Our SP stack doesn't process login after IDP update from v2 to v3

Sandor Mezei smezei at orbiscommunications.com
Fri Dec 21 09:00:46 EST 2018

One of our clients has upgraded their Shib IDP to v3, and if we switch to using that IDP it somehow causes an issue with our SP stack so that it is no longer possible for users to log in.

Our SP setup (that works with IDP v2) is:

Windows Server 2012 R2 Standard
Shib SP
Apache 2.4.33
JDK 1.8.0_162x64

In Apache httpd.conf:

<Location /secure>
    AuthType shibboleth
    ShibUseHeaders On
    ShibRequestSetting requireSession 1
    require valid-user
</Location>
<Location /Shibboleth.sso>
    AuthType shibboleth
    require shibboleth
</Location>
<Location /Shibboleth.sso/Metadata>
    AuthType shibboleth
    require shibboleth
</Location>
<Location /shibboleth>
    AuthType shibboleth
    require shibboleth
</Location>

In Apache httpd-ssl.conf

  ServerName <redacted>
  DocumentRoot "${SRVROOT}/htdocs"

  ProxyPass /Shibboleth.sso !
  ProxyPass /shibboleth !
  ProxyPass /shibboleth-sp !

  ProxyIOBufferSize 65536
  ProxyPass / ajp:// retry=0
  ProxyPassReverse / ajp:// retry=0

  SSLEngine on

  SSLCertificateFile "${SRVROOT}/conf/ssl/<redacted>.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/<redacted>.key"
  SSLCertificateChainFile "${SRVROOT}/conf/ssl/<redacted>-chain.crt"

In Tomcat server.xml

<Connector address="" port="8443" proxyName="<redacted>" proxyPort="443" protocol="AJP/1.3" maxThreads="2000" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="1000" debug="0" connectionTimeout="20000" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" packetSize="65536" />

Shibboleth2.xml relevant part:

<ApplicationOverride id="<redacted>" entityID="<redacted>" attributePrefix="AJP_" REMOTE_USER="somerandomstring" signing="false" encryption="false">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="https://<redacted>/Shibboleth.sso" handlerSSL="true">
        <SSO entityID="https://<redacted>/idp/shibboleth">SAML2</SSO>
        <!--<SSO entityID="https://<redacted>">SAML2</SSO>-->

        <Logout>SAML2 Local</Logout>
        <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
            <LogoutInitiator type="Local"/>
        </LogoutInitiator>

        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status" acl=""/>
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <Errors supportContact="noreply at email.com"/>

    <MetadataProvider type="XML" path="idp-metadata-<redacted>.xml" reloadInterval="7200"/>
    <!--<MetadataProvider type="XML" path="idp-metadata-<redacted>new.xml" reloadInterval="7200"/>-->

    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map-<redacted>.xml"/>
    <!--<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map-<redacted>new.xml"/>-->
</ApplicationOverride>


Login process (that works):

User clicks https://<redacted>/secure

Apache redirects to


User fills out username, password

IDP redirects to Apache, Apache to Tomcat, user is logged in

The problem with IDPv3:

In shibboleth2.xml we have to change 3 things (use the commented-out parts instead of the live ones for SSO, MetadataProvider and AttributeExtractor), as specified by the IDPv3 provider.

Login process (that fails):

User clicks https://<redacted>/secure

Apache redirects to


Notice the ;jsessionid part here... This is suspected to be the cause or a symptom, as it is not how it was with IDPv2.

User fills out username, password

IDP redirects to Apache, Apache returns a 500 error to the browser

Invalid HTTP method (GET)

The only way we could come up with to avoid the 500 error (and also not see the suspect jsessionid part in the URL) is to take out the "ShibUseHeaders On" from httpd.conf; what is expected at that point is to receive the Shib attributes as environment variables instead of HTTP headers. Unfortunately, that doesn't happen.

We tried every config change/setting that we can think of on our end but still haven't been able to crack this nut.

Any help/insights are greatly appreciated.

Thank you,
