[Shib-Users] After Configuring Shibboleth - SP with Test Shib


sail...@yahoo.co.in

Dec 11, 2008, 5:11:32 AM
to shibbole...@internet2.edu
Hi All,

I have done the following things for the Shibboleth SP:

--> Installed Shibboleth SP

--> Configured SSL for IIS

--> Set up metadata for the SP to communicate with the TestShib IdP

So if we try to go to http://mydomainname/Secure, it redirects to the requested IdP site (which is the TestShib site now) to log in. After providing the given credentials (myself/myself),

it redirects back to the SAML2 request (https://mydomainname/Shibboleth.sso/SAML2/POST), which shows the error below.

“Shibsp::ConfigurationException
The system encountered an error at Thu Dec 11 14:51:10 2008

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

Shibsp::ConfigurationException at (https://hb6793.datamonitor.com/Shibboleth.sso/SAML2/POST)

Shibboleth handler invoked at an unconfigured location. “

Can you please give me any idea how to resolve this?


Thanks in Advance

Thanks & Regards
Sailu

Chad La Joie

Dec 11, 2008, 5:14:38 AM
to shibbole...@internet2.edu
Look at your logs. What do they say?

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

seshu bandaru

Dec 11, 2008, 5:32:30 AM
to shibbole...@internet2.edu
This is the log I got for the previous run in native.log:
 
2008-12-11 15:43:33 INFO Shibboleth.Config [2808] isapi_shib: change detected, reloading local resource...
2008-12-11 15:43:33 INFO Shibboleth.Config [2808] isapi_shib: loaded XML resource (D:/opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml)
2008-12-11 15:43:33 INFO Shibboleth.Config [2808] isapi_shib: building RequestMapper of type xml...
2008-12-11 15:43:33 CRIT Shibboleth.Config [2808] isapi_shib: maintaining existing configuration, error reloading resource (D:/opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml): Unknown plugin type.
2008-12-11 15:43:36 ERROR Shibboleth.Listener [2808] isapi_shib: socket call resulted in error (10054): Unknown error
 
Thanks & Regards
Sailu



Scott Cantor

Dec 11, 2008, 10:44:45 AM
to shibbole...@internet2.edu

> 2008-12-11 15:43:33 INFO Shibboleth.Config [2808] isapi_shib: building
> RequestMapper of type xml...

That should be XML, not xml.

> > Shibsp::ConfigurationException at
> (https://mydomainname/Shibboleth.sso/SAML2/POST
> <https://hb6793.datamonitor.com/Shibboleth.sso/SAML2/POST> )

That means you altered the endpoint configuration and have broken it. Please revert to the default configuration file and reapply only the changes you're directed to apply in whatever documentation you're following.

-- Scott


sail...@yahoo.co.in

Dec 16, 2008, 1:24:00 AM
to shibbole...@internet2.edu
Hi,

This is my shibboleth2.xml file after configuring my SP with TestShib (generated by TestShib).

Shibboleth2.xml File
-------------------------------------------------------------------------------
<!--
This is an example shibboleth2.xml generated for you by TestShib Two. It's reduced and recommented
specifically for testing. You don't need to change anything, but you may want to explore the file
to learn about how your SP works. Uncomment attributes in your attribute-map.xml file to test them.

If you want to test advanced functionality, start from the distribution shibboleth2.xml and add the
MetadataProvider, TestShib credentials, the right entityID, and a SessionInitiator. More information:

https://spaces.internet2.edu/display/SHIB2/NativeSPConfiguration
-->

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          logger="syslog.logger" clockSkew="1800">

    <!-- You might want to increase the top-level log sensitivity in these files. -->
    <OutOfProcess logger="shibd.logger" />
    <InProcess logger="native.logger">
        <ISAPI normalizeRequest="true">
            <!-- Maps IIS Instance ID values to the host name. -->
            <Site id="1" name="mydomain.com"/>
        </ISAPI>
    </InProcess>

    <!-- Settings for session storage and internal communication. -->
    <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/>
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>
    <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="mem"/>

    <!-- The RequestMap defines portions of the webspace to protect; mydomain.com/secure here. -->
    <RequestMapper type="XML">
        <RequestMap applicationId="default">
            <!--
            <Host name="mydomain.com" scheme="https">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            -->
            <Host name="mydomain.com" scheme="http">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <!-- The entityID is the name TestShib made for your SP. -->
    <ApplicationDefaults id="default" policyId="default" REMOTE_USER="eppn"
                         entityID="https://mydomain.com/shibboleth-sp"
                         homeURL="https://mydomain.com/index.html">

        <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/secure; secure">

            <!--
            SessionInitiators can request login many different ways. This example sends users directly to the
            TestShib IdP. If you want to use a different IdP that has joined TestShib, just change this entityID.
            -->
            <SessionInitiator type="SAML2" Location="/TestShib" isDefault="true" defaultACSIndex="1" id="TestShib"
                              entityID="https://idp.testshib.org/idp/shibboleth" template="bindingTemplate.html" />

            <!-- How and where the SP listens. -->
            <md:AssertionConsumerService Location="https://mydomain.com/secure/" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <!--
            <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML/POST" index="6" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            -->
            <Handler type="Status" Location="/Status"/>
            <Handler type="Session" Location="/Session"/>
        </Sessions>

        <!-- Error pages to display to yourself if something goes horribly wrong. -->
        <Errors session="sessionError.html" metadata="metadataError.html" access="accessError.html" ssl="sslError.html"
                supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>

        <!-- TestShib Two's metadata lists all members of TestShib so your SP can talk to them. -->
        <!--
        <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-two-metadata.xml"
                          backingFilePath="testshib-two-metadata.xml" reloadInterval="180000" />
        -->
        <MetadataProvider type="XML" file="testshib-two-metadata.xml"/>

        <!-- Attribute and trust options you shouldn't need to change. -->
        <TrustEngine type="ExplicitKey"/>
        <AttributeExtractor type="XML" path="attribute-map.xml"/>
        <AttributeResolver type="Query"/>
        <AttributeFilter type="XML" path="attribute-policy.xml"/>

        <!-- Your SP generated these credentials. They're used to talk to IdP's. -->
        <!-- <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> -->
        <CredentialResolver type="File" key="c:\pki\testshib.key" certificate="c:\pki\testshib.crt"/>

    </ApplicationDefaults>

    <!-- Security policies you shouldn't change unless you know what you're doing. -->
    <SecurityPolicies>
        <Policy id="default" validate="false">
            <Rule type="MessageFlow" checkReplay="true" expires="60"/>
            <Rule type="ClientCertAuth" errorFatal="true"/>
            <Rule type="XMLSigning" errorFatal="true"/>
        </Policy>
    </SecurityPolicies>

</SPConfig>

-------------------------------------------------------------------------------

The error I got is:

shibsp::ConfigurationException at (https://mydomain.com/Shibboleth.sso/SAML2/POST)

Shibboleth handler invoked at an unconfigured location.


-------------------------------------------------------------------------------

Has anyone got a solution for this?

I replaced the default shibboleth2.xml and made the required changes but did not get any solution, so I replaced it with the XML file generated by the TestShib configuration step for my SP.

Thanks & Regards
Sailu.

Nate Klingenstein

Dec 16, 2008, 10:11:28 AM
to shibbole...@internet2.edu
Sailu,

Your shibboleth2.xml looks just fine for all the handler configuration.  The only possible problem I can think of is that the Site ID and name don't match the ones you've configured in IIS.  Can you please focus very hard on that to make sure it's correct?

Take care,
Nate.

Scott Cantor

Dec 16, 2008, 11:11:49 AM
to shibbole...@internet2.edu
> this is my shibboleth2.xml file after configure my SP with testshib
> (generated by testshib ).

I don't buy it. Maybe it is, but I don't think Nate is generating something
that broken.

> <!-- How and where the SP listens. -->
> <md:AssertionConsumerService
> Location="https://mydomain.com/secure/" index="1"
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

This is wrong. The Location attribute cannot be a URL. I believe you have
commented out something that works and replaced it with a broken element. If
testshib is generating that, it would never work.

An ACS Location in the configuration MUST NOT be a URL. The documentation is
clear on this.

https://spaces.internet2.edu/display/SHIB2/NativeSPAssertionConsumerService

Location (relative path)

A URL is not a relative path.

-- Scott


Nate Klingenstein

Dec 16, 2008, 11:33:15 AM
to shibbole...@internet2.edu
Oops.  I skipped over that, thinking it was just commented out; instead, it's the correct configuration that is commented out.

No, that's not in the generated shibboleth2.xml.  It only has:

            <!-- How and where the SP listens. -->
            <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML/POST" index="6" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
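Two of the mistakes diagnosed in this thread (a plugin type written as "xml" instead of "XML", and an AssertionConsumerService Location given as an absolute URL instead of a path relative to handlerURL) are easy to catch before shibd ever loads the file. The linter below is an added example written for this thread, not code from the Shibboleth project; it checks a shibboleth2.xml for exactly those two conditions plus a missing id/name on the ISAPI Site element that Nate asked about. The two embedded configurations are constructed, trimmed-down versions of the broken and corrected files discussed above.

```python
"""Lint a Shibboleth SP shibboleth2.xml for the misconfigurations discussed in this thread.

Added example: not part of the Shibboleth SP distribution. It only understands the
three checks below and is meant to be run before reloading the SP.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def lint_config(xml_text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Plugin type names are case-sensitive. type="xml" produces the
    #    "Unknown plugin type" CRIT line seen in native.log, after which the
    #    SP keeps its previous configuration (or has none at all).
    for rm in root.iter(f"{{{SP_NS}}}RequestMapper"):
        t = rm.get("type", "")
        if t != "XML" and t.lower() == "xml":
            findings.append(
                f'RequestMapper type="{t}" should be "XML" (plugin types are case-sensitive)')

    # 2. An ACS Location is a path relative to handlerURL, never a full URL.
    #    A URL here is why the IdP's POST to /Shibboleth.sso/SAML2/POST hits
    #    "Shibboleth handler invoked at an unconfigured location".
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        loc = acs.get("Location", "")
        if urlparse(loc).scheme or not loc.startswith("/"):
            findings.append(
                f'AssertionConsumerService Location="{loc}" must be a relative path such as "/SAML2/POST"')

    # 3. Under IIS each <Site> needs both id and name so the ISAPI filter can
    #    map the IIS instance ID to the host name used in the RequestMap.
    for site in root.iter(f"{{{SP_NS}}}Site"):
        if not site.get("id") or not site.get("name"):
            findings.append("ISAPI <Site> element is missing id or name")

    return findings


# Constructed sample inputs (not the full files): the broken configuration from
# the thread and the corrected one with the default ACS handlers restored.
BROKEN_CONFIG = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <InProcess><ISAPI normalizeRequest="true"><Site id="1" name="mydomain.com"/></ISAPI></InProcess>
  <RequestMapper type="xml"/>
  <ApplicationDefaults id="default" entityID="https://mydomain.com/shibboleth-sp">
    <Sessions handlerURL="/Shibboleth.sso" handlerSSL="true">
      <md:AssertionConsumerService Location="https://mydomain.com/secure/" index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""

FIXED_CONFIG = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <InProcess><ISAPI normalizeRequest="true"><Site id="1" name="mydomain.com"/></ISAPI></InProcess>
  <RequestMapper type="XML"/>
  <ApplicationDefaults id="default" entityID="https://mydomain.com/shibboleth-sp">
    <Sessions handlerURL="/Shibboleth.sso" handlerSSL="true">
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:AssertionConsumerService Location="/SAML/POST" index="6"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""

if __name__ == "__main__":
    # Usage: python lint_shib.py [path/to/shibboleth2.xml]; without an argument
    # it lints the two embedded samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"broken sample": BROKEN_CONFIG, "fixed sample": FIXED_CONFIG}
    for label, text in samples.items():
        problems = lint_config(text)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the broken sample it reports the "xml" type and the URL-valued Location; the fixed sample passes clean. The check is deliberately narrow: a clean result only means these three mistakes are absent, not that the file will load.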

sai_...@ymail.com

Dec 17, 2008, 2:08:26 AM
to shibbole...@internet2.edu
Hi

Thank you for your patient reply to my question.

After uncommenting these lines I am getting:

Error:
---------------------------------------------------------------------
opensaml::SecurityPolicyException at (http://mydomain.com/Secure/)

Attempt to spoof header (Shib-Session-ID) was detected.

----------------------------------------------------------------------

In shibd.log I didn't see any errors, but in the native.log file I encountered the following messages as errors, and I couldn't recognise why these come up.
The ISAPI filter is successfully running in my IIS server.


Messages in native.log file:
-----------------------------------------------------------------------
2008-12-17 12:28:01 ERROR Shibboleth.Listener [5760] isapi_shib: socket call resulted in error (10054): Unknown error

2008-12-17 12:28:01 ERROR Shibboleth.Listener [5760] isapi_shib: remoted message returned an error: Your session has expired, and you must re-authenticate.

2008-12-17 12:28:01 WARN Shibboleth.ServiceProvider [5760] isapi_shib: error during session lookup: Your session has expired, and you must re-authenticate.

-----------------------------------------------------------------------

Can anyone tell me the solution?

Thanks
Sailu
