AAD and IDP Shibboleth 3.0 integration

Peter Schober peter.schober at univie.ac.at
Fri Mar 13 08:32:48 EDT 2020

* Gustavo Duarte <gus.duarte at gmail.com> [2020-03-12 20:18]:
> Seeing the logs, I can't figure out what is the attribute error
> configuration.

You seriously expect other people to read your own logs on your
behalf, all 20777 lines of them?
If that's your attitude (or level of competence) you should really
look for someone else to handle setting up a SAML IDP for you.

But here are a few things to get you started:

Your LDAP config was/is incorrect:

2020-03-12 12:46:44,709 - IP - WARN [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:192] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by ceibaltest1 at gusduarte.tech produced exception
org.ldaptive.LdapException: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=people,dc=gusduarte,dc=tech'
    at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]

You have undefined properties, probably from having messed up the
conf/ldap.properties file:

2020-03-12 18:18:44,302 - IP - WARN [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:551] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'myLDAP' defined in null: Could not resolve placeholder 'idp.attribute.resolver.LDAP.searchFilter' in value "%{idp.attribute.resolver.LDAP.searchFilter}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.attribute.resolver.LDAP.searchFilter' in value "%{idp.attribute.resolver.LDAP.searchFilter}"

That's what stops your resolver from loading.

Also, your IDP does not support the NameID the SP requested:

2020-03-12 18:19:52,507 - IP - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy

Further comments (amazing, for a resolver config that's only 69 lines):

So you started by moving to the old, deprecated syntax and removed the
(modern) InputAttributeDefinition child elements, and replaced them
with (deprecated) Dependency child elements. A choice that doesn't make
any sense to me.

You have two attribute definitions in that file and the first one
("ImmutableID") serves no purpose: It doesn't have an encoder
attached, doesn't match any attribute id in the new attribute registry
default configuration and also isn't being used by any other attribute
in the resolver. So pointless.
The other one seems confused to me: A "UserId" attribute that actually
pulls data from your "mail" attribute in LDAP (so isn't a UserId) and
has an encoder that puts that into an attribute called
"IDPEmail". But at least that could work (provided the NameFormat is
correct for what the SP expects, I don't know.)
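As an added illustration (not part of this thread, and not Shibboleth's own code), a small Python check for two of the resolver faults called out above: a `%{...}` placeholder that neither conf/ldap.properties nor an inline `%{key:default}` default resolves (the "Could not resolve placeholder" failure), and an AttributeDefinition with no encoder that no other definition consumes. The properties and resolver fragments are constructed samples, not the poster's files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not the poster's files) reproducing two faults from the
# thread: a placeholder that no property backs, and a definition nothing uses.
LDAP_PROPERTIES = """
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
"""
RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver">
  <AttributeDefinition id="ImmutableID">
    <InputDataConnector ref="myLDAP" attributeNames="uid"/>
  </AttributeDefinition>
  <AttributeDefinition id="UserId">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder name="IDPEmail"/>
  </AttributeDefinition>
  <DataConnector id="myLDAP" baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
    <FilterTemplate>%{idp.attribute.resolver.LDAP.searchFilter}</FilterTemplate>
  </DataConnector>
</AttributeResolver>"""
NS = "{urn:mace:shibboleth:2.0:resolver}"
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")  # %{key} or %{key:default}

def load_properties(text):
    """Minimal key = value parser for conf/ldap.properties (no continuations)."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def resolve(value, props, missing):
    """Expand placeholders recursively as Spring does; a key with neither a
    property nor an inline default is recorded in `missing` and left verbatim."""
    def expand(m):
        key, default = m.group(1), m.group(2)
        if key in props:
            return resolve(props[key], props, missing)
        if default is not None:
            return default
        missing.add(key)  # this is Spring's "Could not resolve placeholder"
        return m.group(0)
    return PLACEHOLDER.sub(expand, value)

def unused_definitions(xml_text):
    """AttributeDefinitions with no AttributeEncoder that no other definition reads."""
    root = ET.fromstring(xml_text)
    consumed = {e.get("ref") for e in root.iter(NS + "InputAttributeDefinition")}
    return [d.get("id") for d in root.findall(NS + "AttributeDefinition")
            if d.find(NS + "AttributeEncoder") is None and d.get("id") not in consumed]
```

The dead-definition check does not consult the IdP's attribute registry, so a definition whose id matches a registry entry (and therefore needs no encoder) would still be flagged; treat its output as a hint, not a verdict.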