Liferay and Casshib


marco.bencivenni

May 3, 2011, 10:55:54 AM5/3/11
to casshib
Dear all,
we are trying to use casshib in order to authenticate liferay against
an IDP shibboleth.

From Liferay we are correctly redirected to the IDP shibboleth for the
authentication, but after we are correctly authenticated by the
IDP we return to the liferay home page as an anonymous user, not logged in.

We notice 2 different behaviours if we use for casshib the liferay
bundled tomcat or a separate tomcat.

In the first case (liferay bundled tomcat) we have a problem during the
redirection from the IDP to liferay; we obtain the following error: The
requested URL /casshib/shib/liferay/Shibboleth.sso/SAML2/POST was not
found on this server.
In the second case (separate tomcat), after we are correctly
authenticated by the IDP we return to the liferay home page as an anonymous
user, not logged in.

Do you have any suggestions?
Below are our configurations.

Regards,
Marco B


######### LIFERAY #######################

----->CAS authentication

Login URL: https://halfback.cnaf.infn.it/casshib/shib/liferay/login
Logout URL: blank
Server Name: halfback.cnaf.infn.it
Server URL: https://halfback.cnaf.infn.it/casshib/shib/liferay
Service URL: http://halfback.cnaf.infn.it:8080/c/portal/login/

#########################################



######## IDP CONFIGURATION #######

-----> /opt/shibboleth-idp/conf/attribute-filter.xml

[...]
<AttributeFilterPolicy id="releasePersistentIdToAnyone">
  <PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="http://halfback.cnaf.infn.it/c/portal/login/" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://halfback.cnaf.infn.it/c/portal/login/" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://halfback.cnaf.infn.it/casshib/app1" />
  </PolicyRequirementRule>

  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
[...]

-----> /opt/shibboleth-idp/conf/relying-party.xml

[...]
<MetadataProvider id="app1" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
  <MetadataResource xsi:type="resource:FilesystemResource" file="/opt/shibboleth-idp/metadata/casshib-metadata.xml" />
</MetadataProvider>
[...]



######## SP CONFIGURATION #######

-----> /etc/shibboleth/shibboleth2.xml

[...]
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="halfback.cnaf.infn.it" port="443" scheme="https">
      <PathRegex regex="casshib/shib/liferay" applicationId="liferay" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
</RequestMapper>
[...]
<ApplicationDefaults id="default" policyId="default"
    entityID="https://halfback.cnaf.infn.it/shibboleth"
    homeURL="https://halfback.cnaf.infn.it/index.html"
    REMOTE_USER="shibattr-uid eppn persistent-id targeted-id"
    signing="true" encryption="false">

  <SSO entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth"
      discoveryProtocol="SAMLDS" discoveryURL="https://gridlab01.cnaf.infn.it/DS/WAYF">
    SAML2 SAML1
  </SSO>
  [...]
  <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
      relayState="cookie" entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth">
    <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
  </SessionInitiator>
  [...]
  <MetadataProvider type="XML" file="idp-metadata.xml"/>
  [...]
  <ApplicationOverride id="liferay"
      entityID="http://halfback.cnaf.infn.it:8080/c/portal/login/"
      homeURL="http://halfback.cnaf.infn.it:8080/c/portal/login/"
      REMOTE_USER="shibattr-uid">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/casshib/shib/liferay/Shibboleth.sso"
        handlerSSL="true"
        exportLocation="/casshib/shib/liferay/Shibboleth.sso/GetAssertion"
        idpHistory="false" idpHistoryDays="7"
        cookieProps="; path=/c/portal/login/">
    </Sessions>
  </ApplicationOverride>
[...]


######## CASSHIB CONFIGURATION #######

-----> /opt/tomcat/webapp/casshib/WEB-INF/classes/casshib-service-registration.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<casShibServiceRegistrations>
<service id="http://halfback.cnaf.infn.it:8080/c/portal/login/"
appname="liferay"
passcode="96306" />
</casShibServiceRegistrations>



######## LOG FILES #######

-----> idp-process.log

14:37:59.216 - INFO [Shibboleth-Audit:950] - 20110503T123759Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_ced679c57fcef0aaaee463a371a4094a|http://halfback.cnaf.infn.it:8080/c/portal/login/|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://gridlab01.cnaf.infn.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_d3a0489ce4906fce84ce154020cd3408|dmichelotto|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_6ff382b61feb326ea0c607bff8318184||

-----> /opt/tomcat/logs/catalina.out

2011-05-03 14:42:03,304 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading
registered services.>
2011-05-03 14:42:03,305 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 4
services.>

-----> cas.log

2011-05-03 14:54:03,304 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading
registered services.
2011-05-03 14:54:03,305 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 4
services.

-----> /opt/liferay/tomcat/logs/catalina.out
after login with log level DEBUG

12:45:19,253 DEBUG [PrincipalThreadLocal:30] getName null
12:45:19,328 DEBUG [PrincipalThreadLocal:30] getName null
12:45:19,350 DEBUG [PrincipalThreadLocal:30] getName null
12:45:19,374 DEBUG [PrincipalThreadLocal:30] getName null
12:45:19,390 DEBUG [PrincipalThreadLocal:30] getName null
12:45:19,544 DEBUG [PrincipalThreadLocal:42] setName 10134
12:45:19,547 DEBUG [PrincipalThreadLocal:42] setName 10134
12:45:19,550 DEBUG [PrincipalThreadLocal:42] setName 10134
12:45:19,551 DEBUG [PrincipalThreadLocal:42] setName 10134
12:45:19,547 DEBUG [PrincipalThreadLocal:42] setName 10134
12:45:19,553 DEBUG [PrincipalThreadLocal:42] setName 10134
12:45:19,585 DEBUG [PrincipalThreadLocal:42] setName 10134

in the db of liferay under table User_ the userId 10134 is the guest
user






John Mitchell

May 3, 2011, 12:51:23 PM5/3/11
to cas...@googlegroups.com
Marco,

You have an entity ID mismatch. Your IdP is not releasing any
attributes to the SP that is part of casshib.

Your SP's entity ID:

http://halfback.cnaf.infn.it:8080/c/portal/login/

The IdP's attribute release policy has the following entity IDs in it:

<basic:Rule xsi:type="basic:AttributeRequesterString" value="http://halfback.cnaf.infn.it/c/portal/login/" />
<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://halfback.cnaf.infn.it/c/portal/login/" />
<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://halfback.cnaf.infn.it/casshib/app1" />

Make sure your entity ID in the SP's metadata matches one of the above
values; otherwise the IdP will not release any attributes, or very few.
You can also see this in the chunk of the IdP log you included:

> 14:37:59.216 - INFO [Shibboleth-Audit:950] - 20110503T123759Z|
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|
> _ced679c57fcef0aaaee463a371a4094a|http://halfback.cnaf.infn.it:8080/c/
> portal/login/|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://
> gridlab01.cnaf.infn.it/idp/shibboleth|urn:oasis:names:tc:SAML:
> 2.0:bindings:HTTP-POST|_d3a0489ce4906fce84ce154020cd3408|dmichelotto|
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||
> _6ff382b61feb326ea0c607bff8318184||

You should see something like this:

11:37:38.571 - INFO [Shibboleth-Audit:898] -
20110427T193738Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_130393304985|http://login.proxy.library.uaf.edu/ezproxy|urn:mace:shibboleth:2.0:profiles:saml2:sso|urn:mace:incommon:alaska.edu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_ef8f6c382ee092f2cbc2b7b9ac83e455|jpmitchell|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,eduPersonScopedAffiliation,eduPersonTargetedID.old,eduPersonEntitlement,uasystemid,uakstudentdept,transientId,uakemployeedept,eduPersonTargetedID,uakstudentcampus,uakemployeemau,|||

Notice the last thing in the log entry is the attributes released. You
do not have any attributes released in your log. Keep at it as you
appear to be close.


--
John P. Mitchell <jpmit...@alaska.edu>
907.450.8320
http://www.alaska.edu/oit/iam
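An added example, not code from the thread or from the casshib project: a small Python checker that does mechanically what John does by eye. It parses a Shibboleth IdP 2.x audit record (pipe-separated; the released-attribute list is the field right after the authentication method), then compares the requester entity ID the IdP saw with the SP's configured entity ID and with the AttributeRequesterString rules in attribute-filter.xml. Entity IDs are compared as exact strings, because scheme, port and trailing slash all matter to the IdP. The attribute-filter excerpt and the "healthy" audit line are constructed for the example; the mismatched audit line is the one posted above, re-joined onto a single line. The audit field layout is an assumption taken from the IdP 2.x documentation.

```python
import re
import xml.etree.ElementTree as ET

# ElementTree stores xsi:type under its namespace-qualified attribute name.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Assumed field layout of a Shibboleth IdP 2.x audit record (the part after
# "[Shibboleth-Audit:NNN] - ").
AUDIT_FIELDS = (
    "event_time", "request_binding", "request_id", "relying_party",
    "profile", "asserting_party", "response_binding", "response_id",
    "principal", "authn_method", "released_attributes", "name_id",
    "assertion_ids",
)
AUDIT_LINE_RE = re.compile(r"\[Shibboleth-Audit:\d+\] - (?P<record>.+)$")


def parse_audit_line(line: str) -> dict:
    """Split one audit log line into named fields; released_attributes becomes a list
    (the IdP writes it comma-separated with a trailing comma, or empty)."""
    m = AUDIT_LINE_RE.search(line.strip())
    if m is None:
        raise ValueError("not a Shibboleth-Audit line: %r" % line)
    rec = dict(zip(AUDIT_FIELDS, m.group("record").split("|")))
    rec["released_attributes"] = [a for a in rec.get("released_attributes", "").split(",") if a]
    return rec


def requester_rules(attribute_filter_xml: str) -> set:
    """Every AttributeRequesterString value found in an attribute-filter.xml document."""
    root = ET.fromstring(attribute_filter_xml)
    return {el.get("value") for el in root.iter()
            if (el.get(XSI_TYPE) or "").endswith("AttributeRequesterString")}


def diagnose(sp_entity_id: str, attribute_filter_xml: str, audit_line: str) -> list:
    """Human-readable findings; an empty list means the exchange looks healthy."""
    rec = parse_audit_line(audit_line)
    rules = requester_rules(attribute_filter_xml)
    requester = rec["relying_party"]
    findings = []
    if requester != sp_entity_id:
        findings.append("IdP saw requester %r but the SP is configured as %r" % (requester, sp_entity_id))
    if requester not in rules:  # exact match only: http vs https, :8080, trailing slash all count
        findings.append("no AttributeRequesterString rule equals %r (rules: %s)" % (requester, sorted(rules)))
    if not rec["released_attributes"]:
        findings.append("audit record shows no released attributes for principal %r" % rec["principal"])
    return findings


# Constructed attribute-filter.xml excerpt, modeled on the one posted in the thread.
ATTRIBUTE_FILTER_XML = """<afp:AttributeFilterPolicyGroup
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseUidToLiferay">
    <afp:PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="http://halfback.cnaf.infn.it/c/portal/login/"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://halfback.cnaf.infn.it/c/portal/login/"/>
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="uid"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# The audit line from the thread, re-joined: the requester carries ":8080" and matches no rule.
MISMATCH_LINE = (
    "14:37:59.216 - INFO [Shibboleth-Audit:950] - 20110503T123759Z|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_ced679c57fcef0aaaee463a371a4094a|"
    "http://halfback.cnaf.infn.it:8080/c/portal/login/|urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://gridlab01.cnaf.infn.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_d3a0489ce4906fce84ce154020cd3408|dmichelotto|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||"
    "_6ff382b61feb326ea0c607bff8318184||")

# Constructed "healthy" line: requester equals a rule value and uid is released.
HEALTHY_LINE = (
    "14:40:12.001 - INFO [Shibboleth-Audit:950] - 20110503T124012Z|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_constructedreq0001|"
    "https://halfback.cnaf.infn.it/c/portal/login/|urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://gridlab01.cnaf.infn.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_constructedresp0001|dmichelotto|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,||"
    "_constructedassert0001||")

if __name__ == "__main__":
    print("as posted:", diagnose("http://halfback.cnaf.infn.it:8080/c/portal/login/",
                                 ATTRIBUTE_FILTER_XML, MISMATCH_LINE))
    print("corrected:", diagnose("https://halfback.cnaf.infn.it/c/portal/login/",
                                 ATTRIBUTE_FILTER_XML, HEALTHY_LINE) or ["no findings"])
```

Run against a tail of idp-process.log, the third finding is the one to watch on a live system: an audit record with an empty attribute field for a principal who did authenticate means the SP will build a session with no REMOTE_USER source, which is exactly how Liferay ends up treating the user as guest.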

marco.bencivenni

May 4, 2011, 8:54:59 AM5/4/11
to casshib
Dear John,

we corrected the misconfiguration; now we have

SP's entity ID:
https://halfback.cnaf.infn.it/c/portal/login/

and the IdP's attribute release policy has the following entity IDs in it:
<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://halfback.cnaf.infn.it/c/portal/login/" />

but we continue to have the same problem: after the IDP
authentication we are redirected to
https://halfback.cnaf.infn.it/casshib/shib/liferay/Shibboleth.sso/SAML2/POST
but the page requested is not on this server.
It seems a communication problem from IdP to SP, but we are not able to
find the error.

Here is the idp.log
14:48:07.829 - DEBUG
[org.opensaml.ws.message.encoder.BaseMessageEncoder:54] - Successfully
encoded message.
14:48:07.829 - INFO [Shibboleth-Audit:950] - 20110504T124807Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_ce2ab81e4edb99e8983eefa9bcd3de39|https://halfback.cnaf.infn.it/c/portal/login/|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://gridlab01.cnaf.infn.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_f5dfcbadf3b18d6e03177e9730660b25|dmichelotto|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_8efeb66f2d0dc187dd5510efe1398c2b||


and here is the catalina.out of casshib
2011-05-04 14:48:31,667 WARN [org.springframework.web.servlet.PageNotFound] - <No mapping found for HTTP request with URI [/casshib/shib/liferay/Shibboleth.sso/SAML2/POST] in DispatcherServlet with name 'cas'>

Thanks and regards,
Marco B

John Mitchell

May 4, 2011, 12:58:53 PM5/4/11
to cas...@googlegroups.com
Marco,

Something is incorrect in the URL mapping as it says. What does your
Apache configuration look like in front of your Tomcat instance? If
the mapping was correct you should see the metadata for the SP at the
following URL:

https://halfback.cnaf.infn.it/casshib/shib/liferay/Shibboleth.sso/Metadata


--
John P. Mitchell <jpmit...@alaska.edu>
907.450.8320
http://www.alaska.edu/oit/iam

marco.bencivenni

May 6, 2011, 10:28:32 AM5/6/11
to casshib
Dear John,

yes, from that URL we obtain the metadata of our SP.
Now we are redirected to Liferay after the IDP authentication, but
we are not logged in to Liferay.
Below is our configuration:

Regards,
Marco B

######## CAS - LIFERAY CONFIGURATION ##########
Server Name halfback.cnaf.infn.it:8080
######## IDP CONFIGURATION #######

-----> /opt/shibboleth-idp/conf/attribute-filter.xml

[...]
<afp:AttributeFilterPolicy id="applicazioniAmmesse">
  <afp:PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="http://halfback.cnaf.infn.it:8080/en/c/portal/login/" />
  </afp:PolicyRequirementRule>
  <afp:AttributeRule attributeID="uid">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
[...]

-----> /opt/shibboleth-idp/conf/relying-party.xml

[...]
<MetadataProvider id="liferay" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
  <MetadataResource xsi:type="resource:FilesystemResource" file="/opt/shibboleth-idp/metadata/liferay-metadata.xml" />
</MetadataProvider>
[...]


######## SP CONFIGURATION #######

-----> /etc/shibboleth/shibboleth2.xml

[...]
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="halfback.cnaf.infn.it" port="443" scheme="https">
      <PathRegex regex="casshib/shib/liferay" applicationId="liferay" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
</RequestMapper>
[...]
<ApplicationDefaults id="default" policyId="default"
    entityID="https://halfback.cnaf.infn.it/shibboleth"
    homeURL="https://halfback.cnaf.infn.it/index.html"
    REMOTE_USER="eppn persistent-id targeted-id"
    signing="false" encryption="false">
[...]
  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
      handlerURL="/Shibboleth.sso" handlerSSL="false"
      exportLocation="https://halfback.cnaf.infn.it/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
      idpHistory="false" idpHistoryDays="7">
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
        relayState="cookie" entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth">
      <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
      <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    </SessionInitiator>

    <md:AssertionConsumerService Location="/SAML2/POST" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    <md:AssertionConsumerService Location="/SAML/POST" index="5"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

    <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
    <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
      <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
      <LogoutInitiator type="Local"/>
    </LogoutInitiator>

    <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
    <md:SingleLogoutService Location="/SLO/SOAP"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

    <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
    <md:ManageNameIDService Location="/NIM/SOAP"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

    <!-- md:ArtifactResolutionService locations resolve artifacts issued when using the
         SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP. -->
    <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

    <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

    <!-- Status reporting service. -->
    <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

    <!-- Session diagnostic service. -->
    <Handler type="Session" Location="/Session" showAttributeValues="false"/>

  </Sessions>
[...]
  <!-- this contains the service metadata for app1 and app2 -->
  <MetadataProvider type="XML" file="liferay-metadata.xml"/>
  <!-- this contains the metadata for our identity provider -->
  <MetadataProvider type="XML" file="idp-metadata.xml"/>
[...]
  <ApplicationOverride id="liferay"
      entityID="http://halfback.cnaf.infn.it:8080/en/c/portal/login/"
      homeURL="http://halfback.cnaf.infn.it:8080/en/c/portal/login/"
      REMOTE_USER="shibattr-uid">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/casshib/shib/liferay/Shibboleth.sso"
        handlerSSL="true"
        exportLocation="/casshib/shib/liferay/Shibboleth.sso/GetAssertion"
        idpHistory="false" idpHistoryDays="7"
        cookieProps="; path=/en/c/portal/login/">
    </Sessions>
  </ApplicationOverride>
[...]

######## CASSHIB CONFIGURATION #######

-----> /opt/tomcat/webapp/casshib/WEB-INF/classes/casshib-service-registration.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<casShibServiceRegistrations>
<service id="http://halfback.cnaf.infn.it:8080/en/c/portal/login/"
appname="liferay"
passcode="101" />
</casShibServiceRegistrations>

######## LOG FILES #######

-----> idp-process.log

16:22:58.943 - DEBUG
[org.opensaml.ws.message.encoder.BaseMessageEncoder:54] - Successfully
encoded message.
16:22:58.943 - INFO [Shibboleth-Audit:950] - 20110505T142258Z|
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|
_707389a6854361a7385791e33a7afec5|http://halfback.cnaf.infn.it:8080/en/
c/portal/login/|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://
2.0:bindings:HTTP-POST|_3d817837f5cdc64f71f0ad9a439f455d|mbenci|
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||
_f44941229bb0e84b19077229d31257ac||

-----> /opt/tomcat/logs/catalina.out

2011-05-05 16:41:47,657 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading
registered services.>
2011-05-05 16:41:47,657 DEBUG
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding
registered service https://halfback.cnaf.infn.it/app1/>
2011-05-05 16:41:47,657 DEBUG
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding
registered service http://halfback.cnaf.infn.it:8080/en/c/portal/login/>
2011-05-05 16:41:47,657 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 2
services.>

-----> cas.log

2011-05-05 16:41:47,657 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading
registered services.
2011-05-05 16:41:47,657 DEBUG
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding
registered service https://halfback.cnaf.infn.it/app1/
2011-05-05 16:41:47,657 DEBUG
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding
registered service http://halfback.cnaf.infn.it:8080/en/c/portal/login/
2011-05-05 16:41:47,657 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2
services.

-----> /opt/liferay/tomcat/logs/catalina.out
after login with log level DEBUG

14:42:52,758 DEBUG [PrincipalThreadLocal:30] getName null
14:42:52,806 DEBUG [PrincipalThreadLocal:30] getName null
14:42:52,825 DEBUG [PrincipalThreadLocal:30] getName null
14:42:52,849 DEBUG [PrincipalThreadLocal:30] getName null
14:42:52,866 DEBUG [PrincipalThreadLocal:30] getName null
14:42:58,025 DEBUG [PrincipalThreadLocal:30] getName null
14:42:58,081 DEBUG [PrincipalThreadLocal:30] getName null
14:42:58,113 DEBUG [PrincipalThreadLocal:30] getName null
14:42:58,136 DEBUG [PrincipalThreadLocal:30] getName null
14:42:58,148 DEBUG [PrincipalThreadLocal:30] getName null
14:42:58,349 DEBUG [PrincipalThreadLocal:42] setName 10134
14:42:58,352 DEBUG [PrincipalThreadLocal:42] setName 10134
14:42:58,357 DEBUG [PrincipalThreadLocal:42] setName 10134
14:42:58,359 DEBUG [PrincipalThreadLocal:42] setName 10134
14:42:58,376 DEBUG [PrincipalThreadLocal:42] setName 10134
14:42:58,387 DEBUG [PrincipalThreadLocal:42] setName 10134


in the db of liferay under table User_ the userId 10134 is the guest
user




John Mitchell

May 6, 2011, 2:03:36 PM5/6/11
to cas...@googlegroups.com
Marco,

After logging in can you open the following URL and see some
session info like the following:

https://halfback.cnaf.infn.it/casshib/shib/liferay/Shibboleth.sso/Session

Miscellaneous
Client Address: 137.229.12.89
Identity Provider: urn:mace:incommon:alaska.edu
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2011-05-06T18:00:55.656Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Authentication Context Decl: (none)
Session Expiration (barring inactivity): 479 minute(s)

Attributes
eppn: 1 value(s)

If so then I am out of ideas. Maybe try to integrate Liferay with
SimpleSAMLPHP? It supports protocol bridging like this natively and is
really easy to set up.

Marco Bencivenni

May 9, 2011, 8:34:35 AM5/9/11
to cas...@googlegroups.com
Dear John,

if we try the link you have suggested we don't see any attributes, maybe this is the real problem...

Miscellaneous
Client Address: 172.16.10.25
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2011-05-09T09:37:27.977Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Session Expiration (barring inactivity): 458 minute(s)

Attributes

and these are the idp logs:

2011-05-09 14:32:08 DEBUG OpenSAML.MessageDecoder.SAML2 [8]: extracting issuer from SAML 2.0 protocol message
2011-05-09 14:32:08 DEBUG OpenSAML.MessageDecoder.SAML2 [8]: message from (https://gridlab01.cnaf.infn.it/idp/shibboleth)
2011-05-09 14:32:08 DEBUG OpenSAML.MessageDecoder.SAML2 [8]: searching metadata for message issuer...
2011-05-09 14:32:08 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [8]: evaluating message flow policy (replay checking on, expiration 60)
2011-05-09 14:32:08 DEBUG XMLTooling.StorageService [8]: inserted record (_aba0cb09806516a8e326ce5e69329a0b) in context (MessageFlow) with expiration (1304944567)
2011-05-09 14:32:08 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [8]: evaluating message flow policy (replay checking on, expiration 60)
2011-05-09 14:32:08 DEBUG XMLTooling.StorageService [8]: inserted record (_b844f80b31e83669f0e360f873307773) in context (MessageFlow) with expiration (1304944567)
2011-05-09 14:32:08 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [8]: validating signature profile
2011-05-09 14:32:08 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [8]: signature verified against message issuer
2011-05-09 14:32:08 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [8]: assertion satisfied bearer confirmation requirements
2011-05-09 14:32:08 WARN Shibboleth.AttributeResolver.Query [8]: can't attempt attribute query, either no NameID or no metadata to use
2011-05-09 14:32:08 DEBUG Shibboleth.SessionCache [8]: creating new session
2011-05-09 14:32:08 DEBUG Shibboleth.SessionCache [8]: storing new session...
2011-05-09 14:32:08 DEBUG XMLTooling.StorageService [8]: inserted record (session) in context (_c5738b934a49453d9e8a936165076870) with expiration (1304947928)
2011-05-09 14:32:08 DEBUG XMLTooling.StorageService [8]: inserted record (_b844f80b31e83669f0e360f873307773) in context (_c5738b934a49453d9e8a936165076870) with expiration (1304947928)
2011-05-09 14:32:08 INFO Shibboleth.SessionCache [8]: new session created: ID (_c5738b934a49453d9e8a936165076870) IdP (https://gridlab01.cnaf.infn.it/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (172.16.10.25)

Regards,
Marco B
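An added example that is not part of either post above: a Python triage helper for the two pieces of evidence John asked for and Marco supplied, the plain-text output of the SP's /Shibboleth.sso/Session handler and the SP daemon log. It parses the Session page into its Miscellaneous labels and its attribute counts (handling a value wrapped onto the next line, as in John's paste), then reports what a defender checks first: whether a session exists at all, whether it records an IdP, whether it carries any attributes (without them REMOTE_USER, and so the CAS principal, cannot be filled), and whether the SP logged the "can't attempt attribute query" warning. The two Session texts and the two log lines are taken from the posts above; the label-matching regexes are this example's own assumption about the handler's layout.

```python
import re

# A "Label: value" line in the Miscellaneous section. Labels contain a space,
# which distinguishes them from a bare URN value (urn:oasis:...) that the
# handler may print on a line of its own.
MISC_RE = re.compile(r"^(?P<k>[A-Za-z][^:]* [^:]+):\s*(?P<v>.*)$")
ATTR_RE = re.compile(r"^(?P<name>\S+):\s+(?P<n>\d+) value\(s\)$")
# Warning the SP daemon writes when it cannot look up attributes (seen in the thread).
SP_WARNING = "can't attempt attribute query"


def parse_session_page(text: str) -> dict:
    """Parse /Shibboleth.sso/Session output into
    {'misc': {label: value}, 'attributes': {name: value_count}}."""
    misc, attrs = {}, {}
    section, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Miscellaneous", "Attributes"):
            section, pending = line, None
            continue
        if section == "Miscellaneous":
            m = MISC_RE.match(line)
            if m:
                misc[m.group("k")] = m.group("v")
                pending = m.group("k") if not m.group("v") else None
            elif pending:  # value was wrapped onto the following line
                misc[pending], pending = line, None
        elif section == "Attributes":
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group("name")] = int(m.group("n"))
    return {"misc": misc, "attributes": attrs}


def triage(session_text: str, sp_log: str) -> list:
    """Findings in the order a defender would check them; empty means the session is usable."""
    info = parse_session_page(session_text)
    findings = []
    if "Authentication Time" not in info["misc"]:
        findings.append("no SP session established")
    if "Identity Provider" not in info["misc"]:
        findings.append("session records no Identity Provider entity ID")
    if not info["attributes"]:
        findings.append("session carries no attributes, so REMOTE_USER cannot be populated")
    for line in sp_log.splitlines():
        if SP_WARNING in line:
            findings.append("SP log: " + line.split("]: ", 1)[-1])
    return findings


# Session output as John posted it (one attribute received).
SESSION_WITH_ATTRS = """Miscellaneous
Client Address: 137.229.12.89
Identity Provider: urn:mace:incommon:alaska.edu
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2011-05-06T18:00:55.656Z
Authentication Context Class:

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Authentication Context Decl: (none)
Session Expiration (barring inactivity): 479 minute(s)

Attributes
eppn: 1 value(s)
"""

# Session output as Marco posted it (a session, but no attributes and no IdP line).
SESSION_EMPTY = """Miscellaneous
Client Address: 172.16.10.25
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2011-05-09T09:37:27.977Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Session Expiration (barring inactivity): 458 minute(s)

Attributes
"""

# Two SP daemon log lines from Marco's post.
SP_LOG = """2011-05-09 14:32:08 WARN Shibboleth.AttributeResolver.Query [8]: can't attempt attribute query, either no NameID or no metadata to use
2011-05-09 14:32:08 INFO Shibboleth.SessionCache [8]: new session created: ID (_c5738b934a49453d9e8a936165076870) IdP (https://gridlab01.cnaf.infn.it/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (172.16.10.25)
"""

if __name__ == "__main__":
    print("John's session:", triage(SESSION_WITH_ATTRS, "") or ["no findings"])
    print("Marco's session:", triage(SESSION_EMPTY, SP_LOG))
```

The point of separating the three session checks is that they fail at different layers: no session means the ACS endpoint or request mapping is wrong (the earlier 404 in this thread), a session with no IdP or no attributes means the assertion was accepted but attribute release or resolution failed (the entity ID mismatch and the attribute-query warning), and only the last case ends with Liferay silently mapping the user to guest.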
