Problem Cyberark PVWA as SP
Yakov Revyakin
yrevyakin at gmail.com
Sun Apr 21 10:15:24 EDT 2019
Nate, you were right, many thanks!
I felt that I missed something important. I forgot to provide certificates
that time.
Now it works properly.
On Sat, 20 Apr 2019 at 03:18, Nate Klingenstein <ndk at signet.id> wrote:
> Yakov,
>
> You can send redirect requests with a POSTed assertion. It's the most
> common paradigm.
>
> I'd ignore the deprecation warnings for the moment because your problem is
> here:
>
> > 2019-04-19 23:48:49,196 - 184.170.232.52 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser <
> http://shibboleth.net/ns/profiles/saml2/sso/browser> is not available for
> RP configuration shibboleth.UnverifiedRelyingParty (RPID Cyberark4Hide)
> > 2019-04-19 23:48:49,214 - 184.170.232.52 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
>
> Which means your IdP doesn't trust this SP for some reason. If you look
> at the IdP logs during startup, it'll tell you about metadata errors. I
> assume all the spurious URL's were added by your mail client.
>
> Are you trusting the IdP metadata at all through metadata-providers.xml?
> You can do a sanity check on either provider using SAMLtest.id if you want.
>
> Thanks,
> Nate.
>
> -----Original message-----
> > From: Yakov Revyakin
> > Sent: Friday, April 19 2019, 3:00 pm
> > To: Shib Users
> > Subject: Re: Problem Cyberark PVWA as SP
> >
> >
> >
> > Hi Nate,
> >
> > I tried Redirect before with no success. I get a screen with Unsupported
> Request, as well as lines in the log that look like:
> >
> > 2019-04-19 23:46:46,301 - - WARN [DEPRECATED:118] - XML Element
> SourceAttribute, (file
> [D:\Soft\shibboleth-idp\conf\attribute-resolver.xml]): This will be removed
> in the next major version of this software; replacement is by using
> <InputAttributeDefinition> and <InputDataConnector>
> > 2019-04-19 23:46:48,618 - - WARN [DEPRECATED:118] - Spring bean
> c14n/LegacyPrincipalConnector, (c14n/subject-c14n.xml): This will be
> removed in the next major version of this software; replacement is <remove>
> > 2019-04-19 23:48:49,196 - 184.170.232.52 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser <
> http://shibboleth.net/ns/profiles/saml2/sso/browser> is not available for
> RP configuration shibboleth.UnverifiedRelyingParty (RPID Cyberark4Hide)
> > 2019-04-19 23:48:49,214 - 184.170.232.52 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
> >
> > I wrote SP metadata as:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> >     xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="Cyberark4Hide"
> >     validUntil="2025-12-09T09:13:31.006Z">
> >   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
> >       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> >     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
> >     <md:AssertionConsumerService
> >         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> >         Location="https://components.cyberark.local/PasswordVault/api/auth/saml/logon"
> >         index="0" isDefault="true"/>
> >   </md:SPSSODescriptor>
> > </md:EntityDescriptor>
> >
> > On Fri, 19 Apr 2019 at 19:57, Nate Klingenstein <ndk at signet.id> wrote:
> >
> > Yakov,
> >
> > You're sending a GET AuthnRequest to a POST decoder. Pick one or the
> other, and I'd recommend the redirect option.
> >
> > Thanks,
> >
> > Nate.
> >
> > --
> >
> > For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> >
> > To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
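The triage Nate describes in this thread, as an added example that is not part of the original messages or of Shibboleth itself: it pulls every RPID the IdP logged under `shibboleth.UnverifiedRelyingParty` and checks whether the SP metadata file declares that entityID. The function names and result labels are hypothetical, and both samples are constructed from the thread's log lines and metadata (unwrapped, mail-client URL debris removed).

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: the two WARN lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
2019-04-19 23:48:49,196 - 184.170.232.52 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID Cyberark4Hide)
2019-04-19 23:48:49,214 - 184.170.232.52 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
"""

# Constructed sample: the SP metadata from the thread, reduced to the relevant parts.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Cyberark4Hide">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://components.cyberark.local/PasswordVault/api/auth/saml/logon" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

UNVERIFIED = re.compile(
    r"Profile (\S+) is not available for RP configuration "
    r"shibboleth\.UnverifiedRelyingParty \(RPID ([^)]+)\)")

def unverified_rps(log_text):
    """Map each RPID the IdP treated as unverified to the profiles it was refused."""
    found = {}
    for profile, rpid in UNVERIFIED.findall(log_text):
        found.setdefault(rpid, set()).add(profile)
    return found

def metadata_entity_ids(xml_text):
    """Return the entityIDs declared in a metadata document (single entity or aggregate)."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")}

def diagnose(log_text, xml_text):
    """Per unverified RPID: is it missing from the file, or present but not loaded?"""
    known = metadata_entity_ids(xml_text)
    return {rpid: ("in-file-but-not-loaded" if rpid in known else "not-in-metadata")
            for rpid in unverified_rps(log_text)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_METADATA))
```

A result of `in-file-but-not-loaded` points at the two places Nate names: the metadata errors in the IdP startup log and the entry in metadata-providers.xml.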