===================================================
opensaml::BindingException
The system encountered an error at Wed Sep 9 16:59:12 2009
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
opensaml::BindingException at (http://intvm02.sling.com/Shibboleth.sso/SAML2/POST)
Invalid HTTP method (GET).
===================================================
Was trying to make our SP & IDP talk to each other.
Any help would be greatly appreciated.
Thanks
Faizel
On 9/9/09 8:10 PM, "freh...@slingmedia.com" <freh...@slingmedia.com>
wrote:
-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----
God does not play dice with the universe; He plays an ineffable game of his
own devising, which might be compared, from the perspective of any of the
other players, to being involved in an obscure and complex version of poker
in a pitch dark room, with blank cards, for infinite stakes, with a dealer
who won't tell you the rules, and who smiles all the time.
-- Terry Pratchett, Good Omens
I get this problem with the POST endpoint if I use the NoScript Firefox
extension, unless I let it do an unsafe reload of the page. Not sure if
that's what you're seeing, but it might be a pointer in the right
direction.
--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
I'm working on a "proof of concept installation" and have been doing
the following after getting the TestShib configurations working:
1) shibboleth2.xml :- changed the SessionInitiator entityID to my SP
2) uploaded my TestShib SP metadata to my local IDP
The objective being to make my SP talk to my local IDP. Anything wrong in that
approach?
Can you guys please have a look at my SP metadata published to my local
IDP:
=========================================================
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://intsecure.sling.com/shibboleth-sp"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:KeyDescriptor>
<ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIIC+jCCAeKgAwIBAgIJANWfypNWwLqLMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNVBAMTEWlu
dHZt
MDIuc2xpbmcuY29tMB4XDTA5MDkwNDAxMTEzN1oXDTE5MDkwMjAxMTEzN1owHDEaMBgGA1UE
AxMR
aW50dm0wMi5zbGluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN2soz
4P5N
y35EnlDkhem95ADc/zPLFL03vRcvzeVbJ64y0GRKuflo5zCWh4XNiL2JaqA1W+/+b9ZJ1Cz+
ywIK
W7x3HVYqaO3P6sTgkF9YFFNzPOzjJ/Bx2GOukaSj0sl5EFIAIwBQa//FOm3u8Og6kqnE5pUT
Mew2
OZGSHZT49NM23E90fgl/+36JhekONPO1ovZTBbxiUMJ8EBu2Z9PQKadcRUO1Vuqee14O2eAK
qNEh
lpFGCcJK09BSvjye49E2tErBGHDVfoD+6QqlRiiyjbXc9U6YI58iHGynnlkqs6rgD3HjPlJ3
joaD
jj7r39+NC4OKS3oCKJCF+0A9L2rnAgMBAAGjPzA9MBwGA1UdEQQVMBOCEWludHZtMDIuc2xp
bmcu
Y29tMB0GA1UdDgQWBBTLS4bGNVYMO8A9/jk2Nqq9Km/SYzANBgkqhkiG9w0BAQUFAAOCAQEA
sAFM
eg2cTlIKH2XifHW7j5gl0eouVR0hISmxKdClWCiTVbsDnl2WPaIDPAsvNCPZ9/SF5/lUvnZE
JLuB
RyLWf2AVbl09fN9yL43JSQ8FX7N/nLDiM7tGMoKwpnPakepfLPp5OXPMJ/ibsCNe9u+lCwcS
BdnX
WZVPnTbpe3mdAkvcd38qz0+Tt4kV6SK5C6FHtkQPZsHQibhinIqo31HNnXsyiiEND5yeES0I
eNgM
fqSA8RCAFlU74Lwny+rSEsrPPpwrsqY9C5CGupTffmVEFQuTsGXlKNgJ/DdH9YaE56F9nGVe
2fd2
PAbSvPqVvHVpd0GlCgdvHH1Zq/OY886prg==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://intsecure.sling.com/Shibboleth.sso/SAML2/POST"
index="1"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://intsecure.sling.com/Shibboleth.sso/SAML2/POST"
index="2"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="http://intsecure.sling.com/Shibboleth.sso/SAML2/POST-SimpleSign"
index="3"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://intsecure.sling.com/Shibboleth.sso/SAML2/Artifact"
index="4"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="http://intsecure.sling.com/Shibboleth.sso/SAML2/Artifact"
index="5"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="http://intsecure.sling.com/Shibboleth.sso/SAML/POST"
index="6"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.1:profiles:browser-post"
Location="http://intsecure.sling.com/Shibboleth.sso/SAML/POST"
index="7"/>
</md:SPSSODescriptor>
<md:Organization
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:OrganizationName
xml:lang="en">intsecure.sling.com</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">TestShib SP</md:OrganizationDisplayName>
<md:OrganizationURL
xml:lang="en">http://intsecure.sling.com/</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:GivenName>Kalleri</md:GivenName>
<md:SurName>Faizel Rehiman</md:SurName>
<md:EmailAddress>freh...@openidp.org</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
=====================================================================
Thanks
Faizel
Is there supposed to be a difference between turning Javascript off, and
using NoScript?
-- Scott
The error means exactly what it says. Is there something about the message
that doesn't make sense?
Your browser is, well, your browser. If it's buggy or misbehaving, you'd
have to figure out why, I guess.
-- Scott
NoScript does other things in addition to turning off Javascript that
makes life even harder for web applications wanting to do what Shibboleth
is doing, such as disallowing cross-site POST.
To be clear, I don't consider NoScript blocking a problem for Shibboleth to
fix, but rather something requiring modification of the NoScript
configuration. I only mentioned it because it can be unintuitive to
people who are using NoScript to block the more typical advertising junk.
I suspect adding the IdP to the trusted sites in one's NoScript
configuration would fix the problem.
I've turned off the option "turn cross-site POST requests into data-less
GET requests" in NoScript's Advanced/XSS configuration. It was causing
endless loops in NoScript code when posting an assertion from the IdP to
a SP.
Regards,
Etienne
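
Added example, not part of the thread and not Shibboleth's own code: a Python check that compares the request reported in the BindingException (method and URL) with the AssertionConsumerService entries in SP metadata, showing why a POST that arrives as a GET is rejected at the SAML2/POST endpoint. The sample metadata is a constructed excerpt of the metadata posted above, and `acs_endpoints` and `check_request` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Bindings whose response must arrive in an HTTP POST body.
POST_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
}

# Constructed sample: three ACS entries from the thread's metadata, rest omitted.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://intsecure.sling.com/shibboleth-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://intsecure.sling.com/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://intsecure.sling.com/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://intsecure.sling.com/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def acs_endpoints(metadata_xml):
    """Return (index, binding, location) for every AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    return [(int(e.get("index")), e.get("Binding"), e.get("Location"))
            for e in root.iter("{%s}AssertionConsumerService" % MD_NS)]

def check_request(metadata_xml, method, url):
    """Compare one observed request against the ACS endpoints in the metadata."""
    findings, seen = [], set()
    endpoints = acs_endpoints(metadata_xml)
    req = urlsplit(url)
    for index, binding, location in endpoints:
        if (binding, location) in seen:
            findings.append("index %d duplicates an earlier binding/location" % index)
        seen.add((binding, location))
        if urlsplit(location).path == req.path and binding in POST_BINDINGS and method != "POST":
            findings.append("index %d is a POST binding but the request was %s" % (index, method))
    if req.netloc not in {urlsplit(loc).netloc for _, _, loc in endpoints}:
        findings.append("host %s is not in any ACS Location" % req.netloc)
    return findings

if __name__ == "__main__":
    # Method and URL as reported in the BindingException at the top of the thread.
    print(check_request(SAMPLE_METADATA, "GET", "http://intvm02.sling.com/Shibboleth.sso/SAML2/POST"))
```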