Fatal error when authenticating with Shibboleth


Alexandre Abreu

Mar 3, 2020, 7:09:10 AM
to Dataverse Users Community
Hi guys,

I'm having trouble with Shibboleth... When I try to authenticate I am getting an error message (attached).
Idk the cause... It was working well till Friday...
Can anyone help, please?

best regards, 
Alexandre
Capturar.PNG

Leonhard Maylein

Mar 3, 2020, 7:23:32 AM
to dataverse...@googlegroups.com
I strongly suspect a problem of the shibboleth configuration. Did you
have a look at the log file of the service provider (maybe shibd.log)?
Is it possible that one of the certificates involved has expired?

"signature could not be verified"

Leonhard Maylein





Alexandre Abreu

Mar 3, 2020, 7:24:50 AM
to Dataverse Users Community
More info from transaction.log
Below, please see part of transaction.log: in GREEN is the log from when Shibboleth was working well, and in RED is the log from when Shibboleth stopped working...

2020-02-28 17:11:46 INFO Shibboleth-TRANSACTION [100] [default]: New session (ID: _0ed2935ff839d0932895c680bfad4ce9) with (applicationId: default) for principal from (IdP: http://example/adfs/services/trust) at (ClientAddress: 10.24.4.76) with (NameIdentifier: none) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _da67cfae-4710-4dfb-bd12-cf8e283c99a1)
2020-02-28 17:11:46 INFO Shibboleth-TRANSACTION [100] [default]: Cached the following attributes with session (ID: _0ed2935ff839d0932895c680bfad4ce9) for (applicationId: default) {
2020-02-28 17:11:46 INFO Shibboleth-TRANSACTION [100] [default]:        eppn (1 values)
2020-02-28 17:11:46 INFO Shibboleth-TRANSACTION [100] [default]:        givenName (1 values)
2020-02-28 17:11:46 INFO Shibboleth-TRANSACTION [100] [default]:        sn (1 values)
2020-02-28 17:11:46 INFO Shibboleth-TRANSACTION [100] [default]:        mail (1 values)
2020-02-28 17:11:46 INFO Shibboleth-TRANSACTION [100] [default]: }
2020-03-02 08:32:42 INFO Shibboleth-TRANSACTION [105] [default]: New session (ID: ) with (applicationId: default) for principal from (IdP: http://example/adfs/services/trust) at (ClientAddress: 10.24.4.66) with (NameIdentifier: none) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: )
2020-03-02 08:32:42 INFO Shibboleth-TRANSACTION [105] [default]: Cached the following attributes with session (ID: ) for (applicationId: default) {
2020-03-02 08:32:42 INFO Shibboleth-TRANSACTION [105] [default]: }

Alexandre Abreu

Mar 3, 2020, 7:34:46 AM
to Dataverse Users Community
Hi Leonhard

From Shibd.log I have the following:

$
2020-03-03 08:19:05 DEBUG Shibboleth.SSO.SAML2 [20] [default]: extracting issuer from SAML 2.0 assertion
2020-03-03 08:19:05 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [20] [default]: evaluating message flow policy (replay checking on, expiration 60)
2020-03-03 08:19:05 DEBUG XMLTooling.StorageService [20] [default]: inserted record (_1063dee8-57f5-4685-9c69-cd21ff00ed8c) in context (MessageFlow) with expiration (1$
2020-03-03 08:19:05 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [20] [default]: validating signature profile
2020-03-03 08:19:05 DEBUG XMLTooling.CredentialCriteria [20] [default]: keys didn't match
2020-03-03 08:19:05 DEBUG XMLTooling.CredentialCriteria [20] [default]: keys didn't match
2020-03-03 08:19:05 DEBUG XMLTooling.TrustEngine.ExplicitKey [20] [default]: unable to validate signature, no credentials available from peer
2020-03-03 08:19:05 DEBUG XMLTooling.TrustEngine.PKIX [20] [default]: validating signature using certificate from within the signature
2020-03-03 08:19:05 DEBUG XMLTooling.TrustEngine.PKIX [20] [default]: signature verified with key inside signature, attempting certificate validation...
2020-03-03 08:19:05 DEBUG XMLTooling.TrustEngine.PKIX [20] [default]: checking that the certificate name is acceptable
2020-03-03 08:19:05 DEBUG XMLTooling.TrustEngine.PKIX [20] [default]: adding to list of trusted names (http://example.br/adfs/services/trust)
2020-03-03 08:19:05 DEBUG XMLTooling.TrustEngine.PKIX [20] [default]: certificate subject: CN=ADFS Signing - example.br
2020-03-03 08:19:05 DEBUG XMLTooling.TrustEngine.PKIX [20] [default]: unable to match DN, trying TLS subjectAltName match
2020-03-03 08:19:05 DEBUG XMLTooling.TrustEngine.PKIX [20] [default]: unable to match subjectAltName, trying TLS CN match
2020-03-03 08:19:05 ERROR XMLTooling.TrustEngine.PKIX [20] [default]: certificate name was not acceptable


Maylein, Leonhard

Mar 3, 2020, 7:43:56 AM
to Dataverse Users Community

I'm not an expert on shibboleth. But it seems to me there's something wrong with your certificates.


Leonhard Maylein




Don Sizemore

Mar 3, 2020, 8:15:51 AM
to dataverse...@googlegroups.com
Alexandre,

In IRC you said Shibboleth authentication was working well until you enabled an additional DNS service:

Have you verified that your browser, Shib SP, and Glassfish instance are all seeing the same response for each DNS record in play?

Donald


Alexandre Abreu

Mar 3, 2020, 8:23:34 AM
to Dataverse Users Community
Is there a way to renew the certificates?

Alexandre Abreu

Mar 3, 2020, 9:12:14 AM
to Dataverse Users Community
Hi Don,
Yes, they are responding to the same DNS...


Alexandre Abreu

Mar 3, 2020, 1:34:56 PM
to Dataverse Users Community
I restored a snapshot of the server from last Friday (the last moment I saw it working) just to see if the problem was internal... and after that the problem is still there... so it probably came from outside... now I have to discover where the problem came from... If someone has a suggestion, please contact me here :-)

thanks in advance.

Philip Durbin

Mar 4, 2020, 9:00:15 AM
to dataverse...@googlegroups.com
Alexandre, can you please start a thread on the shib users mailing list? I'm on there and will jump in as well: https://shibboleth.net/mailman/listinfo/users

That reminds me. In https://chat.dataverse.org they* call me Mr. Shib and now Oliver comes along and is Mr. OIDC, a NEXT GENERATION data repository technology according to https://ngr.coar-repositories.org/technology/

No fair!

Phil

p.s. At PIDapalooza I told Paul Welk he's very welcome to advertise his COAR conference that's coming up in the closest city to Machu Picchu! Who's going? Pontificia Universidad Católica del Perú ( http://datos.pucp.edu.pe ) perhaps? The conference sounded absolutely amazing.



Alexandre Abreu

Mar 4, 2020, 9:24:08 AM
to Dataverse Users Community
Sure, Mr. Shib  :-)
I'm struggling with this Shib...

Alexandre Abreu

Mar 4, 2020, 9:25:43 AM
to Dataverse Users Community
I just subscribed there. I will open a thread there asap.
Thanks Philip

Alexandre Abreu

Mar 6, 2020, 6:20:35 AM
to Dataverse Users Community
I solved the problem. ADFS changed the token certificates (encryption and signing), then I updated the information about the certificates in FederationMetadata.xml :-)
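
The rollover described in the last post (ADFS replacing its token-signing and encryption certificates while the SP still holds the old FederationMetadata.xml) can be caught by comparing certificate fingerprints in the SP's local metadata copy against the IdP's current metadata. This is an added example, not part of the original thread; the function names and the sample metadata are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def key_fingerprints(metadata_xml):
    """Map key use -> set of SHA-256 fingerprints of the IdP's certificates."""
    found = {}
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "any")  # no 'use' attribute: key serves both purposes
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            found.setdefault(use, set()).add(hashlib.sha256(der).hexdigest())
    return found

def rollover_report(sp_copy_xml, idp_live_xml):
    """Per key use, list fingerprints only the SP copy has ('stale') and
    fingerprints only the IdP's current metadata has ('missing')."""
    old, new = key_fingerprints(sp_copy_xml), key_fingerprints(idp_live_xml)
    report = {}
    for use in sorted(set(old) | set(new)):
        stale = sorted(old.get(use, set()) - new.get(use, set()))
        missing = sorted(new.get(use, set()) - old.get(use, set()))
        if stale or missing:
            report[use] = {"stale": stale, "missing": missing}
    return report

# Constructed sample metadata. The certificate bodies are placeholder bytes,
# not real X.509; only their hashes matter for the comparison.
TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://example/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {sig}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {enc}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def sample(sig, enc):
    b64 = lambda raw: base64.b64encode(raw).decode()
    return TEMPLATE.format(sig=b64(sig), enc=b64(enc))

SP_COPY = sample(b"constructed-old-signing", b"constructed-old-encryption")
IDP_LIVE = sample(b"constructed-new-signing", b"constructed-new-encryption")

if __name__ == "__main__":
    for use, diff in rollover_report(SP_COPY, IDP_LIVE).items():
        print(use, "stale:", diff["stale"], "missing:", diff["missing"])
```

Before installing refreshed metadata, confirm the new signing fingerprint with the IdP operator through a separate channel, since this file is what the SP trusts when it verifies assertions.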

