this?
Thank you for replying to me.

winma

On Wed, Aug 29, 2018 at 12:57 PM Peter Schober <peter.schober at univie.ac.at>
wrote:

> * winma heenatigala <winma2014al at gmail.com> [2018-08-29 05:57]:
> > To report this problem, please contact the site administrator at winma at test.
> [...]
> > No session initiator found with id (ECP), check requireSessionWith command.
>
> That seems pretty clear to me?
>
> > <Location /myservice/>
> >   AuthType shibboleth
> >   ShibRequestSetting requireSessionWith ECP
> >   Require valid-user
> > </Location>
>
> For whatever reason (what documentation are you following here?)
> you're asking the software to initiate a session with a named
> session initiator, here called "ECP". That name is arbitrary and up to
> you, and you don't seem to have such a session initiator defined.
>
> So why are you doing this in the first place?
>
> -peter
>
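
The checks an ECP client can make on the IdP's SOAP reply before relaying it to the SP, as an added example (not part of the original post and not Shibboleth's code): it compares the ecp:Response ACS URL with the responseConsumerURL from the SP's PAOS request, matches InResponseTo to the AuthnRequest ID, and surfaces the SAML status. The function names and the trimmed sample messages are constructed for illustration; the example does not validate the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed samples, trimmed from the messages in the post (signature left out).
SP_MSG = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2003-08"
 responseConsumerURL="https://localhost/Shibboleth.sso/SAML2/ECP"/></S:Header><S:Body>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="_dc9887ee19356552fcc1beca79a11163"/></S:Body></S:Envelope>"""
IDP_MSG = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"><s:Header>
<ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 AssertionConsumerServiceURL="https://localhost/Shibboleth.sso/SAML2/ECP"/></s:Header><s:Body>
<p:Response InResponseTo="_dc9887ee19356552fcc1beca79a11163"><p:Status>
<p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
<p:StatusMessage>An error occurred.</p:StatusMessage></p:Status></p:Response>
</s:Body></s:Envelope>"""

def sp_expectations(sp_envelope):
    """Values from the SP's PAOS request that the client must remember."""
    root = ET.fromstring(sp_envelope)
    paos = root.find("soap:Header/paos:Request", NS)
    authn = root.find("soap:Body/samlp:AuthnRequest", NS)
    return {"acs": paos.get("responseConsumerURL"), "request_id": authn.get("ID")}

def check_idp_response(idp_envelope, expected):
    """Return (ok, findings) for the IdP's SOAP reply; relay to the SP only if ok."""
    root = ET.fromstring(idp_envelope)
    findings = []
    ecp_hdr = root.find("soap:Header/ecp:Response", NS)
    resp = root.find("soap:Body/samlp:Response", NS)
    if ecp_hdr is None or resp is None:
        return False, ["missing ecp:Response header or samlp:Response body"]
    if ecp_hdr.get("AssertionConsumerServiceURL") != expected["acs"]:
        findings.append("ACS URL in ecp:Response differs from responseConsumerURL")
    if resp.get("InResponseTo") != expected["request_id"]:
        findings.append("InResponseTo does not match the AuthnRequest ID")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    if status != SUCCESS:
        msg = resp.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS)
        findings.append(f"IdP status {status}: {msg}")
    return not findings, findings
```

Run against the messages in the post, the URL and ID checks pass and the only finding is the Responder status, so the cause has to be looked up on the IdP side.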