Remote authentication failing for IdP 3.4.6
Mathew, Sunil
smathew at hbs.edu
Tue Aug 24 13:47:45 UTC 2021
Hi,
I am installing Shibboleth IdP 3.4.6 as a Docker container in ECS. The instance is protected by CAS. I can see in the logs that my person id is injected in the header (HBS_PERSON_ID: 388284):
10.140.158.15 - - [24/Aug/2021:13:40:32 +0000] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJPb4IwGMa%2FCuldShGca4SE6WEmbhphO%2ByyFHiVJtCyvsVt336gbnOHee7z531%2B6QxFU7c86WyltvDWAVrno6kV8uNDRDqjuBYokSvRAHJb8DR5WHHf9XhrtNWFromTIIKxUqu5Vtg1YFIwB1nA03YVkcraFjmlpipEW8KBuVWOLpQdTSuZ57oGW7mImg7BPt2s04w4i%2F4SqcSQ%2BZvQi3r%2FYEe7d7XZU1m2tD9jJ2s427dQSgOFpWm6Js5yEZHXIGBjUfjhdBp64QR24Vj44S3LhV%2BWjE1EL0PsYKnQCmUj4ns%2BG3nTkR9kbMwDj7ObF%2BJszmvvpCql2l9Hk59EyO%2BzbDM6TXoGg8c5vYDEswEwPxabC%2BTXY8U3ZxL%2FTxVbij9gZ%2FSi51Ta8sc%2BeLnY6FoWn05S1%2Fp9bkBYiAgjND5Z%2Fn6K%2BAs%3D&RelayState=ss%3Amem%3Adbb6174dc2ff9956c9ba1810e6b6383b3751444a2fd2f451e35840dd013fd231 HTTP/1.1" 302 - remote_ip:10.140.158.15 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284
10.140.158.111 - - [24/Aug/2021:13:40:33 +0000] "GET /idp/profile/SAML2/Redirect/SSO?execution=e1s1 HTTP/1.1" 302 - remote_ip:10.140.158.111 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284
10.140.158.15 - - [24/Aug/2021:13:40:33 +0000] "GET /idp/Authn/RemoteUser?conversation=e1s1 HTTP/1.1" 302 - remote_ip:10.140.158.15 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284
10.140.158.111 - - [24/Aug/2021:13:40:34 +0000] "GET /idp/profile/SAML2/Redirect/SSO?execution=e1s1&_eventId_proceed=1 HTTP/1.1" 200 5059 remote_ip:10.140.158.111 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284
Here is the conf/authn/remoteuser-authn-config.xml file:
<!-- Check getRemoteUser() for identity (the typical case). -->
<util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/>
<!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. -->
<util:list id="shibboleth.authn.RemoteUser.checkHeaders">
<!--
<value>User-Identity</value>
-->
<value>HBS_PERSON_ID</value>
</util:list>
<util:list id="shibboleth.authn.RemoteUser.checkAttributes">
<!--
<value>User-Identity</value>
-->
<value>HBS_PERSON_ID</value>
</util:list>
<!-- Simple transforms to apply to username before validation. -->
<util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/>
<util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/>
Here is my conf/idp.properties file:
idp.authn.flows=RemoteUser
This is what I get in my SP after signing into CAS and getting redirected through IdP:
opensaml::FatalProfileException
The system encountered an error at Tue Aug 24 09:40:34 2021
To report this problem, please contact the site administrator at root at localhost<mailto:root at localhost>.
Please include the following message in any email:
opensaml::FatalProfileException at (https://rhcapdev1.hbs.edu/Shibboleth.sso/SAML2/POST)
SAML response reported an IdP error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Requester
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Message: An error occurred.
Can someone please let me know what I am missing in the setup?
Note: Our current production setup uses Apache with AJP to inject person id in the header.
Thanks for your help.
Sunil
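The following is an added illustration, not part of the original message and not the IdP's own code: a small Python model of how the RemoteUser flow, configured as in the remoteuser-authn-config.xml above, picks a username (getRemoteUser() first, then the listed headers, then the listed servlet attributes, first non-empty value wins, then the Lowercase/Uppercase/Trim transforms). The lookup order and the sample request values are assumptions built from the posted config and log line; the IdP's own implementation may differ in detail.

```python
from typing import Mapping, Optional

# Settings taken from the posted conf/authn/remoteuser-authn-config.xml.
CHECK_REMOTE_USER = True
CHECK_HEADERS = ["HBS_PERSON_ID"]
CHECK_ATTRIBUTES = ["HBS_PERSON_ID"]
LOWERCASE, UPPERCASE, TRIM = False, False, True


def extract_remote_user(remote_user: Optional[str],
                        headers: Mapping[str, str],
                        attributes: Mapping[str, str]) -> Optional[str]:
    """Return the username the RemoteUser flow would accept, or None.

    Assumed lookup order (a model, not the IdP source): the container's
    getRemoteUser() value, then each configured HTTP header, then each
    configured servlet attribute; the first non-empty value is used.
    """
    candidates = []
    if CHECK_REMOTE_USER:
        candidates.append(remote_user)
    # HTTP header names are case-insensitive; servlet attribute names are not.
    lowered = {name.lower(): value for name, value in headers.items()}
    candidates += [lowered.get(name.lower()) for name in CHECK_HEADERS]
    candidates += [attributes.get(name) for name in CHECK_ATTRIBUTES]
    for value in candidates:
        if value is None:
            continue
        if TRIM:
            value = value.strip()
        if not value:
            continue  # blank after trimming: keep looking
        if LOWERCASE:
            value = value.lower()
        if UPPERCASE:
            value = value.upper()
        return value
    return None  # nothing usable: the flow cannot authenticate the request


def sample_request_user() -> Optional[str]:
    """Constructed request mirroring the posted access-log line: no container
    REMOTE_USER, header set by the proxy, no servlet attribute."""
    headers = {"X-Forwarded-Host": "ssodev.hbsstg.org",
               "X-Forwarded-Proto": "https",
               "HBS_PERSON_ID": "388284"}
    return extract_remote_user(None, headers, {})


if __name__ == "__main__":
    print(sample_request_user())
```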