Issues configuring Multiple SPs against a single IDP all on same server

Personal nickzolnoor at gmail.com
Tue Mar 27 15:09:44 EDT 2018


Hello all, I apologize in advance if this message is lengthy but I would like to be explicit in explaining my issue.

For a while my webapp has run under one Shibboleth SP and IdP, the SP being app1.website.com/shibboleth and the IdP being app1.website.com/idp/shibboleth. This worked fine until users were required to log in to one of the apps provided under app1.website.com/shibboleth on another device (their phone) while logged in on a browser. Doing this causes an issue, as Shibboleth will attempt to log out with the incorrect session ID on the second session, never logging them out and throwing a SAML profile exception. The solution I came to after reading through the documentation was to separate my Apache/ShibSP setup into multiple virtual hosts and logical service providers, but still use the same IdP to authenticate.

I have read through many mailing lists and documentation, and I believe I have set up my configurations correctly, yet I still receive errors related to my new SP’s metadata, even though I created it by copying a working, existing SP metadata and changing the hostnames.

So first: Here is my log excerpt upon trying to visit a page that should redirect to a login:

17:51:30.260 - DEBUG [PROTOCOL_MESSAGE:113] -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://app2.website.com/Shibboleth.sso/SAML2/POST"
    Destination="https://app1.website.com/idp/profile/SAML2/Redirect/SSO"
    ID="_64038eb8ca0725cbe1f1df29e686a0f4"
    IssueInstant="2018-03-27T17:51:30Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://app2.website.com/shibboleth</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

17:51:30.260 - WARN [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:81] - SPSSODescriptor role metadata for entityID 'https://app2.website.com/shibboleth' could not be resolved
17:51:30.260 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:305] - No metadata for relying party https://app2.website.com/shibboleth, treating party as anonymous
17:51:30.260 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:222] - SAML 2 SSO profile is not configured for relying party https://app2.website.com/shibboleth

I also receive an “INVALID IDP URL (404)” webpage after the above log messages are generated.

My Shibboleth2.xml Config:

<ApplicationOverride id="app2" entityID="https://app2.website.com/shibboleth" />

My Apache config is set up to ShibRequestSetting applicationId app2, to map to this override.

My metadata-providers.xml config:

<MetadataProvider xsi:type="FilesystemMetadataProvider"
                      id="app2Metadata"
                      metadataFile="/opt/shibboleth-idp/metadata/mc-generated-md.xml" />

And I should note that this tag is inside a ChainingMetadataProvider, right after a working SP metadata.

So my questions are: Given the situation, is this a viable solution? I’ve seen a lot on the internet about multiple IdPs to a single SP, but not about the reverse. Can I use an IdP on the same server, but a different virtual host with my logically separated SP? Is there a better way to prevent logout errors from the same sign-on on two different browsers?

If it is a viable solution: Why does my metadata refuse to be recognized by the IdP? I’ve gone as far as copying and modifying one that works, modifying the provided example from testshib, and even modifying the auto-generated metadata from app2.website.com/Shibboleth.sso/Metadata

I’ll leave the metadata that fails to load beneath and I appreciate any help or insight I receive!!

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_fe261a8a7093587c1db68e373e4bf344cf1e1442" entityID="https://app2.website.com/shibboleth">

  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://app2.website.com/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://app1.website.com/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>app1.website.com</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=app1.website.com</ds:X509SubjectName>
          <ds:X509Certificate>MIIDADCCAeigAwIBAgIJAIMOvKesRgyuMA0GCSqGSIb3DQEBBQUAMB4xHDAaBgNV
BAMTE3JodGVzdC5vdHN1a2FkbS5jb20wHhcNMTgwMTIyMTkzMDE2WhcNMjgwMTIw
MTkzMDE2WjAeMRwwGgYDVQQDExNyaHRlc3Qub3RzdWthZG0uY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsBHB4YrkzCJfxun8XDB6hJB4EYiM5idO
63kbu8kGrravySZfKYp8/oCoMhG8zF6Blfp+70U08UVH/dncGTvFL86RbTsmZEpa
rCeW34ndXuEF7xwHZCIqHEIIL6N6NFjpLTqgbENzrGNHe9kAGgoOuFr+S8PFri2l
kLjKNQsuh8j+a3ukbXcc7ZU2YLoi69aWqy8NVHx0sDOC8+tpKRdlPUGngslYHxmO
fi4M3GF3FdN0kLnL9aTcWgpsmqNLztBEWjYrxoaLb7cnmZgiuIJTiHIb4nVpHOS7
DxB885DcsRSlgYZCmav3Ge9k/GOj1eXj8WT/pf/NMJ13XgjKw/p/dQIDAQABo0Ew
PzAeBgNVHREEFzAVghNyaHRlc3Qub3RzdWthZG0uY29tMB0GA1UdDgQWBBRoxqL6
ylQI6VPsaXZ7tygkXGEK/jANBgkqhkiG9w0BAQUFAAOCAQEAByWM3MJbTxx3Jftb
4EB2Hcl9mdLgOCzpJcOP7+6rHxSoYSxHz1m0wuFgEYTReGGKu45AFW4J1mNBA0LO
J3EBx9JQ7mMV1d5FLgI33GHkxxqmABvgy/1uP8dGV1DTp31RNUhrQSIpG83NPaOi
PkIPcjz3jwM3slujsDtRCCqeptFFqESDMxVlacqgnhEPvWbd5KufOH2ePfxecC66
R1cZ+6Gbk9yxjCcAHMBXDzly1wH1zi1C4Q/dx9GND7QPPWYS9oRu2jAfwNZguFGg
E1Lwb+kGIqZEh2G/+oOGspvYE0N6Dc/rfl32AY3LPTPv18nmPyKfAOcWYCfi2b1Q
rl+U4w==
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://app2.website.com/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://app2.website.com/Shibboleth.sso/SLO/Artifact"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app2.website.com/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app2.website.com/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://app2.website.com/Shibboleth.sso/SLO/SOAP"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://app2.website.com/Shibboleth.sso/SAML/Artifact" index="6"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://app2.website.com/Shibboleth.sso/SAML/POST" index="7"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://app2.website.com/Shibboleth.sso/SAML2/Artifact" index="8"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://app2.website.com/Shibboleth.sso/SAML2/ECP" index="9"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app2.website.com/Shibboleth.sso/SAML2/POST" index="10"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://app2.website.com/Shibboleth.sso/SAML2/POST-SimpleSign" index="11"/>
  </md:SPSSODescriptor>

</md:EntityDescriptor>
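Added here as an example, not part of the original post and not code from the Shibboleth project: a small Python check to run against an SP metadata file before pointing a FilesystemMetadataProvider at it. It tests the conditions behind the IdP warnings quoted in the post (the file parses, an EntityDescriptor with the entityID the SP sends as its Issuer exists, and that descriptor carries an SPSSODescriptor with SAML 2.0 support, a certificate, and AssertionConsumerService endpoints). The two metadata documents inside it are constructed samples; the function name, the typographic-quote scan and the hostname comparison are choices of this example, not behaviour of the IdP.

```python
"""Sanity-check Shibboleth SP metadata before the IdP loads it (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Curly quotes that mail clients and word processors substitute for ASCII
# quotes; inside XML attribute syntax they break the parse.
TYPOGRAPHIC_QUOTES = re.compile("[\u201c\u201d\u2018\u2019]")


def check_sp_metadata(xml_text, expected_entity_id):
    """Return a report dict; an empty 'findings' list means the file looks usable."""
    report = {"entity_id": None, "acs": [], "findings": []}

    offsets = [m.start() for m in TYPOGRAPHIC_QUOTES.finditer(xml_text)]
    if offsets:
        report["findings"].append(f"typographic quote characters at offsets {offsets}")

    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        report["findings"].append(f"not well-formed XML: {exc}")
        return report

    # The file may be one EntityDescriptor or an EntitiesDescriptor aggregate;
    # iter() yields the root itself when it matches.
    ed_tag = "{%s}EntityDescriptor" % NS["md"]
    descriptors = {e.get("entityID"): e for e in root.iter(ed_tag)}
    ed = descriptors.get(expected_entity_id)
    if ed is None:
        report["findings"].append(
            f"no EntityDescriptor with entityID {expected_entity_id!r} "
            f"(present: {sorted(k for k in descriptors if k)})"
        )
        return report
    report["entity_id"] = expected_entity_id

    sp = ed.find("md:SPSSODescriptor", NS)
    if sp is None:
        report["findings"].append("no SPSSODescriptor role: IdP cannot resolve this entity as an SP")
        return report

    protocols = (sp.get("protocolSupportEnumeration") or "").split()
    if SAML2_PROTOCOL not in protocols:
        report["findings"].append("SPSSODescriptor does not list SAML 2.0 in protocolSupportEnumeration")

    if sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        report["findings"].append("no X509Certificate in any KeyDescriptor: nothing to encrypt assertions to")

    # An endpoint left on the old host after copy-and-edit is a common slip;
    # only compare hosts when the entityID is itself a URL.
    entity_host = urlparse(expected_entity_id).hostname
    for acs in sp.findall("md:AssertionConsumerService", NS):
        binding, location = acs.get("Binding"), acs.get("Location")
        report["acs"].append((binding, location))
        if entity_host and urlparse(location or "").hostname != entity_host:
            report["findings"].append(f"AssertionConsumerService {location} is not on {entity_host}")
    if not report["acs"]:
        report["findings"].append("no AssertionConsumerService endpoints")
    return report


# Constructed sample: a minimal SP descriptor for app2 whose entityID matches
# the Issuer in the AuthnRequest quoted in the post. The certificate is a placeholder.
GOOD_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app2.website.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDERCERTBASE64</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app2.website.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: the same file after one ASCII quote became a curly quote.
BAD_MD = GOOD_MD.replace('index="1"/>', 'index="1\u201d/>')

if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) == 3:  # usage: check_md.py <metadata-file> <entityID>
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(json.dumps(check_sp_metadata(fh.read(), sys.argv[2]), indent=2))
    else:
        for name, doc in (("GOOD_MD", GOOD_MD), ("BAD_MD", BAD_MD)):
            print(name, check_sp_metadata(doc, "https://app2.website.com/shibboleth")["findings"])
```

Run it with the path of the file named in the FilesystemMetadataProvider and the exact entityID from the SP's Issuer element; any finding other than an empty list is worth resolving before restarting the IdP, since a file that fails to parse or lacks the role is skipped silently apart from the warnings shown in the log.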