Remote authentication failing for IdP 3.4.6

Mathew, Sunil smathew at hbs.edu
Wed Aug 25 10:58:27 UTC 2021


Here is the Tomcat server.xml file:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />

  <Service name="Catalina">

    <Connector
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                port="8080"
                maxThreads="200" />

    <Connector
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                port="443" maxThreads="200"
                scheme="https" secure="true" SSLEnabled="true"
                keystoreFile="/opt/certs/keystore.jks" keystorePass="xxxxxxxxxxxx"
                clientAuth="false" sslProtocol="TLS"/>

    <Engine name="Catalina" defaultHost="localhost">

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

          <!-- add valve x-forwarded-for -->
          <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="10\.140\.\d{1,3}\.\d{1,3}"
               remoteIpHeader="x-forwarded-for"
               proxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto"
               hostHeader="x-forwarded-host"
               trustedProxies="proxy1|proxy2|proxy3" />

          <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="/proc/self/fd" prefix="1"
               rotatable="false" pattern="%h %l %u %t &quot;%r&quot; %s %b remote_ip:%a x-forwarded-for:%{x-forwarded-for}i x-forwarded-host:%{x-forwarded-host}i x-forwarded-proto:%{x-forwarded-proto}i HBS_PERSON_ID: %{HBS_PERSON_ID}i " />

      </Host>
    </Engine>
  </Service>
</Server>


Please let me know if I am missing something.

Thanks, Sunil


From: users <users-bounces at shibboleth.net> on behalf of Matthew Slowe via users <users at shibboleth.net>
Reply-To: Shib Users <users at shibboleth.net>
Date: Tuesday, August 24, 2021 at 12:34 PM
To: Shib Users <users at shibboleth.net>
Cc: Matthew Slowe <Matthew.Slowe at jisc.ac.uk>
Subject: Re: Remote authentication failing for IdP 3.4.6

First, why v3?!

Second, can you see the username being passed in to the IDP? You may have missed some bits in Tomcat's config to let it pass.
Sent from my iPhone


On 24 Aug 2021, at 14:48, Mathew, Sunil <smathew at hbs.edu> wrote:
Hi,

I am installing Shibboleth IdP 3.4.6 as a Docker container in ECS. The instance is protected by CAS. I can see in the logs that my person id is injected in the header (HBS_PERSON_ID: 388284)


10.140.158.15 - - [24/Aug/2021:13:40:32 +0000] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJPb4IwGMa%2FCuldShGca4SE6WEmbhphO%2ByyFHiVJtCyvsVt336gbnOHee7z531%2B6QxFU7c86WyltvDWAVrno6kV8uNDRDqjuBYokSvRAHJb8DR5WHHf9XhrtNWFromTIIKxUqu5Vtg1YFIwB1nA03YVkcraFjmlpipEW8KBuVWOLpQdTSuZ57oGW7mImg7BPt2s04w4i%2F4SqcSQ%2BZvQi3r%2FYEe7d7XZU1m2tD9jJ2s427dQSgOFpWm6Js5yEZHXIGBjUfjhdBp64QR24Vj44S3LhV%2BWjE1EL0PsYKnQCmUj4ns%2BG3nTkR9kbMwDj7ObF%2BJszmvvpCql2l9Hk59EyO%2BzbDM6TXoGg8c5vYDEswEwPxabC%2BTXY8U3ZxL%2FTxVbij9gZ%2FSi51Ta8sc%2BeLnY6FoWn05S1%2Fp9bkBYiAgjND5Z%2Fn6K%2BAs%3D&RelayState=ss%3Amem%3Adbb6174dc2ff9956c9ba1810e6b6383b3751444a2fd2f451e35840dd013fd231 HTTP/1.1" 302 - remote_ip:10.140.158.15 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284
10.140.158.111 - - [24/Aug/2021:13:40:33 +0000] "GET /idp/profile/SAML2/Redirect/SSO?execution=e1s1 HTTP/1.1" 302 - remote_ip:10.140.158.111 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284
10.140.158.15 - - [24/Aug/2021:13:40:33 +0000] "GET /idp/Authn/RemoteUser?conversation=e1s1 HTTP/1.1" 302 - remote_ip:10.140.158.15 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284
10.140.158.111 - - [24/Aug/2021:13:40:34 +0000] "GET /idp/profile/SAML2/Redirect/SSO?execution=e1s1&_eventId_proceed=1 HTTP/1.1" 200 5059 remote_ip:10.140.158.111 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284


Here is the conf/authn/remoteuser-authn-config.xml file:

    <!-- Check getRemoteUser() for identity (the typical case). -->
    <util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/>

    <!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. -->
    <util:list id="shibboleth.authn.RemoteUser.checkHeaders">
        <!--
        <value>User-Identity</value>
        -->
        <value>HBS_PERSON_ID</value>
    </util:list>

    <util:list id="shibboleth.authn.RemoteUser.checkAttributes">
        <!--
        <value>User-Identity</value>
        -->
        <value>HBS_PERSON_ID</value>
    </util:list>

    <!-- Simple transforms to apply to username before validation. -->
    <util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/>
    <util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/>
    <util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/>


Here is my conf/idp.properties file:
idp.authn.flows=RemoteUser


This is what I get in my SP after signing into CAS and getting redirected through IdP:
opensaml::FatalProfileException

The system encountered an error at Tue Aug 24 09:40:34 2021

To report this problem, please contact the site administrator at root at localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (https://rhcapdev1.hbs.edu/Shibboleth.sso/SAML2/POST)

SAML response reported an IdP error.

Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Requester
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Message: An error occurred.


Can someone please let me know what I am missing in the setup?

Note: Our current production setup uses Apache with AJP to inject person id in the header.

Thanks for your help.

Sunil
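
As an added check, not from the thread, for the trust boundary this setup relies on: with checkHeaders configured, the RemoteUser flow takes whatever HBS_PERSON_ID value reaches the IdP as the username, so the header is only safe to trust when it arrives through the proxy that sets it. The script below parses lines in the AccessLogValve format from the server.xml above (constructed sample lines, not the thread's own data) and flags any identity header whose remote_ip falls outside the RemoteIpValve's internalProxies range; it assumes remote_ip (%a) is the address of the peer that delivered the request to Tomcat, as in the lines quoted in the thread.

```python
import re

# Field layout mirrors the AccessLogValve pattern in the thread's server.xml:
# %h %l %u %t "%r" %s %b remote_ip:%a x-forwarded-for:.. x-forwarded-host:.. x-forwarded-proto:.. HBS_PERSON_ID: ..
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) remote_ip:(?P<remote_ip>\S+) '
    r'x-forwarded-for:(?P<xff>.*?) x-forwarded-host:(?P<xfh>\S+) '
    r'x-forwarded-proto:(?P<xfp>\S+) HBS_PERSON_ID: ?(?P<person_id>\S*)\s*$'
)
# Same expression as the internalProxies attribute of the RemoteIpValve in the thread.
INTERNAL_PROXIES = re.compile(r"10\.140\.\d{1,3}\.\d{1,3}")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit the pattern."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["person_id"] = None if rec["person_id"] in ("", "-") else rec["person_id"]  # "-" = header absent
    rec["xff"] = [h.strip() for h in rec["xff"].split(",") if h.strip() not in ("", "-")]
    return rec


def audit(lines):
    """Flag identity headers that reached Tomcat from a remote_ip outside the internal-proxy range."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line[:40]))
        elif rec["person_id"] and not INTERNAL_PROXIES.fullmatch(rec["remote_ip"]):
            findings.append(("identity-header-from-untrusted-peer", rec["remote_ip"], rec["person_id"]))
    return findings


# Constructed sample (request URIs shortened): one line shaped like the thread's, one
# with the header absent, and one from a peer outside the 10.140.x.x proxy range.
SAMPLE_LINES = [
    '10.140.158.15 - - [24/Aug/2021:13:40:33 +0000] "GET /idp/Authn/RemoteUser?conversation=e1s1 HTTP/1.1" 302 - '
    'remote_ip:10.140.158.15 x-forwarded-for:199.94.1.20,10.140.158.155, 3.236.67.126 '
    'x-forwarded-host:ssodev.hbsstg.org x-forwarded-proto:https HBS_PERSON_ID: 388284 ',
    '10.140.158.111 - - [24/Aug/2021:13:40:34 +0000] "GET /idp/status HTTP/1.1" 200 120 '
    'remote_ip:10.140.158.111 x-forwarded-for:- x-forwarded-host:- x-forwarded-proto:- HBS_PERSON_ID: - ',
    '198.51.100.7 - - [24/Aug/2021:13:41:02 +0000] "GET /idp/Authn/RemoteUser?conversation=e1s1 HTTP/1.1" 302 - '
    'remote_ip:198.51.100.7 x-forwarded-for:- x-forwarded-host:- x-forwarded-proto:- HBS_PERSON_ID: 388284 ',
]
```

Running `audit(SAMPLE_LINES)` returns one finding, for the third line; the first two are accepted because the header either came via an internal proxy or was not sent at all.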

