[Shib-Users] Certificate based user authentication


Jesse Erdmann

Apr 30, 2009, 6:05:34 PM
to shibbole...@internet2.edu
I'm having a problem with user authentication based on certificates. My IdP and SP get along fine with username/password authentication, but when I switch to certificate-based authentication I start getting exceptions from OpenSAML like the one below. My internet searches have turned up nothing conclusive, but from what I can glean from various sources and http://groups.google.com/group/shibboleth-users/browse_thread/thread/e7fe828c5685775d/70ae84d268ddcc4e?lnk=gst&q=user+certificate#70ae84d268ddcc4e, specifically "You should probably turn ClientAuth back on unless you're going to use certificate-based user authentication in the future." - Nate Klingenstein, certificate-based user authentication and client certificate authentication do not get along.

Is the preferred method for authenticating users with certificates for Shib2 to comment out the ClientCertAuth lines in relying-party.xml? Is there some good documentation on this that my Google searches are just failing to turn up? Thanks!

org.opensaml.ws.security.SecurityPolicyException: Client certificate authentication failed for context issuer entity ID
at org.opensaml.ws.security.provider.ClientCertAuthRule.doEvaluate(ClientCertAuthRule.java:143) [openws-1.2.2.jar:na]
at org.opensaml.ws.security.provider.ClientCertAuthRule.evaluate(ClientCertAuthRule.java:109) [openws-1.2.2.jar:na]
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50) [openws-1.2.2.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:84) [openws-1.2.2.jar:na]
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:69) [opensaml-2.2.3.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:306) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:168) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:145) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82) [shibboleth-common-1.1.2.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:na]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568) [catalina.jar:na]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) [catalina.jar:na]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:na]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889) [tomcat-coyote.jar:na]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:na]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_10]
14:20:09.656 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: Message did not meet security requirements
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:321) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:168) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:145) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82) [shibboleth-common-1.1.2.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:na]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568) [catalina.jar:na]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) [catalina.jar:na]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:na]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889) [tomcat-coyote.jar:na]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:na]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_10]
Caused by: org.opensaml.ws.security.SecurityPolicyException: Client certificate authentication failed for context issuer entity ID
at org.opensaml.ws.security.provider.ClientCertAuthRule.doEvaluate(ClientCertAuthRule.java:143) [openws-1.2.2.jar:na]
at org.opensaml.ws.security.provider.ClientCertAuthRule.evaluate(ClientCertAuthRule.java:109) [openws-1.2.2.jar:na]
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50) [openws-1.2.2.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:84) [openws-1.2.2.jar:na]
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:69) [opensaml-2.2.3.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:306) [shibboleth-identityprovider-2.1.2.jar:na]
... 24 common frames omitted

Jesse Erdmann
Semantic Web Architect
MEDNETWorld.com

Phone: 612-435-7600
Fax: 612-435-7601
www.MEDNETWorld.com
333 Washington Ave N, Suite 208
Minneapolis, MN  55401

Brent Putman

Apr 30, 2009, 6:22:19 PM
to shibbole...@internet2.edu

Jesse Erdmann wrote:
> Is the preferred method for authenticating users with certificates for Shib2 to comment out the ClientCertAuth lines in relying-party.xml? Is there some good documentation on this that my Google searches are just failing to turn up? Thanks!
>


Yes, that's the way, but only do it for the SecurityPolicy having id of
'shibboleth.SAML2SSOSecurityPolicy'. The others do legitimately require
it. I think we agreed sometime in the past that we would remove the
ClientCertAuth rule from that policy, since it doesn't make sense for
the standard cases, and prohibits user client cert authN. I'll see that
it gets into the next release.
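The reply above comes down to a narrow configuration edit: drop the ClientCertAuth rule from the policy with id shibboleth.SAML2SSOSecurityPolicy and leave it in every other policy. The script below is an added example (not from this thread and not Shibboleth project code) that audits a relying-party.xml in that spirit: it lists which SecurityPolicy elements still carry a ClientCertAuthRule, comments the rule out in the SSO policy only, and re-parses the result to confirm the other policies were untouched. The namespace URIs, the one-rule-per-line layout, the trustEngineRef attribute and the second policy id are assumptions made for the constructed sample, not facts taken from the thread.

```python
"""Audit and edit a Shibboleth IdP 2.x relying-party.xml for ClientCertAuthRule.

Added example; assumptions (not taken from the thread): the namespace URIs
below, that each <security:Rule/> sits on its own line, and that a policy's
id appears on the same line as its opening tag.
"""
import re
import xml.etree.ElementTree as ET

# Namespace URIs assumed for the IdP 2.x relying-party.xml schema.
NS = {
    "security": "urn:mace:shibboleth:2.0:security",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]
POLICY_TAG = "{%s}SecurityPolicy" % NS["security"]
RULE_TAG = "{%s}Rule" % NS["security"]
SSO_POLICY_ID = "shibboleth.SAML2SSOSecurityPolicy"  # the id named in the reply

# Constructed sample in the shape of relying-party.xml. The second policy id
# and the trustEngineRef value are made up for the example.
SAMPLE_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
    <security:Rule xsi:type="samlsec:ReplayRule"/>
    <security:Rule xsi:type="samlsec:IssueInstantRule"/>
    <security:Rule xsi:type="samlsec:MandatoryIssuerRule"/>
    <security:Rule xsi:type="security:ClientCertAuthRule" trustEngineRef="shibboleth.TrustEngine"/>
  </security:SecurityPolicy>
  <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
    <security:Rule xsi:type="samlsec:ReplayRule"/>
    <security:Rule xsi:type="samlsec:MandatoryIssuerRule"/>
    <security:Rule xsi:type="security:ClientCertAuthRule" trustEngineRef="shibboleth.TrustEngine"/>
  </security:SecurityPolicy>
</rp:RelyingPartyGroup>
"""


def _local_part(qname):
    """Local part of a prefixed QName string such as 'security:ClientCertAuthRule'."""
    return qname.rsplit(":", 1)[-1]


def _is_client_cert_rule(elem):
    return elem.tag == RULE_TAG and _local_part(elem.get(XSI_TYPE, "")) == "ClientCertAuthRule"


def audit_client_cert_rules(xml_text):
    """Map each SecurityPolicy id to True when it still carries a ClientCertAuthRule."""
    root = ET.fromstring(xml_text)
    return {p.get("id"): any(_is_client_cert_rule(r) for r in p) for p in root.iter(POLICY_TAG)}


def policies_to_change(xml_text, sso_policy_id=SSO_POLICY_ID):
    """Per the reply: remove the rule from the SSO policy only; other policies keep it."""
    audit = audit_client_cert_rules(xml_text)
    return {
        "remove_from": [pid for pid, has in audit.items() if has and pid == sso_policy_id],
        "keep_in": [pid for pid, has in audit.items() if has and pid != sso_policy_id],
    }


_POLICY_OPEN = re.compile(r'<security:SecurityPolicy\b[^>]*\bid="([^"]+)"')
_POLICY_CLOSE = "</security:SecurityPolicy>"


def comment_out_client_cert_rule(xml_text, policy_id=SSO_POLICY_ID):
    """Wrap the ClientCertAuthRule line of one policy in an XML comment.

    Works on the text rather than re-serialising the tree, so the file's
    prefixes and xmlns declarations survive. Refuses a rule that spans
    several lines instead of producing broken XML.
    """
    out, current, changed = [], None, 0
    for line in xml_text.splitlines(keepends=True):
        m = _POLICY_OPEN.search(line)
        if m:
            current = m.group(1)
        if current == policy_id and "<security:Rule" in line and "ClientCertAuthRule" in line:
            if "/>" not in line:
                raise ValueError("ClientCertAuthRule element spans several lines; edit by hand")
            body = line.rstrip("\r\n")
            indent = len(body) - len(body.lstrip())
            line = body[:indent] + "<!-- " + body[indent:] + " -->" + line[len(body):]
            changed += 1
        if _POLICY_CLOSE in line:
            current = None
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    print("before:", audit_client_cert_rules(SAMPLE_XML))
    fixed, n = comment_out_client_cert_rule(SAMPLE_XML)
    print("commented out %d rule(s)" % n)
    print("after: ", audit_client_cert_rules(fixed))
```

Run against a real file, `policies_to_change` should report the SSO policy under `remove_from` and the back-channel policies under `keep_in`; after the edit, a second audit should show only the SSO policy flipped to False. Anything else flipping means the edit touched the wrong policy.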
