[Shib-Users] Shibboleth.sso/Status gives page not found error


Harsha Vs -X (hvs - ABO Ventures at Cisco)

Apr 30, 2010, 1:11:48 AM
to shibbole...@internet2.edu

Hi,

I have installed Shibboleth SP on Linux Red Hat, where Apache mod_shib is used to intercept the requests. I am using the USC metadata to connect to the USC test IdP installation (https://shibboleth-test.usc.edu/shibboleth-idp/SSO).

I test it on the Linux box with the URL https://localhost/Shibboleth.sso/Status to check the configuration, and it gives me the status handler XML with status OK.

Now I test https://localhost/secure. It takes me to the IdP site for authentication, and upon entering the credentials it brings me back to the URL https://localhost.localdomain/Shibboleth.sso/SAML2/POST.

Everything is fine. Now I created an actual folder named secure, placed an HTML file named welcome.html in it, and tried to reach the HTML file with the steps stated above. I reach the page without any issues.

The thing to notice is that the URL the IdP sent me back to has localhost.localdomain instead of localhost.

Now I try to test it from a different machine using the IP of the machine where my Apache and Shibboleth service provider are installed. The IP of the Linux box is 10.64.61.81.

- I hit the URL https://10.64.61.81/secure/welcome.html
  - Apache sends to Shibboleth SP, and Shibboleth gives me a 302 and redirects me to the IdP
  - IdP gives me the login page
- I provide credentials
  - IdP authenticates and sends me back with a 302 and the URL https://localhost.localdomain/Shibboleth.sso/SAML2/POST
  - It is obvious that I get to see "Firefox can't find the server at localhost.localdomain."

To fix this I changed spconfig\applicationdefault\handlerURL to https://10.64.61.81/Shibboleth.sso instead of the default value /Shibboleth.sso.

Now:

- I hit the URL https://10.64.61.81/secure/welcome.html
  - Apache sends to Shibboleth SP, and Shibboleth gives me a 302 and redirects me to the IdP
  - IdP gives me the login page
- I provide credentials
  - IdP authenticates and sends me back with a 302 and the URL https://localhost.localdomain/Shibboleth.sso/SAML2/POST

I see an error that

    The requested URL /Shibboleth.sso/SAML2/POST was not found on this server.

    Apache/2.2.3 (Red Hat) Server at localhost.localdomain Port 443

And now when I try to access https://localhost/Shibboleth.sso/Status it says the /Shibboleth.sso/Status URL was not found on the server.

So something goes wrong when I change the handler URL to an absolute URL instead of a relative URL. But I cannot work on localhost, and I need this setup to be available within my intranet at least.

Can someone help me here?

Thanks

Harsha

Peter Schober

Apr 30, 2010, 2:30:30 AM
to shibbole...@internet2.edu
* Harsha Vs -X (hvs - ABO Ventures at Cisco) <h...@cisco.com> [2010-04-30 07:14]:
> I test it in the linux box with url
> https://localhost/Shibboleth.sso/Status to check the
> configuration. And it gives me status handler xml with status as ok.
[...]
> Now I try to test it from a different machine using the IP of the
> machine where my apache and shibboleth service provider is
> installed. The IP of the linux box is 10.64.61.81.
[...]
> To fix this I changed the spconfig\applicationdefault\handlerURL to
> https://10.64.61.81/Shibboleth.sso instead of the default value
> /Shibboleth.sso
[...]
> So something goes wrong when I change the handler url to absolute
> url instead of relative url. But I cannot work on local host and I
> need that this set up is available within my intranet atleast.

Don't use localhost (with or without ".localdomain") or IP addresses or
change the handlerURL. Instead use a fully qualified hostname for that
machine. The only entity that needs to resolve that machine's
hostname to an IP address is the machine your web browser runs on, so
if Cisco can't afford DNS entries just add one to your local hosts file.

Note that in common deployment modes the SAML protocol endpoints for
this host will also need to be in the IdP's metadata for this SP, but I
can't speak for USC's test server.
-peter

Peter Schober

Apr 30, 2010, 2:35:45 AM
to shibbole...@internet2.edu
* Peter Schober <peter....@univie.ac.at> [2010-04-30 08:32]:
> * Harsha Vs -X (hvs - ABO Ventures at Cisco) <h...@cisco.com> [2010-04-30 07:14]:
> > So something goes wrong when I change the handler url to absolute
> > url instead of relative url. But I cannot work on local host and I
> > need that this set up is available within my intranet atleast.
>
> Don't use localhost (with or without ".localdomain") or IP addresses or
> change the handlerURL. Instead use a fully qualified hostname for that
> machine. The only entity that needs to resolve that machine's
> hostname to an IP address is the machine your web browser runs on, so
> if Cisco can't afford DNS entries just add one to your local hosts
> file.

Sorry, I misread the above. If you can't use it only on your own
machine you'll need the entry in the hosts file on each machine that
accesses this webserver (cf. DNS).
-peter

Harsha Vs -X (hvs - ABO Ventures at Cisco)

Apr 30, 2010, 1:29:42 PM
to shibbole...@internet2.edu
Hi Peter,

No, it is not working from any other system other than the m/c where I
have configured the Shibboleth service provider. And on that machine it was
working only when I used localhost.localdomain in the URL.

That being said, I requested our network department to create a DNS name,
and then it was created. One day after the DNS name was created, I tested
it with the DNS name and it started working. And even if I use my IP
address it is working absolutely fine.

So did this change fix the issue? And why did it take one day for the
change to take effect? If it can work on the IP address now, why didn't it
work earlier?

Can you throw some light on these questions so that I would be clear
on what's happening here.

Thanks for the help
Harsha

Scott Cantor

Apr 30, 2010, 1:48:58 PM
to shibbole...@internet2.edu
> No, it is not working from any other system other than the m/c where I
> have configured the Shibboleth service provider. And on that machine it was
> working only when I used localhost.localdomain in the URL.

You need to establish a canonical and correct/intended name for your web
server and configure it as appropriate, and provide metadata to the IdP that
is correct for that name information.

How you do that is up to you, and DNS is irrelevant. Names only matter when
they have to be resolved and you can do that via the client and /etc/hosts.
Your problems are due to misconfiguring your web server, metadata, or both.

If you think you can run a web server correctly without it knowing its
name, that's the root of your confusion.

We do not advise people to mess with localhost, IP addresses, etc. because
if they run into problems, they won't know enough to fix them. Anything and
everything will work just fine (back channel connectivity aside) if you know
what you're doing and you configure your web servers properly. If you don't,
it won't.

-- Scott


Harsha Vs -X (hvs - ABO Ventures at Cisco)

May 3, 2010, 3:08:37 AM
to shibbole...@internet2.edu
Scott,

I agree with you that I don't have enough knowledge of configuring a web
server, but my question was that the request to the secured resource is
being intercepted by the webserver (Apache webserver's mod_shib module) and
being forwarded to the Shibboleth service provider, from where, based on the
metadata configuration, the SP forwards the client to the IdP's login page.
This says that my configuration of the webserver is all well.

But when the IdP responds and sends the request back through POST to the
service provider, SAML2/POST, the webserver is not able to reach the service
provider.

That is why I was not sure what was going wrong. But after I heard from
Peter I requested my network team to set up a DNS name for my server, and
after 20 hours or so things fell into place and the application works fine
from any system in the intranet.

Thanks for suggestions from both of you.

Regards
Harsha

-----Original Message-----
From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Friday, April 30, 2010 11:19 PM
To: shibbole...@internet2.edu
Subject: RE: [Shib-Users] Shibboleth.sso/Status gives page not found error

Peter Schober

May 3, 2010, 3:32:08 AM
to shibbole...@internet2.edu
* Harsha Vs -X (hvs - ABO Ventures at Cisco) <h...@cisco.com> [2010-05-03 09:10]:
> I agree with you that I don't have enough knowledge of configuring a web
> server, but my question was that the request to the secured resource is
> being intercepted by the webserver (Apache webserver's mod_shib module) and
> being forwarded to the Shibboleth service provider, from where, based on the
> metadata configuration, the SP forwards the client to the IdP's login page.
> This says that my configuration of the webserver is all well.

No, there can still be errors, e.g. a wrong hostname in the SAML2
AuthnRequest to the IdP. The SP relies on the webserver it runs in to
know its own name. Since there is no way for the software to decide
what is "right" in any given deployment, the SP will happily continue
to redirect and generate messages, even if those will contain false
information (based on webserver config).
-peter

Harsha Vs -X (hvs - ABO Ventures at Cisco)

May 3, 2010, 7:34:04 AM
to shibbole...@internet2.edu
Ok.

So with the DNS name set up for this system it is all working fine
now. Do you still advise me to take care of anything? But it all works
fine now.

Thanks
harsha

-----Original Message-----
From: Peter Schober [mailto:peter....@univie.ac.at]
Sent: Monday, May 03, 2010 1:02 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] Shibboleth.sso/Status gives page not found error

Scott Cantor

May 3, 2010, 10:16:54 AM
to shibbole...@internet2.edu
> I agree with you that I don't have enough knowledge of configuring a web
> server, but my question was that the request to the secured resource is
> being intercepted by the webserver (Apache webserver's mod_shib module) and
> being forwarded to the Shibboleth service provider, from where, based on the
> metadata configuration, the SP forwards the client to the IdP's login page.
> This says that my configuration of the webserver is all well.

That isn't an accurate description of how the SP works, but moreover it
isn't factually true, as Peter said. Getting to the IdP says nothing about
how the SP web server is configured or whether it can properly generate
self-referential URLs back to itself.

> But when the IdP responds and sends the request back through POST to the
> service provider, SAML2/POST, the webserver is not able to reach the service
> provider.

The SP is not "behind" the web server, it's part of it. There's nothing to
"reach" apart from the fact that the redirections back to the SP were
incorrect because your web server did not know its own name.

All of this is covered in detail in the web server specific documentation in
the wiki.

-- Scott
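A pre-flight check for the point Scott and Peter make in the replies above: the SP can only build correct self-referential URLs (such as the SAML2/POST endpoint the IdP returns the browser to) if the web server knows its canonical name, that name is resolvable by every client, and the IdP's metadata for this SP lists the same endpoint. This is an added example, not code from the thread or from the Shibboleth project; sp.example.org, the metadata snippet and the resolver map are constructed stand-ins.

```python
"""Pre-flight check for a Shibboleth SP's self-referential URLs (constructed
example, not Shibboleth project code): checks the web server's own name, the
SP handlerURL and the SAML metadata ACS endpoints against each other."""
import ipaddress
from urllib.parse import urljoin, urlparse
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata with one SAML2 HTTP-POST ACS, as in the thread.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for what a remote browser can resolve (DNS or hosts file).
REMOTE_RESOLVER = {"sp.example.org": "10.64.61.81"}


def acs_locations(metadata_xml):
    """Return every AssertionConsumerService Location in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", MD_NS)]


def check_sp_urls(server_name, handler_url, metadata_xml, resolver):
    """Return the list of problems found; an empty list means the names agree."""
    problems = []
    # With a relative handlerURL the SP prefixes the web server's own name.
    effective = urljoin(f"https://{server_name}/", handler_url)
    host = urlparse(effective).hostname or ""
    if host in ("localhost", "localhost.localdomain"):
        problems.append(f"{host} is a loopback name; only the SP host itself can reach it")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append(f"{host} is a raw IP address, not a canonical hostname")
        except ValueError:
            if host not in resolver:
                problems.append(f"remote clients cannot resolve {host}")
    if not handler_url.startswith("/"):
        problems.append("absolute handlerURL pins the SP to one host; keep it relative")
    expected_acs = effective.rstrip("/") + "/SAML2/POST"
    if expected_acs not in acs_locations(metadata_xml):
        problems.append(f"metadata has no HTTP-POST ACS at {expected_acs}")
    return problems
```

Running it with "localhost.localdomain" as the server name reproduces the thread's failure (a loopback endpoint that the IdP's metadata does not list), while the fully qualified name with a relative handlerURL passes cleanly.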

