[Shib-Users] SSL redirect loop


Cal Heldenbrand

Aug 21, 2009, 12:12:40 PM
to shibbole...@internet2.edu
Hi everyone,

I realize this problem comes up frequently on the list and you're probably tired of answering this, but I believe my problem might be different than the other threads.  (I have read through the list and the wiki docs, and tried a bunch of config combinations)

My setup works fine without https, but the IdP uses SSL and I want to get rid of the encryption warning in Firefox.  For this test I have bypassed my load balancer and configured an apache vhost for SSL.

When I log in and get directed back from the IdP, the SAML2/POST URL request does contain the _shibstate_ cookie, but in the response headers my SP sets a new cookie, then redirects back to the IdP again, causing a loop.  (No shibsession cookie is set)  There are no interesting errors in the shibd.log.

Any help to point me in the right direction would be great! 

Thank you,

--Cal


Here's the juice:

---------  shibboleth2.xml snippet -------------
        <ApplicationOverride id="SSLcca"
                entityID="https://cca.mydomain.com/sp/shibboleth"
                homeURL="http://cca.mydomain.com/"
                REMOTE_USER="eppn persistent-id targeted-id safemls-login-id"
                signing="false" encryption="false"
        >
                <Sessions lifetime="28800" timeout="21600" checkAddress="false"
                        handlerURL="https://cca.mydomain.com/Shibboleth.sso" handlerSSL="false"
                        cookieProps="; path=/; secure; domain=cca.mydomain.com"
                        exportLocation="/Shibboleth.sso/GetAssertion"
                        idpHistory="false" idpHistoryDays="7">

------------- shibd.log  -----------------------------------

2009-08-21 10:59:05 DEBUG Shibboleth.Listener [1]: dispatching message (SSLcca/Login::run::SAML2SI)
2009-08-21 10:59:05 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: validating input
2009-08-21 10:59:05 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: marshalling, deflating, base64-encoding the message
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: starting to marshal samlp:AuthnRequest
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: starting to marshalling saml:Issuer
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: caching DOM for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: starting to marshalling samlp:NameIDPolicy
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: caching DOM for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: caching DOM for XMLObject (document is bound)
2009-08-21 10:59:05 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://cca.mydomain.com/Shibboleth.sso/SAML2/POST" Destination="https://idp.otherdomain.com/idp/profile/SAML2/Redirect/SSO" ID="_aca31cf18977d0679c7bc99eaf3c0354" IssueInstant="2009-08-21T15:59:05Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cca.mydomain.com/sp/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
2009-08-21 10:59:05 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: message encoded, sending redirect to client
2009-08-21 10:59:05 DEBUG Shibboleth.Listener [1]: dispatching message (SSLcca/Login::run::SAML2SI)
2009-08-21 10:59:05 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: validating input
2009-08-21 10:59:05 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: marshalling, deflating, base64-encoding the message
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: starting to marshal samlp:AuthnRequest
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: starting to marshalling saml:Issuer
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: caching DOM for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: starting to marshalling samlp:NameIDPolicy
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: caching DOM for XMLObject
2009-08-21 10:59:05 DEBUG XMLTooling.XMLObject [1]: caching DOM for XMLObject (document is bound)
2009-08-21 10:59:05 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://cca.mydomain.com/Shibboleth.sso/SAML2/POST" Destination="https://idp.otherdomain.com/idp/profile/SAML2/Redirect/SSO" ID="_439213fe3fb8f727fd6f33da131671fe" IssueInstant="2009-08-21T15:59:05Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cca.mydomain.com/sp/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
2009-08-21 10:59:05 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: message encoded, sending redirect to client

--------------------  browser session headers --------------------
----------------------------------------------------------
https://idp.otherdomain.com/idp/Authn/UserPassword

POST /idp/Authn/UserPassword HTTP/1.1
Host: idp.otherdomain.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.13) Gecko/2009080315 Ubuntu/9.04 (jaunty) Firefox/3.0.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.otherdomain.com/idp/Authn/UserPassword
Cookie: JSESSIONID=131D801C011ABDA638B736958715CE5A; _idp_authn_lc_key=ca6623ea-6157-4e6c-8c85-2fb95a3c871a
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: _idp_session=MTIuNS4zMS4xMA%3D%3D%7CYTM5ZDFjOWQ5MGMxMTE3ODQzYTk2NzQzYWY3NWQxZWMxZTIxN2ExYzgzZTM5MWFkZDc2ODE1MWY0YmNhNDE4Ng%3D%3D%7CqdGnmOytgPIpOvfMhvsHYMnwvOk%3D; Path=/idp; Secure
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 21 Aug 2009 14:45:11 GMT
----------------------------------------------------------
https://cca.mydomain.com/Shibboleth.sso/SAML2/POST

POST /Shibboleth.sso/SAML2/POST HTTP/1.1
Host: cca.mydomain.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.13) Gecko/2009080315 Ubuntu/9.04 (jaunty) Firefox/3.0.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.otherdomain.com/idp/Authn/UserPassword
Cookie: _shibstate_8b8f8331=http%3A%2F%2Fcca.mydomain.com%2F
Content-Type: application/x-www-form-urlencoded
Content-Length: 6242
RelayState=cookie%3A8b8f8331&SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlb ... cut
HTTP/1.x 302 Found
Date: Fri, 21 Aug 2009 14:45:11 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: _shibstate_aaf94b58=http%3A%2F%2Fcca.mydomain.com%2FShibboleth.sso%2FSAML2%2FPOST; path=/; secure; domain=cca.mydomain.com
Location: https://idp.otherdomain.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJfT4MwFMW%2FCun7KCBsrBlLcHtwydRlTB98MaXcuSalxd7in28vjKnzwT01%0Aac89555fOkNeq4blrTvoLby2gM77qJVGdnzISGs1MxwlMs1rQOYEK%2FLbNYv8%0AgDXWOCOMIl6OCNZJoxdGY1uDLcC%2BSQEP23VGDs41yCgVgvt7BZ09%2BsLUtDjI%0AsjQK3MFHNLS3jejmvtgRb9ntITXvHX%2FnZdX4QvTTyPfQnxpcf0u7RfZSwcli%0AC5W0IBwtinvirZYZeZ5OpmmajMu0gphP4pSLMq6uyiRKoyQI%2BbiTIbaw0ui4%0AdhmJgmA6CtJRFO7CmMUJC8Mn4m1Ofa%2BlrqR%2BuQynHETIbna7zWio9QgWj5U6%0AAZnPesTsGGzPoF%2B25d%2Bkyfw%2FrthQ%2FEE7o2cpQ2TD7jrb1XJjlBSfXq6UeV9Y%0A4A4yEhI6H0b%2Bfor5Fw%3D%3D%0A&RelayState=cookie%3Aaaf94b58
Content-Length: 865
Keep-Alive: timeout=15, max=9999
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
https://idp.otherdomain.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJfT4MwFMW%2FCun7KCBsrBlLcHtwydRlTB98MaXcuSalxd7in28vjKnzwT01%0Aac89555fOkNeq4blrTvoLby2gM77qJVGdnzISGs1MxwlMs1rQOYEK%2FLbNYv8%0AgDXWOCOMIl6OCNZJoxdGY1uDLcC%2BSQEP23VGDs41yCgVgvt7BZ09%2BsLUtDjI%0AsjQK3MFHNLS3jejmvtgRb9ntITXvHX%2FnZdX4QvTTyPfQnxpcf0u7RfZSwcli%0AC5W0IBwtinvirZYZeZ5OpmmajMu0gphP4pSLMq6uyiRKoyQI%2BbiTIbaw0ui4%0AdhmJgmA6CtJRFO7CmMUJC8Mn4m1Ofa%2BlrqR%2BuQynHETIbna7zWio9QgWj5U6%0AAZnPesTsGGzPoF%2B25d%2Bkyfw%2FrthQ%2FEE7o2cpQ2TD7jrb1XJjlBSfXq6UeV9Y%0A4A4yEhI6H0b%2Bfor5Fw%3D%3D%0A&RelayState=cookie%3Aaaf94b58

GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJfT4MwFMW%2FCun7KCBsrBlLcHtwydRlTB98MaXcuSalxd7in28vjKnzwT01%0Aac89555fOkNeq4blrTvoLby2gM77qJVGdnzISGs1MxwlMs1rQOYEK%2FLbNYv8%0AgDXWOCOMIl6OCNZJoxdGY1uDLcC%2BSQEP23VGDs41yCgVgvt7BZ09%2BsLUtDjI%0AsjQK3MFHNLS3jejmvtgRb9ntITXvHX%2FnZdX4QvTTyPfQnxpcf0u7RfZSwcli%0AC5W0IBwtinvirZYZeZ5OpmmajMu0gphP4pSLMq6uyiRKoyQI%2BbiTIbaw0ui4%0AdhmJgmA6CtJRFO7CmMUJC8Mn4m1Ofa%2BlrqR%2BuQynHETIbna7zWio9QgWj5U6%0AAZnPesTsGGzPoF%2B25d%2Bkyfw%2FrthQ%2FEE7o2cpQ2TD7jrb1XJjlBSfXq6UeV9Y%0A4A4yEhI6H0b%2Bfor5Fw%3D%3D%0A&RelayState=cookie%3Aaaf94b58 HTTP/1.1
Host: idp.otherdomain.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.13) Gecko/2009080315 Ubuntu/9.04 (jaunty) Firefox/3.0.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.otherdomain.com/idp/Authn/UserPassword
Cookie: JSESSIONID=131D801C011ABDA638B736958715CE5A; _idp_session=MTIuNS4zMS4xMA%3D%3D%7CYTM5ZDFjOWQ5MGMxMTE3ODQzYTk2NzQzYWY3NWQxZWMxZTIxN2ExYzgzZTM5MWFkZDc2ODE1MWY0YmNhNDE4Ng%3D%3D%7CqdGnmOytgPIpOvfMhvsHYMnwvOk%3D; _idp_authn_lc_key=ca6623ea-6157-4e6c-8c85-2fb95a3c871a

HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Wed, 31 Dec 1969 19:00:00 EST
Set-Cookie: _idp_authn_lc_key=96621c75-7551-4b82-95ab-7498a925860b; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 21 Aug 2009 14:45:11 GMT
----------------------------------------------------------
https://cca.mydomain.com/Shibboleth.sso/SAML2/POST

POST /Shibboleth.sso/SAML2/POST HTTP/1.1
Host: cca.mydomain.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.13) Gecko/2009080315 Ubuntu/9.04 (jaunty) Firefox/3.0.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.otherdomain.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJfT4MwFMW%2FCun7KCBsrBlLcHtwydRlTB98MaXcuSalxd7in28vjKnzwT01%0Aac89555fOkNeq4blrTvoLby2gM77qJVGdnzISGs1MxwlMs1rQOYEK%2FLbNYv8%0AgDXWOCOMIl6OCNZJoxdGY1uDLcC%2BSQEP23VGDs41yCgVgvt7BZ09%2BsLUtDjI%0AsjQK3MFHNLS3jejmvtgRb9ntITXvHX%2FnZdX4QvTTyPfQnxpcf0u7RfZSwcli%0AC5W0IBwtinvirZYZeZ5OpmmajMu0gphP4pSLMq6uyiRKoyQI%2BbiTIbaw0ui4%0AdhmJgmA6CtJRFO7CmMUJC8Mn4m1Ofa%2BlrqR%2BuQynHETIbna7zWio9QgWj5U6%0AAZnPesTsGGzPoF%2B25d%2Bkyfw%2FrthQ%2FEE7o2cpQ2TD7jrb1XJjlBSfXq6UeV9Y%0A4A4yEhI6H0b%2Bfor5Fw%3D%3D%0A&RelayState=cookie%3Aaaf94b58
Cookie: _shibstate_8b8f8331=http%3A%2F%2Fcca.mydomain.com%2F; _shibstate_aaf94b58=http%3A%2F%2Fcca.mydomain.com%2FShibboleth.sso%2FSAML2%2FPOST
Content-Type: application/x-www-form-urlencoded
Content-Length: 6248
RelayState=cookie%3Aaaf94b58&SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmN ... cut
HTTP/1.x 302 Found
Date: Fri, 21 Aug 2009 14:45:11 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: _shibstate_127e490e=http%3A%2F%2Fcca.mydomain.com%2FShibboleth.sso%2FSAML2%2FPOST; path=/; secure; domain=cca.mydomain.com
Location: https://idp.otherdomain.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVJdT4MwFP0rpO%2BjgBtxzSDB7cEl05ExffDFlHKRJqXF3uLHvxe2qfPBvbRJ%0A7%2Fm456QL5K3qWNa7Ru%2FgtQd03kerNLLDICG91cxwlMg0bwGZE6zI7jYs8gPW%0AWeOMMIp4GSJYJ41eGo19C7YA%2ByYFPOw2CWmc65BRKgT3awWDPPrCtLRoZFka%0ABa7xEQ0dZSOab4s98VbDHlLzUfGXL6vOF2JkI69hvDW48ZUOi9RSwUliB5W0%0AIBwtii3x1quEPFcVVDzkYSyCOfDZcMZReSXielqW8zqOBxhiD2uNjmuXkCgI%0A5pPgehKF%2B3DKpjMWhk%2FEy095b6SupH65XE55BCG73e%2FzyTHWI1g8RBoAJF2M%0AFbODsT0r%2FbIs%2F26apP%2F1ih3Fn2oX9MzlaNmx%2B0F2vcqNkuLTy5Qy70sL3EFC%0AQkLTI%2BXvp0i%2FAA%3D%3D%0A&RelayState=cookie%3A127e490e
Content-Length: 861
Keep-Alive: timeout=15, max=9998
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------




Scott Cantor

Aug 21, 2009, 12:41:05 PM
to shibbole...@internet2.edu
> Any help to point me in the right direction would be great!

To start with, do NOT use a handlerURL other than /Shibboleth.sso or at
least some other relative value. Any attempt to change that to an absolute
will almost certainly be wrong, and is not the way to fix a loop.

Also, do NOT set domain in the cookie, certainly not if what you intend is
for the cookie to be per-host as it normally is. It shouldn't break
anything, but cookies are funny and clients can do strange things sometimes
if even a semicolon is out of place. Better not to mess with it.

What it's actually doing is protecting the handler URL and causing an
instant redirect away to the IdP just because of the submission of the
response. You somehow fooled it into thinking that the request isn't
actually to a handler. I suspect it's related to the fact that you used an
absolute handlerURL, but I don't really know what it's doing. Tracing
requests in native.log is generally necessary to know what it thinks the
request is and why it doesn't see it as a handler message.

I can't explain the combination of it not understanding the request but also
populating the response URL correctly. That doesn't really fit.

-- Scott


Cal Heldenbrand

Aug 21, 2009, 1:10:32 PM
to shibbole...@internet2.edu
Okay, I removed the domain= from the cookie, and set handlerURL back to just /Shibboleth.sso.  That goes back to using plain http:// as the ACS.  If I set handlerSSL="true" then I get the same redirect loop again, with similar looking headers.

How do I enable the native logger?  I changed everything to debug in the native.logger file, but I still have the <InProcess> tag as the default settings.

Thanks Scott,

--Cal


On Fri, Aug 21, 2009 at 11:41 AM, Scott Cantor <cant...@osu.edu> wrote:
> Any help to point me in the right direction would be great!

Peter Schober

Aug 21, 2009, 1:34:49 PM
to shibbole...@internet2.edu
* Cal Heldenbrand <c...@fbsdata.com> [2009-08-21 19:11]:

> How do I enable the native logger?

Just make sure it's writeable by the user httpd runs as.
-peter

Cal Heldenbrand

Aug 21, 2009, 1:37:28 PM
to shibbole...@internet2.edu
Got the native logger working, it was just a permissions thing.

Here are the messages I get in native.log during the redirect loop.  This is with just handlerSSL="true"

2009-08-21 12:32:43 DEBUG Shibboleth.Listener [15631] shib_check_user: sending message (SSLcca/Login::run::SAML2SI)
2009-08-21 12:32:43 DEBUG Shibboleth.Listener [15631] shib_check_user: send completed, reading response message
2009-08-21 12:32:43 DEBUG Shibboleth.Listener [15631] shib_check_user: sending message (SSLcca/Login::run::SAML2SI)
2009-08-21 12:32:43 DEBUG Shibboleth.Listener [15631] shib_check_user: send completed, reading response message
2009-08-21 12:32:43 INFO Shibboleth.SessionInitiator.SAML2 [15631] shib_check_user: postData property not supplied, form data will not be preserved across SSO
2009-08-21 12:32:44 DEBUG Shibboleth.Listener [15631] shib_check_user: sending message (SSLcca/Login::run::SAML2SI)
2009-08-21 12:32:44 DEBUG Shibboleth.Listener [15631] shib_check_user: send completed, reading response message
2009-08-21 12:32:44 INFO Shibboleth.SessionInitiator.SAML2 [15631] shib_check_user: postData property not supplied, form data will not be preserved across SSO
2009-08-21 12:32:44 DEBUG Shibboleth.Listener [15631] shib_check_user: sending message (SSLcca/Login::run::SAML2SI)
2009-08-21 12:32:44 DEBUG Shibboleth.Listener [15631] shib_check_user: send completed, reading response message
2009-08-21 12:32:44 INFO Shibboleth.SessionInitiator.SAML2 [15631] shib_check_user: postData property not supplied, form data will not be preserved across SSO


I don't believe the post message is that big of a deal, because my application isn't relying on any post submissions, at least for the initial login event.  Would this be stripping off the post data (RelayState, SAMLResponse) from the IdP?

--Cal

Scott Cantor

Aug 21, 2009, 1:57:56 PM
to shibbole...@internet2.edu
Cal Heldenbrand wrote on 2009-08-21:
> Got the native logger working, it was just a permissions thing.
>
> Here are the messages I get in native.log during the redirect loop. This is
> with just handlerSSL="true"

You're missing all the RequestMap log entries indicating what the URL is
being seen as inside the server.

If it's using http on the way back when you hit it as https, then your
problem is in fact that you did NOT virtualize the server correctly, same as
most others. I believe Apache 2.2 allows scheme virtualization via
ServerName now.

The RequestMap logs should show that clearly, it will be mapping requests
for http://domain instead of https://domain.

-- Scott


Scott Cantor

Aug 21, 2009, 2:02:55 PM
to shibbole...@internet2.edu
Actually, I thought you said you were bypassing a load balancer and using
SSL directly on Apache. Based on your description about it turning https
into http, quite simply, Apache doesn't have SSL on for the vhost. So
something isn't set up the way you think it is.

-- Scott

Cal Heldenbrand

Aug 21, 2009, 2:29:14 PM
to shibbole...@internet2.edu
Apparently I can't have a single Host mapping defined across multiple application IDs?

Here's what my apache config looks like, with the fat cut out:

<VirtualHost *:443>
        ServerName cca.myhost.com
   
    ...
   <Location />
        AuthType shibboleth
        require valid-user
        ShibApplicationID "SSLcca"
   </Location>
</VirtualHost>

<VirtualHost *:80>
        ServerName cca.myhost.com
   
    ...
   <Location />
        AuthType shibboleth
        require valid-user
        ShibApplicationID "cca"
   </Location>
</VirtualHost>


And in my native log:

2009-08-21 13:12:55 DEBUG Shibboleth.PropertySet : added property applicationId (cca)
2009-08-21 13:12:55 DEBUG Shibboleth.PropertySet : added property authType (shibboleth)
2009-08-21 13:12:55 DEBUG Shibboleth.PropertySet : added property name (cca.myhost.com)
2009-08-21 13:12:55 DEBUG Shibboleth.PropertySet : added property requireSession (true)
2009-08-21 13:12:55 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for http://cca.myhost.com
2009-08-21 13:12:55 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for http://cca.myhost.com:80
2009-08-21 13:12:55 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for https://cca.myhost.com
2009-08-21 13:12:55 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for https://cca.myhost.com:443
2009-08-21 13:12:55 DEBUG Shibboleth.PropertySet : added property applicationId (SSLcca)
2009-08-21 13:12:55 DEBUG Shibboleth.PropertySet : added property authType (shibboleth)
2009-08-21 13:12:55 DEBUG Shibboleth.PropertySet : added property name (cca.myhost.com)
2009-08-21 13:12:55 DEBUG Shibboleth.PropertySet : added property requireSession (true)
2009-08-21 13:12:55 WARN Shibboleth.RequestMapper : Skipping duplicate Host element (http://cca.myhost.com)

After seeing that, I set my two apache vhosts to use the same "cca" application ID, then set handlerSSL="true" and set the cookieProps on the cca ApplicationOverride and it still is doing a redirect loop.

I'm pretty sure the apache vhosts are mapping into the correct ApplicationOverride, because modifying any of them changes the functionality.

Am I missing something else here?

Thank you,

--Cal

Cal Heldenbrand

Aug 21, 2009, 2:45:52 PM
to shibbole...@internet2.edu
Okay after rereading that, I see it.  I prepended https:// to my ServerName directive and it's working now.

Sorry, I thought I was special, but I guess it was the same problem as the others.

Thank you Scott!

--Cal

Scott Cantor

Aug 21, 2009, 2:46:17 PM
to shibbole...@internet2.edu
Cal Heldenbrand wrote on 2009-08-21:
> Apparently I can't have a single Host mapping defined across multiple
> application IDs?

Not if the handler isn't also split. You can't have https:// mapping to some
other application and still use it as a handler for the application on
http://.

The handler URL MUST map to the same application ID as the resources it
serves.

> I'm pretty sure the apache vhosts are mapping into the correct
> ApplicationOverride, because modifying any of them changes the
> functionality.

You also keep saying you're using handlerSSL which is going to throw it all
off. You can't use a handler on SSL for a vhost using http that's trying to
act as a separate application.

You're causing the response to come in to a different application from the
resources you're accessing. That's the loop.

-- Scott
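A constructed Python model of the SP's per-request decisions, added here as an example and not code from the thread or from the Shibboleth project; it covers both the scheme-virtualization root cause from Scott's earlier replies (the vhost handing https requests to the SP as http, fixed by the https:// ServerName) and the split-application mismatch explained in this reply. The request-map values mirror the native.log <Host> entries above; simulate_login, apache_reports_ssl and the sample Set-Cookie are assumptions, not SP internals.

```python
from urllib.parse import urlsplit, unquote

# Constructed request maps, mirroring the <Host> entries native.log reported above
# (scheme://host -> applicationId). SPLIT_MAP is the two-application layout from
# Cal's vhost config; SINGLE_MAP is the later "cca on both vhosts" layout.
SPLIT_MAP = {"http://cca.myhost.com": "cca", "https://cca.myhost.com": "SSLcca"}
SINGLE_MAP = {"http://cca.myhost.com": "cca", "https://cca.myhost.com": "cca"}

# Constructed sample: the Set-Cookie the SP returned for the POST to the ACS above.
SAMPLE_SET_COOKIE = ("_shibstate_aaf94b58=http%3A%2F%2Fcca.mydomain.com%2FShibboleth.sso"
                     "%2FSAML2%2FPOST; path=/; secure; domain=cca.mydomain.com")


def app_for(url, request_map):
    """Resolve the applicationId from scheme://host, like a RequestMapper <Host> lookup."""
    p = urlsplit(url)
    return request_map.get(f"{p.scheme}://{p.hostname}", "default")


def handler_base(url, handler_ssl):
    """Handler URL the SP expects on this host: /Shibboleth.sso with the scheme
    forced to https when handlerSSL="true", otherwise the request's own scheme."""
    p = urlsplit(url)
    return f"{'https' if handler_ssl else p.scheme}://{p.hostname}/Shibboleth.sso"


def simulate_login(resource_url, apache_reports_ssl, handler_ssl, request_map, max_hops=6):
    """Walk the SP's decisions and return how many IdP round trips it takes to find
    a session for the resource, or None if it loops. Modelled rules (assumptions):
      - if Apache does not report SSL for the vhost, the SP sees https requests as http;
      - a request is a handler call only if it sits under the expected handler URL,
        otherwise it is treated as a protected resource (new _shibstate_, redirect again);
      - a session created by the handler belongs to the handler URL's applicationId.
    """
    def observed(url):  # what mod_shib sees, not what the browser typed
        p = urlsplit(url)
        scheme = p.scheme if (p.scheme == "http" or apache_reports_ssl) else "http"
        return f"{scheme}://{p.hostname}{p.path}"

    sessions = set()
    for hops in range(max_hops):
        if app_for(observed(resource_url), request_map) in sessions:
            return hops
        # No session: the session initiator sends the browser to the IdP, which posts
        # the response back to the assertion consumer service on the same host.
        acs_seen = observed(handler_base(resource_url, handler_ssl) + "/SAML2/POST")
        if not acs_seen.startswith(handler_base(acs_seen, handler_ssl)):
            continue  # not recognised as a handler: protected-resource path, loop
        sessions.add(app_for(acs_seen, request_map))
    return None


def shibstate_scheme_mismatch(browser_url, set_cookie_header):
    """Detection check on captured headers: _shibstate_ stores the URL the SP thinks
    it protected. Browser on https but stored URL on http means the vhost is not
    reporting SSL to the SP, the root cause found in this thread."""
    value = set_cookie_header.split(";", 1)[0].split("=", 1)[1]
    stored = urlsplit(unquote(value))
    return urlsplit(browser_url).scheme == "https" and stored.scheme == "http"


if __name__ == "__main__":
    print("https vhost not reporting SSL, handlerSSL on:",
          simulate_login("https://cca.myhost.com/", False, True, SINGLE_MAP))   # None (loop)
    print("ServerName https:// fix:",
          simulate_login("https://cca.myhost.com/", True, True, SINGLE_MAP))    # 1
    print("split apps, http resource, https handler:",
          simulate_login("http://cca.myhost.com/", True, True, SPLIT_MAP))      # None (loop)
    print("mismatch in captured Set-Cookie:",
          shibstate_scheme_mismatch("https://cca.mydomain.com/Shibboleth.sso/SAML2/POST",
                                    SAMPLE_SET_COOKIE))                         # True
```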

