Hi,
I am trying to protect two resources with a single Shibboleth2.xml and after going through some of the archive emails I came across the <ApplicationOverride> attribute. I tried using it in the following manner in my Shibboleth2.xml
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="sohailweb.peopleadmin.com">
<Path name="secure" authType="shibboleth" requireSession="true" />
</Host>
<Host name="test.simplehire.com" applicationId="simplehire">
<Path name="protect" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
<ApplicationDefaults id="default" policyId="default"
entityID="https://sohailweb.peopleadmin.com/shibboleth-sp"
homeURL="https://sohailweb.peopleadmin.com/index.html"
REMOTE_USER="eppn" >
<ApplicationOverride id="simplehire"
entityID="https://test.simplehire.com/shibboleth-sp"/>
.
.
.
</ApplicationDefaults>
And I get the following error when I run the Shibd.exe with the -check command:
C:\opt\shibboleth-sp\sbin>shibd -check
2008-08-22 11:04:32 ERROR XMLTooling.ParserPool : error on line 85, column 25, message: Element 'ApplicationOverride' is not valid for content model: '((Sessions,Errors,RelyingParty,Notify,Audience,MetadataProvider,TrustEngine,AttributeExtractor,AttributeResolver,AttributeFilter,CredentialResolver),ApplicationOverride)'
2008-08-22 11:04:32 ERROR Shibboleth.Config : error while loading configuration from (C:/opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml): error during XML parsing: Element 'ApplicationOverride' is not valid for content model: '((Sessions,Errors,RelyingParty,Notify,Audience,MetadataProvider,TrustEngine,AttributeExtractor,AttributeResolver,AttributeFilter,CredentialResolver),ApplicationOverride)'
caught exception while loading configuration: error during XML parsing: Element 'ApplicationOverride' is not valid for content model: '((Sessions,Errors,RelyingParty,Notify,Audience,MetadataProvider,TrustEngine,AttributeExtractor,AttributeResolver,AttributeFilter,CredentialResolver),ApplicationOverride)'
Any pointers are greatly appreciated.
Thanks,
Sohail
That's pretty much correct save for the XML error you apparently made.
> And I get the following error when I run the Shibd.exe with the -check
> command:
The error is telling you the required order of content. You violated that
order, so just correct it. The override elements have to be last.
-- Scott
I have had some success with protecting multiple resources with the same
Shibboleth2.xml. The only issue I have at the moment is that I am
getting a 'Shibboleth handler invoked at an unconfigured location'
error.
The native.log has the error message:
isapi_shib_extension: remoted message returned an error: SAML message
delivered with POST to incorrect server URL.
I have the <ApplicationOverride> section of shibboleth2.xml configured:
<ApplicationOverride id="simplehire"
entityID="https://test.simplehire.com/shibboleth-sp">
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false">
<SessionInitiator type="SAML2"
Location="https://test.simplehire.com/TestShib" isDefault="true"
defaultACSIndex="1" id="TestShib"
entityID="https://idp.testshib.org/idp/shibboleth"
template="bindingTemplate.html" />
<md:AssertionConsumerService
Location="https://test.simplehire.com/Shibboleth.sso/SAML2/POST"
index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
<md:AssertionConsumerService
Location="https://test.simplehire.com/Shibboleth.sso/SAML/POST"
index="6" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />
</Sessions>
</ApplicationOverride>
The metadata provider is the same for all resources. Any help on this is
greatly appreciated!
Thanks,
Sohail
Did you configure all of the ISAPI Site elements properly?
> The native.log has the error message:
>
> isapi_shib_extension: remoted message returned an error: SAML message
> delivered with POST to incorrect server URL.
My guess is you didn't supply the right hostname information, and it's
causing both problems.
> <SessionInitiator type="SAML2"
> Location="https://test.simplehire.com/TestShib" isDefault="true"
That's wrong. Locations should be relative paths, which get appended to the
handlerURL at runtime.
> <md:AssertionConsumerService
> Location="https://test.simplehire.com/Shibboleth.sso/SAML2/POST"
Same here. This should be /SAML2/POST.
-- Scott
>> I have had some success with protecting multiple resources with the same
>> Shibboleth2.xml. The only issue I have at the moment is that I am
>> getting a 'Shibboleth handler invoked at an unconfigured location'
>> error.
I made the Assertion Consumer service URLs relative and am no longer
getting this error message.
>
>Did you configure all of the ISAPI Site elements properly?
>
All the ISAPI site elements are configured properly i.e. the ISAPI
listener is setup for these two sites and in Shibboleth2.xml I have:
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true">
<!-- Maps IIS Instance ID values to the host name. -->
<Site id="2" name="sohailweb.peopleadmin.com" />
<Site id="3" name="test.simplehire.com" />
</ISAPI>
</InProcess>
I have the authentication working for 'sohailweb.peopleadmin.com', but
not for 'test.simplehire.com'.
>
>> The native.log has the error message:
>>
>> isapi_shib_extension: remoted message returned an error: SAML message
>> delivered with POST to incorrect server URL.
>
>My guess is you didn't supply the right hostname information, and it's
>causing both problems.
This is the error message I get on authentication (for
'test.simplehire.com'). I am not sure if I got the hostname setup
information right, but here is what I have in my Shibboleth2.xml:
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="sohailweb.peopleadmin.com">
<Path name="secure" authType="shibboleth" requireSession="true" />
</Host>
<Host name="test.simplehire.com" applicationId="simplehire">
<Path name="protect" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
>
>> <SessionInitiator type="SAML2"
>> Location="https://test.simplehire.com/TestShib" isDefault="true"
>
>That's wrong. Locations should be relative paths, which get appended to the
>handlerURL at runtime.
>
>> <md:AssertionConsumerService
>> Location="https://test.simplehire.com/Shibboleth.sso/SAML2/POST"
>
>Same here. This should be /SAML2/POST.
>
>-- Scott
>
>
Thanks for the quick response to help me resolve this. Much
appreciated!
Thanks,
Sohail
And those are actually the correct Site IDs, right?
> >> isapi_shib_extension: remoted message returned an error: SAML message
> >> delivered with POST to incorrect server URL.
> >
> This is the error message I get on authentication (for
> 'test.simplehire.com'). I am not sure if I got the hostname setup
> information right, but here is what I have in my Shibboleth2.xml:
What, that message above? You need to compare what's being sent to the IdP
as the destination for the message to what URL it's being delivered to.
-- Scott
Almost forgot, here is the exact error in shibd.log:
2008-08-26 15:05:58 INFO Shibboleth.SessionCache [1]: new session
created: ID (_dd2f15fe9138060e76e0c153e4697de2) IdP
(https://idp.testshib.org/idp/shibboleth)
Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (192.168.1.164)
2008-08-26 15:06:39 ERROR OpenSAML.MessageDecoder.SAML2POST [1]: POST
targeted at (https://test.simplehire.com/Shibboleth.sso/SAML2/POST), but
delivered to
(https://sohailweb.peopleadmin.com/Shibboleth.sso/SAML2/POST)
FYI: The name of the machine itself is 'sohailweb.peopleadmin.com'.
> And those are actually the correct Site IDs, right?
Yes, these are the site IDs in IIS.
Not sure what exactly you mean by this:
> What, that message above? You need to compare what's being sent to the
> IdP as the destination for the message to what URL it's being delivered
> to.
Or more importantly, how do I verify?
Thanks,
Sohail
-----Original Message-----
From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Tuesday, August 26, 2008 4:23 PM
To: shibbole...@internet2.edu
Subject: RE: [Shib-Users] Protecting multiple resources with a single
Shibboleth2.xml
> All the ISAPI site elements are configured properly i.e. the ISAPI
> listener is setup for these two sites and in Shibboleth2.xml I have:
And those are actually the correct Site IDs, right? Yes
For that to happen, your web server has to be completely confused relative
to your client. The IdP has to be directing your form post to
https://test.simplehire.com/Shibboleth.sso/SAML2/POST but your client is
delivering it to a web site that thinks its name is something else.
Your IIS server is not configured correctly and/or doesn't match the SP's
configuration. Those site IDs are wrong, basically.
-- Scott
I verified the site IDs for each of my sites and they are pointing
correctly. Tweaking the <SessionInitiator> and
<md:AssertionConsumerService> configuration has improved my results; but I
am not quite there yet. So, here is the scenario:
My default <SessionInitiator> and <md:AssertionConsumerService> tags
look something like this:
<SessionInitiator type="SAML2" Location="/TestShib" defaultACSIndex="1"
id="TestShib" entityID="https://idp.testshib.org/idp/shibboleth"
template="bindingTemplate.html" />
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
<md:AssertionConsumerService Location="/SAML/POST" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />
And my Application Override <SessionInitiator> and
<md:AssertionConsumerService> tags look like this:
<SessionInitiator type="SAML2" Location="/TestShib" defaultACSIndex="2"
id="TestShib" entityID="https://idp.testshib.org/idp/shibboleth"
template="bindingTemplate.html" />
<md:AssertionConsumerService Location="/SAML2/POST"
index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
<md:AssertionConsumerService Location="/SAML/POST"
index="6" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />
Now when I try to authenticate the site that has the Application
Override:
https://test.simplehire.com/protect/index.html
The shibboleth Daemon kicks in and requires me to login, which is fine
and dandy. But, once I authenticate I am being redirected by the
Shibboleth Daemon to:
https://test.simplehire.com/Shibboleth.sso/SAML2/POST instead of
https://test.simplehire.com/protect/index.html where I would like to end
up.
Side question: What is the purpose of the "defaultACSIndex" in the
<SessionInitiator> tag and "index" in the <md:AssertionConsumerService>
tag?
Any help is greatly appreciated!
Thanks,
Sohail
-----Original Message-----
From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Tuesday, August 26, 2008 4:42 PM
To: shibbole...@internet2.edu
Subject: RE: [Shib-Users] Protecting multiple resources with a single
Shibboleth2.xml
That's your problem. DO NOT put all that stuff into your override. Your
override should look like this:
<ApplicationOverride id="whatever" entityID="overridden entityID"/>
That's it. Everything else should be inherited and should be the same as
with the default application, unless you have a specific need to change
something. Here you don't. If you're vhosting, all the paths are relative
and will have the right hostname inserted at runtime.
> Now when I try to authenticate the site that has the Application
> Override:
>
> https://test.simplehire.com/protect/index.html
>
> The shibboleth Daemon kicks in and requires me to login, which is fine
> and dandy. But, once I authenticate I am being redirected by the
> Shibboleth Daemon to:
>
> https://test.simplehire.com/Shibboleth.sso/SAML2/POST instead of
> https://test.simplehire.com/protect/index.html where I would like to end
> up.
I don't know what you mean by that. You have to go there first. You'll end
up at the original URL only if the assertion is successfully processed. If
not, it will fail with an error message and/or log entries.
> Side question: What is the purpose of the "defaultACSIndex" in the
> <SessionInitiator> tag and "index" in the <md:AssertionConsumerService>
> tag?
To tell it where to tell the IdP to send you back to with the assertion. The
request message contains an index or a URL to return you to at the SP.
It's required so that the SAML 1 requests route you back to the SAML 1
endpoint and the SAML 2 requests route you back to the SAML 2 endpoint.
-- Scott
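The three configuration checks Scott describes in this thread (overrides must be the last children of <ApplicationDefaults>, handler Locations must be relative paths, and every applicationId in the RequestMap needs a matching override), as an added Python pre-flight script that is not part of the thread or of the Shibboleth SP. The sample configuration is constructed from the snippets above and deliberately contains the ordering and absolute-Location mistakes; it is a complement to, not a replacement for, shibd -check.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the thread's mistakes (override first, absolute Location).
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sohailweb.peopleadmin.com"><Path name="secure" authType="shibboleth" requireSession="true"/></Host>
      <Host name="test.simplehire.com" applicationId="simplehire"><Path name="protect" authType="shibboleth" requireSession="true"/></Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" entityID="https://sohailweb.peopleadmin.com/shibboleth-sp">
    <ApplicationOverride id="simplehire" entityID="https://test.simplehire.com/shibboleth-sp"/>
    <Sessions handlerURL="/Shibboleth.sso">
      <SessionInitiator type="SAML2" Location="https://test.simplehire.com/TestShib" id="TestShib"/>
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

def local(tag):
    """Drop the namespace so element names read as they do in the shibd error text."""
    return tag.rsplit('}', 1)[-1]

def check_config(xml_text):
    """Return a list of problem strings; an empty list means all three checks passed."""
    root = ET.fromstring(xml_text)
    problems, override_ids = [], set()
    for el in root.iter():
        name = local(el.tag)
        if name == 'ApplicationDefaults':
            kids = [local(c.tag) for c in el]
            override_ids |= {c.get('id') for c in el if local(c.tag) == 'ApplicationOverride'}
            # Content model from shibd -check: overrides must follow every other child.
            if 'ApplicationOverride' in kids and any(
                    k != 'ApplicationOverride' for k in kids[kids.index('ApplicationOverride'):]):
                problems.append('ApplicationOverride must be the last child of ApplicationDefaults')
        elif name in ('SessionInitiator', 'AssertionConsumerService'):
            # Handler locations are appended to handlerURL at runtime, so they must be relative.
            loc = el.get('Location', '')
            if loc.startswith(('http://', 'https://')):
                problems.append('%s Location %r should be a relative path' % (name, loc))
    # Every applicationId named on a RequestMap Host needs a matching ApplicationOverride id.
    for host in root.iter():
        app = host.get('applicationId')
        if local(host.tag) == 'Host' and app and app not in override_ids:
            problems.append('Host %s references unknown applicationId %r' % (host.get('name'), app))
    return problems
```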
I have scaled down my <ApplicationOverride> section per your
instructions; but am still having the same problem. Here are some more
details about this:
I have two resources that I am trying to protect
https://sohailweb.peopleadmin.com/secure and
https://test.simplehire.com/protect.
I am successfully able to access the first site and the webserver logs
have the following:
2008-08-27 19:45:39 192.168.1.164 - 192.168.1.164 443 - - - 302 sohailweb.peopleadmin.com
2008-08-27 19:45:46 192.168.1.164 - 192.168.1.164 443 POST /Shibboleth.sso - 200 sohailweb.peopleadmin.com
2008-08-27 19:45:46 192.168.1.164 - 192.168.1.164 443 GET /secure/ - 302 sohailweb.peopleadmin.com
2008-08-27 19:45:46 192.168.1.164 - 192.168.1.164 443 GET /secure/index.html - 200 sohailweb.peopleadmin.com
But, when I try to access the overridden application
https://test.simplehire.com/protect, I get the following in the
webserver logs:
2008-08-27 22:57:38 192.168.1.164 - 192.168.1.164 80 - - - 302 test.simplehire.com
2008-08-27 22:57:44 192.168.1.164 - 192.168.1.164 443 POST /Shibboleth.sso/SAML2/POST - 405 test.simplehire.com
So, in the second case, instead of going only to /Shibboleth.sso it goes
to /Shibboleth.sso/SAML2/POST, which is coming from my default
<SessionInitiator> and <AssertionConsumerService>.
<SessionInitiator type="SAML2" Location="/TestShib" defaultACSIndex="1"
id="TestShib" entityID="https://idp.testshib.org/idp/shibboleth"
template="bindingTemplate.html" />
<!-- How and where the SP listens. -->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
Is there any way I can control where the Post is sent for the overridden
application?
Your help is greatly appreciated!
Thanks,
Sohail
-----Original Message-----
From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Wednesday, August 27, 2008 4:44 PM
To: shibbole...@internet2.edu
Subject: RE: [Shib-Users] Protecting multiple resources with a single
Shibboleth2.xml
That's a good observation. My guess is your second site isn't
processing the .sso extension mapping properly. What is it actually
returning from that 405 error?
Can you get a response from the SP from /Shibboleth.sso/Foo on that
vhost? It should return an error page from the SP.
> Is there any way I can control where the Post is sent for the
> overridden application?
You are, it's going to the right place.
You need to make sure IIS has the proper script mapping.
-- Scott
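The 405 on /Shibboleth.sso/SAML2/POST in the IIS log above, and Scott's point that IIS must have the .sso script mapping on that vhost, as an added Python triage over log lines (not part of the thread or of the Shibboleth SP). The sample lines are constructed from the ones quoted in the thread, and the W3C field layout (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host) is assumed from them.

```python
from collections import defaultdict

# Constructed sample modelled on the IIS log lines quoted in the thread.
LOG = """2008-08-27 19:45:39 192.168.1.164 - 192.168.1.164 443 - - - 302 sohailweb.peopleadmin.com
2008-08-27 19:45:46 192.168.1.164 - 192.168.1.164 443 POST /Shibboleth.sso - 200 sohailweb.peopleadmin.com
2008-08-27 19:45:46 192.168.1.164 - 192.168.1.164 443 GET /secure/index.html - 200 sohailweb.peopleadmin.com
2008-08-27 22:57:38 192.168.1.164 - 192.168.1.164 80 - - - 302 test.simplehire.com
2008-08-27 22:57:44 192.168.1.164 - 192.168.1.164 443 POST /Shibboleth.sso/SAML2/POST - 405 test.simplehire.com"""

HANDLER = '/Shibboleth.sso'  # handlerURL from the thread's configuration

def parse(line):
    """Split one W3C line into the fields we need; assumed 11-field layout, else None."""
    f = line.split()
    if len(f) != 11:
        return None
    return {'method': f[6], 'path': f[7], 'status': int(f[9]), 'host': f[10]}

def handler_health(log_text):
    """Per vhost: (count of handler requests below 400, list of failing handler requests)."""
    ok, bad = defaultdict(int), defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        p = rec['path']
        # Only the SP handler and its sub-paths (/SAML2/POST etc.) are of interest.
        if p == HANDLER or p.startswith(HANDLER + '/'):
            if rec['status'] < 400:
                ok[rec['host']] += 1
            else:
                bad[rec['host']].append((rec['method'], p, rec['status']))
    return {h: (ok[h], bad[h]) for h in set(ok) | set(bad)}

def suspect_hosts(log_text):
    """Vhosts where no handler request ever succeeded: check the IIS .sso script mapping there."""
    return sorted(h for h, (n_ok, fails) in handler_health(log_text).items() if n_ok == 0 and fails)
```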