supplied TrustEngine failed to validate SSL/TLS server certificate - while validating the SAML response sent by IdP to SP

anuptiwary anup.kr.tiwary at gmail.com
Fri Jul 27 07:05:30 EDT 2018


Thank you for your response, Peter.

As I can see in the idp-process log, there is an attribute principalId which is
released by the IdP, but it seems my attribute mapping or some other mapping
does not hold true to pass it to the SP.

I have now configured the line below (where principalId is now added) after
looking at the idp-process logs.

<ApplicationDefaults entityID="http://localhost:8080/WebUI"
      REMOTE_USER="principalId sn eppn persistent-id targeted-id NameID"
      signing="false" encryption="false" attributePrefix="AJP_"
      homeURL="http://localhost:8080/WebUI">

Please take a look at the idp-process.log below to see if you can find
something in it, and guide me through.

----idp-process.log---
16:18:27.873 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473]
- Attribute principalId has 1 values after post-processing
16:18:27.873 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137]
- shibboleth.AttributeResolver resolved, for principal testuser, the
attributes: [principalId]
16:18:27.873 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71]
- shibboleth.AttributeFilterEngine filtering 1 attributes for principal
testuser
16:18:27.874 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
- Evaluating if filter policy releaseTransientIdToAnyone is active for
principal testuser
16:18:27.874 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
- Filter policy releaseTransientIdToAnyone is active for principal testuser
16:18:27.874 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute transientId for principal
testuser
16:18:27.874 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
- Evaluating if filter policy releaseUidToAnyone is active for principal
testuser
16:18:27.874 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
- Filter policy releaseUidToAnyone is active for principal testuser
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute uid for principal testuser
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
- Evaluating if filter policy releaseSnToAnyone is active for principal
testuser
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
- Filter policy releaseSnToAnyone is active for principal testuser
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute sn for principal testuser
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
- Evaluating if filter policy releasePrincipalIdToAnyone is active for
principal testuser
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
- Filter policy releasePrincipalIdToAnyone is active for principal testuser
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
- Processing permit value rule for attribute principalId for principal
testuser
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
- Attribute principalId has 1 values after filtering
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114]
- Filtered attributes for principal testuser.  The following attributes
remain: [principalId]
16:18:27.877 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505]
- Creating attribute statement in response to SAML request
'_28da556246a0427a1c89025c5225b37d' from relying party
'http://localhost:8080/WebUI'
16:18:27.877 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263]
- Attribute principalId was not encoded (filtered by query, or no
SAML2AttributeEncoder attached).
16:18:27.877 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:129]
- No attributes remained after encoding and filtering by value, no attribute
statement built
16:18:27.881 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528]
- Filtering out potential name identifier attributes which can not be
encoded by
edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
16:18:27.882 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:542]
- Retaining attribute principalId which may be encoded to via
edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
16:18:27.882 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:691]
- Selecting attribute to be encoded as a name identifier by encoder of type
edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
16:18:27.882 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:718]
- Selecting the first attribute that can be encoded in to a name identifier
16:18:27.882 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:502]
- Name identifier for relying party 'http://localhost:8080/WebUI' will be
built from attribute 'principalId'
16:18:27.883 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868]
- Using attribute 'principalId' supporting NameID format
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID
for relying party 'http://localhost:8080/WebUI'
16:18:27.883 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:572]
- Determining if SAML assertion to relying party
'http://localhost:8080/WebUI' should be signed
16:18:27.883 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:653]
- IdP relying party configuration 'default' indicates to sign assertions:
true
16:18:27.883 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:583]
- Determining signing credntial for assertion to relying party
'http://localhost:8080/WebUI'
16:18:27.883 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:599]
- Signing assertion to relying party http://localhost:8080/WebUI
16:18:27.924 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:331]
- secondarily indexing user session by name identifier
16:18:27.924 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:797]
- Encoding response to SAML request _28da556246a0427a1c89025c5225b37d from
relying party http://localhost:8080/WebUI
16:18:27.938 - INFO [Shibboleth-Audit:1028] -
20180727T104827Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_28da556246a0427a1c89025c5225b37d|http://localhost:8080/WebUI|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://localhost:8443/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_2e554f90055930e2a4b43827ac27cb0b|testuser|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||testuser|_e67c13cf510ab68b82e6c4486bdb8adc,|




--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
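
Added example, not part of the original post: a small Python trace over the idp-process.log entries quoted above, showing per resolved attribute whether it survived the filter, whether a "was not encoded" entry was logged for it, and whether it was picked as the NameID source. The names `entries`, `trace` and `PATTERNS` are hypothetical helpers written for this example; `encoded` is inferred only from the absence of a "was not encoded" entry.

```python
import re

# Four entries copied from the idp-process.log in the post, mail wrapping kept.
SAMPLE_LOG = """\
16:18:27.873 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137]
- shibboleth.AttributeResolver resolved, for principal testuser, the
attributes: [principalId]
16:18:27.875 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114]
- Filtered attributes for principal testuser.  The following attributes
remain: [principalId]
16:18:27.877 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263]
- Attribute principalId was not encoded (filtered by query, or no
SAML2AttributeEncoder attached).
16:18:27.882 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:502]
- Name identifier for relying party 'http://localhost:8080/WebUI' will be
built from attribute 'principalId'
"""

STAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} - ")  # start of a log entry
PATTERNS = {  # stage -> regex capturing the attribute name(s) it mentions
    "resolved": r"resolved, for principal \S+, the attributes: \[(.*?)\]",
    "kept_by_filter": r"The following attributes remain: \[(.*?)\]",
    "not_encoded": r"Attribute (\S+) was not encoded",
    "name_id": r"will be built from attribute '([^']+)'",
}

def entries(text):  # rejoin wrapped lines into one string per log entry
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def trace(text):  # per resolved attribute: how far it got toward the SP
    seen = {stage: set() for stage in PATTERNS}
    for entry in entries(text):
        for stage, rx in PATTERNS.items():
            for m in re.finditer(rx, entry):
                seen[stage] |= {n.strip() for n in m.group(1).split(",") if n.strip()}
    return {a: {"kept_by_filter": a in seen["kept_by_filter"],
                "encoded": a in seen["kept_by_filter"] and a not in seen["not_encoded"],
                "name_id_source": a in seen["name_id"]}
            for a in sorted(seen["resolved"])}
```
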

