AAD and IDP Shibboleth 3.0 integration

Gustavo Duarte gus.duarte at gmail.com
Fri Mar 13 10:31:19 EDT 2020


Thanks, Peter, for taking the time to respond.

You are right, I do not have enough Shibboleth background to do this
task. I'm going to look for someone to help me.

Regards.

On Fri, 13 Mar 2020 at 9:33, Peter Schober (<peter.schober at univie.ac.at>)
wrote:

> * Gustavo Duarte <gus.duarte at gmail.com> [2020-03-12 20:18]:
> > Seeing the logs, i cant figure out what is the attribute error
> > configuration.
>
> You seriously expect other people to read your own logs on your
> behalf, all 20777 lines of them?
> If that's your attitude (or level of competence) you should really
> look for someone else to handle setting up a SAML IDP for you.
>
> But here are a few things to get you started:
>
> Your LDAP config was/is incorrect:
>
> 2020-03-12 12:46:44,709 - IP - WARN
> [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:192] -
> Profile Action      ValidateUsernamePasswordAgainstLDAP: Login by
> ceibaltest1 at gusduarte.tech produced exception
> org.ldaptive.LdapException: javax.naming.NameNotFoundException: [LDAP:
> error code 32 - No Such Object]; remaining name 'ou=people,
> dc=gusduarte,dc=tech'
>     at
> org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
> Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No
> Such Object]
>
> You have undefined properties, probably from having messed up the
> conf/ldap.properties file:
>
> 2020-03-12 18:18:44,302 - IP - WARN
> [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:551]
> - Exception encountered during  context initialization - cancelling refresh
> attempt: org.springframework.beans.factory.BeanDefinitionStoreException:
> Invalid bean definition  with name 'myLDAP' defined in null: Could not
> resolve placeholder 'idp.attribute.resolver.LDAP.searchFilter' in value
> "%{idp.attribute.       resolver.LDAP.searchFilter}"; nested exception is
> java.lang.IllegalArgumentException: Could not resolve placeholder
> 'idp.attribute.resolver.  LDAP.searchFilter' in value
> "%{idp.attribute.resolver.LDAP.searchFilter}"
>
> That's what stops your resolver from loading.
>
> Also, your IDP does not support the NameID the SP requested:
>
> 2020-03-12 18:19:52,507 - IP - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidNameIDPolicy
>
> Further comments (amazing, for a resolver config that's only 69 lines):
>
> So you started by moving to the old, deprecated syntax and removed the
> (modern) InputAttributeDefinition child elements, and replaced them
> with (deprecated) Dependency child elements. A choice that doesn't make
> any sense to me.
>
> You have two attribute definitions in that file and the first one
> ("ImmutableID") serves no purpose: It doesn't have an encoder
> attached, doesn't match any attribute id in the new attribute registry
> default configuration and also isn't being used by any other attribute
> in the resolver. So pointless.
> The other one seems confused to me: A "UserId" attribute that actually
> pulls data from your "mail" attribute in LDAP (so isn't a UserId) and
> has an encoder that puts that into an attribute called
> "IDPEmail". But at least that could work (provided the NameFormat is
> correct for what the SP expects, which I don't know.)
>
> -peter
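A resolver fragment in the current IdP 3.4 syntax that addresses the three points raised above (undefined ldap.properties placeholders, deprecated Dependency elements, and an attribute that can feed the NameID generator), added here as an illustration rather than anything posted in this thread. It assumes IdP 3.4.x with the stock ldap.properties property names, uid as the immutable identifier, and an SP that wants a persistent NameID plus an attribute named IDPEmail.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/attribute-resolver.xml in IdP 3.4 syntax: added illustration, not the poster's file -->
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- Every %{...} placeholder must be defined in conf/ldap.properties, e.g.
         idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
         A missing one aborts the Spring refresh with "Could not resolve placeholder"
         and the whole resolver fails to load. -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</ReturnAttributes>
    </DataConnector>

    <!-- Modern dependency syntax: InputDataConnector replaces the deprecated
         <Dependency ref="myLDAP"/> child element. -->
    <AttributeDefinition id="ImmutableID" xsi:type="Simple">
        <!-- Source attribute "uid" is an assumption; use whatever your directory
             holds that never changes for a user. No encoder is needed here when the
             value is consumed by a persistent NameID generator in conf/saml-nameid.xml
             (p:attributeSourceIds="#{ {'ImmutableID'} }"); without such a generator
             the IdP answers a persistent NameIDPolicy with InvalidNameIDPolicy. -->
        <InputDataConnector ref="myLDAP" attributeNames="uid"/>
    </AttributeDefinition>

    <!-- Named for what the SP receives; the source is the LDAP "mail" attribute,
         and the encoder is what puts it on the wire as IDPEmail. -->
    <AttributeDefinition id="IDPEmail" xsi:type="Simple">
        <InputDataConnector ref="myLDAP" attributeNames="mail"/>
        <AttributeEncoder xsi:type="SAML2String" name="IDPEmail"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
    </AttributeDefinition>
</AttributeResolver>
```

The baseDN in the properties file must actually exist in the directory; the authentication side reports a missing base as "LDAP: error code 32 - No Such Object", as in the quoted log.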