Glimpse seems to break Shibboleth


Michael Meier

Aug 16, 2013, 7:29:25 AM
to getglim...@googlegroups.com
Hey,

I started using Glimpse a few days ago and like it very much. However I noticed that it breaks Shibboleth Authentication when active.

Environment:
- IIS8
- MVC 4 application
- Glimpse newest version
- Shibboleth is configured as ISAPI Module and catches all requests to /Account/Login

When I set Glimpse to any defaultRuntimePolicy other than "Off"  (even when I just use PersistResults) the login fails:
- I open /Account/Login
- The browser gets redirected to the Identity Provider website and I log in
- The browser gets redirected to my local service provider at https://hostname/Shibboleth.sso/SAML2/POST
- With Glimpse = Off the Account-Controller will be called and I can process the login with the server variables
- When Glimpse = On I get the following error:
xmltooling::IOException
The system encountered an error at Fri Aug 16 13:18:32 2013
Please include the following message in any email:
xmltooling::IOException at (https://hostname/Shibboleth.sso/SAML2/POST)
Error reading request body from browser (2746).
I tried adding the uri blacklists and the trace shows that they are applied (RuntimePolicy set to 'Off' by IRuntimePolicy of type 'Glimpse.Core.Policy.UriPolicy' during RuntimeEvent 'BeginRequest'.), however I still get the error. 
      <uris>
        <add regex=".*/Shibboleth.*" />
        <add regex=".*/Account.*" />
        <add regex=".*SAML.*" />
      </uris>

I suspect that Glimpse is still injecting some data into the form post between the remote Identity Provider and my local Service Provider unless I turn it off completely, but I expected that the regex (everything related to Shibboleth runs at /Shibboleth.sso/) should have prevented that.

Has anyone an idea what could be going on or experience with Glimpse+Shibboleth? 

Here's a trace from such an error: http://pastebin.com/jzya9uAx 

regards,
Michael

Michael Meier

Aug 16, 2013, 7:53:02 AM
to getglim...@googlegroups.com
Here's a network log from chrome for such a request. I removed all hostnames (blue = my host, purple = identity provider) for security reasons. 
shib_network.png

Nik Molnar

Aug 26, 2013, 11:01:50 AM
to getglim...@googlegroups.com
Hey Michael,

I gave this thread a little time to see if anyone had Shibboleth experience and could offer help.

I certainly do not. If you are able to figure out the root of the problem, please let us know and we'll gladly do what we can to make the two compatible. There are a few issues we are tracking right now with the way ASP.NET handled native modules which might help you.

Thanks,
Nik


On Fri, Aug 16, 2013 at 7:53 AM, Michael Meier <michael....@gmail.com> wrote:
Here's a network log from chrome for such a request. I removed all hostnames (blue = my host, purple = identity provider) for security reasons. 


Steve Ognibene

Oct 2, 2013, 10:20:04 PM
to getglim...@googlegroups.com
Michael,
 
If you're troubleshooting an SSO problem, Fiddler is your friend.  Download it at fiddler2.com (onto a dev box or preferably a VM) and once it's running, connect to your SP once with Glimpse on and once with Glimpse off.  Then on the inspectors tab, open the "Raw" view on the top pane and see what gets posted to the endpoint each time (you will have to scroll back through the sessions list).  Note that you may need to trust the Fiddler certificate to decrypt the SSL-secured connections (which should only be done on a dev box).  The two posts should be practically the same, but if there are any differences, that may provide a hint as to what's going on.  If the assertions are being signed and Glimpse is modifying them in some way, that could cause the assertion to be rejected, or there could be some other thing going on.  The Fiddler text wizard is also able to deflate SAML which lets you see the actual XML of the assertion.  Either way, Fiddler will help you see what (if any) difference there is between the two posts.
 
-Steve O
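
The comparison Steve describes can also be scripted once both requests have been saved from Fiddler's Raw view. The Python below is an added example, not code from this thread or from the Glimpse or Shibboleth projects; the function names and both sample captures are constructed, and the shortened "Glimpse on" body only illustrates what a difference would look like.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

def summarize_post(raw: bytes) -> dict:
    """Describe the SAML POST body in one raw HTTP request capture."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    form = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
    saml_b64 = form.get("SAMLResponse", [""])[0]
    xml, digest = b"", None
    if saml_b64:
        try:
            # HTTP-POST binding: the value is plain base64 of the XML.
            xml = base64.b64decode(saml_b64, validate=True)
            digest = hashlib.sha256(xml).hexdigest()
        except ValueError:
            pass      # truncated or altered value no longer decodes
    return {
        "declared_length": int(headers.get("content-length", "-1")),
        "actual_length": len(body),
        "params": sorted(form),
        "saml_xml_bytes": len(xml),
        "saml_sha256": digest,
    }

def diff_posts(a: bytes, b: bytes) -> dict:
    """Return only the fields that differ, as (first, second) pairs."""
    sa, sb = summarize_post(a), summarize_post(b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}

# Constructed sample captures (not taken from this thread).
XML = b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed"/>'
BODY = urlencode({"SAMLResponse": base64.b64encode(XML).decode(),
                  "RelayState": "constructed"}).encode()

def capture(body: bytes, declared: int) -> bytes:
    return (b"POST /Shibboleth.sso/SAML2/POST HTTP/1.1\r\nHost: hostname\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(declared).encode() + b"\r\n\r\n" + body)

GLIMPSE_OFF = capture(BODY, len(BODY))
GLIMPSE_ON = capture(BODY[:40], len(BODY))   # constructed: body cut short

if __name__ == "__main__":
    for field, (off, on) in diff_posts(GLIMPSE_OFF, GLIMPSE_ON).items():
        print(f"{field}: off={off!r} on={on!r}")
```

An empty result from `diff_posts` means the browser sent the same request both times, which points the investigation at what happens to the body on the server before Shibboleth reads it.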

Barrie Cooper

Oct 14, 2014, 2:30:17 PM
to getglim...@googlegroups.com
I have just spent 3 days tearing my hair out trying to get Shibboleth to work on my new ASP.NET MVC site.  The site is replacing an old ASP.NET Web Forms site that has been using Shibboleth successfully for years.

I have been having the same symptoms as Michael and found the following post:


The problem in that case was an IIS Module (Telerik RadCompression) interfering with the POST body before Shibboleth could process it.  Removing that module made everything work as expected.

I don't use RadCompression but guess what, I do use Glimpse.  Removing the Glimpse module from the system.webServer section of web.config makes it work.

The important bit from the error message is "Error reading request body from browser (2746)".  The only Windows error with that number I can find is:

WSAECONNRESET
10054 (0x2746)
An existing connection was forcibly closed by the remote host.

Does that help in any way? 