Shibboleth IdP Web Login Service - Unsupported Request
Nate Klingenstein
ndk at sudonym.me
Thu Sep 13 10:29:14 EDT 2018
Fazla,
If ShibCas is enabled, then it would be redirecting you to the ShibCas
endpoint next, but your IdP is getting stuck 1 step earlier in the
process. It won't accept an AuthnRequest message intended for a different
location than the one that Shibboleth is running at. This is a security
check in SAML.
You need to use your real address or configure your web server so that it
believes that its name is always idp.myuni.edu, no matter what your browser
uses. That will override the location used by the client and the message
will match the location anyway.
Take care,
Nate.
On Thu, Sep 13, 2018 at 6:32 AM, fazla <fazlarabby043264 at gmail.com> wrote:
> Nate,
>
> Thank you once again for your detailed reply.
>
> I have added the meta provider for the samltest. So when I provide my
> entityId for testing after uploading my idp-metadata.xml
>
> it redirects me to
> https://idp.myuni.edu/idp/profile/SAML2/Redirect/SSO?
>
>
> Of course this will give me an error as I don't have the server yet, but
> when I change this to
>
> https://localhost:8443/idp/profile/SAML2/Redirect/SSO?
>
>
> I see this in the browser
>
>
> Replace or remove this logo
> Web Login Service - Message Security Error
> The request cannot be fulfilled because the message received does not meet
> the security requirements of the login service.
>
>
> and the server log is
>
> [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler: SAML message intended destination endpoint 'https://idp.myuni.edu/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'https://localhost:8443/idp/profile/SAML2/Redirect/SSO'
>
> Does that have anything to do with the following idp.properties setting,
> which is commented out by default?
>
> # Profile flows in which the ProfileRequestContext should be exposed
> # in servlet request under the key "opensamlProfileRequestContext"
> #idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
>
>
> Isn't it supposed to redirect me to the CAS client? I am allowing localhost
> in the CAS service registry.
>
> This is the detail server log:
>
> Refreshing ApplicationContext:shibboleth.MetadataResolverService: startup date [Thu Sep 13 03:50:44 UTC 2018]; parent: Root WebApplicationContext
> 2018-09-13 03:50:47,202 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:504] - Metadata Resolver FileBackedHTTPMetadataResolver SAMLtest: New metadata successfully loaded for 'https://samltest.id/saml/sp'
> 2018-09-13 03:50:47,203 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:324] - Metadata Resolver FileBackedHTTPMetadataResolver SAMLtest: Next refresh cycle for metadata provider 'https://samltest.id/saml/sp' will occur on '2018-09-13T06:50:45.950Z' ('2018-09-13T06:50:45.950Z' local time)
> 2018-09-13 03:50:47,215 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:380] - Service 'shibboleth.MetadataResolverService': Completed reload and swapped in latest configuration for service 'shibboleth.MetadataResolverService'
> 2018-09-13 03:50:47,215 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:387] - Service 'shibboleth.MetadataResolverService': Reload complete
> 2018-09-13 03:50:47,632 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:380] - Service 'shibboleth.RelyingPartyResolverService': Completed reload and swapped in latest configuration for service 'shibboleth.RelyingPartyResolverService'
> 2018-09-13 03:50:47,632 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:387] - Service 'shibboleth.RelyingPartyResolverService': Reload complete
> 2018-09-13 03:50:47,633 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:199] - Service 'shibboleth.RelyingPartyResolverService': Reload time set to: 900000, starting refresh thread
> 2018-09-13 03:50:47,684 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:172] - Service 'shibboleth.ReloadableAccessControlService': Performing initial load
> 2018-09-13 03:50:47,684 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:258] - Service 'shibboleth.ReloadableAccessControlService': Reloading service configuration
> 2018-09-13 03:50:47,686 - INFO [net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317] - Loading XML bean definitions from file [C:\Program Files (x86)\Shibboleth\IdP\conf\access-control.xml]
> 2018-09-13 03:50:47,705 - INFO [net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317] - Loading XML bean definitions from file [C:\Program Files (x86)\Shibboleth\IdP\system\conf\access-control-system.xml]
> 2018-09-13 03:50:47,861 - INFO [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:583] - Refreshing ApplicationContext:shibboleth.ReloadableAccessControlService: startup date [Thu Sep 13 03:50:47 UTC 2018]; parent: Root WebApplicationContext
> 2018-09-13 03:50:48,080 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:380] - Service 'shibboleth.ReloadableAccessControlService': Completed reload and swapped in latest configuration for service 'shibboleth.ReloadableAccessControlService'
> 2018-09-13 03:50:48,080 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:387] - Service 'shibboleth.ReloadableAccessControlService': Reload complete
> 2018-09-13 03:50:48,080 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:199] - Service 'shibboleth.ReloadableAccessControlService': Reload time set to: 300000, starting refresh thread
> 2018-09-13 03:50:48,095 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:172] - Service 'shibboleth.ReloadableCASServiceRegistry': Performing initial load
> 2018-09-13 03:50:48,095 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:258] - Service 'shibboleth.ReloadableCASServiceRegistry': Reloading service configuration
> 2018-09-13 03:50:48,095 - INFO [net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317] - Loading XML bean definitions from file [C:\Program Files (x86)\Shibboleth\IdP\conf\cas-protocol.xml]
> 2018-09-13 03:50:48,314 - INFO [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:583] - Refreshing ApplicationContext:shibboleth.ReloadableCASServiceRegistry: startup date [Thu Sep 13 03:50:48 UTC 2018]; parent: Root WebApplicationContext
> 2018-09-13 03:50:48,408 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:380] - Service 'shibboleth.ReloadableCASServiceRegistry': Completed reload and swapped in latest configuration for service 'shibboleth.ReloadableCASServiceRegistry'
> 2018-09-13 03:50:48,408 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:387] - Service 'shibboleth.ReloadableCASServiceRegistry': Reload complete
> 2018-09-13 03:50:48,408 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:199] - Service 'shibboleth.ReloadableCASServiceRegistry': Reload time set to: 900000, starting refresh thread
> 2018-09-13 03:50:49,627 - INFO [net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext:583] - Refreshing WebApplicationContext for namespace 'idp-servlet': startup date [Thu Sep 13 03:50:49 UTC 2018]; parent: Root WebApplicationContext
> 2018-09-13 03:50:51,330 - INFO [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:193] - RemoteUserAuthServlet will process REMOTE_USER, along with attributes [] and headers []
> 2018-09-13 03:51:37,455 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler: SAML message intended destination endpoint 'https://idp.myuni.edu/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'https://localhost:8443/idp/profile/SAML2/Redirect/SSO'
> 2018-09-13 03:51:37,673 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
> org.opensaml.messaging.handler.MessageHandlerException: SAML message failed received endpoint check
>         at org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler.checkEndpointURI(ReceivedEndpointSecurityHandler.java:202)
> 2018-09-13 03:51:37,689 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: MessageAuthenticationError
>
>
>
>