Shibboleth v4.1.0 upgrade failure with DuoOIDC plugin for Universal Prompt support

Yang, Charles cyang at fullerton.edu
Fri Jun 30 20:03:16 UTC 2023


Issue:
      Shibboleth failed to boot. Jetty log presented this message.
================================================================
WARN [org.eclipse.jetty.webapp.WebAppContext:533] - Failed startup of context o.e.j.w.WebAppContext at 305a0c5f{Shibboleth Identity Provider,/idp,[file:///opt/jetty/temp/jetty-127_0_0_1-8008-idp_war-_idp-any-11747669412705206324/webinf/, jar:file:///opt/shibboleth-idp/war/idp.war!/],UNAVAILABLE}{/opt/shibboleth-idp/war/idp.war}
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'shibboleth.AvailableAuthenticationFlows' defined in null: Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}".......

Caused by: java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"
================================================================

System versioning history: v3.3.3 -> v3.4.7 -> v3.4.8 -> v4.0.1(starting version) -> v4.1.0

Plugin installed:
bin]# ./plugin.sh -l
Plugin: net.shibboleth.oidc.common      Current Version: 1.1.0
Plugin: net.shibboleth.idp.plugin.authn.duo.nimbus      Current Version: 1.0.0

Module states:
bin]# ./module.sh -l
Module: idp.oidc.common.1 [ENABLED]  <=== this is enabled after I installed it ..
Module: idp.authn.DuoOIDC [ENABLED]  <=== this is enabled after I installed it ..
Module: idp.authn.Duo [ENABLED]
Module: idp.authn.External [ENABLED]
Module: idp.authn.Function [ENABLED]
Module: idp.authn.IPAddress [ENABLED]
Module: idp.authn.MFA [ENABLED]
Module: idp.authn.Password [ENABLED]
Module: idp.authn.RemoteUser [ENABLED]
Module: idp.authn.RemoteUserInternal [ENABLED]
Module: idp.authn.SPNEGO [ENABLED]
Module: idp.authn.X509 [DISABLED]
Module: idp.authn.Demo [DISABLED]
Module: idp.admin.Hello [DISABLED]
Module: idp.admin.UnlockKeys [ENABLED]
Module: idp.intercept.Consent [ENABLED]
Module: idp.intercept.ContextCheck [ENABLED]
Module: idp.intercept.ExpiringPassword [ENABLED]
Module: idp.intercept.Impersonate [ENABLED]
Module: idp.intercept.Warning [DISABLED]
Module: idp.profile.CAS [ENABLED]

Jetty version: 9.4.35.v20201120

Java version:
jetty]# java -version
openjdk version "11.0.14.1" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)

Steps followed:
      https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631513/Upgrading
      https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1374027959/DuoOIDCAuthnConfiguration

authn/DuoOIDC Flow Descriptor XML is added in conf/authn/general-authn.xml --> https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1374027959/DuoOIDCAuthnConfiguration#General-Configuration


Working workaround (which allows Jetty to boot properly and Shibboleth v4.1.0 to work):

Manual removal of this line in "Flow Descriptor XML"
p:subjectDecorator-ref="#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"

Other attempts:

I have tried performing this upgrade path: v4.0.1 -> v4.1.0 -> v4.3.1.
With v4.3.1 in place, I added both "oidc.common" and "duo.nimbus" plugins to their latest release version.

I got the same result.

Questions:

Is this a known issue for an upgraded Shib system?
Would the workaround pose any issue with DuoOIDC functionalities?
What am I missing from the upgrade process? User error?


Thank you for your time!


Chuck Yang

System Analyst, Infrastructure Services
Division of Information Technology

P: 657-278-5624
800 N. State College Blvd. Fullerton, CA
http://www.fullerton.edu/it
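
Added example (not part of the original message and not Shibboleth project code): a pre-start check that lists every %{...} placeholder in a configuration file that has no definition in the loaded properties, which is the condition the BeanDefinitionStoreException above reports. It assumes %{name:default} is the form that supplies a fallback; the function names, the second XML attribute and the sample properties are hypothetical.

```python
import re

# Assumed syntax: %{name} has no fallback; %{name:default} does.
PLACEHOLDER = re.compile(r"%\{([^}:]+)(:[^}]*)?\}")

def parse_property_keys(text):
    """Collect keys from Java .properties text, skipping comments and blanks."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            # A key ends at the first '=', ':' or whitespace.
            keys.add(re.split(r"[=:\s]", line, maxsplit=1)[0])
    return keys

def unresolved_placeholders(xml_text, defined_keys):
    """Names referenced without a default and not defined in any properties file."""
    missing = set()
    for match in PLACEHOLDER.finditer(xml_text):
        name, default = match.group(1).strip(), match.group(2)
        if default is None and name not in defined_keys:
            missing.add(name)
    return sorted(missing)

# Constructed sample: only the subjectDecorator attribute is taken from the post;
# the second attribute and its property name are hypothetical.
SAMPLE_XML = """
<bean id="authn/DuoOIDC"
      p:subjectDecorator-ref="#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"
      p:exampleFlag="%{example.hypothetical.flag:false}" />
"""

# Constructed sample properties; the key and value are hypothetical.
SAMPLE_PROPS = """
# comment line
example.other.setting = value
"""

def check_sample():
    """Run the check over the constructed sample above."""
    return unresolved_placeholders(SAMPLE_XML, parse_property_keys(SAMPLE_PROPS))

if __name__ == "__main__":
    for name in check_sample():
        print("unresolved placeholder with no default:", name)
```

To use it on a real installation, pass the text of the flow descriptor file and the union of keys from every properties file the IdP loads.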