[Shib-Users] Shibboleth SP 1.3 to Shibboleth SP 2.0 how to upgrade.


Richard Genthner

Dec 4, 2009, 10:35:19 AM
to shibboleth-users
We are in the process of upgrading from Shibboleth 1.3 to Shibboleth
2.0. We have it installed but are trying to figure out how we move the
configurations from Shib 1.3 to Shib 2.0. Since there isn't documentation
on this subject matter I was hoping that someone out there might have
gone through this process before and might want to share some information
on it. We automatically pull down InCommon metadata for 1.3, so I'm
hoping the process is going to be the same. Any help would be great.


--
Thanks,
Richard Genthner
Systems Administrator
Symplicity
tel. 703-351-0200x8051

Scott Cantor

Dec 4, 2009, 10:59:15 AM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-04:
> We are in the process of upgrading from Shibboleth 1.3 to Shibboleth
> 2.0. We have it installed but are trying to figure out how we move the
> configurations from Shib 1.3 to Shib 2.0. Since there isn't documentation
> on this subject matter I was hoping that someone out there might have
> gone through this process before and might want to share some information
> on it.

You may find some useful information in my local documentation:

https://webauth.service.ohio-state.edu/~shibboleth/upgrade.html

There isn't really that much to say about it, really, most of the settings transfer in pretty obvious ways except for more obscure things like cache policies.

> We automatically pull down InCommon metadata for 1.3, so I'm
> hoping the process is going to be the same. Any help would be great.

You don't have to do anything special to refresh the metadata, the software does it for you now. All of that is documented.

-- Scott


Richard Genthner

Dec 4, 2009, 11:25:26 AM
to shibbole...@internet2.edu
Scott,
What's the best way to convert our AAP.xml to the new layout? I was
looking at it and I'm not 100% sure I understand the
attribute-policy.xml role in this.

Scott Cantor

Dec 4, 2009, 11:32:22 AM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-04:
> What's the best way to convert our AAP.xml to the new layout? I was
> looking at it and I'm not 100% sure I understand the
> attribute-policy.xml role in this.

The AAP file did two separate, unrelated things, which are now managed by separate files. You have to start by knowing what you have and/or want to do, and then it's just a matter of doing it.

I advise people to avoid filtering. They don't usually seem to have any clear notion of what they're trying to accomplish, so it's best to do nothing. The default policy provides basic syntax and scoped attribute validation and passes everything else through, and that's sufficient for the majority of needs.

The mapping half of the process is much more straightforward and is thoroughly documented.

-- Scott


Richard Genthner

Dec 4, 2009, 11:41:02 AM
to shibbole...@internet2.edu
Scott,
What we are not sure of is how to convert entries like this:

<AttributeRule Name="urn:mace:dir:attribute-def:wustlEduId"
Header="WUSTL_EDUID" Alias="WUSTL_EDUID">
<AnySite>
<AnyValue/>
</AnySite>
</AttributeRule>

from our AAP.xml. From what I'm seeing, we would just have the
Rule; am I correct on this?

Peter Schober

Dec 4, 2009, 12:07:56 PM
to shibbole...@internet2.edu
* Richard Genthner <rgen...@symplicity.com> [2009-12-04 17:41]:

> <AttributeRule Name="urn:mace:dir:attribute-def:wustlEduId"
> Header="WUSTL_EDUID" Alias="WUSTL_EDUID">
> <AnySite>
> <AnyValue/>
> </AnySite>
> </AttributeRule>
>
> from our AAP.xml. From what I'm seeing, we would just have the
> Rule; am I correct on this?

Look at any entry in the attribute-map.xml and adjust to taste,
i.e. add a new line somewhere that's not inside an XML comment and
change the attribute and header name to match what you have above.
-peter
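The conversion Peter describes, as an added worked example (not code from the thread or from the Shibboleth project): a small script that reads 1.3-style `<AttributeRule>` elements out of an AAP.xml and emits the matching 2.x attribute-map.xml entries. It applies the mapping the thread gives (the 1.3 `Name` becomes the 2.x `name`, the 1.3 `Header` becomes the 2.x `id`) and falls back to `Alias` when a rule has no `Header`, since 2.x has only the one identifier. The sample AAP document is constructed, the 1.3 namespace declaration in it is an assumption about the old file format, and the function names are mine. It also refuses duplicate ids, because in 2.x the id is the only handle the application sees.

```python
import xml.etree.ElementTree as ET

# Constructed sample AAP.xml, modelled on the rule Richard posted. The namespace
# declaration is an assumption about the 1.3 file format; the parser ignores
# namespaces, so it also accepts a bare, undeclared file.
SAMPLE_AAP = """<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:target:config:1.0">
  <AttributeRule Name="urn:mace:dir:attribute-def:wustlEduId"
                 Header="WUSTL_EDUID" Alias="WUSTL_EDUID">
    <AnySite><AnyValue/></AnySite>
  </AttributeRule>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                 Header="REMOTE_USER" Alias="user">
    <AnySite><AnyValue/></AnySite>
  </AttributeRule>
  <!-- A rule with no Header: in 1.3 it existed only for access-control aliasing. -->
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" Alias="affiliation">
    <AnySite><AnyValue/></AnySite>
  </AttributeRule>
</AttributeAcceptancePolicy>"""

# Namespace of the 2.x attribute-map.xml document.
ATTRIBUTE_MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"


def _local(tag):
    """Strip an ElementTree {namespace} prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]


def convert_rules(aap_xml):
    """Return [(name, id), ...] for every AttributeRule in a 1.3 AAP document.

    Name -> 2.x 'name' (the formal SAML attribute name, usually a URI).
    Header -> 2.x 'id' (the header/environment variable name); Alias is used
    only when the rule had no Header, because 2.x no longer separates the two.
    The <AnySite>/<AnyValue> filtering half is deliberately ignored: it maps to
    the default attribute-policy.xml, which passes everything through.
    """
    root = ET.fromstring(aap_xml)
    pairs = []
    seen = set()
    for el in root.iter():
        if _local(el.tag) != "AttributeRule":
            continue
        name = el.get("Name")
        ident = el.get("Header") or el.get("Alias")
        if not name or not ident:
            raise ValueError("AttributeRule without Name or Header/Alias: %r" % el.attrib)
        # 2.x ids must be unique; a repeated id would silently shadow an earlier mapping.
        if ident in seen:
            raise ValueError("duplicate id %r would shadow an earlier mapping" % ident)
        seen.add(ident)
        pairs.append((name, ident))
    return pairs


def render_attribute_map(pairs):
    """Serialize (name, id) pairs as a 2.x attribute-map.xml document."""
    root = ET.Element("Attributes", {"xmlns": ATTRIBUTE_MAP_NS})
    for name, ident in pairs:
        ET.SubElement(root, "Attribute", {"name": name, "id": ident})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(render_attribute_map(convert_rules(SAMPLE_AAP)))
```

Run it against a real AAP.xml by reading the file into `convert_rules`; the output is a complete `<Attributes>` document that can replace, or be merged into, the shipped attribute-map.xml. Anything the old file expressed with site or value restrictions is not carried over, which is exactly the "do nothing and rely on the default policy" advice given earlier in the thread.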


Richard Genthner

Dec 4, 2009, 2:00:19 PM
to shibbole...@internet2.edu
What's the difference between the Alias in Shibboleth 1.3 and the ID in
Shibboleth 2? Are they the same thing?

Scott Cantor

Dec 4, 2009, 2:16:48 PM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-04:
> What's the difference between the Alias in Shibboleth 1.3 and the ID in
> Shibboleth 2? Are they the same thing?

The Alias feature is described here:
https://spaces.internet2.edu/display/SHIB/AttributeAcceptancePolicy

There is no separation anymore between the internal names that determine environment and header variables, and names used in access control rules, so the old feature doesn't apply.

-- Scott


Peter Schober

Dec 4, 2009, 2:18:04 PM
to shibbole...@internet2.edu
* Richard Genthner <rgen...@symplicity.com> [2009-12-04 20:01]:

> What's the difference between the Alias in Shibboleth 1.3 and the ID in
> Shibboleth 2? Are they the same thing?

Linked from
https://spaces.internet2.edu/display/SHIB2/NativeSPConfiguration
you'll find:
https://spaces.internet2.edu/display/SHIB2/NativeSPAddAttribute
"The name property in the rule corresponds to the formal SAML
name the IdP is using for the attribute, generally a URI. The id
property is the shorthand name to use, and determines the environment
variable or header by which the attribute will be made available to
the web application."

cheers,
-peter

Richard Genthner

Dec 4, 2009, 4:54:49 PM
to shibbole...@internet2.edu
Scott,
I'm not getting how to convert my shibboleth.xml to the new
shibboleth2.xml. The layout is totally different from this one; I have
shortened it up a bunch. I'm not sure how to translate this file to
shibboleth2.xml. Any help on this?

<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 /usr/local/share/xml/shibboleth/shibboleth-targetconfig-1.0.xsd"
logger="/etc/shibboleth/shibboleth.logger" clockSkew="180">

<Extensions>
<Library path="/usr/libexec/xmlproviders.so" fatal="true"/>
</Extensions>
<Global logger="/etc/shibboleth/shibd.logger">
<UnixListener address="/var/run/shib-shar.sock"/>
<MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"/>
</Global>

<Local logger="/etc/shibboleth/native.logger" localRelayState="true">
<RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
<RequestMap applicationId="default">
<Host name="shibboleth.symplicity.com" scheme="https" port="443" applicationId="psu">
<Path name="sso" authType="shibboleth" requireSession="true" exportAssertion="true"/>
</Host>
<Host name="shibboleth-umbc.symplicity.com" scheme="https" port="443" applicationId="umbc" />
<Host name="shibboleth-nw.symplicity.com" scheme="https" port="443" applicationId="northwestern" />
<Host name="shibboleth-nyu.symplicity.com" scheme="https" port="443" applicationId="nyu" />
<Host name="shibboleth-carleton.symplicity.com" scheme="https" port="443" applicationId="carleton" />
<Host name="shibboleth-richmond.symplicity.com" scheme="https" port="443" applicationId="richmond" />
<Host name="shibboleth-uchicago.symplicity.com" scheme="https" port="443" applicationId="uchicago" />
</RequestMap>
</RequestMapProvider>

</Local>

<Applications id="default" providerId="https://shibboleth.symplicity.com/sso"
homeURL="https://shibboleth.symplicity.com/index.html"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">


<Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">

<SessionInitiator isDefault="true" id="https://shibboleth.symplicity.com/sso"
Location="/WAYF/as1.fim.psu.edu"
Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
wayfURL="https://as1.fim.psu.edu/shibboleth-idp/SSO"
wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>

<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="2"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<md:SingleLogoutService Location="/Logout"
ResponseLocation="https://shibboleth.symplicity.com/sso/logout.php"
Binding="urn:mace:shibboleth:sp:1.3:Logout"/>

</Sessions>

<Errors session="/etc/shibboleth/sessionError.html"
metadata="/etc/shibboleth/metadataError.html"
rm="/etc/shibboleth/rmError.html"
access="/etc/shibboleth/accessError.html"
ssl="/etc/shibboleth/sslError.html"
supportContact="sh...@symplicity.com"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>

<!-- Indicates what credentials to use when communicating -->
<CredentialUse TLS="defcreds" Signing="defcreds">
</CredentialUse>

<!-- AAP can be inline or in a separate file -->
<AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="/etc/shibboleth/AAP.xml"/>

<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
uri="/etc/shibboleth/InCommon-metadata.xml"/>

<TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>

<saml:Audience>urn:mace:incommon</saml:Audience>
<Application id="psu" providerId="https://shibboleth.symplicity.com/sso"
homeURL="https://shibboleth.symplicity.com/index.html"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

<Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">

<SessionInitiator isDefault="true" id="https://shibboleth.symplicity.com/sso" Location="/WAYF/as1.fim.psu.edu"
Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
wayfURL="https://as1.fim.psu.edu/shibboleth-idp/SSO"
wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>

<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="2"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<md:SingleLogoutService Location="/Logout" ResponseLocation="https://shibboleth.symplicity.com/sso/logout.php" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>

</Sessions>
<!-- Use designators to request specific attributes or none to ask for all -->
<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:psCampusCode" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
</Application>

<Application id="umbc" providerId="https://shibboleth-umbc.symplicity.com/sso"
homeURL="https://shibboleth-umbc.symplicity.com/index.html"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

<Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">

<SessionInitiator isDefault="true" id="https://shibboleth-umbc.symplicity.com/sso"
Location="/WAYF/webauth.umbc.edu"
Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
wayfURL="https://webauth.umbc.edu:443/shibboleth-idp/SSO"
wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="2"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<md:SingleLogoutService Location="/Logout" ResponseLocation="https://shibboleth-umbc.symplicity.com/sso/logout.php" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
</Sessions>
<CredentialUse TLS="umbc" Signing="umbc"> </CredentialUse>
<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
</Application>
<Application id="northwestern" providerId="https://shibboleth-nw.symplicity.com/sso"
homeURL="https://shibboleth-nw.symplicity.com/index.html"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

<Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">

<SessionInitiator isDefault="true" id="https://shibboleth-nw.symplicity.com/sso" Location="fed.it.northwestern.edu"
Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
wayfURL="https://fed.it.northwestern.edu/shibboleth-idp/SSO"
wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>

<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="2"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<md:SingleLogoutService Location="/Logout" ResponseLocation="https://shibboleth-nw.symplicity.com/sso/logout.php" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
</Sessions>
<CredentialUse TLS="northwestern" Signing="northwestern">
</CredentialUse>
</Application>

<Application id="carleton" providerId="https://shibboleth-carleton.symplicity.com/sso/"
homeURL="https://shibboleth-carleton.symplicity.com/index.html"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true" handlerURL="/Shibboleth.sso"
handlerSSL="false" idpHistory="true" idpHistoryDays="7">

<SessionInitiator isDefault="true" id="https://shibboleth-carleton.symplicity.com/sso/" Location="login.carleton.edu"
Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
wayfURL="https://login.carleton.edu/idp/profile/Shibboleth/SSO"
wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="2"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<md:SingleLogoutService Location="/Logout" ResponseLocation="https://login.carleton.edu/idp/logout.jsp" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
</Sessions>
<CredentialUse TLS="carleton" Signing="carleton"></CredentialUse>
</Application>

<Application id="nyu" providerId="https://shibboleth-nyu.symplicity.com/sso"
homeURL="https://shibboleth-nyu.symplicity.com/index.html"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true" handlerURL="/Shibboleth.sso"
handlerSSL="false" idpHistory="true" idpHistoryDays="7">

<SessionInitiator isDefault="true" id="https://shibboleth-nyu.symplicity.com/sso" Location="shibboleth.nyu.edu"
Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
wayfURL="https://shibboleth.nyu.edu/idp/profile/Shibboleth/SSO"
wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>

<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="2"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<md:SingleLogoutService Location="/Logout" ResponseLocation="https://shibboleth-nyu.symplicity.com/sso/logout.php" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
</Sessions>
<CredentialUse TLS="nyu" Signing="nyu"></CredentialUse>
</Application>

</Applications>

<!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
<FileResolver Id="defcreds">
<Key>
<Path>/etc/shibboleth/certs/incommon.key</Path>
</Key>
<Certificate>
<Path>/etc/shibboleth/certs/sympincommon.cert</Path>
</Certificate>
</FileResolver>
<FileResolver Id="umbc">
<Key>
<Path>/etc/shibboleth/certs/incommon.key</Path>
</Key>
<Certificate>
<Path>/etc/shibboleth/certs/umbc.cert</Path>
</Certificate>
</FileResolver>
<FileResolver Id="northwestern">
<Key>
<Path>/etc/shibboleth/certs/incommon.key</Path>
</Key>
<Certificate>
<Path>/etc/shibboleth/certs/northwestern.cert</Path>
</Certificate>
</FileResolver>
</CredentialsProvider>

<AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>

</SPConfig>

Scott Cantor

Dec 4, 2009, 5:59:40 PM
to shibbole...@internet2.edu
> I'm not getting how to convert my shibboleth.xml to the new
> shibboleth2.xml. The layout is totally different.

No, it's almost exactly the same in most significant respects. The areas that differ that aren't just reordered or slightly renamed are typically low level settings that are the least changed or used.

The primary exception to that is where new features change the nature of the settings you use, which is most particularly true of the SessionInitiator feature.

> from this one, I have
> shortened it up a bunch. I'm not sure how to translate this file to
> shibboleth2.xml. Any help on this?

The most I'm prepared to do is provide a few bullet points about the old material where the translation isn't pretty obvious, and say that what you need to do is start with the 2.x defaults and apply the *changes* to those defaults that correspond to the old settings.

> <Extensions>
> <Library path="/usr/libexec/xmlproviders.so" fatal="true"/>
> </Extensions>

Irrelevant, that library no longer exists.

> <Global logger="/etc/shibboleth/shibd.logger">

Loosely maps to the OutOfProcess settings, mostly either obvious or too low level to worry about.

> <Local logger="/etc/shibboleth/native.logger" localRelayState="true">

Loosely maps to InProcess settings, mostly copyable in a straightforward way.

> <RequestMap applicationId="default">

Copyable totally or almost literally in most cases, by design.



> <SessionInitiator isDefault="true"
> id="https://shibboleth.symplicity.com/sso"
> Location="/WAYF/as1.fim.psu.edu"

Probably the only complex piece to translate and may not be needed now. A single global SessionInitiator inherited from the default application can point to any IdP by simply passing it an entityID parameter if you're using lazy session redirects, or (more likely) by adding an entityID property naming the IdP to use in the RequestMap under the appropriate content.

The key is that a hardwired initiator (avoiding discovery) needs an entityID property naming the IdP to use in the RequestMap or in the SessionInitiator element directly. By putting it in the map, you can reuse one common initiator and change the behavior dynamically from the content side.

In any case, you will never have references to IdP endpoints in your config any more, and those locations are replaced with the IdP's entityID instead. In general, the handler Location should be "/Login" in all cases to ensure consistency in building initiation URLs.

The examples in the file are designed to illustrate common use cases.

You should look at https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator carefully.

> <MetadataProvider
> type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
> uri="/etc/shibboleth/InCommon-metadata.xml"/>

The InCommon technical guide page has the exact configuration used for InCommon metadata loading.

https://spaces.internet2.edu/display/InCCollaborate/Technical+Guide


> <saml:Audience>urn:mace:incommon</saml:Audience>

Unneeded.

> <Application id="psu"
> providerId="https://shibboleth.symplicity.com/sso"
> homeURL="https://shibboleth.symplicity.com/index.html"
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

These just become ApplicationOverride tags, different name, same thing.

The hassle of redefining all those embedded Sessions and handler elements should be gone, that's why the main task is to redesign how the SessionInitiator setup works and utilize the new features there.

-- Scott
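The translation Scott describes above (IdP endpoint URLs out of the config, IdP entityIDs into the RequestMap), as an added worked example that is not code from the thread or from the Shibboleth project: the script reads the per-Application `wayfURL` values from a 1.3 shibboleth.xml, resolves each one to the entityID whose `SingleSignOnService` Location matches in the federation metadata, and emits 2.x `<Host>` entries that carry `entityID` as a content setting. The config and metadata excerpts are constructed (example.edu placeholders modelled on the posted file) and the function names are mine. An endpoint with no match in metadata is reported instead of guessed, because the SP will hand the login to whatever entityID ends up in that attribute.

```python
import xml.etree.ElementTree as ET

NS = {
    "oldconf": "urn:mace:shibboleth:target:config:1.0",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed 1.3 shibboleth.xml excerpt, modelled on the posted config with
# example.edu placeholders. Only the parts this script needs are kept.
OLD_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0">
  <Local>
    <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
      <RequestMap applicationId="default">
        <Host name="sp-a.example.edu" scheme="https" port="443" applicationId="a"/>
        <Host name="sp-b.example.edu" scheme="https" port="443" applicationId="b"/>
        <Host name="sp-c.example.edu" scheme="https" port="443" applicationId="c"/>
      </RequestMap>
    </RequestMapProvider>
  </Local>
  <Applications id="default" providerId="https://sp-a.example.edu/sso">
    <Application id="a" providerId="https://sp-a.example.edu/sso">
      <Sessions><SessionInitiator wayfURL="https://idp-a.example.edu/shibboleth-idp/SSO"/></Sessions>
    </Application>
    <Application id="b" providerId="https://sp-b.example.edu/sso">
      <Sessions><SessionInitiator wayfURL="https://idp-b.example.edu/idp/profile/Shibboleth/SSO"/></Sessions>
    </Application>
    <Application id="c" providerId="https://sp-c.example.edu/sso">
      <Sessions><SessionInitiator wayfURL="https://idp-gone.example.edu/idp/profile/Shibboleth/SSO"/></Sessions>
    </Application>
  </Applications>
</SPConfig>"""

# Constructed federation metadata excerpt; entityIDs are placeholders. Note that
# the third IdP referenced above is deliberately absent.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp-a.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp-a.example.edu/shibboleth-idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp-b.example.edu/idp/profile/Shibboleth/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def sso_endpoint_index(metadata_xml):
    """Map every IdP SingleSignOnService Location in the metadata to its entityID."""
    root = ET.fromstring(metadata_xml)
    index = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        for sso in ed.iter("{%s}SingleSignOnService" % NS["md"]):
            index[sso.get("Location")] = ed.get("entityID")
    return index


def hardwired_idps(old_config_xml):
    """Map applicationId -> wayfURL from each old per-Application SessionInitiator."""
    root = ET.fromstring(old_config_xml)
    result = {}
    for app in root.iter("{%s}Application" % NS["oldconf"]):
        init = app.find("oldconf:Sessions/oldconf:SessionInitiator", NS)
        if init is not None and init.get("wayfURL"):
            result[app.get("id")] = init.get("wayfURL")
    return result


def build_request_map(old_config_xml, metadata_xml):
    """Return (hosts, unresolved).

    hosts: [{"name": vhost, "entityID": idp}, ...] ready for a 2.x RequestMap.
    unresolved: [(vhost, old_wayf_url), ...] whose endpoint is not in metadata;
    these need a human to confirm the IdP rather than an invented entityID.
    """
    endpoints = sso_endpoint_index(metadata_xml)
    idps = hardwired_idps(old_config_xml)
    root = ET.fromstring(old_config_xml)
    hosts, unresolved = [], []
    for host in root.iter("{%s}Host" % NS["oldconf"]):
        url = idps.get(host.get("applicationId"))
        entity_id = endpoints.get(url)
        if entity_id is None:
            unresolved.append((host.get("name"), url))
            continue
        hosts.append({"name": host.get("name"), "entityID": entity_id})
    return hosts, unresolved


def render_request_map(hosts):
    """Serialize the 2.x <RequestMap> with entityID set per vhost as a content setting."""
    rm = ET.Element("RequestMap", {"applicationId": "default"})
    for h in hosts:
        ET.SubElement(rm, "Host", {"name": h["name"], "authType": "shibboleth",
                                   "requireSession": "true", "entityID": h["entityID"]})
    return ET.tostring(rm, encoding="unicode")


if __name__ == "__main__":
    hosts, unresolved = build_request_map(OLD_CONFIG, METADATA)
    print(render_request_map(hosts))
    for name, url in unresolved:
        print("UNRESOLVED: %s -> %s not found in metadata" % (name, url))
```

The emitted `<RequestMap>` goes inside the `<RequestMapper type="Native">` element of shibboleth2.xml; with `entityID` carried on each `<Host>`, one `<SessionInitiator Location="/Login">` inherited from ApplicationDefaults serves every vhost, which is the point Scott makes about not re-declaring Sessions and handlers per application.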


Peter Schober

Dec 4, 2009, 8:58:16 PM
to shibbole...@internet2.edu
* Scott Cantor <cant...@osu.edu> [2009-12-05 00:00]:

> > <Application id="psu"
> > providerId="https://shibboleth.symplicity.com/sso"
> > homeURL="https://shibboleth.symplicity.com/index.html"
> > xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> > xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
>
> These just become ApplicationOverride tags, different name, same
> thing.

From a quick glance it seemed to me all those Applications (and
contained Sessions and SessionInitiators) could be removed completely,
since they all have their own vhost anyway.
(Don't know about the use of application- or IdP-specific credentials
though, since the OP seems to be using different credentials for each
application for whatever reason?)

Richard: have a look at this page, maybe this will help clearing this up:
https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationModel

Instead of carrying over all the bits and pieces (which certainly is
possible) I'd rather do a clean reimplementation on another box.

Your config file (as sent to the list) is not well-formed, you're
missing the closing </Credentials> tag, xmlwf(1) will tell you the
exact location.
Anyway, posting a complete 200+ lines config file and expecting others
to convert it to transfer the relevant settings to another version for
you is /not/ how things work. Not on a community supported mailing list.

Note that there is an XSLT script (called 'upgrade.xsl') distributed
with the Shib 2.x SP that /will/ try a conversion from the old format
to the new (could be out of date, though, I never used it):

$ cd /etc/shibboleth
$ xsltproc upgrade.xsl shibboleth.xml > shibboleth2.xml

In case you don't have xsltproc (eponymous Debian package, on RHEL
it's libxslt) you can also use Saxon ('HE' is still open source and in
Java, so "runs anywhere"). Download, unzip, run on a machine with a
JRE (also from within /etc/shibboleth):

$ java -jar /path/to/saxon9he.jar -s:shibboleth.xml -xsl:upgrade.xsl -o:shibboleth2.xml

Both processors produce identical output from your config file, which,
as it stands, will not load with shibd (see
https://spaces.internet2.edu/display/SHIB2/NativeSPshibd how to check
that on your platform). But it might help get you started.
-peter

Scott Cantor

Dec 4, 2009, 10:15:58 PM
to shibbole...@internet2.edu
Peter Schober wrote on 2009-12-04:
> From a quick glance it seemed to me all those Applications (and
> contained Sessions and SessionInitiators) could be remove completely,
> since they all have their own vhost anyway.

Well, the main use seems to be to override the entityID, which I'm slightly
aware of from conversations regarding Symplicity on the InCommon TAC calls.
That's fine, though it creates more work to set up, but in general you want
to, if possible, limit what you need to something simple like:

<ApplicationOverride id="..." entityID="..."/>

Where possible everything else should default in and/or be set in the
RequestMap using content settings. Or in fact in the Apache vhost using
ShibRequestSetting, with no RequestMap at all. All of that is documented in
the NativeSPApacheConfig topic.

Things like the IdP entityID, custom error templates, etc. can all be
defined now without using an ApplicationOverride. If I know what's supposed
to be distinct in the vhosts, I can identify what actually requires an
override.

> (Don't know about the use of application- or IdP-specific credentials
> though, since the OP seems to be using different credentials for each
> application for whatever reason?)

I didn't catch that. That is indeed a bad idea and serves no good purpose,
but that would still have to go inside the Overrides using RelyingParty
elements (that's the equivalent of the old CredentialUse feature), and I
documented that in some detail this week in the MultipleCredentials topic.
But yes, this is a bad idea and is best avoided. It's one physical install,
just use one key.

> Note that there is an XSLT script (called 'upgrade.xsl') distributed
> with the Shib 2.x SP that /will/ try a conversion from the old format
> to the new (could be out of date, though, I never used it):

It is out of date, but anything it generates that's not broken would still
be compatible. It most certainly can't handle anything this complex though,
which is why I didn't mention it.

-- Scott


Peter Schober

Dec 5, 2009, 8:24:31 AM
to shibbole...@internet2.edu
* Scott Cantor <cant...@osu.edu> [2009-12-05 04:17]:

> > Note that there is an XSLT script (called 'upgrade.xsl')
> > distributed with the Shib 2.x SP that /will/ try a conversion from
> > the old format to the new (could be out of date, though, I never
> > used it):
>
> It is out of date, but anything it generates that's not broken would
> still be compatible. It most certainly can't handle anything this
> complex though, which is why I didn't mention it.

Actually didn't look too bad (not that I can make sense of why the v1
config file looks like it does), with this small patch to upgrade.xslt:

--- configs/upgrade.xsl (revision 3205)
+++ configs/upgrade.xsl (working copy)
@@ -223,8 +223,7 @@

<xsl:for-each select="oldconf:Application">
<xsl:text>&#10; </xsl:text>
- <ApplicationOverride>
- <xsl:apply-templates select="@*"/>
+ <ApplicationOverride id="{@id}" entityID="{@providerId}">
<xsl:apply-templates select="oldconf:Sessions"/>
<xsl:apply-templates select="oldconf:Errors"/>
<xsl:apply-templates select="oldconf:CredentialUse"/>
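Review bot: the replacement `<ApplicationOverride id="{@id}" entityID="{@providerId}">` also drops the `<xsl:apply-templates select="@*"/>` that carried over every other attribute of the old Application element, so `homeURL` (set on each Application in the posted config) silently disappears from the output, along with anything else the attribute templates handled. Keep the explicit id/entityID mapping but re-add the rest as the first child, e.g. `<xsl:apply-templates select="@*[local-name()!='id' and local-name()!='providerId']"/>`, and add a one-line comment that providerId is renamed to entityID in 2.x so the next reader knows why those two are special-cased.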

At least with that applied (and the referenced external credential and
metadata files in place) `shibd -t` only outputs the expected
deprecation WARNings for PolicyRules and defaultACSIndex (which of
course also could be fixed in the XSLT, but doesn't add anything
relevant to this thread).
-peter

Richard Genthner

Dec 5, 2009, 8:32:33 AM
to shibbole...@internet2.edu
Peter,
I wasn't hoping for people to do it for me but pick up pieces and
explain the difference like Scott did, but I'll try the xsltproc method
first. Thanks for the information.

Peter Schober

Dec 5, 2009, 8:40:55 AM
to shibbole...@internet2.edu
* Richard Genthner <rgen...@symplicity.com> [2009-12-05 14:33]:

> I wasn't hoping for people to do it for me but pick up pieces and
> explain the difference like scott did

Well, "here's some 233 lines of config, please explain any differences
to the new format" is still asking a bit much in my book.
But what do I know.

> but I'll try the xsltproc method first

Be sure to apply the patch to upgrade.xslt first (see my previous
mail) or alternatively s/providerId/entityID/ after the transformation
for the five ApplicationOverride elements.

Also note that I seem to have missed the redirect of STDOUT to a
file in my xsltproc command line example before (" > shibboleth2.xml").
-peter

Richard Genthner

Dec 5, 2009, 8:42:29 AM
to shibbole...@internet2.edu
Peter and Scott,
When I tried to use the upgrade.xsl with Peter's patch I get this:
[root@gp5a:/etc/shibboleth] xsltproc
upgrade.xsl /etc/shibboleth1.3/shibboleth.xml > shibboleth2-upgrade.xml
compilation error: file upgrade.xsl line 8 element stylesheet
xsl:version: only 1.0 features are supported

Peter Schober

Dec 5, 2009, 8:47:16 AM
to shibbole...@internet2.edu
* Richard Genthner <rgen...@symplicity.com> [2009-12-05 14:43]:

> When I tried to use the upgrade.xsl with Peter's patch I get this:
> [root@gp5a:/etc/shibboleth] xsltproc
> upgrade.xsl /etc/shibboleth1.3/shibboleth.xml > shibboleth2-upgrade.xml
> compilation error: file upgrade.xsl line 8 element stylesheet
> xsl:version: only 1.0 features are supported

Yes. And the file still has been created successfully. You did check
that, did you? At least it did so on my box.
If you're worried try Saxon, where I also gave a complete instruction,
-peter

Richard Genthner

Dec 5, 2009, 8:51:08 AM
to shibbole...@internet2.edu
Pete, works perfectly. Need to fire up the shibd daemon and test it out.
Thanks for the help everyone.

Richard Genthner

Dec 5, 2009, 8:53:48 AM
to shibbole...@internet2.edu
Pete,
Oops, something blew up:
[root@gp5a:/etc/shibboleth] shibd -t
2009-12-05 08:52:21 WARN Shibboleth.Config : detected legacy Policy
configuration, please convert to new PolicyRule syntax
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 ERROR OpenSAML.Metadata.Chaining : error building
MetadataProvider: Unable to access local file
(/etc/shibboleth/InCommon-metadata.xml)
2009-12-05 08:52:21 ERROR XMLTooling.ParserPool : fatal error on line
77, column 17, message: '--' sequence is illegal in comment
2009-12-05 08:52:21 ERROR Shibboleth.AttributeExtractor.XML : error
while loading configuration from (/etc/shibboleth/attribute-map.xml):
XML error(s) during parsing, check log for specifics
2009-12-05 08:52:21 CRIT Shibboleth.Application : error building
AttributeExtractor: XML error(s) during parsing, check log for specifics
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 ERROR OpenSSL : error code: 33558530 in bss_file.c,
line 352
2009-12-05 08:52:21 ERROR OpenSSL : error data:
fopen('/etc/shibboleth/certs/incommon.key','r')
2009-12-05 08:52:21 ERROR OpenSSL : error code: 537346050 in bss_file.c,
line 354
2009-12-05 08:52:21 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element: Unable
to load private key from file (/etc/shibboleth/certs/incommon.key).
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:52:21 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
overall configuration is loadable, check console for non-fatal problems

Richard Genthner

Dec 5, 2009, 8:57:52 AM
to shibbole...@internet2.edu
I got it down to these errors

[root@gp5a:/etc/shibboleth] shibd -t
2009-12-05 08:57:29 WARN Shibboleth.Config : detected legacy Policy
configuration, please convert to new PolicyRule syntax
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 ERROR XMLTooling.CredentialResolver.Chaining :
caught exception processing embedded CredentialResolver element:
FilesystemCredentialResolver given mismatched key/certificate, check for
consistency.
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
2009-12-05 08:57:29 WARN Shibboleth.PropertySet : deprecation -
remapping property (defaultACSIndex) to (acsIndex)
overall configuration is loadable, check console for non-fatal problems

Peter Schober

Dec 5, 2009, 9:07:13 AM
to shibbole...@internet2.edu
* Richard Genthner <rgen...@symplicity.com> [2009-12-05 14:59]:

> I got it down to these errors

It's only a single error:

> 2009-12-05 08:57:29 ERROR XMLTooling.CredentialResolver.Chaining :
> caught exception processing embedded CredentialResolver element:
> FilesystemCredentialResolver given mismatched key/certificate, check for
> consistency.

I guess that just means what it says?
I obviously can't check this for you, but it seems both the old and
the new config used the same private key for different certs and I
think that is what the new config is doing as well? Never used several
certs in an SP, so check the wiki docs Scott referred to earlier.

Also I'd pairwise check if `openssl s_server` can open those creds.
-peter

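Peter's pairwise check above, written out as an added shell example (not code from the thread or from the Shibboleth project): shibd's FilesystemCredentialResolver rejects a key and certificate whose public keys differ, which is what the "mismatched key/certificate" error reports, and the same comparison can be made with the openssl CLI before restarting the daemon. The script assumes the openssl CLI is installed; the file names and the self-signed demo credentials it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the Shibboleth project: verify that a
# PEM private key and a PEM certificate belong to the same key pair, the
# consistency shibd's FilesystemCredentialResolver insists on.
# The public key derived from the private key must equal the public key
# embedded in the certificate (both printed as SubjectPublicKeyInfo PEM).

# key_matches_cert KEYFILE CERTFILE
#   exit 0 -> the certificate carries the public half of KEYFILE
#   exit 1 -> both files parse but belong to different key pairs
#   exit 2 -> a file could not be read (missing, wrong format, or a
#             passphrase-protected key, which the SP cannot load either)
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Constructed test data: two throwaway self-signed key/cert pairs in a temp
# directory. Prints the directory; a.key pairs with a.crt, b.key with b.crt.
make_demo_creds() {
    dir=$(mktemp -d) || return 1
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$n" \
            -keyout "$dir/$n.key" -out "$dir/$n.crt" >/dev/null 2>&1 || return 1
    done
    echo "$dir"
}

# Command-line use (paths are placeholders):
#   sh check-creds.sh /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
if [ $# -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 carries the public key of $1" ;;
        1) echo "MISMATCH: $1 and $2 belong to different key pairs" >&2; exit 1 ;;
        *) echo "ERROR: could not read $1 or $2" >&2; exit 2 ;;
    esac
fi
```

Run it once per CredentialResolver in the configuration; an SP that references several key/certificate pairs has to pass the check for each pair individually, since the resolver loads them independently.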
Scott Cantor

Dec 5, 2009, 1:26:29 PM
to shibbole...@internet2.edu
Peter Schober wrote on 2009-12-05:
> Actually didn't look too bad (not that I can make sense of why the v1
> config file looks like it does), with this small patch to upgrade.xslt:

I patched that, but it still handles only a subset of the override options.
I would advise against relying on it as anything but a point of comparison.
It's practically guaranteed to be both more complex than a proper config
would be and not completely equivalent.



> At least with that applied (and the referenced external credential and
> metadata files in place) `shibd -t` only outputs the expected
> deprecation WARNings for PolicyRules and defaultACSIndex (which of
> course also could be fixed in the XSLT, but doesn't add anything
> relevant to this thread).

I fixed things up a little. It was actually worse than that, the acsIndex
for SAML 1.1 requests was off by one and would be broken.

-- Scott


Richard Genthner

Dec 8, 2009, 8:36:51 AM
to shibbole...@internet2.edu
When I try to load up one of the shibbs that we converted to shib2.0 I'm
getting this:

[Tue Dec 08 08:35:19 2009] [error] [client 10.120.101.153] Configured or
requested ACS has non-SAML 1.x binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST).

in my apache logs. I'm assuming there's something minor I need to tweak?

Scott Cantor

Dec 8, 2009, 9:58:35 AM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-08:
> in my apache logs. I'm assuming theres something minor I need to tweak?

You need to change the defaultACSIndex or acsIndex SessionInitiator property that's broken and pointing to the wrong endpoint.

You also need to take me seriously when I tell you that converting those files is not the right approach here other than as an example to look at. It won't work and it won't give you what you want. Your starting point is much too complex.

-- Scott

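An added shell diagnostic for the acsIndex problem Scott describes (not code from the thread or from the Shibboleth project): for every SessionInitiator in a shibboleth2.xml-style file that sets acsIndex, it looks up the AssertionConsumerService with that index and reports whether its Binding belongs to the initiator's protocol family (a Shib1 initiator needs a SAML 1.0 profile, a SAML2 initiator a SAML 2.0 binding). It assumes each element sits on a single line, as in the stock file, and uses awk text matching rather than an XML parser; the sample fragments it writes are constructed, with the bad one reproducing the Shib1-initiator-to-SAML2-endpoint combination the Apache log complains about.

```shell
#!/bin/sh
# Added example, not from the thread or the Shibboleth project: cross-check
# SessionInitiator acsIndex values against the AssertionConsumerService
# endpoints they select. shibd parses the XML properly; this is a quick
# grep-level check that assumes one element per line (stock file layout).

# check_acs_index FILE -> prints one line per initiator, exit 1 on any mismatch
check_acs_index() {
    awk '
    /<md:AssertionConsumerService/ {
        idx = ""; b = ""
        if (match($0, /index="[0-9]+"/)) idx = substr($0, RSTART + 7, RLENGTH - 8)
        if (match($0, /Binding="[^"]+"/)) b = substr($0, RSTART + 9, RLENGTH - 10)
        if (idx != "") binding[idx] = b
    }
    /<SessionInitiator/ && /acsIndex="/ {
        t = ""; idx = ""
        if (match($0, /type="[^"]+"/)) t = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /acsIndex="[0-9]+"/)) idx = substr($0, RSTART + 10, RLENGTH - 11)
        n++; init[n] = t; want[n] = idx
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            b = binding[want[i]]
            # Shib1 initiators must land on a SAML 1.0 profile endpoint,
            # SAML2 initiators on a SAML 2.0 binding endpoint.
            ok = (init[i] == "Shib1" && b ~ /SAML:1\.0/) || (init[i] == "SAML2" && b ~ /SAML:2\.0/)
            printf "%-5s acsIndex=%s -> %s : %s\n", init[i], want[i],
                   (b == "" ? "(no ACS with that index)" : b), (ok ? "OK" : "MISMATCH")
            if (!ok) bad = 1
        }
        exit bad
    }' "$1"
}

# write_sample FILE SHIB1_INDEX: constructed fragment with the stock endpoint
# layout. Index 5 is correct for the Shib1 initiator; index 1 reproduces the
# "Configured or requested ACS has non-SAML 1.x binding" error.
write_sample() {
    cat > "$1" <<EOF
<SessionInitiator type="Chaining" Location="/Login" isDefault="true">
  <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
  <SessionInitiator type="Shib1" acsIndex="$2"/>
</SessionInitiator>
<md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
EOF
}

# Command-line use (path is a placeholder): sh check-acs.sh /etc/shibboleth/shibboleth2.xml
[ $# -eq 1 ] && check_acs_index "$1"
```

Because the deprecated defaultACSIndex is remapped to acsIndex at load time, the same check applies to configurations that still carry the old property name.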

Richard Genthner

Dec 8, 2009, 10:07:18 AM
to shibbole...@internet2.edu
Scott,
I'm only using it as an example to attempt to get only one up and running
and then once I have it working I'll move the rest in.

Scott Cantor

Dec 8, 2009, 10:10:43 AM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-08:
> Scott,
> I'm only using it as a example to attempt to get only one up and running
> and then once I have it working I'll move the rest in.

That would be a reasonable approach, other than to note again that the result you'll get is *not* likely to be the right approach for 2.x. I outlined why I believe most/all of your complexity is no longer needed.

-- Scott


Richard Genthner

Dec 10, 2009, 3:56:22 PM
to shibbole...@internet2.edu
Scott,
I wrote the configuration from the given template and I get these:

[root@gp5a:/etc/shibboleth] shibd -t
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 61,
column 78, message: no declaration found for element 'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 61,
column 78, message: attribute 'name' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 61,
column 78, message: attribute 'id' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 64,
column 81, message: no declaration found for element 'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 64,
column 81, message: attribute 'name' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 64,
column 81, message: attribute 'id' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 78,
column 77, message: no declaration found for element 'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 78,
column 77, message: attribute 'name' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 78,
column 77, message: attribute 'id' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 155,
column 14, message: element 'Atrribute' is not allowed for content model
'((MetadataProvider,TrustEngine,AttributeFilter),Attribute)'
2009-12-10 15:52:21 ERROR Shibboleth.AttributeExtractor.XML : error
while loading configuration from (/etc/shibboleth/attribute-map.xml):
XML error(s) during parsing, check log for specifics
2009-12-10 15:52:21 CRIT Shibboleth.Application : error building
AttributeExtractor: XML error(s) during parsing, check log for specifics
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 61,
column 78, message: no declaration found for element 'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 61,
column 78, message: attribute 'name' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 61,
column 78, message: attribute 'id' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 64,
column 81, message: no declaration found for element 'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 64,
column 81, message: attribute 'name' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 64,
column 81, message: attribute 'id' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 78,
column 77, message: no declaration found for element 'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 78,
column 77, message: attribute 'name' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 78,
column 77, message: attribute 'id' is not declared for element
'Atrribute'
2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 155,
column 14, message: element 'Atrribute' is not allowed for content model
'((MetadataProvider,TrustEngine,AttributeFilter),Attribute)'
2009-12-10 15:52:21 ERROR Shibboleth.AttributeExtractor.XML : error
while loading configuration from (/etc/shibboleth/attribute-map.xml):
XML error(s) during parsing, check log for specifics
2009-12-10 15:52:21 CRIT Shibboleth.Application : error building
AttributeExtractor: XML error(s) during parsing, check log for specifics
overall configuration is loadable, check console for non-fatal problems


and here is the shibboleth.xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">

<!-- The OutOfProcess section contains properties affecting the
shibd daemon. -->
<OutOfProcess logger="shibd.logger">
<!--
<Extensions>
<Library path="odbc-store.so" fatal="true"/>
</Extensions>
-->
</OutOfProcess>

<!-- The InProcess section contains settings affecting web server
modules/filters. -->
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<!--
Maps IIS Instance ID values to the host scheme/name/port.
The name is
required so that the proper <Host> in the request map above
is found without
having to cover every possible DNS/IP combination the user
might enter.
-->
<Site id="1" name="shibboleth-upenn-csm.symplicity.com"/>
<!--
When the port and scheme are omitted, the HTTP request's
port and scheme are used.
If these are wrong because of virtualization, they can be
explicitly set here to
ensure proper redirect generation.
-->
<!--
<Site id="42" name="virtual.example.org" scheme="https"
port="443"/>
-->
</ISAPI>
</InProcess>

<!-- Only one listener can be defined, to connect in-process modules
to shibd. -->
<UnixListener address="shibd.sock"/>
<!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/>
-->

<!-- This set of components stores sessions and other persistent
data in daemon memory. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>

<!-- This set of components stores sessions and other persistent
data in an ODBC database. -->
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
<ConnectionString>

DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
<SessionCache type="StorageService" StorageService="db"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="db"/>
<ArtifactMap StorageService="db" artifactTTL="180"/>
-->

<!-- To customize behavior, map hostnames and path components to
applicationId and other settings. -->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<!--
The example requires a session for documents in /secure on the containing host with http and
https on the default ports. Note that the name and port in the <Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element below.
-->
<Host name="shibboleth-upenn-csm.symplicity.com">
<Path name="sso" authType="shibboleth" requireSession="true"/>
</Host>
<!-- Example of a second vhost mapped to a different
applicationId. -->
<!--
<Host name="admin.example.org" applicationId="admin"
authType="shibboleth" requireSession="true"/>
-->
</RequestMap>
</RequestMapper>

<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
Resource requests are mapped by the RequestMapper to an applicationId that
points into this section.
-->
<ApplicationDefaults id="default" policyId="default"
entityID="https://shibboleth.symplicity.com/sso"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false">

<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
The system can compute a relative value based on the virtual host. Using handlerSSL="true"
will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">

<!--
SessionInitiators handle session requests and relay them to a Discovery page,
or to an IdP if possible. Automatic session setup will use the default or first
element (or requireSessionWith can specify a specific id to use).
-->

<!-- Default example directs to a specific IdP's SSO service
(favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login"
isDefault="true" id="Intranet"
relayState="cookie"
entityID="https://idp.example.org/shibboleth">
<SessionInitiator type="SAML2" acsIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>

<!-- An example using an old-style WAYF, which means Shib 1
only unless an entityID is provided. -->
<SessionInitiator type="Chaining" Location="/WAYF" id="WAYF"
relayState="cookie">
<SessionInitiator type="SAML2" acsIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
<SessionInitiator type="WAYF" acsIndex="5"
URL="https://wayf.example.org/WAYF"/>
</SessionInitiator>

<!-- An example supporting the new-style of discovery
service. -->
<SessionInitiator type="Chaining" Location="/DS" id="DS"
relayState="cookie">
<SessionInitiator type="SAML2" acsIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
<SessionInitiator type="SAMLDS"
URL="https://ds.example.org/DS/WAYF"/>
</SessionInitiator>

<!--
md:AssertionConsumerService locations handle specific SSO protocol bindings,
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
are used when sessions are initiated to determine how to tell the IdP where and
how to return the response.
-->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<!-- LogoutInitiators enable SP-initiated local or
global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout"
relayState="cookie">
<LogoutInitiator type="SAML2"
template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>

<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

<!--
md:ArtifactResolutionService locations resolve artifacts issued when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
-->
<md:ArtifactResolutionService Location="/Artifact/SOAP"
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

<!-- Extension service that generates "approximate" metadata
based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>

<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>

<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session"
showAttributeValues="false"/>

</Sessions>

<!--
Allows overriding of error template filenames. You can also add attributes with values
that can be plugged into the templates.
-->
<Errors supportContact="sh...@symplicity.com"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>

<!-- Uncomment and modify to tweak settings for specific IdPs or
groups. -->
<!-- <RelyingParty Name="SpecialFederation"
keyName="SpecialKey"/> -->

<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<!-- Example of remotely supplied batch of signed metadata.
-->
<!--
<MetadataProvider type="XML"
uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml"
reloadInterval="7200">
<MetadataFilter type="RequireValidUntil"
maxValidityInterval="2419200"/>
<MetadataFilter type="Signature"
certificate="fedsigner.pem"/>
</MetadataProvider>
-->

<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
</MetadataProvider>

<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>

<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true"
path="attribute-map.xml"/>

<!-- Use a SAML query if no attributes are supplied during SSO.
-->
<AttributeResolver type="Query" subjectMatch="true"/>

<!-- Default filtering policy for recognized attributes, lets
other data pass. -->
<AttributeFilter type="XML" validate="true"
path="attribute-policy.xml"/>

<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File"
key="/etc/shibboleth/certs/incommon.key"
certificate="/etc/shibboleth/certs/sympincommon.cert"/>

<!-- Example of a second application (using a second vhost) that
has a different entityID. -->
<!-- <ApplicationOverride id="admin"
entityID="https://admin.example.org/shibboleth"/> -->
<ApplicationOverride id="upenn-csm"
entityID="https://shibboleth-upenn-csm.symplicity.com/sso/">
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">

<!--
SessionInitiators handle session requests and relay them to a Discovery page,
or to an IdP if possible. Automatic session setup will use the default or first
element (or requireSessionWith can specify a specific id to use).
-->

<!-- Default example directs to a specific IdP's SSO service
(favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login"
isDefault="true" id="Intranet"
relayState="cookie"
entityID="https://idp.example.org/shibboleth">
<SessionInitiator type="SAML2" acsIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>

<!-- An example using an old-style WAYF, which means Shib 1
only unless an entityID is provided. -->
<SessionInitiator type="Chaining" Location="/WAYF" id="WAYF"
relayState="cookie">
<SessionInitiator type="SAML2" acsIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
<SessionInitiator type="WAYF" acsIndex="5"
URL="https://wayf.example.org/WAYF"/>
</SessionInitiator>

<!-- An example supporting the new-style of discovery
service. -->
<SessionInitiator type="Chaining" Location="/DS" id="DS"
relayState="cookie">
<SessionInitiator type="SAML2" acsIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
<SessionInitiator type="SAMLDS"
URL="https://ds.example.org/DS/WAYF"/>
</SessionInitiator>

<!--
md:AssertionConsumerService locations handle specific SSO protocol bindings,
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
are used when sessions are initiated to determine how to tell the IdP where and
how to return the response.
-->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<!-- LogoutInitiators enable SP-initiated local or
global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout"
relayState="cookie">
<LogoutInitiator type="SAML2"
template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>

<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

<!--
md:ArtifactResolutionService locations resolve artifacts issued when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
-->
<md:ArtifactResolutionService Location="/Artifact/SOAP"
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

<!-- Extension service that generates "approximate" metadata
based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>

<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>

<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session"
showAttributeValues="false"/>

</Sessions>

<!--
Allows overriding of error template filenames. You can also add attributes with values
that can be plugged into the templates.
-->
<Errors supportContact="sh...@symplicity.com"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>

<MetadataProvider type="Chaining">
</MetadataProvider>

<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>

<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true"
path="attribute-map.xml"/>

<!-- Use a SAML query if no attributes are supplied during SSO.
-->
<AttributeResolver type="Query" subjectMatch="true"/>

<!-- Default filtering policy for recognized attributes, lets
other data pass. -->
<AttributeFilter type="XML" validate="true"
path="attribute-policy.xml"/>

<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File"
key="/etc/shibboleth/certs/incommon.key"
certificate="/etc/shibboleth/certs/upenn-csm.cert"/>
</ApplicationOverride>
</ApplicationDefaults>

<!-- Each policy defines a set of rules to use to secure messages.
-->
<SecurityPolicies>
<!--
The predefined policy enforces replay/freshness, standard
condition processing, and permits signing and client TLS.
-->
<Policy id="default" validate="false">
<PolicyRule type="MessageFlow" checkReplay="true"
expires="60"/>
<PolicyRule type="Conditions">
<PolicyRule type="Audience"/>
<!-- Enable Delegation rule to permit delegated access.
-->
<!-- <PolicyRule type="Delegation"/> -->
</PolicyRule>
<PolicyRule type="ClientCertAuth" errorFatal="true"/>
<PolicyRule type="XMLSigning" errorFatal="true"/>
<PolicyRule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>

</SPConfig>

it must be something minor I'm doing at this point.

Jim Fox
Dec 10, 2009, 4:06:53 PM
to shibbole...@internet2.edu

> I wrote the configuration from the given template and I get these
>
> [root@gp5a:/etc/shibboleth] shibd -t
> 2009-12-10 15:52:21 ERROR XMLTooling.ParserPool : error on line 61,
> column 78, message: no declaration found for element 'Atrribute'

Possibly 'Atrribute' is misspelled?

Jim

Richard Genthner
Dec 10, 2009, 4:18:24 PM
to shibbole...@internet2.edu
James,
Thanks, didn't realize that it parsed the attribute-map.xml.

Richard Genthner
Dec 11, 2009, 3:22:15 PM
to shibbole...@internet2.edu
what should I set this to

exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
exportACL="127.0.0.1"

--

Richard Genthner
Dec 11, 2009, 3:28:29 PM
to shibbole...@internet2.edu
This is the only error I have left to figure out

Unable to map request to ApplicationOverride settings, check
configuration.

Scott Cantor
Dec 11, 2009, 3:38:06 PM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-11:
> what should I set this to
>
> exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
> exportACL="127.0.0.1"

Read the documentation on the feature and then tell me what you don't understand.

-- Scott

Scott Cantor
Dec 11, 2009, 3:38:44 PM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-11:
> This is the only error I have left to figure out
>
> Unable to map request to ApplicationOverride settings, check
> configuration.

Your applicationId / id pairs don't match up.

-- Scott
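
As an added example (not code from this thread or from the Shibboleth project), here is a small Python lint that mechanises the two checks the replies above point at: Jim Fox's misspelled 'Atrribute' element in attribute-map.xml, which shibd rejects because the AttributeExtractor is configured with validate="true", and Scott's applicationId / id mismatch between the RequestMap and an ApplicationOverride. It also cross-checks the ids listed in REMOTE_USER against the map, since an id that nothing maps can never populate REMOTE_USER. The namespaces are the stock SP 2.x ones; the set of allowed attribute-map element names and the two sample files are assumptions constructed for this example, not the poster's real files.

```python
"""Lint for a Shibboleth SP 2.x configuration (added, hypothetical example; not a
Shibboleth tool). Assumes the stock 2.x namespaces and the element names the
attribute-map schema defines. Usage: lint_sp.py shibboleth2.xml attribute-map.xml
"""
import sys
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
MAP_ELEMENTS = {"Attributes", "Attribute", "AttributeDecoder"}  # assumed from the attribute-map schema


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def check_application_ids(sp_xml):
    """Every applicationId in the RequestMap must be the id of ApplicationDefaults
    or of an ApplicationOverride; an override nothing maps to is a likely typo."""
    root = ET.fromstring(sp_xml)
    defaults = root.find(_tag(SP_NS, "ApplicationDefaults"))
    default_id = defaults.get("id")
    defined = {default_id} | {o.get("id") for o in defaults.iter(_tag(SP_NS, "ApplicationOverride"))}
    # RequestMap, Host, HostRegex, Path, PathRegex and Query may all carry applicationId.
    mapper = root.find(_tag(SP_NS, "RequestMapper"))
    referenced = {el.get("applicationId") for el in mapper.iter() if el.get("applicationId")}
    problems = []
    for aid in sorted(referenced - defined):
        problems.append("applicationId %r matches no ApplicationDefaults/ApplicationOverride id" % aid)
    for oid in sorted(defined - referenced - {default_id}):
        problems.append("ApplicationOverride id %r is never referenced by the RequestMap" % oid)
    return problems


def check_attribute_map(map_xml):
    """Report element names the attribute-map schema does not define; with
    validate="true" on the AttributeExtractor, shibd refuses to load such a file."""
    problems = []
    for el in ET.fromstring(map_xml).iter():
        ns, _, local = el.tag.rpartition("}")
        if ns != "{" + MAP_NS:
            problems.append("element %r is not in the attribute-map namespace" % el.tag)
        elif local not in MAP_ELEMENTS:
            problems.append("element %r is not allowed by the attribute-map schema" % local)
    return problems


def check_remote_user(sp_xml, map_xml):
    """Each id listed in REMOTE_USER must be produced by attribute-map.xml;
    an id that nothing maps can never populate REMOTE_USER."""
    defaults = ET.fromstring(sp_xml).find(_tag(SP_NS, "ApplicationDefaults"))
    wanted = defaults.get("REMOTE_USER", "").split()
    mapped = {a.get("id") for a in ET.fromstring(map_xml).iter(_tag(MAP_NS, "Attribute"))}
    return ["REMOTE_USER id %r is not mapped by attribute-map.xml" % i for i in wanted if i not in mapped]


def lint(sp_xml, map_xml):
    return (check_application_ids(sp_xml) + check_attribute_map(map_xml)
            + check_remote_user(sp_xml, map_xml))


# Constructed samples reproducing the thread's two failures; not the poster's real files.
BROKEN_SP_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="shibboleth-upenn-csm.symplicity.com">
        <Path name="sso" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" entityID="https://shibboleth.symplicity.com/sso"
      REMOTE_USER="eppn persistent-id targeted-id">
    <ApplicationOverride id="upenn-csm"
        entityID="https://shibboleth-upenn-csm.symplicity.com/sso/"/>
  </ApplicationDefaults>
</SPConfig>
"""
# The same file with the Host bound to the override, which is the fix.
FIXED_SP_XML = BROKEN_SP_XML.replace(
    '<Host name="shibboleth-upenn-csm.symplicity.com">',
    '<Host name="shibboleth-upenn-csm.symplicity.com" applicationId="upenn-csm">')

BROKEN_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"/>
  <Atrribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id"/>
</Attributes>
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            findings = lint(f.read(), g.read())
    else:
        findings = lint(BROKEN_SP_XML, BROKEN_MAP_XML)
    for line in findings:
        print("- " + line)
    sys.exit(1 if findings else 0)
```

Run it with the two real file paths before `shibd -t`; with no arguments it lints the constructed samples and reports the unreferenced override, the misspelled element, and the two REMOTE_USER ids that the map never produces. It is a sanity check on top of the schema validation shibd already does, not a replacement for it.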


Richard Genthner
Dec 11, 2009, 4:11:57 PM
to shibbole...@internet2.edu
Scott, can you give an example of a configured application defaults
section? I think I have it but not certain.

Scott Cantor
Dec 11, 2009, 4:24:51 PM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-11:
> Scott, can you give an example of a configured application defaults
> section? I think I have it but not certain.

You already have one, it's sitting in etc/shibboleth/shibboleth2.xml.dist or on Windows in etc/shibboleth/dist/shibboleth2.xml

-- Scott


Richard Genthner
Dec 11, 2009, 4:33:03 PM
to shibbole...@internet2.edu
Ok, the error is now gone; now I'm getting just a white page, with no
redirection to the school's IdP.

Scott Cantor
Dec 11, 2009, 5:39:16 PM
to shibbole...@internet2.edu
Richard Genthner wrote on 2009-12-11:
> Ok the error is now gone, now I'm getting just a white page. With no
> redirection to the schools idp.

The SP doesn't produce such pages, but in general, you have logs, there are Troubleshooting topics in the wiki, and a page devoted to "failure to redirect" in that section. If you're not finding this stuff, please explain why so they can be linked or indexed better.

Secondly, I advise you to ensure that your initial testing contains overrides that are no more complex than this:

<ApplicationOverride id="..." entityID="..." homeURL="..."/>

The only thing offhand that should require more than that might be selecting particular credentials, but that's something that can wait, shouldn't really be done anyway, and should be a simple matter of adding a keyName property to that element.

If you have more than that, your approach is probably wrong, or you have a special requirement you would need to identify.

-- Scott

