ExternalApplicationOverrides and IdP Initiated

Chris Stefano Chris.Stefano at statpro.com
Fri Apr 24 12:14:48 EDT 2020


Hello,

I'm using an ExternalApplicationOverrides to load ApplicationOverrides from separate files for each domain I have.

I'm using Apache with mod_shib and after restarting my web server I have discovered that the respective override files (containing my ApplicationOverride configs) are not getting loaded for IdP initiated requests.

If I explicitly make an SP initiated request to the domain in question, the configuration gets loaded as expected, which can be seen in the log output.

The Shibboleth log contains a single entry for the IdP initiated request (the application ID is "eng"):

DEBUG Shibboleth.Listener [1] [eng]: dispatching message (eng/SAML2/POST)

And mod_shib reports:

[mod_shib:error] [pid 26:tid 140266233124608] [client 172.26.128.10:47912] No destination registered for incoming message addressed to (eng/SAML2/POST).

The error message reported in the web browser is as follows:

shibsp::ListenerException at (https://eng.172.26.128.10.xip.io/saml/SAML2/POST)
No destination registered for incoming message addressed to (eng/SAML2/POST).

Whereas, for an SP initiated request, the Shibboleth log is as follows:

...
DEBUG Shibboleth.Listener [1]: dispatching message (eng::getHeaders::Application)
INFO Shibboleth.Config [1]: application override (eng) not found, searching external sources
INFO Shibboleth.Application [1]: auto-configuring SSO initiation for protocol (SAML2)
INFO Shibboleth.Application [1]: adding SessionInitiator of type (SAML2) to chain (/Login)
INFO Shibboleth.Application [1]: auto-configuring ArtifactResolution endpoints for protocol (SAML2)
INFO Shibboleth.Application [1]: adding ArtifactResolutionService for Binding (urn:oasis:names:tc:SAML:2.0:bindings:SOAP) at (/Artifact/SOAP)
DEBUG Shibboleth.ServiceProvider [1]: registered remoted message endpoint (eng/Artifact/SOAP::run::SAML2Artifact)
INFO Shibboleth.Application [1]: auto-configuring SSO endpoints for protocol (SAML2)
INFO Shibboleth.Application [1]: adding AssertionConsumerService for Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST) at (/SAML2/POST)
DEBUG Shibboleth.ServiceProvider [1]: registered remoted message endpoint (eng/SAML2/POST)
INFO Shibboleth.Application [1]: adding AssertionConsumerService for Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign) at (/SAML2/POST-SimpleSign)
DEBUG Shibboleth.ServiceProvider [1]: registered remoted message endpoint (eng/SAML2/POST-SimpleSign)
INFO Shibboleth.Application [1]: adding AssertionConsumerService for Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact) at (/SAML2/Artifact)
DEBUG Shibboleth.ServiceProvider [1]: registered remoted message endpoint (eng/SAML2/Artifact)
INFO Shibboleth.Application [1]: adding AssertionConsumerService for Binding (urn:oasis:names:tc:SAML:2.0:bindings:PAOS) at (/SAML2/ECP)
DEBUG Shibboleth.ServiceProvider [1]: registered remoted message endpoint (eng/SAML2/ECP)
DEBUG Shibboleth.ServiceProvider [1]: registered remoted message endpoint (eng/Login::run::SAML2SI)
DEBUG Shibboleth.SessionInitiator.SAML2 [1]: supporting outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
DEBUG Shibboleth.SessionInitiator.SAML2 [1]: supporting outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
DEBUG Shibboleth.SessionInitiator.SAML2 [1]: supporting outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
DEBUG Shibboleth.SessionInitiator.SAML2 [1]: supporting outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
INFO Shibboleth.Application [1]: building AttributeExtractor of type XML...
DEBUG Shibboleth.AttributeExtractor.XML [1]: using local resource (/etc/shibboleth/domains/eng-attribute-map.xml), will monitor for changes
WARN Shibboleth.AttributeExtractor.XML [1]: attribute mappings are reloadable; be sure to restart web server when adding new attribute IDs
DEBUG Shibboleth.AttributeExtractor.XML [1]: loading configuration from external resource...
INFO Shibboleth.AttributeExtractor.XML [1]: loaded XML resource (/etc/shibboleth/domains/eng-attribute-map.xml)
INFO Shibboleth.AttributeExtractor.XML [1]: creating mapping for Attribute urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
INFO Shibboleth.AttributeExtractor.XML [1]: creating mapping for Attribute firstname, Format/Namespace:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
INFO Shibboleth.AttributeExtractor.XML [1]: creating mapping for Attribute lastname, Format/Namespace:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
INFO Shibboleth.AttributeExtractor.XML [1]: creating mapping for Attribute email, Format/Namespace:urn:oasis:names:tc:SAML:2.0:attrname-format:basic
DEBUG Shibboleth.ServiceProvider [1]: registered remoted message endpoint (eng::getHeaders::Application)
INFO Shibboleth.Config [1]: storing externally defined application override (eng)
...

If it helps, I can put together a working scenario using docker/compose to replicate the issue.

Any help is appreciated!
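The two log excerpts above show the distinguishing symptom: for the SP initiated request the Listener dispatch is followed by "application override (eng) not found, searching external sources" and a burst of "registered remoted message endpoint" lines, while for the IdP initiated request the dispatch to eng/SAML2/POST is the only line. The script below is an added diagnostic example, not code from the original post or from the Shibboleth project: it reads shibd log lines of exactly that shape and reports every dispatch to an address that had not been registered, marking whether the external override search stored the override afterwards (lazy load worked) or not (the failure described above). The sample log is constructed from the excerpts in the post; the line-number, lazy-load heuristic and function names are assumptions of this example.

```python
"""Correlate shibd Listener dispatches with lazily loaded application overrides.

Added example (not part of the original post or of Shibboleth itself). Reads
shibd log lines and reports dispatches to unregistered remoted endpoints.
"""
import re
from typing import List, NamedTuple

# Log line shapes as quoted in the post. The optional "[eng]" bracket appears
# on the IdP-initiated dispatch line.
DISPATCH_RE = re.compile(
    r"Shibboleth\.Listener \[\d+\](?: \[[^\]]+\])?: dispatching message \(([^)]+)\)"
)
REGISTER_RE = re.compile(r"registered remoted message endpoint \(([^)]+)\)")
STORED_RE = re.compile(r"storing externally defined application override \(([^)]+)\)")

# Constructed sample: the IdP-initiated dispatch from the post, then an
# abbreviated SP-initiated sequence, then a repeat dispatch that now succeeds.
SAMPLE_LOG = """\
DEBUG Shibboleth.Listener [1] [eng]: dispatching message (eng/SAML2/POST)
DEBUG Shibboleth.Listener [2]: dispatching message (eng::getHeaders::Application)
INFO Shibboleth.Config [2]: application override (eng) not found, searching external sources
DEBUG Shibboleth.ServiceProvider [2]: registered remoted message endpoint (eng/SAML2/POST)
DEBUG Shibboleth.ServiceProvider [2]: registered remoted message endpoint (eng::getHeaders::Application)
INFO Shibboleth.Config [2]: storing externally defined application override (eng)
DEBUG Shibboleth.Listener [3]: dispatching message (eng/SAML2/POST)
"""


class Finding(NamedTuple):
    line_no: int        # 1-based line number in the input
    address: str        # remoted message address, e.g. eng/SAML2/POST
    app_id: str         # application ID prefix of the address
    lazy_loaded: bool   # True if the override for app_id was stored before the next dispatch


def app_id_of(address: str) -> str:
    """The application ID is the part before the first '/' or '::' of the address."""
    return re.split(r"/|::", address, maxsplit=1)[0]


def analyze(log_text: str) -> List[Finding]:
    """Return one Finding per dispatch whose address was not yet registered."""
    lines = log_text.splitlines()
    registered = set()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        reg = REGISTER_RE.search(line)
        if reg:
            registered.add(reg.group(1))
            continue
        disp = DISPATCH_RE.search(line)
        if not disp or disp.group(1) in registered:
            continue
        address = disp.group(1)
        app = app_id_of(address)
        # Heuristic (assumption of this example): if the SP stores the external
        # override for this app before the next dispatch, the lazy load worked.
        lazy = False
        for later in lines[i + 1:]:
            if DISPATCH_RE.search(later):
                break
            stored = STORED_RE.search(later)
            if stored and stored.group(1) == app:
                lazy = True
                break
        findings.append(Finding(i + 1, address, app, lazy))
    return findings


def unresolved(log_text: str) -> List[str]:
    """Addresses dispatched without registration and without a lazy override load."""
    return [f.address for f in analyze(log_text) if not f.lazy_loaded]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        status = "override loaded lazily" if f.lazy_loaded else "NO override load (expect 'No destination registered')"
        print(f"line {f.line_no}: {f.address} (app {f.app_id}): {status}")
```

Run it against a real shibd.log by passing the file contents to analyze(); an address listed by unresolved() is one that should line up with a "No destination registered for incoming message" error in the Apache error log for the same request.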
