Still having redirect issues


Peterson, Tommy

Jul 28, 2011, 4:08:47 PM
to us...@shibboleth.net

OK. So I tried adding https://mydomain:443 as the servername to the Apache virtual host directive to get Shibboleth to pick up the return from the IDP. I still get “The requested URL /Shibboleth.sso/SAML2/POST was not found on this server.”

 

Also, if I try https://mydomain/Shibboleth.sso/Status I get the same thing . . . “The requested URL /Shibboleth.sso/Status was not found on this server.”

 

If I put https://mymachinename/Shibboleth.sso/Status (with the correct ACL in place) I get the Metadata and OK page.

 

What is even more strange is that if I just access the site, click on a protected link, Shibboleth picks it up and sends it to the IDP which throws up the log in page etc.

 

So, I’m confused. I know how to set up VirtualHosting. I have before. And SSL is virtualized here with NameVirtualHost *:443 and the corresponding <VirtualHost *:443>. I did review the Apache documentation here-> http://httpd.apache.org/docs/2.1/vhosts/name-based.html, which says that this is OK.

 

 



This message contains Devin Group confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this e-mail in error and delete this e-mail from your system. E-mail transmissions cannot be guaranteed secure, error-free and information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or contain viruses. The sender therefore does not accept liability for errors or omissions in the contents of this message which may arise as result of transmission. If verification is required please request hard-copy version.

--
To unsubscribe from this group, send email to
users+un...@shibboleth.net

Cantor, Scott E.

Jul 28, 2011, 4:47:38 PM
to us...@shibboleth.net
On 7/28/11 4:08 PM, "Peterson, Tommy" <Tommy.P...@xpandcorp.com> wrote:

>OK. So I tried adding https://mydomain:443 as the servername to the
>Apache virtual host directive to get Shibboleth to pick up the return
>from the IDP. I still get “The requested URL /Shibboleth.sso/SAML2/POST
> was not found on this server.”

If the 404 happens in the presence of correct vhost settings, then the
usual reason seems to be the module not seeing the requests for some
reason.

<Location />
AuthType shibboleth
require shibboleth
</Location>

That may fix it. Another option would be using /Shibboleth.sso as the
Location, since that's really the goal.

>
>If I put
>https://mymachinename/Shibboleth.sso/Status
><https://mymachinename/Shibboleth.sso/Status> (with the correct ACL in
>place) I get the Metadata and OK page.

I don't understand what mymachinename is in reference to the other name,
but perhaps the module is configured as above in one vhost and not another.

>
>What is even more strange is that if I just access the site, click on a
>protected link, Shibboleth picks it up and sends it to the IDP which
>throws up the log in page etc.

That suggests the problem I refer to. The protected URLs are configured
such that the module steps in, but it's not stepping in for the
/Shibboleth.sso requests. I don't get that behavior on my servers, but
some people seem to.

-- Scott

Peterson, Tommy

Jul 28, 2011, 4:56:52 PM
to us...@shibboleth.net
I tried that Location as you suggested it before. But I want to make sure I have it correctly. Are you saying to add that to the VirtualHost directive?

Like this guy did-->http://groups.google.com/group/shibboleth-users/browse_thread/thread/eed8d3436a0703a4

While I am not using a reverse proxy the situations seem similar.

When I said that if I used https://mymachinename/Shibboleth.sso/Status I meant that the server has a name on our internal network (e.g. rt-hvcp-ws21.local). So if I just access that machine directly, not through the load balancer or the domain name, then I can get the Status page. If I try through the domain name I get the "file cannot be found".

I will try the Shibboleth.sso directive too.

Peterson, Tommy

Jul 28, 2011, 5:05:19 PM
to us...@shibboleth.net
So I tried the
<Location />
AuthType shibboleth
require shibboleth
</Location>

<Location /Shibboleth.sso>
AuthType shibboleth
require shibboleth
</Location>

In both the virtual host and the shib.conf files. Restarted apache and the service.

Same issue.

Cantor, Scott E.

Jul 28, 2011, 6:21:50 PM
to us...@shibboleth.net
On 7/28/11 5:05 PM, "Peterson, Tommy" <Tommy.P...@xpandcorp.com> wrote:
>I tried that Location as you suggested it before. But I want to make sure
>I have it correctly. Are you saying to add that to the VirtualHost
>directive?

I'm saying to add it so that it affects the requests that are apparently
not getting handled. Whatever that is in your Apache config.

>While I am not using a reverse proxy the situations seem similar.

Are you sure there's no proxy?

>When I said that if I used https://mymachinename/Shibboleth.sso/Status I
>meant that the server has a name on our internal network (e.g.
>rt-hvcp-ws21.local). So if I just access that machine directly, not through
>the load balancer or the domain name, then I can get the Status
>page. If I try through the domain name I get the "file cannot be found".

And you can show in the Apache logs on the server that the 404 requests
are actually being handled by the back-end Apache server with the SP? The
error log or access log shows the 404s?

Last question/option: did you ill-advisedly change handlerURL in the SP
config, in the Sessions element? If this is a newer SP, I don't think the
setting is even in the file by default. Just making sure.

That's about all I can think of.

Peterson, Tommy

Jul 28, 2011, 9:52:59 PM
to us...@shibboleth.net
Hello.

Here is what the access log shows:
10.100.20.3 - - [28/Jul/2011:21:39:56 -0400] "GET /" 400 466
10.100.20.3 - - [28/Jul/2011:21:39:56 -0400] "GET / HTTP/1.1" 200 2261
10.100.20.4 - - [28/Jul/2011:21:39:56 -0400] "GET / HTTP/1.1" 200 2261
10.100.20.4 - - [28/Jul/2011:21:39:56 -0400] "GET /" 400 466

And here is what the error log shows:
[Thu Jul 28 21:39:53 2011] [error] [client 10.100.10.1] File does not exist: /usr/local/zend/apache2/htdocs/Shibboleth.sso, referer: https://(myidpdomainname)/idp/profile/SAML2/Redirect/SSO

/usr/local/zend/apache2/htdocs/ is again the default content directory for these apaches.


My shibboleth2.xml files show the following:
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerURL="/Shibboleth.sso" handlerSSL="true">
<SSO entityID="https://(myidpdomainname)/idp/shibboleth">
SAML2 SAML1
</SSO>

So you say you are out of options/suggestions if the above checks out. But you have said several times that all this assumes that I am correctly virtualized on 443 since the load balancer terminates SSL on the load balancer and passes traffic through on 80. How exactly would I know that my virtual host directive is set up?

My apaches are listening on port 80 but they have ssl turned on and

NameVirtualHost *:443
<VirtualHost *:443>
#DocumentRoot "/usr/local/zend/apache2/htdocs"
ServerName https://(mydomainname):443

<Location />
AuthType shibboleth
require shibboleth
</Location>

<Location /Shibboleth.sso>
AuthType shibboleth
require shibboleth
</Location>

<Location /shibboleth-sp>
Allow from all
</Location>

ServerAdmin admin@(myvirtualname)
ErrorLog "/usr/local/zend/apache2/logs/error_log"
TransferLog "/usr/local/zend/apache2/logs/access_log"
UseCanonicalName On
SSLEngine on
SSLCipherSuite ALL:(stuffgoeshere)
SSLCertificateFile "/usr/local/zend/apache2/conf/extra/(domainname).crt"
SSLCertificateKeyFile "/usr/local/zend/apache2/conf/extra/myserver.key"
SSLCertificateChainFile "/usr/local/zend/apache2/conf/extra/chain.crt"
</virtualhost>

Any other info would greatly be appreciated as I ran out of ideas weeks ago. The people who set up the load balancer only know how to set it up. I have no knowledge of it (other than SSL terminates on it and they have opened ports 80, 443, 8443) and I have no access to it to learn about it. It is an A10 balancer so as I understand it is very, very basic.

Thanks.


________________________________________
From: Cantor, Scott E. [cant...@osu.edu]
Sent: Thursday, July 28, 2011 6:21 PM
To: us...@shibboleth.net
Subject: Re: Still having redirect issues


Cantor, Scott E.

Jul 28, 2011, 10:02:52 PM
to us...@shibboleth.net
On 7/28/11 9:52 PM, "Peterson, Tommy" <Tommy.P...@xpandcorp.com> wrote:
>
>
>My shibboleth2.xml's show the following:
> <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>relayState="ss:mem" handlerURL="/Shibboleth.sso" handlerSSL="true">

Well, that should be fine but it does pretty much imply that your problem
here remains the virtual hosting. It's treating the request as http, not
https. My suggestion to prove it is get native.log working on DEBUG so
that you'll see it process the incoming URLs and see what it thinks they
are.

I think it will show it mapping requests to http://whatever instead of
https.

One thing you can do as a test without going that far is just set
handlerSSL to false, and then hit /Shibboleth.sso/Status or whatever. If
that works, I'm right and your Apache remains broken.

>So you say you are out of options/suggestions if the above checks out.
>But you have said several times that all this assumes that I am correctly
>virtualized on 443 since the load balancer terminates ssl on the
>loadbalancer and passes traffic through on 80. How exactly would I know
>that my virutal host directive is set up?

In this case, pretty much, the 404 means it's not.

>My apaches are listening on port 80 but they have ssl turned on and
>
>NameVirtualHost *:443
><VirtualHost *:443>

This is NOT listening on 80. That would be a vhost listening on 443. It is
unused. You can do nothing by changing it, it will be ignored. Barring
other issues, what you need is to change that to *:80.

Peterson, Tommy

Jul 28, 2011, 10:58:55 PM
to us...@shibboleth.net
Well. I changed the *:443 to *:80. And checked the logs (I have it set to debug) and got
2011-07-28 22:30:18 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [41]: marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://(mydomainname)/Shibboleth.sso/SAML2/POST" Destination="https://(myidpsdomainname)/idp/profile/SAML2/Redirect/SSO" ID="_c088a22478679ebf1c425e6a50e274c3" IssueInstant="2011-07-29T02:30:18Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://(mydomainname)/moodle</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
2011-07-28 22:30:18 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [41]: message encoded, sending redirect to client

so it was ssl.

So I changed the handlerSSL to false and I got:
"An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.

This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again.

Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again.
Error Message: No peer endpoint available to which to send SAML response"

So then I went to the SP's metadata and changed the https to https

and it appears to work even though Firefox throws a pop up window about the security of it. But if the load balancer terminates SSL there I don't know why it is complaining about security.


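The three outcomes seen in this thread (Apache's 404 for /Shibboleth.sso/SAML2/POST, the IdP's "No peer endpoint available to which to send SAML response" once handlerSSL was set to false, and the login that then works but makes the browser warn) all follow from two rules that Scott's diagnosis relies on: with handlerSSL="true" the SP ignores any non-TLS request to the handlerURL and lets the web server serve it, which is a 404 when no such file exists under DocumentRoot; and the IdP will only return a response to an AssertionConsumerService URL that appears in the SP's metadata. Behind a balancer that terminates TLS and forwards plain HTTP, the backend SP sees every request as http unless it is told otherwise. The following Python model is an added example written for this page, not code from the Shibboleth SP or IdP; the host name sp.example.org, the metadata set and the function names are constructed for illustration. It walks one login attempt through both sides for Scott's diagnosis (non-TLS handler requests are ignored) and for Tommy's final experiment (handlerSSL="false").

```python
"""Model of how a Shibboleth SP behind a TLS-offloading load balancer
decides what to do with a handler request, and what the IdP then does
with the resulting AuthnRequest.  Added example; not Shibboleth code."""
from dataclasses import dataclass
from typing import Optional, Set

HANDLER_URL = "/Shibboleth.sso"   # the Sessions handlerURL shown in the thread


@dataclass(frozen=True)
class Request:
    scheme: str   # scheme the SP *believes* the client used, not the wire scheme
    host: str
    path: str


def is_handler_path(path: str) -> bool:
    return path == HANDLER_URL or path.startswith(HANDLER_URL + "/")


def sp_classify(req: Request, handler_ssl: bool) -> str:
    """What the SP does with a request.

    'handler'     - the SP answers it itself (Status page, SAML2/POST, ...)
    'passthrough' - the SP ignores it and Apache serves it; with no such
                    file under DocumentRoot that is the 404 from the thread
    'content'     - ordinary URL, subject to the <Location> rules
    """
    if not is_handler_path(req.path):
        return "content"
    if handler_ssl and req.scheme != "https":
        return "passthrough"
    return "handler"


def sp_acs_url(req: Request, handler_ssl: bool) -> str:
    """AssertionConsumerServiceURL the SP writes into its AuthnRequest.
    With handlerSSL="true" handler URLs are always generated as https
    (the debug log in the thread shows this); with handlerSSL="false"
    the scheme of the current request is used."""
    scheme = "https" if handler_ssl else req.scheme
    return f"{scheme}://{req.host}{HANDLER_URL}/SAML2/POST"


def idp_select_endpoint(requested_acs: str, metadata_acs: Set[str]) -> Optional[str]:
    """IdP side: the response may only go to an ACS Location listed in the
    SP's metadata.  None models the 'No peer endpoint available' error."""
    return requested_acs if requested_acs in metadata_acs else None


def diagnose(scheme_seen_by_sp: str, handler_ssl: bool, metadata_acs: Set[str]) -> str:
    """Walk one login attempt through SP and IdP and name the outcome."""
    host = "sp.example.org"   # constructed host standing in for (mydomainname)
    req = Request(scheme_seen_by_sp, host, HANDLER_URL + "/SAML2/POST")
    if sp_classify(req, handler_ssl) == "passthrough":
        return "404 from Apache: SP ignored non-TLS handler request"
    acs = sp_acs_url(req, handler_ssl)
    if idp_select_endpoint(acs, metadata_acs) is None:
        return f"IdP: no peer endpoint for {acs}"
    if acs.startswith("http://"):
        # Works, but the browser is sent from an https IdP page to an http
        # POST target: the assertion travels in clear to the balancer.
        return f"login works but assertion is POSTed in clear to {acs}"
    return f"login works: {acs}"


# Constructed SP metadata: the single https ACS endpoint an SP publishes by default.
METADATA_HTTPS_ONLY = {"https://sp.example.org/Shibboleth.sso/SAML2/POST"}

if __name__ == "__main__":
    # 1. Balancer terminates TLS, backend vhost is plain HTTP, SP sees http.
    print(diagnose("http", True, METADATA_HTTPS_ONLY))
    # 2. The work-around tried in the thread: handlerSSL="false".
    print(diagnose("http", False, METADATA_HTTPS_ONLY))
    # 3. Tell the SP the request really was https and keep handlerSSL="true".
    print(diagnose("https", True, METADATA_HTTPS_ONLY))
```

Scenario 3 is the one to aim for: keep `<VirtualHost *:80>` as Scott says, since that is the port the balancer actually delivers to, and make the SP treat those requests as https rather than relaxing handlerSSL. mod_shib's `ShibURLScheme https` directive exists for exactly this offload case. Turning handlerSSL off and rewriting the metadata endpoints to http, as tried at the end of the thread, makes the login "work" only by having the IdP POST the assertion to a plaintext URL, which is what the browser warning is about.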
