[Shib-Users] Shibboleth Configuration with Microsoft ISA Proxy


John Talright

Nov 17, 2008, 2:04:00 PM
to shibbole...@internet2.edu
I'm working on a project that requires getting shibboleth authentication to work with a Microsoft ISA access rule.

We have a domain external.ourdomain.com which is located on our public webservers. There is an ISA access rule which proxies that subdomain to internal.ourdomain.com, which is an internal webserver where the application is being run.

The rule seems to work fine and our users are able to access the internally hosted application just fine.

But I'm having trouble getting it to work with Shibboleth. I'm fairly new to Shibboleth and have tried most of what I've found on the internet and ReverseProxy but can't seem to get it to work. I may be doing this incorrectly, I'm not sure.

The main issue is that once shibboleth authenticates it redirects to the internal webserver.

Has anyone gotten Shibboleth and ISA to work together? If so how?

Thanks.

Scott Cantor

Nov 17, 2008, 2:16:58 PM
to shibbole...@internet2.edu
> The main issue is that once shibboleth authenticates it redirects to the
> internal webserver.

Then you haven't virtualized the web site properly. That depends on the web
server, or in the case of IIS which doesn't support virtualization properly,
the <ISAPI>/<Site> mapping in shibboleth2.xml that supplies the host, port,
and/or scheme of the site if they don't match the physical settings.

If your application itself works, then either it isn't relying on any
redirection internally, or is using illegal relative redirects or hardcoding
the logical site information inside itself. Obviously the last two shouldn't
be tolerated in a professionally written application.

-- Scott


John Talright

Nov 17, 2008, 3:14:07 PM
to shibbole...@internet2.edu
I'm using Shibboleth 1.1.3 at this time and our IdP is using SOAP calls.

The website is not virtualized, it is stored on the backend and I'm using ISA to do a proxy passthrough.

Basically the user enters through app1.example.com (which is an alias to the ISA server machine; let's call it isa.example.com).

When activity is detected on the ISA server coming from the alias app1.example.com it then proxies through to internalserver.example.com where the application is being stored.

Now when shibboleth finishes authenticating, it goes to internalserver.example.com which is not accessible to the public. I need it to go to app1.example.com

This configuration doesn't use virtual hosts. I can't seem to find the proper documentation that explains how I would go about doing this.

Thanks.


On Mon, Nov 17, 2008 at 11:16 AM, Scott Cantor <cant...@osu.edu> wrote:
> The main issue is that once shibboleth authenticates it redirects to the
> internal webserver.

Scott Cantor

Nov 17, 2008, 3:34:02 PM
to shibbole...@internet2.edu
> I'm using Shibboleth 1.1.3 at this time and our IdP is using SOAP calls.

I assume you mean 1.3.1.

> The website is not virtualized, it is stored on the backend and I'm using
> ISA to do a proxy passthrough.

That's a virtualized server.

> Basically the user enters through app1.example.com (which is an alias to
> the isa server machine lets call it isa.example.com)

Then by definition the web server MUST believe its hostname is
app1.example.com (with the appropriate port and scheme). If it does not,
then redirects cannot be generated without hacks that Shibboleth does not
use.

> Now when shibboleth finishes authenticating, it goes to
> internalserver.example.com which is not accessible to the public. I need
> it to go to app1.example.com

And therefore you must tell it that its hostname is not what it believes it
to be. That depends on the web server or in the case of broken servers like
IIS on the SP configuration I already mentioned.

> This configuration doesn't use virtual hosts. I can't seem to find the
> proper documentation that explains how I would go about doing this.

Virtualization has little to do with virtual hosts.

One example of virtualization is SSL offloading, for which there is
documentation at https://spaces.internet2.edu/display/SHIB/SPNoSSL

The principle is the same regardless of the reason for the virtualization,
and some of that is out of date with regard to Apache, but the rest is
accurate.

-- Scott
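
As an added illustration of Scott's point (this script is mine, not from the thread or the Shibboleth project), here is a POSIX shell check for the symptom John describes: responses fetched through the public name whose Location header points at the backend host. The hostnames are the thread's own examples (app1.example.com, internalserver.example.com) and the handler path in the usage comment is a constructed sample. The script only detects the problem; the fix is the virtualization Scott describes, on IIS the <ISAPI>/<Site> mapping that tells the SP the public host, scheme and port.

```shell
#!/bin/sh
# Added example (not from the thread): spot redirects from a reverse-proxied SP
# that carry the backend hostname instead of the public one. Feed it response
# headers captured from the public name, for instance
#   curl -sI https://app1.example.com/secure/ | check_redirect_host app1.example.com
# Hostnames are the thread's examples; nothing here refers to a real system.

# check_redirect_host PUBLIC_HOST: reads HTTP response headers on stdin. Prints
# each Location header that is not an absolute URL on PUBLIC_HOST and returns
# 1 if any was found; returns 0 when every redirect stays on the public name
# (or when the response is not a redirect at all).
check_redirect_host() {
  public="$1"
  findings=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')          # header lines end in CRLF
    case "$line" in
      [Ll]ocation:*) ;;
      *) continue ;;
    esac
    target=${line#*:}                                  # drop the "Location:" name
    target=$(printf '%s' "$target" | sed 's/^[[:space:]]*//')
    case "$target" in
      http://*|https://*)
        host=${target#*://}                            # strip scheme
        host=${host%%/*}                               # strip path
        host=${host%%:*}                               # strip port
        if [ "$host" != "$public" ]; then
          echo "redirect leaves the public name ($public): $target"
          findings=$((findings + 1))
        fi
        ;;
      *)
        # Not an absolute URI: the "illegal relative redirect" case Scott
        # mentions (RFC 2616 requires an absolute URI in Location).
        echo "non-absolute Location header: $target"
        findings=$((findings + 1))
        ;;
    esac
  done
  [ "$findings" -eq 0 ]
}
```

Run it against every redirecting URL of the application, not just the Shibboleth handler: an application that hardcodes its internal name, the other case Scott lists, shows up the same way.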


Peter Schober

Nov 17, 2008, 3:58:33 PM
to shibbole...@internet2.edu
* Scott Cantor <cant...@osu.edu> [2008-11-17 21:34]:

> One example of virtualization is SSL offloading, for which there is
> documentation at https://spaces.internet2.edu/display/SHIB/SPNoSSL
>
> The principle is the same regardless of the reason for the virtualization,
> and some of that is out of date with regard to Apache, but the rest is
> accurate.

Updated wrt Apache httpd > 2.0

cheers,
-peter

--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Brian Gibson

Nov 17, 2008, 4:23:13 PM
to shibbole...@internet2.edu
Hi everyone,

First off, I am not well versed in administering Tomcat or working with
Java so be kind :-)
I am following the directions on the test shib site to test Shibboleth
as an idp. Here is the info on our setup.

jdk1.5.0_15
jre1.5.0_16
Tomcat 5.5.27
idp 2.1.0
Red Hat Enterprise Linux Server release 5.2

When I start up Tomcat I see the following error in the catalina.out file.

===============================
INFO: Deploying web application archive idp.war
Nov 13, 2008 1:45:56 PM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Nov 13, 2008 1:45:56 PM org.apache.catalina.core.StandardContext start
SEVERE: Context [/idp] startup failed due to previous errors
===============================

I checked the mailing list archives and most of these errors come from
not endorsing some additional libraries, but I did run the command

cp /usr/local/idp/lib/endorsed/*.jar /usr/local/tomcat/common/endorsed/

Here is what is in /usr/local/tomcat/common/endorsed

200 -rw-r--r-- 1 root root 194354 Nov 13 13:33 xml-apis-2.9.1.jar
1212 -rw-r--r-- 1 root root 1229289 Nov 13 13:33 xercesImpl-2.9.1.jar
3112 -rw-r--r-- 1 root root 3176148 Nov 13 13:33 xalan-2.7.1.jar
280 -rw-r--r-- 1 root root 278286 Nov 13 13:33 serializer-2.9.1.jar
92 -rw-r--r-- 1 root root 84091 Nov 13 13:33 resolver-2.9.1.jar

I also read it could be a permissions issue but everything I installed I
did as root so I am not sure if that could be an issue.

Here are some errors I am seeing in the
/usr/local/idp/logs/idp-process.log file

15:22:31.338 - ERROR
[edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
Configuration was not loaded for
shibboleth.RelyingPartyConfigurationManager service, error creating
components. The root cause of this error was:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean
named 'shibboleth.MetadataTrustEngine' is defined
15:22:31.345 - ERROR
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/idp]:3768]
- Exception sending context initialized event to listener instance of
class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'shibboleth.RelyingPartyConfigurationManager': Invocation
of init method failed; nested exception is
edu.internet2.middleware.shibboleth.common.service.ServiceException:
Configuration was not loaded for
shibboleth.RelyingPartyConfigurationManager service, error creating
components.
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1337) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) [spring-beans-2.5.5.jar:2.5.5]
at java.security.AccessController.doPrivileged(Native Method) [na:1.5.0_16]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:221) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429) [spring-beans-2.5.5.jar:2.5.5]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:729) [spring-context-2.5.5.jar:2.5.5]
......
......

One problem I ran into during the Shibtest setup steps was running

sh ant.sh install

I couldn't get ant installed and working but I was able to just run
./install.sh for the idp and it didn't complain, it walked through the
script okay. Not sure if that is the cause of my problems.

Also, if someone knows of a better site for learning how to set this up
for a Tomcat/Java novice please feel free to send it my way.

Thanks for any help you might be able to offer.

Nate Klingenstein

Nov 17, 2008, 4:38:25 PM
to shibbole...@internet2.edu
Brian,

> I couldn't get ant installed and working but I was able to just
> run ./install.sh for the idp and it didn't complain, it walked
> through the script okay. Not sure if that is the cause of my problems.

Sorry about that; this changed between 2.0 and 2.1 and I hadn't
updated the TestShib installation instructions. They should be fixed
now.

As far as your error goes, I think this is another change between 2.0
and 2.1. The default configuration in 2.1 includes a requirement
that the metadata be signed. TestShib's metadata is not signed. I'm
going to have to change the directions, but for now, please just
comment out the entire <Metadata Filter> section, starting with the
Chaining element.

Thanks for reporting all this -- I don't think any of it's your
fault. Welcome to the world of Shibboleth. :D
Nate.

Colin Bruce

Nov 17, 2008, 6:22:51 PM
to shibbole...@internet2.edu
Dear John et al,

I am not sure if this is the same problem but this link may be of some help.

http://technet.microsoft.com/en-us/library/cc302450.aspx

The issue it addresses is about setting the “tunnel port range” which you have to do in addition to creating rules.

Apologies if this is not about the problem you are having.

Best wishes....

Colin


Russell Beall

Nov 17, 2008, 7:07:13 PM
to shibbole...@internet2.edu
The most common reason I get listenerStart errors has been from
permission conflicts on the IdP directories. If you run tomcat as the
"tomcat" user, and this user is unable to write to the log location,
the IdP will not be able to start and this error will show up.

Russ.

On Nov 17, 2008, at 1:23 PM, Brian Gibson wrote:

> SEVERE: Error listenerStart

Brian Gibson

Nov 19, 2008, 10:03:27 AM
to shibbole...@internet2.edu, Ben Burrage
Hi Nate, thanks for your suggestion. I edited the
/usr/local/idp/conf/relying-party.xml file and commented out the
<MetadataFilter> section as suggested; here is what it looks like now.

<!--
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
    <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
                    maxValidityInterval="604800" />
    <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                    trustEngineRef="shibboleth.MetadataTrustEngine"
                    requireSignedMetadata="true" />
    <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
        <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataFilter>
-->

but when I stopped and started Tomcat I am still getting this error in
the catalina.out log file.

===========================================
Nov 19, 2008 9:43:20 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive idp.war
Nov 19, 2008 9:43:30 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Nov 19, 2008 9:43:30 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/idp] startup failed due to previous errors

===========================================

and here is the error I am getting in the
/usr/local/idp/logs/idp-process.log file

===========================================
09:43:30.741 - ERROR
[edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
Configuration was not loaded for
shibboleth.RelyingPartyConfigurationManager service, error creating
components. The root cause of this error was:
java.lang.OutOfMemoryError: Java heap space
09:43:30.753 - ERROR
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/idp]:3768]
- Exception sending context initialized event to listener instance of
class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'shibboleth.RelyingPartyConfigurationManager': Invocation
of init method failed; nested exception is java.lang.ClassCastException:
java.lang.OutOfMemoryError
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:381) [spring-context-2.5.5.jar:2.5.5]
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255) [spring-web-2.5.5.jar:2.5.5]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199) [spring-web-2.5.5.jar:2.5.5]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45) [spring-web-2.5.5.jar:2.5.5]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764) [catalina.jar:na]
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4216) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:831) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:720) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1150) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311) [catalina.jar:na]
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.start(StandardHost.java:736) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014) [catalina.jar:na]
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) [catalina.jar:na]
at org.apache.catalina.core.StandardService.start(StandardService.java:448) [catalina.jar:na]
at org.apache.catalina.core.StandardServer.start(StandardServer.java:700) [catalina.jar:na]
at org.apache.catalina.startup.Catalina.start(Catalina.java:552) [catalina.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.5.0_16]
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) [na:1.5.0_16]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) [na:1.5.0_16]
......
......
......
===========================================

Thanks for any help that you or others can provide :-)


Nate Klingenstein wrote:
> Brian,
>
> > I couldn't get ant installed and working but I was able to just
> > run ./install.sh for the idp and it didn't complain, it walked
> > through the script okay. Not sure if that is the cause of my problems.
>
> Sorry about that; this changed between 2.0 and 2.1 and I hadn't
> updated the TestShib installation instructions. They should be fixed
> now.
>
> As far as your error goes, I think this is another change between 2.0
> and 2.1. The default configuration in 2.1 includes a requirement
> that the metadata be signed. TestShib's metadata is not signed. I'm
> going to have to change the directions, but for now, please just
> comment out the entire <Metadata Filter> section, starting with the

Nate Klingenstein

Nov 19, 2008, 10:16:58 AM
to shibbole...@internet2.edu
Brian,

Your solution here will be to increase the memory allocation to Java, listed here in the required configuration changes up top:
but if you could humor me, I wonder whether this is related to your local environment or the size of TestShib's metadata.  Can you try changing the metadata URL to http://www.testshib.org/metadata/testshib-providers.xml before doing the real fix?  It's a much smaller file that only lists a couple providers.  I might modify the instructions.

I'm trying to keep the TestShib installation process as simple as possible, so I'd like to have deployers set this only when they move to production, if possible.

Take care,
Nate.
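
Pulling together the startup failures in this part of the thread (Brian's endorsed jars, Russell's point about the Tomcat account being able to write the IdP log directory, and Nate's heap advice), here is an added POSIX shell preflight script. It is my example, not part of the thread or of the IdP distribution. The paths default to the thread's layout (/usr/local/idp, /usr/local/tomcat), and the 512 MB heap threshold is an assumption rather than a documented requirement.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for an IdP 2.x under
# Tomcat 5.5, covering the three listenerStart causes discussed above.
# Run it as the account Tomcat runs under. Paths follow the thread's layout;
# the heap threshold is an assumption.
IDP_HOME="${IDP_HOME:-/usr/local/idp}"
CATALINA_HOME="${CATALINA_HOME:-/usr/local/tomcat}"
MIN_HEAP_MB="${MIN_HEAP_MB:-512}"

# check_endorsed SRC DST: every jar shipped in SRC (the IdP's lib/endorsed)
# must also be present in DST (Tomcat's common/endorsed). Prints what is
# missing and returns 1 if anything is.
check_endorsed() {
  src="$1"; dst="$2"; missing=0
  [ -d "$src" ] || { echo "no such directory: $src"; return 1; }
  for jar in "$src"/*.jar; do
    [ -e "$jar" ] || continue                   # no jars at all in SRC
    name=$(basename "$jar")
    if [ ! -f "$dst/$name" ]; then
      echo "endorsed jar missing from $dst: $name"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# check_log_writable DIR: returns 0 if the current user can create files in
# DIR (Russell's permission case: the IdP cannot open its logs otherwise).
check_log_writable() {
  [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# heap_ok OPTS MIN_MB: returns 0 if OPTS (JAVA_OPTS/CATALINA_OPTS) contains an
# -Xmx of at least MIN_MB megabytes; loading a large metadata file otherwise
# ends in OutOfMemoryError during context startup, as in Brian's log.
heap_ok() {
  opts="$1"; min_mb="$2"
  xmx=$(printf '%s\n' "$opts" | tr ' ' '\n' | sed -n 's/^-Xmx\([0-9][0-9]*\)\([kKmMgG]\)$/\1 \2/p' | tail -n 1)
  [ -n "$xmx" ] || return 1
  set -- $xmx                                   # "$1" = number, "$2" = unit
  case "$2" in
    g|G) mb=$(( $1 * 1024 )) ;;
    k|K) mb=$(( $1 / 1024 )) ;;
    *)   mb=$1 ;;
  esac
  [ "$mb" -ge "$min_mb" ]
}

# preflight: run all three checks against the configured layout; the exit
# status is 0 only if everything passed.
preflight() {
  rc=0
  check_endorsed "$IDP_HOME/lib/endorsed" "$CATALINA_HOME/common/endorsed" || rc=1
  check_log_writable "$IDP_HOME/logs" || { echo "cannot write to $IDP_HOME/logs as $(id -un)"; rc=1; }
  heap_ok "${JAVA_OPTS:-} ${CATALINA_OPTS:-}" "$MIN_HEAP_MB" || { echo "no -Xmx of at least ${MIN_HEAP_MB}m in JAVA_OPTS/CATALINA_OPTS"; rc=1; }
  return $rc
}
```

Calling preflight before starting Tomcat turns the generic "Error listenerStart" into a specific message; the actual cause is still recorded in idp-process.log, which is the file to read first.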

Brian Gibson

Nov 19, 2008, 12:06:42 PM
to shibbole...@internet2.edu
Hi Nate,

Switching the metadata URL like you said worked! Thanks.

I will still check out the memory allocation as you suggested.

Take care,
Brian

Nate Klingenstein

Nov 19, 2008, 12:14:21 PM
to shibbole...@internet2.edu
Brian,

Thanks a lot for testing that.  I've changed the directions to refer to that metadata file instead.  It's one less step, and it saves people from a 3mb (and growing) download anyway.

Too much testing of Shib going on,
Nate.