configuring shibboleth on AWS using ELB
Deirdre Kirmis
Deirdre.Kirmis at asu.edu
Tue Dec 17 10:10:58 EST 2019
I put a ticket into AWS regarding this issue, and they looked at .har files that I generated from sessions created both with the ELB in place and without. This is their diagnosis for the issue that I'm having with the ELB and not returning back and logging the user in:
"It looks like the idp endpoint (shibboleth) is dropping the session when both the ALB cookie and application cookie are returned by ALB as it's only expecting the application cookie and hence not identifying a current session. Please note, ALB does not modify any headers when sending requests to the backends, hence you might need to confirm with the idp provider at the moment to confirm if they might be dropping the session."
This is consistent with what I'm seeing in the logs. Does anyone know if this can be fixed at the SP (settings) or can the IDP make a change on their side?
Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
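The AWS diagnosis above came from reading .har captures. As an added example (not from the thread or from AWS), here is a small Python HAR walker that does the same check offline: it records every cookie the SP or the ALB sets, flags a Shibboleth `_shibsession_` cookie issued without the Secure attribute (the `cookieProps` warning in shibd_warn.log), and reports any later request on which the browser did not present that session cookie. The sample HAR, cookie values and the host `sp.example.edu` are constructed; the `AWSALB` name is the ALB's own stickiness cookie.

```python
import json

# Constructed minimal HAR (not from the thread) modelling the post-login hop:
# the SP's SAML2/POST handler sets _shibsession_, the ALB adds AWSALB, and the
# browser then follows the redirect to the protected page with both cookies.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://sp.example.edu/Shibboleth.sso/SAML2/POST",
                 "headers": []},
     "response": {"status": 302, "headers": [
         {"name": "Set-Cookie",
          "value": "_shibsession_abc=_deadbeef; path=/; HttpOnly"},
         {"name": "Set-Cookie", "value": "AWSALB=xyz; Path=/"}]}},
    {"request": {"url": "https://sp.example.edu/shib.xhtml",
                 "headers": [{"name": "Cookie",
                              "value": "AWSALB=xyz; _shibsession_abc=_deadbeef"}]},
     "response": {"status": 200, "headers": []}},
]}})


def _headers(part, name):
    """All values of a (case-insensitive) header name on a request/response."""
    return [h["value"] for h in part.get("headers", []) if h["name"].lower() == name]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for a Set-Cookie."""
    name_val, *attrs = [p.strip() for p in value.split(";")]
    name = name_val.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}


def cookie_report(har_text):
    """Walk HAR entries in order; track which cookies were set and whether the
    browser presented the Shibboleth session cookie on later requests."""
    entries = json.loads(har_text)["log"]["entries"]
    set_cookies = {}   # cookie name -> attribute names seen when it was set
    findings = []
    for e in entries:
        url = e["request"]["url"]
        sent = set()
        for c in _headers(e["request"], "cookie"):
            sent |= {p.strip().split("=", 1)[0] for p in c.split(";") if p.strip()}
        shib = [n for n in set_cookies if n.startswith("_shibsession_")]
        if shib and not any(n in sent for n in shib):
            findings.append(f"{url}: session cookie set earlier but not sent")
        for sc in _headers(e["response"], "set-cookie"):
            name, attrs = parse_set_cookie(sc)
            set_cookies[name] = attrs
            if name.startswith("_shibsession_") and "secure" not in attrs:
                findings.append(f"{url}: {name} lacks Secure (see cookieProps)")
    return {"set": sorted(set_cookies), "findings": findings}
```

Point `cookie_report` at a real capture (`cookie_report(open("session.har").read())`) to see, hop by hop, whether the session cookie survives the ALB round trip.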
From: users <users-bounces at shibboleth.net> On Behalf Of Deirdre Kirmis
Sent: Sunday, December 15, 2019 11:58 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: configuring shibboleth on AWS using ELB
I am still struggling with this and trying to get it working. Shibboleth works perfectly on my server until I put it behind an AWS load balancer. Posting my configs, and wondering if anyone sees anything that could be causing an issue? I appreciate any suggestions. I am using an application load balancer in AWS and have an https listener configured with a wildcard SSL cert from ACM. I also have a "Let's Encrypt" cert configured locally on the EC2.
These are the default configs that came from the vendor, and I used them exactly as is and changed to our server name and environment:
----------------------------------------
ssl.conf:
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ServerName {{ servername }}:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/pki/tls/certs/{{ apache_ssl_cert }}
SSLCertificateKeyFile /etc/pki/tls/private/{{ apache_ssl_key }}
SSLCertificateChainFile /etc/pki/tls/certs/{{ apache_ssl_interm }}
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# custom error document when Glassfish isn't responding
ErrorDocument 503 /503.html
ProxyPassMatch ^/503.html$ !
# don't pass paths used by rApache and TwoRavens to Glassfish
ProxyPassMatch ^/RApacheInfo$ !
ProxyPassMatch ^/custom !
ProxyPassMatch ^/dataexplore !
# don't pass paths used by Shibboleth to Glassfish
ProxyPassMatch ^/Shibboleth.sso !
ProxyPassMatch ^/shibboleth-ds !
# allow munin
ProxyPassMatch ^/munin !
# pass everything else to Glassfish
ProxyPass / ajp://localhost:8009/
<Location /shib.xhtml>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
ServerAlias dataverse-dev.lib.asu.edu
SSLCertificateFile {{ cert file }}
SSLCertificateKeyFile {{ key file }}
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile {{ chain file }}
</VirtualHost>
-----------------------
http.proxy.conf:
<VirtualHost *:80>
ServerName {{ servername }}
<Location "/prometheus">
ProxyPass "http://localhost:9090/prometheus"
ProxyPassReverse "http://localhost:9090/prometheus"
</Location>
<Location "/grafana">
ProxyPass "http://localhost:3000"
ProxyPassReverse "http://localhost:3000"
</Location>
# custom error document when Glassfish isn't responding
ErrorDocument 503 /503.html
ProxyPassMatch ^/503.html$ !
# don't pass paths used by rApache and TwoRavens to Glassfish
ProxyPassMatch ^/RApacheInfo$ !
ProxyPassMatch ^/custom !
ProxyPassMatch ^/dataexplore !
# don't pass paths used by Shibboleth to Glassfish
ProxyPassMatch ^/Shibboleth.sso !
ProxyPassMatch ^/shibboleth-ds !
# allow munin, if present
ProxyPassMatch ^/munin !
# pass everything else to Glassfish
ProxyPass / ajp://localhost:8009/
</VirtualHost>
----------------
shibboleth.xml:
<!--
This is an example shibboleth2.xml generated originally by http://testshib.org
and tweaked for Dataverse. See also:
- attribute-map.xml
- dataverse-idp-metadata.xml
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
-->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
clockSkew="1800">
<!-- FIXME: change the entityID to your hostname. -->
<ApplicationDefaults entityID="https://dataverse.example.edu/sp"
REMOTE_USER="eppn" attributePrefix="AJP_">
<!-- You should use secure cookies if at all possible. See cookieProps in this Wiki article. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
<SSO>
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
<Logout>SAML2 Local</Logout>
<!--
Handlers allow you to interact with the SP and gather more information. Try them out!
Attribute values received by the SP through SAML will be visible at:
http://dataverse.example.edu/Shibboleth.sso/Session
-->
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
<!-- showAttributeValues must be set to true to see attributes at /Shibboleth.sso/Session . -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!-- Error pages to display to yourself if something goes horribly wrong. -->
<Errors supportContact="root at localhost" logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
<!-- IdPs we want allow go in /etc/shibboleth/dataverse-idp-metadata.xml -->
<MetadataProvider type="XML" path="dataverse-idp-metadata.xml" backingFilePath="local-idp-metadata.xml" legacyOrgNames="true" reloadInterval="7200"/>
<!-- Uncomment to enable all the Research & Scholarship IdPs from InCommon -->
<!--
<MetadataProvider type="XML" url="http://md.incommon.org/InCommon/InCommon-metadata.xml" backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600">
<DiscoveryFilter type="Whitelist" matcher="EntityAttributes">
<saml:Attribute
Name="http://macedir.org/entity-category-support"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute
Name="http://macedir.org/entity-category-support"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
</DiscoveryFilter>
</MetadataProvider>
-->
<!-- Attribute and trust options you shouldn't need to change. -->
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Your SP generated these credentials. They're used to talk to IdP's. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<!-- Security policies you shouldn't change unless you know what you're doing. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
---------------------------
I don't see any strange errors in the logs, other than this:
shibd_warn.log:
2019-12-11 16:28:25 WARN Shibboleth.Application : empty/missing cookieProps setting, set to "https" for SSL/TLS-only usage
2019-12-11 16:28:25 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
glassfish.log:
The SAML assertion for "Shib-Identity-Provider" was null. Please contact support.|#]
-------------------
I would appreciate any feedback that anyone can give me. Does anyone see anything in these that might cause shib to not work with AWS load balancer?
Deirdre Kirmis
Web Application Developer
Discovery Services
ASU Library
Arizona State University
480-965-7240
________________________________
From: Deirdre Kirmis <Deirdre.Kirmis at asu.edu>
Sent: Tuesday, December 3, 2019 12:34 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: configuring shibboleth on AWS using ELB
Hi all...I'm still struggling with shibboleth not working on my system. Now, I'm just trying to use the samltest site that Nate sent...have uploaded my metadata to samltest, and have copied the samltest metadata to my site. Samltest shows as a provider on my site...when I login using that, it goes through the process...lets me pick rick, then takes me back to my site, but does not log in rick or create his account. If I look at the session data, it shows all of the attributes correctly...however in my server log I get an error that the attributes are null. When I try to "fetch" my site metadata, it just spins and never comes back as uploaded. When I manually upload the file, it acts like it was successful, but when I try the test it says my site is not registered. What am I doing wrong?
Deirdre Kirmis
Web Application Developer
Discovery Services
ASU Library
Arizona State University
480-965-7240
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Deirdre Kirmis <Deirdre.Kirmis at asu.edu>
Sent: Wednesday, November 27, 2019 4:30 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: configuring shibboleth on AWS using ELB
That is great! Thank you...it already told me that I'm missing the metadata for identity provider!
Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
Sent: Wednesday, November 27, 2019 4:26 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: configuring shibboleth on AWS using ELB
Deirdre,
You may find https://samltest.id/ to be a useful resource. It's basically a fully configured SP that will let you see its logs so you can know exactly what's going on, end to end.
Best wishes,
Nate.
--------
The Art of Access (r)
Nate Klingenstein | Principal
https://www.signet.id/
-----Original message-----
From: Deirdre Kirmis
Sent: Wednesday, November 27 2019, 12:14 pm
To: Shib Users
Subject: RE: configuring shibboleth on AWS using ELB
Eventually, we will want to set up as a federation SP, but this is just dev at this point, so we are only configuring our org IDP.
I did find the documentation on creating the metadata schema/rules, so thanks for that direction.
Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, November 27, 2019 10:39 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: configuring shibboleth on AWS using ELB
On 11/27/19, 12:23 PM, "users on behalf of Deirdre Kirmis" <users-bounces at shibboleth.net on behalf of Deirdre.Kirmis at asu.edu> wrote:
> How do I prepare the metadata myself?
It's an XML file with a very defined schema and set of rules for what's in it, but that's probably obvious so the intent of the question is not 100% clear.
Speaking in general terms, a federated SP (that is, one dealing with many IdPs of different organizations) really needs to be in a federation, and federations provide metadata management systems generally, though not always.
An enterprise SP is dealing with a single IdP and the IdP operator should be providing processes to follow. For myself, I don't ask SPs to give me metadata as a rule, I just expect them to inform me of the keys and hosts through a registration process, then I assign them entityID(s) to use, and I have processes to follow when changes are needed.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net