Problem Cyberark PVWA as SP

Nate Klingenstein ndk at signet.id
Fri Apr 19 20:18:30 EDT 2019


Yakov,

You can send redirect requests with a POSTed assertion.  It's the most common paradigm.

I'd ignore the deprecation warnings for the moment because your problem is here:

> 2019-04-19 23:48:49,196 - 184.170.232.52 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID Cyberark4Hide)
> 2019-04-19 23:48:49,214 - 184.170.232.52 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration

Which means your IdP doesn't trust this SP for some reason.  If you look at the IdP logs during startup, it'll tell you about metadata errors.  I assume all the spurious URLs were added by your mail client.

Are you trusting the IdP metadata at all through metadata-providers.xml?  You can do a sanity check on either provider using SAMLtest.id if you want.

Thanks,
Nate.
 
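The "UnverifiedRelyingParty" in that log line is the IdP's fallback relying-party configuration for any entityID it has no metadata for, and SSO is deliberately not enabled there. The usual fix is to give the IdP the SP's metadata through metadata-providers.xml. The file below is an added example, not something posted in this thread or shipped by CyberArk: it is a complete conf/metadata-providers.xml for a Shibboleth IdP v3 that loads the PVWA metadata from a local file. The provider id "CyberarkPVWA" and the path under %{idp.home}/metadata/ are assumptions; use whatever you actually saved the SP metadata as.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/metadata-providers.xml: the chaining provider is the root element the IdP expects;
     each nested MetadataProvider is one source of entity metadata. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:resource="urn:mace:shibboleth:2.0:resource"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">

    <!-- Local, hand-placed copy of the CyberArk PVWA SP metadata.
         Provider id and file name are assumptions for this example.
         The EntityDescriptor inside the file must carry exactly the entityID the SP sends
         in its AuthnRequest (here "Cyberark4Hide"), otherwise the IdP still falls back to
         shibboleth.UnverifiedRelyingParty and logs InvalidProfileConfiguration. -->
    <MetadataProvider id="CyberarkPVWA" xsi:type="FilesystemMetadataProvider"
                      metadataFile="%{idp.home}/metadata/cyberark-pvwa-metadata.xml"/>

</MetadataProvider>
```

Two practical checks after restarting the IdP: the startup log should show this provider initializing without a parse error (a stray `<http://...>` copied from a mail client inside an attribute value is enough to make the file unparseable), and the metadata's validUntil must still be in the future, since expired metadata is discarded. A file you placed on the IdP host yourself is trusted as-is; if you later switch to fetching the SP metadata over HTTP, add a SignatureValidationFilter (or at minimum pin the publisher's certificate) so an attacker who can tamper with that fetch cannot redirect assertions to a different AssertionConsumerService.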
-----Original message-----
> From: Yakov Revyakin
> Sent: Friday, April 19 2019, 3:00 pm
> To: Shib Users
> Subject: Re: Problem Cyberark PVWA as SP
> 
> 
> 
> Hi Nate,
> 
> I tried Redirect before with no success. I get a screen with Unsupported Request as well as lines in log look like:
> 
> 2019-04-19 23:46:46,301 -  - WARN [DEPRECATED:118] - XML Element SourceAttribute, (file [D:\Soft\shibboleth-idp\conf\attribute-resolver.xml]): This will be removed in the next major version of this software; replacement is by using <InputAttributeDefinition> and <InputDataConnector>
> 2019-04-19 23:46:48,618 -  - WARN [DEPRECATED:118] - Spring bean c14n/LegacyPrincipalConnector, (c14n/subject-c14n.xml): This will be removed in the next major version of this software; replacement is <remove>
> 2019-04-19 23:48:49,196 - 184.170.232.52 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID Cyberark4Hide)
> 2019-04-19 23:48:49,214 - 184.170.232.52 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
> 
> I wrote SP metadata as:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="Cyberark4Hide" validUntil="2025-12-09T09:13:31.006Z">
>    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>       <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>       <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://components.cyberark.local/PasswordVault/api/auth/saml/logon" index="0" isDefault="true"/>
>    </md:SPSSODescriptor>
> </md:EntityDescriptor>
> 
> On Fri, 19 Apr 2019 at 19:57, Nate Klingenstein <ndk at signet.id> wrote:
> 
> Yakov,
> 
> You're sending a GET AuthnRequest to a POST decoder.  Pick one or the other, and I'd recommend the redirect option.
> 
> Thanks,
> 
> Nate.
> 
> --
> 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> 