Shibboleth IdP Web Login Service - Unsupported Request

Nate Klingenstein ndk at sudonym.me
Thu Sep 6 02:04:31 EDT 2018


Fazla,

That makes a lot more sense.  Thank you for taking the time to read it
all.  Your configuration makes sense to me too.

All you need to do is start a SAML transaction with your IdP by going to a
SAML service.  If you don't have a specific SP already trusted and used,
there is a beta free testing service that you can use at https://samltest.id.

You can upload your IdP's metadata by going to the upload page and entering
https://your.host/idp/shibboleth, or if the host doesn't have an address,
by downloading the file /opt/shibboleth-idp/metadata/idp-metadata.xml to
your computer and then uploading it to SAMLtest as a starting point.

Then, make your IdP trust SAMLtest by modifying your configuration like in
the "Download Metadata" section.

Finally, just click the IdP test button and enter the entityID of your
Shibboleth installation, and you will be redirected with a full SAML
request and you will see whether ShibCas works.

Take care,
Nate.
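As an added illustration of the distinction drawn in this thread (example code, not from the thread or from the ShibCas project), the Python below encodes a SAML2 AuthnRequest for the IdP's SAML2 Redirect SSO endpoint per the HTTP-Redirect binding, tells the IdP's own CAS-server endpoint apart from its SAML login endpoint, and checks whether a redirect from the IdP hands the browser to the external CAS login URL. The hostnames mirror the placeholders in the quoted idp.properties; the SP entityID, ACS URL and sample Location header are constructed.

```python
import base64
import zlib
from urllib.parse import urlencode, urlparse, parse_qs

# Mirrors the placeholder values in the quoted idp.properties (assumed, not real hosts).
IDP_HOST = "idp.myshibbolethserver.edu"              # shibcas.serverName
CAS_LOGIN = "https://cas.mycasserver.edu/cas/login"  # shibcas.casServerLoginUrl
SAML_SSO = f"https://{IDP_HOST}/idp/profile/SAML2/Redirect/SSO"

# Minimal unsigned AuthnRequest; IDs and URLs are filled in by build_redirect_url.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{rid}" Version="2.0" '
    'IssueInstant="2018-09-06T00:00:00Z" AssertionConsumerServiceURL="{acs}" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
)

def build_redirect_url(issuer, acs, rid="_constructed-id-1"):
    """Encode an AuthnRequest per the SAML2 HTTP-Redirect binding:
    raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest."""
    xml = AUTHN_REQUEST.format(rid=rid, acs=acs, issuer=issuer).encode()
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    saml = base64.b64encode(comp.compress(xml) + comp.flush()).decode()
    return SAML_SSO + "?" + urlencode({"SAMLRequest": saml})

def decode_saml_request(url):
    """Inverse of build_redirect_url: the XML the IdP will actually parse."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def classify_idp_endpoint(url):
    """Which Shibboleth role a URL exercises, the distinction made in the thread."""
    path = urlparse(url).path
    if path.startswith("/idp/profile/cas/"):
        # IdP acting as a CAS *server*: the service must be registered in
        # cas-protocol.xml; ShibCas plays no part here.
        return "cas-server"
    if path.startswith("/idp/profile/SAML2/"):
        # SAML login: this is where the ShibCas flow delegates to the external CAS.
        return "saml-login"
    return "other"

def delegates_to_cas(location):
    """True if a Location header from the IdP sends the browser to the external
    CAS login URL with a 'service' that returns to this IdP (the ShibCas hand-off)."""
    if not location.startswith(CAS_LOGIN):
        return False
    service = parse_qs(urlparse(location).query).get("service", [""])[0]
    return urlparse(service).netloc == IDP_HOST
```

Feed the URL from build_redirect_url to a browser or HTTP client with redirects disabled and pass the first 302 Location to delegates_to_cas; a redirect to the IdP's own login page instead means the Password flow, not Shibcas, handled the request.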



On Thu, Sep 6, 2018 at 4:57 AM, fazla <fazlarabby043264 at gmail.com> wrote:

> Nate.
>
> Thanks a lot for your detailed response.
>
> I am using ShibCas that delegates the authentication to an external Central
> Authentication Server.
>
>
> For that, at first I have installed Shibboleth IdP 3.3.3.1 with Jetty and
> then I have downloaded the Shibboleth IdP V 3.X plugin for authentication
> via an external CAS server from GitHub. Then from there:
>
> I have copied the Spring Webflow files, jsp, and included jar files into
> the IDP_HOME.
> 1st, copied the gradle-wrapper.jar and pasted it to
> Shibboleth\IdP\edit-webapp\WEB-INF\lib. Then copied the jsp and put it in
> Shibboleth\IdP\edit-webapp\WEB-INF\jsp. Also copied the
> shibcas-authn-flow.xml and shibcas-authn-beans.xml to
> Shibboleth\IdP\flows\authn\Shibcas.
> I couldn't update the IdP's web.xml, as after adding the ShibCas Auth
> Servlet I am getting a 503:
>
>     <servlet>
>         <servlet-name>ShibCas Auth Servlet</servlet-name>
>         <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
>         <load-on-startup>2</load-on-startup>
>     </servlet>
>     <servlet-mapping>
>         <servlet-name>ShibCas Auth Servlet</servlet-name>
>         <url-pattern>/Authn/ExtCas/*</url-pattern>
>     </servlet-mapping>
>
> As it is optional, I have skipped this step.
>
> Updated the IdP's idp.properties file:
>
> # Regular expression matching login flows to enable, e.g. IPAddress|Password
> #idp.authn.flows = Password
> idp.authn.flows = Shibcas
>
> # CAS Client properties (usage loosely matches that of the Java CAS Client)
> ## CAS Server Properties
> shibcas.casServerUrlPrefix = https://cas.mycasserver.edu/cas
> shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
>
> ## Shibboleth Server Properties
> shibcas.serverName = https://idp.myshibbolethserver.edu
>
> # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
> # Takes a comma separated list of fully qualified class names
> # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
> # shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass
>
> # Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default)
> # shibcas.ticketValidatorName = cas30
>
> # Specify if the Relying Party/Service Provider entityId should be appended as a separate entityId query string parameter
> # or embedded in the "service" querystring parameter - `append` (default) or `embed`
> # shibcas.entityIdLocation = append
>
>
> Updated the IdP's general-authn.xml file:
>
>     <util:list id="shibboleth.AvailableAuthenticationFlows">
>
>         <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
>                 p:passiveAuthenticationSupported="true"
>                 p:forcedAuthenticationSupported="true"
>                 p:nonBrowserSupported="false" />
>
>     </util:list>
>
> Rebuilt the war file.
>
> Now can you please let me know what step I should follow and how I can
> check whether it will delegate the authentication to CAS? What should the
> correct URL to check be, too?
>
>
>
>
> Fazla,
>
> I think you're still conflating the two ways that Shibboleth can interact
> with CAS.
>
> It can either act as a CAS server (which is the endpoint you're accessing,
> and which does not need ShibCas) for CAS client applications using the CAS
> protocol
>
> or
>
> it can be a CAS client (ShibCas) of an actual CAS server.  ShibCas then uses
> the authentication provided by that CAS protocol transaction to perform a
> secondary assertion of user information to another service, typically using
> SAML as a protocol.
>
> I think you want Shibboleth to be a CAS client, which means the CAS server
> functionality built into Shibboleth is not relevant.  The flow through the
> system would typically be:
>
> SAML Service Provider -> Shibboleth SAML login point -> CAS Server ->
> Shibboleth ShibCas plugin -> Shibboleth SAML assertion generation -> SAML
> service provider
>
> I think you should step back and understand how you want users to flow
> through the system you're building.  There needs to be a clear vector that
> is followed.
>
> I'm not quite sure what else to write, I'm afraid.
>
> I hope this helps,
> Nate.
>
> On Thu, Sep 6, 2018 at 1:11 AM, fazla <fazlarabby043264@> wrote:
>
> > We are trying to delegate the Shibboleth IdP authentication to CAS. The
> > ShibCas plugin is already added and then the service was also added in the
> > cas-protocol.xml. I have attached relying-party.xml
> > <http://shibboleth.1660669.n2.nabble.com/file/t398743/relying-party.xml>,
> > cas-protocol.xml
> > <http://shibboleth.1660669.n2.nabble.com/file/t398743/cas-protocol.xml>
> > and general-authn.xml
> > <http://shibboleth.1660669.n2.nabble.com/file/t398743/general-authn.xml>.
> >
> > Now if we try
> > https://localhost:8443/idp/profile/cas/login?service=https://myservice.example.edu
> > instead of redirecting us to CAS we are getting this error on the browser.
> >
> > Web Login Service - Unsupported Request
> > The application you have accessed is not registered for use with this
> > service.
> >
> >
> > These are the logs:
> >
> > --
> > Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
> > --
> > For Consortium Member technical support, see
> > https://wiki.shibboleth.net/confluence/x/coFAAg
> > To unsubscribe from this list send an email to users-unsubscribe@
> >
>