[Shib-Users] opensaml::FatalProfileException or User login problem?


Filipa Moura
Apr 3, 2009, 10:43:46 AM
to shibbole...@internet2.edu

I’m trying to test shibb on a local environment following the steps on

When accessing “https://sp.example.com/secure”:

· If on the handler.xml I un-comment the “<LoginHandler xsi:type="RemoteUser">” I can’t seem to get a login because the message “A valid session was not found.” is always returned, no matter if I type a correct or incorrect password, I always get the same.

· If on the handler.xml I comment the “<LoginHandler xsi:type="RemoteUser">” I get the following error:

opensaml::FatalProfileException at (http://sp.example.com/Shibboleth.sso/SAML2/POST)
SAML response contained an error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

What should I do and how can I fix this?

Filipa Moura

Paul Hethmon
Apr 3, 2009, 10:57:06 AM
to Shibboleth Users
On 4/3/09 10:43 AM, "Filipa Moura" <filipa...@alert.pt> wrote:

> I’m trying to test shibb on a local environment following the steps on
>
> When accessing “https://sp.example.com/secure”
> · If on the handler.xml I un-comment the “<LoginHandler xsi:type="RemoteUser">” I can’t seem to get a login because the message “A valid session was not found.” is always returned, no matter if I type a correct or incorrect password, I always get the same.

Did you set up your container managed authentication?

> · If on the handler.xml I comment the “<LoginHandler xsi:type="RemoteUser">” I get the following error
>
> opensaml::FatalProfileException at (http://sp.example.com/Shibboleth.sso/SAML2/POST)
> SAML response contained an error.
> Error from identity provider:
> Status: urn:oasis:names:tc:SAML:2.0:status:Responder
> Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

What did you use to perform authentication here?

You have to configure some type of authentication. Shib, itself, doesn’t do authentication. It does have support for tying into several different basic authentication mechanisms such as the container managed RemoteUser, UsernamePassword via JAAS, and LDAP based. But since it doesn’t know what you have available, there is nothing there by default.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and he's warm for the rest of his life.

 -- Terry Pratchett, Discworld

Filipa Moura
Apr 3, 2009, 11:00:40 AM
to shibbole...@internet2.edu

Not even for local testing? I just want to see how it works, simple. Do I really have to configure some type of authentication? If so, what do you think is the simplest? :\

Paul Hethmon
Apr 3, 2009, 11:09:22 AM
to Shibboleth Users
On 4/3/09 11:00 AM, "Filipa Moura" <filipa...@alert.pt> wrote:

> Not even for local testing? I just want to see how it works, simple. Do I really have to configure some type of authentication? If so, what do you think is the simplest? :\

You’ve got to configure something. Simplest depends on what you know already. If you know how to configure the container based authentication for the container you are running Shib in, then that’s the simplest. I think there is a handler in there that uses IP address, for testing, you could allow all.

Filipa Moura
Apr 3, 2009, 11:16:34 AM
to shibbole...@internet2.edu

I tried this:

<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.16.0/8</IPEntry>
</LoginHandler>

Yet the error returned is the same:

opensaml::FatalProfileException at (http://sp.example.com/Shibboleth.sso/SAML2/POST)
SAML response contained an error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

On the idp-process.log I get:

16:15:07.432 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:592] - No user identified by login handler.
16:15:07.435 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:554] - Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
                at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:593) [shibboleth-identityprovider-2.1.1.jar:na]
[…]

I mean, shouldn’t this work? :\

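A pre-flight check for the IPAddress handler block posted above, as an added example for this thread (it is not Shibboleth code and does not come from the list). The accept/deny rule is an assumption about the handler's semantics: with defaultDeny="true" the client is accepted as the configured username only if its address matches an IPEntry, otherwise it is rejected. Whether the IdP's own handler parses a prefix with host bits set leniently or rejects it is not known from the thread, so the script simply reports the discrepancy: strict CIDR parsing rejects 192.168.16.0/8, and read leniently it means 192.0.0.0/8, which matches every 192.x.x.x client, a far broader allow list than the /24 the entry looks like it intends.

```python
"""Pre-flight check for an IPAddress-style login handler block.

Added example for this thread; it is not Shibboleth code. The accept/deny
rule below is an assumption about the handler's semantics: with
defaultDeny="true" a client is accepted (as `username`) only when its address
matches at least one IPEntry; with defaultDeny="false" a matching client is
rejected and everyone else is accepted.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample: the handler block posted above, wrapped in a minimal
# root element so it parses stand-alone (the real handler.xml namespace is
# deliberately omitted here).
SAMPLE_HANDLER = """
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.16.0/8</IPEntry>
  </LoginHandler>
</root>
"""

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def parse_handler(xml_text: str) -> dict:
    """Extract type, username, defaultDeny and the IPEntry list."""
    handler = ET.fromstring(xml_text).find("LoginHandler")
    return {
        "type": handler.get(XSI_TYPE),
        "username": handler.get("username"),
        "default_deny": handler.get("defaultDeny", "false").lower() == "true",
        "entries": [e.text.strip() for e in handler.findall("IPEntry")],
    }


def check_entry(entry: str) -> Tuple[object, Optional[str]]:
    """Parse one IPEntry. Strict parsing rejects a prefix whose host bits are
    set (192.168.16.0/8 is such a prefix); the entry is then re-parsed the
    lenient way (giving 192.0.0.0/8) and a warning explains the mismatch."""
    try:
        return ipaddress.ip_network(entry, strict=True), None
    except ValueError:
        net = ipaddress.ip_network(entry, strict=False)
        return net, f"{entry}: host bits set, effectively {net}; check the prefix length"


def decide(handler: dict, client_ip: str) -> Tuple[Optional[str], List[str]]:
    """Return (principal or None, warnings) for one client address."""
    addr = ipaddress.ip_address(client_ip)
    warnings: List[str] = []
    matched = False
    for entry in handler["entries"]:
        net, warning = check_entry(entry)
        if warning:
            warnings.append(warning)
        # compare only within the same IP version; `in` raises across versions
        if addr.version == net.version and addr in net:
            matched = True
    if handler["default_deny"]:
        principal = handler["username"] if matched else None
    else:
        principal = None if matched else handler["username"]
    return principal, warnings


if __name__ == "__main__":
    cfg = parse_handler(SAMPLE_HANDLER)
    for ip in ("192.168.16.5", "192.200.1.1", "10.0.0.1"):
        principal, warns = decide(cfg, ip)
        print(f"{ip:>14} -> {principal}")
        for w in warns:
            print("   warning:", w)
```

Run it as-is and the second address, 192.200.1.1, is accepted as ip-user even though it is nowhere near 192.168.16.x; that is the practical cost of a prefix length that does not match the written address.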

Steven_...@brown.edu
Apr 3, 2009, 11:18:52 AM
to shibbole...@internet2.edu
At 4:00 PM +0100 4/3/09, Filipa Moura wrote:
>Not even for local testing? I just want to see how it works,
>simple.. Do I really have to configure some type of authentication?
>If so, what do you think is the simplest? :\
>

Is there a site in your area that is already running Shib? Might
someone from that site be willing to visit you, and work through a basic
install?

That would probably be a much faster process to get you to where you
want to be... rather than the email list...

Paul Hethmon
Apr 3, 2009, 11:22:27 AM
to Shibboleth Users
On 4/3/09 11:16 AM, "Filipa Moura" <filipa...@alert.pt> wrote:

> I tried this:
>
> <LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
>     <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
>     <IPEntry>192.168.16.0/8</IPEntry>
> </LoginHandler>

This is where you’ll have to dive into the wiki and see what it says. I’ve not used that handler myself.

Filipa Moura
Apr 3, 2009, 11:51:24 AM
to shibbole...@internet2.edu

Yes, I’ve already read the documentation and it’s exactly how it says there. I even defined it in the relying-party.xml as the default authentication method (<DefaultRelyingParty provider="https://idp.example.com/shibboleth" defaultSigningCredentialRef="IdPCredential" defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol">)…

(And yes Steven, I know I’m being a pain in the ass with this many emails, but my boss is bugging me and I cannot get this to work. It’s my 4th day installing it, and there is no site in my area that is already running Shib…)

 


Scott Cantor
Apr 3, 2009, 12:19:04 PM
to shibbole...@internet2.edu
> Yes, I've already read the documentation and it's exactly how it says there.
> I even defined it in the relying-party.xml as the default authentication

Did you turn up logging to DEBUG and then analyze it in detail to see what's
going wrong?

Search for any previous references to the problem in the list archive?

Try a search for earlier questions about "simple authentication for a demo"
or something like that?

-- Scott
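Scott's suggestion is to raise logging to DEBUG and read the log carefully. As an added example for this thread (my own helper, not part of the Shibboleth IdP), here is a small triage script for idp-process.log in the line shape seen above: it parses each "HH:MM:SS.mmm - LEVEL [logger:line] - message" entry, attaches stack-trace continuation lines to the entry they follow, counts entries per level and logger, and pulls out the authentication-engine failures with their exception text so a verbose DEBUG log can be read from the first failure rather than end to end. The sample log is constructed: it reuses the two ERROR lines from the thread and adds two earlier DEBUG/INFO lines whose logger names and messages are placeholders, not real IdP output.

```python
"""Triage helper for idp-process.log output.

Added example for this thread, not part of the Shibboleth IdP. It parses
the line shape seen above ("HH:MM:SS.mmm - LEVEL [logger:line] - message"),
attaches stack-trace continuation lines to the entry they follow, and pulls
out the authentication-engine failures so a DEBUG-level log can be read
from the first error.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two ERROR lines from the thread plus two earlier
# lines invented here to stand in for DEBUG/INFO output (logger names and
# messages on those two lines are placeholders, not real IdP output).
SAMPLE_LOG = """\
16:15:07.401 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:250] - constructed: selecting login handler for request
16:15:07.420 - INFO [edu.internet2.middleware.shibboleth.idp.authn.provider.ExampleLoginHandler:110] - constructed: evaluating client address
16:15:07.432 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:592] - No user identified by login handler.
16:15:07.435 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:554] - Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
                at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:593) [shibboleth-identityprovider-2.1.1.jar:na]
"""

# One log entry: time, level, logger name, source line, message.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) - (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]:]+):(?P<line>\d+)\] - (?P<msg>.*)$"
)


@dataclass
class Entry:
    time: str
    level: str
    logger: str
    line: int
    msg: str
    detail: List[str] = field(default_factory=list)  # continuation lines


def parse_log(text: str) -> List[Entry]:
    """Parse entries; lines that do not start an entry (exception text,
    stack frames) are attached to the entry that precedes them."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m["time"], m["level"], m["logger"],
                                 int(m["line"]), m["msg"]))
        elif entries:
            entries[-1].detail.append(raw.strip())
    return entries


def authn_failures(entries: List[Entry]) -> List[Entry]:
    """ERROR entries emitted by the IdP's authn package."""
    return [e for e in entries if e.level == "ERROR" and ".idp.authn." in e.logger]


def first_exception(entries: List[Entry]) -> Optional[str]:
    """The first exception line attached to an authn failure, if any."""
    for e in authn_failures(entries):
        for line in e.detail:
            if "Exception" in line and not line.startswith("at "):
                return line
    return None


def summarize(entries: List[Entry]) -> Dict[Tuple[str, str], int]:
    """Count entries by (level, short logger name)."""
    return dict(Counter((e.level, e.logger.rsplit(".", 1)[-1]) for e in entries))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(parsed).items()):
        print(f"{n:3d}  {key[0]:<5} {key[1]}")
    print("first exception:", first_exception(parsed))
```

On the thread's own lines the script reports two AuthenticationEngine errors and surfaces the AuthenticationException message ("No user identified by login handler."), which points at the login handler never having set a principal; the DEBUG entries immediately before that timestamp are the ones to read next.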

