[Shib-Users] 404 Error while Accessing /Shibboleth.sso/SAML2/POST


rudra moorthy

Oct 18, 2010, 3:50:52 AM
to shibbole...@internet2.edu
Hi,

I am using IBM HTTP Server for Shibboleth SP. IBM HTTP Server is connecting to IBM WebSphere using the regular IBM plug-in. IDP is Novell Access Manager 3.1.

I am facing an issue while the IDP is trying to send a response. I am able to connect to the IDP by sending the request, but while receiving the response I am seeing the 404 error. In the browser the URL is showing https://XXX/Shibboleth.sso/SAML2/POST. I attached my shibboleth2.xml and SP metadata file. My virtual host configuration is given below:

<VirtualHost *:8443>
ServerName XXX
SSLEnable
SSLProtocolDisable SSLv2
Keyfile D:/IBMHTTPServer61/Plugins/etc/ssl/plugIn.kdb
## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

SSLV3Timeout 1000

<LocationMatch "/WSC">
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</LocationMatch>
</VirtualHost>


My guess is that the web server is diverting everything to WebSphere, and since WebSphere doesn't know what to do with Shibboleth.sso/SAML2/POST it is failing.

Please let me know how to fix this issue. Thanks for your help.

WSC_SSO_UAT_Metadata.xml
shibboleth2.xml

View this message in context: 404 Error while Accessing /Shibboleth.sso/SAML2/POST
Sent from the Shibboleth - Users mailing list archive at Nabble.com.

Peter Schober

Oct 18, 2010, 4:31:29 AM
to shibbole...@internet2.edu
* rudra moorthy <rudr...@gmail.com> [2010-10-18 09:51]:

> I am facing an issue while the IDP is trying to sending an response.i am
> able to connect to the IDP by sending the request but while receiving the
> response I am seeing the 404 error. In the browser the URL is showing
> https://XXX/Shibboleth.sso/SAML2/POST. I attached my shibboleth2.xml and SP
> metadata file. My virtual host configuration is given below,

Why did you need to change the handlerURL to an absolute URL (instead
of leaving the default)?

Also, the Apache httpd config you sent does not contain any directives
that would cause proxying of content anywhere else, so if you wanted
to prevent sending off requests to the shib handler to Websphere this
is the wrong config file.
-peter

rudra moorthy

Oct 18, 2010, 5:28:17 AM
to shibbole...@internet2.edu
I have to change the handler URL because for port 8443 the resulting URL (if I leave it at the default) is https://XXX:80/Shibboleth.sso/SAML2/POST instead of https://XXX/shibboleth.sso/SAML2/POST, and my client doesn't want the XXX:80 format and they didn't configure their firewall for XXX:80. We also tried using the scheme and port attributes in shibboleth2.xml to remove the appearance of port 80 in the URL, but we failed. Only then did I suggest using this.

I copied the virtual host tag from the IBM httpd.conf which I am using for Shibboleth SP. There is an IBM plug-in acting on port 8443 for diverting calls to WebSphere. I am not using proxy pass for handling the WebSphere calls.


Scott Cantor

Oct 18, 2010, 9:43:13 AM
to shibbole...@internet2.edu
> i have to change the handler URL because for the port 8443 the resulting URL
> (if i am leaving to default) is https://XXX:80/Shibboleth.sso/SAML2/POST
> instead of https://XXX/shibboleth.sso/SAML2/POST and my client doesn't want
> in XXX:80 format and they didn't configured their firewall for XXX:80. we
> also tried using the scheme and port attributes in shibboleth2.xml to remove
> the appearance of port 80 in URL but we failed. Only then i suggested using
> this.

You'll need to figure out how to configure the web server to virtualize
itself, using the handlerURL that way won't work.

Most likely it's returning a 404 precisely because the handlerURL does not
match the properties of the request into the web server.

-- Scott

rudra moorthy

Oct 18, 2010, 11:04:38 AM
to shibbole...@internet2.edu

OK, then I have another question. With the virtual host configuration above,
when I try to access https://XXX/WSC, it always goes to
https://XXX:80/WSC. Why? Is this an Apache issue or a Shibboleth one?

Scott Cantor

Oct 18, 2010, 11:11:15 AM
to shibbole...@internet2.edu
> Ok, then I have another question. To the virtual host configuration above
> when I try to access to https://XXX/WSC. It is always going to
> https://XXX:80/WSC why? is this Apache issue or Shibboleth one?

It's an Apache issue.

-- Scott


rudra moorthy

Oct 18, 2010, 11:16:52 AM
to shibbole...@internet2.edu

Is there any fix for that? Like proxy pass?

Scott Cantor

Oct 18, 2010, 11:37:25 AM
to shibbole...@internet2.edu
> is there any fix for that? like proxy pass

It has nothing to do with proxying; you're virtualizing your server in some
fashion so you need to configure Apache to know about it with the ServerName
setting.

-- Scott


rudra moorthy

Oct 18, 2010, 11:44:40 AM
to shibbole...@internet2.edu

Scott,

If you see my virtual host configuration, I already specified the ServerName
as XXX. Should I also add the port to that? Could you please give me an
example?

Scott Cantor

Oct 18, 2010, 11:53:19 AM
to shibbole...@internet2.edu
> If you see my virtual host configuration I already specified the Server name
> as XXX should I also add the port to that? could you please give me an
> example

I don't know what you're trying to do or what your settings would need to
be, and I don't have time to find out and teach you how to run Apache. They
have documentation so I suggest you try there.

-- Scott


Peter Schober

Oct 18, 2010, 11:53:28 AM
to shibbole...@internet2.edu
* rudra moorthy <rudr...@gmail.com> [2010-10-18 17:45]:

> If you see my virtual host configuration I already specified the
> Server name as XXX should I also add the port to that? could you
> please give me an example

http://httpd.apache.org/docs/2.2/en/mod/core.html#servername
-peter

sofia cardita

Oct 18, 2010, 4:34:59 PM
to shibbole...@internet2.edu
Something along these lines:

<VirtualHost 94.236.2.242:80>
ServerName   domain.pt:80
ServerAlias  www.domain.pt
UseCanonicalName On
#etc 
</VirtualHost>

<VirtualHost 94.236.2.242:443>
ServerName   domain.pt:443
ServerAlias  www.domain.pt
UseCanonicalName On
#etc 
</VirtualHost>

Sofia
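
The mismatch discussed in this thread (the web server reporting itself as https://XXX:80 while the IdP posts to https://XXX/Shibboleth.sso/SAML2/POST) can be checked offline. The following is an added example, not code from any poster or from the Shibboleth project: a simplified comparison of the AssertionConsumerService locations in SP metadata against the base URL the web server is configured to report. The sample metadata, the host sp.example.org and the function names are constructed for illustration, and the assumption is that scheme, host and port must all agree.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample metadata (not the poster's attachment); host is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def normalize(url):
    """Return (scheme, host, port, path), filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port, u.path


def acs_locations(metadata_xml):
    """Extract every AssertionConsumerService Location from SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location")
            for e in root.iterfind(".//md:AssertionConsumerService", MD_NS)]


def check_acs(metadata_xml, server_url, handler_path="/Shibboleth.sso"):
    """Compare each ACS Location with the base URL the web server reports.

    server_url is what the vhost claims to be (ServerName plus effective
    scheme and port), e.g. "https://sp.example.org:80" when misconfigured.
    Returns a list of (location, [problems]); an empty list means it matches.
    """
    want = normalize(server_url)[:3]
    findings = []
    for loc in acs_locations(metadata_xml):
        scheme, host, port, path = normalize(loc)
        problems = []
        if (scheme, host, port) != want:
            problems.append(f"origin {scheme}://{host}:{port} != "
                            f"server {want[0]}://{want[1]}:{want[2]}")
        if not path.startswith(handler_path + "/"):
            problems.append(f"path {path} is outside {handler_path}")
        findings.append((loc, problems))
    return findings
```
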