[Shib-Users] Shibboleth 2 SP and ADFS


Shokes, Tom

Sep 30, 2009, 4:42:25 PM
to shibbole...@internet2.edu

I am having trouble getting a newly installed Shibboleth SP configured to work with ADFS. I have read all the documentation I could find but most of it is for Shibboleth 1.3. When I try to access the protected directory, tcpdump shows that no packets are sent from the SP to the ADFS server. I am not seeing any errors in the shibd.log but when I try to access a protected directory I see this error in the browser:

opensaml::RetryableProfileException at (https://shibtest.example.com/secure)

Unable to obtain session to export to request.

I have implemented the configuration suggestions at https://spaces.internet2.edu/display/SHIB2/NativeSPADFS and my SessionInitiator settings in shibboleth2.xml are:

<SessionInitiator type="ADFS" Location="/secure" isDefault="true" id="Intranet"
                  relayState="cookie" entityID="https://adfstest.example.com/adfs/">

Here is what I have for a metadata file and the logs show it is loading without errors:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://adfstest.example.com/adfs/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC3DCCAcSgAwIBAgIQapX5Y3ooyIxHWhGHv7is9jANBgkqhkiG9w0BAQUFADAq
MSgwJgYDVQQDEx9GZWRlcmF0aW9uIFNlcnZlciB2Y2Ftb3NzdGVzdDAyMB4XDTA5
MDkwMjE4MTUxNVoXDTEwMDkwMzAwMTUxNVowKjEoMCYGA1UEAxMfRmVkZXJhdGlv
biBTZXJ2ZXIgdmNhbW9zc3Rlc3QwMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAO85nwAe3Z042mL0pDSzqCX0yCy88i+FDtYOvqCh0XoQM7ebO/rONzfb
eDLf5X5NVQ0USAgaJP0hOrT2dRjtJnRogyMiaAIZ/5Nf6KKjCyY2Lnwtw6LI5+qg
7oUUl7OY4MOhrSCYZGXPBi3OniZ6NFvnOYSgkf4Mmx7d7NKBAextnQ3D3MWWSNlD
wdo12PBGcsfYM2M83UYFiV/1og3PsRwCOFS2lTdFUv1Tk1qOPyhmapOqUsbO48cQ
vUgzyKwdhARm3wWUAME5E9SfE/fAPu+JG384nxH3A6l19CgAC/+CeSMPvfranjsg
hB6dgqW6qcbw3B9/4XlUx2fyDyx8nZkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
vXsBMDvBhIsCMuvyHx4qiN7f+N46uiFFrg24+MD+hgFcxAQOMSshE3sAU+E7+wCY
p3W9wuxCSm9pSPuwZL0Vbk4DzQVyfwXhd5ZFDZdLkb6CISNhBvW9S2YalSNmOCOS
P9eyQfRDjr9EqcOlwSCJooJQ7wiyPBoPkQ7fdWA57y3ghfbMGlG3iFhT9dqSdgvq
hwskv7+G4+K6jLEgV71ACR9ofQXkcMDBNqkLndrmq/nK62+KJDLGY43g4U5riSVj
MGCcyh2hY7lwy/p9QS/iWCTnR9HI7yybulgWj6Xp6lmZJbnHLsjCz6pqQB94XERg
Ze2m+PIuS/BG37MParCSCw==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
        Location="https://adfstest.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <md:AssertionConsumerService Binding="http://schemas.xmlsoap.org/ws/2003/07/secext" Location="https://adfstest.example.com/adfs/ls/" index="10"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Can someone help me figure out what is wrong with my configuration?

Thanks,

Thomas Shokes
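An added example (not code from the thread or from the Shibboleth project): a Python checker that cross-checks an ADFS SessionInitiator against the IdP metadata for what the ADFS handler depends on, namely that the entityID resolves to an EntityDescriptor, that the IDPSSODescriptor advertises WS-Fed with an https SingleSignOnService, and that a signing certificate is present to verify the token ADFS posts back. The two XML inputs are constructed to mirror the posted snippet and metadata file, with a placeholder certificate; the SPSSODescriptor role in the posted file is not checked.

```python
"""Cross-check a Shibboleth SP ADFS SessionInitiator against ADFS IdP metadata.

Added example, not code from the thread or the Shibboleth project. The two XML
documents below are constructed to mirror the structure of the posted
shibboleth2.xml snippet and metadata file; the certificate text is a placeholder.
"""
import xml.etree.ElementTree as ET

WSFED_URI = "http://schemas.xmlsoap.org/ws/2003/07/secext"  # WS-Fed binding/protocol URI
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed: the SessionInitiator as it sits inside <Sessions> in shibboleth2.xml.
SHIBBOLETH2_SESSIONS = """<Sessions xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <SessionInitiator type="ADFS" Location="/secure" isDefault="true" id="Intranet"
                    relayState="cookie" entityID="https://adfstest.example.com/adfs/"/>
</Sessions>"""

# Constructed: IdP metadata for the ADFS server (placeholder certificate, not a real key).
ADFS_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://adfstest.example.com/adfs/">
  <md:IDPSSODescriptor protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2003/07/secext">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
                            Location="https://adfstest.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def adfs_initiators(sessions_xml):
    """Attribute dicts of every SessionInitiator type="ADFS" in the SP config."""
    root = ET.fromstring(sessions_xml)
    return [el.attrib for el in root.iter()
            if _local(el.tag) == "SessionInitiator" and el.get("type") == "ADFS"]


def wsfed_sso_location(metadata_xml, entity_id):
    """The WS-Fed SingleSignOnService Location the browser is redirected to, or None."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter():
        if _local(ed.tag) == "EntityDescriptor" and ed.get("entityID") == entity_id:
            for sso in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
                if sso.get("Binding") == WSFED_URI:
                    return sso.get("Location")
    return None


def check_adfs_pairing(metadata_xml, initiator):
    """Return a list of problems; an empty list means the SP can resolve and trust the IdP."""
    entity_id = initiator.get("entityID", "")
    root = ET.fromstring(metadata_xml)
    # 1. The ADFS handler looks the IdP up by the SessionInitiator's entityID.
    entity = next((ed for ed in root.iter()
                   if _local(ed.tag) == "EntityDescriptor" and ed.get("entityID") == entity_id),
                  None)
    if entity is None:
        return [f"no EntityDescriptor with entityID {entity_id!r} in metadata"]
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["EntityDescriptor has no IDPSSODescriptor role"]
    problems = []
    # 2. The role must advertise WS-Federation, or it is not usable by the ADFS initiator.
    if WSFED_URI not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IDPSSODescriptor does not list the WS-Fed protocol URI")
    # 3. The redirect target must exist and be https: the user authenticates there.
    location = wsfed_sso_location(metadata_xml, entity_id)
    if location is None:
        problems.append("no SingleSignOnService with the WS-Fed binding")
    elif not location.startswith("https://"):
        problems.append(f"WS-Fed SSO Location is not https: {location!r}")
    # 4. A signing certificate is needed to verify the token ADFS posts back; a
    #    KeyDescriptor with no 'use' attribute counts for signing as well.
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    if not certs:
        problems.append("no signing KeyDescriptor with an X509Certificate")
    return problems


if __name__ == "__main__":
    for init in adfs_initiators(SHIBBOLETH2_SESSIONS):
        issues = check_adfs_pairing(ADFS_METADATA, init)
        print(init["id"], "->", wsfed_sso_location(ADFS_METADATA, init["entityID"]))
        print("  OK" if not issues else "\n".join("  PROBLEM: " + p for p in issues))
```

Because the SP trusts whichever signing certificates the metadata lists, the metadata file itself is a trust anchor and should be protected and sourced with the same care as a CA bundle.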

 

Scott Cantor

Sep 30, 2009, 5:12:04 PM
to shibbole...@internet2.edu
> When I try to access the protected directory,
> tcpdump shows that no packets are sent from the SP to the ADFS server.

There is no communication under any circumstances between them, so that's
not relevant. That isn't how WS-Federation works.

> opensaml::RetryableProfileException at (https://shibtest.example.com/secure)
>
> Unable to obtain session to export to request.

Umm, that's what I call a "save my walrus" error. It never happens. That
message is for a code path that I would have said isn't even physically
possible. It would require a session being validated in one stage of
processing and then the session going missing literally in the milliseconds
between the calling of a couple of functions.

> Can some help me figure out what is wrong with my configuration?

Turn up the log I suppose, and also check for any signs of shibd crashing
and restarting or something like that.

I wouldn't hold my breath on it, you have something seriously wrong here
that I don't understand. More interesting for me, but doesn't help you any.

FWIW, it has nothing to do with ADFS that I can think of. If the logs show
it's getting the session created, that part is fine.

-- Scott


Vadnais, Kevin

Sep 30, 2009, 5:54:14 PM
to shibbole...@internet2.edu
Hi,

I apologize for the newbie question, but in trying to set up my IdP
service, I can't seem to get access to the login.jsp page. I can't seem
to find any documentation about its location or how to turn it on. For
now I just wanted to see the default login.jsp page. I can customize it
later once I validate against my local database and attach my Active
Directory server. Is there a particular wiki entry that talks about
setting up this page?

Thanks,

Kevin Vadnais
Systems Programmer
University of Lethbridge (IT Department)
403-332-4056

There are only 10 kinds of people in this world. Those that understand
binary and those that don't.

Shokes, Tom

Sep 30, 2009, 6:24:59 PM
to shibbole...@internet2.edu
Thanks for the reply. I really appreciate it. My brain must have left my
body with that tcpdump thing. Of course the client's browser is
redirected for the authentication. Unfortunately, that is not happening.

I think I already have about as much logging turned on as I can. Here is
my shibd.logger file.

# set overall behavior
log4j.rootCategory=DEBUG, shibd_log

# fairly verbose for DEBUG, so generally leave at INFO
log4j.category.XMLTooling.XMLObject=DEBUG
log4j.category.XMLTooling.KeyInfoResolver=DEBUG
log4j.category.Shibboleth.PropertySet=DEBUG

# raise for low-level tracing of SOAP client HTTP/SSL behavior
log4j.category.XMLTooling.libcurl=DEBUG

# useful categories to tune independently:
#
# tracing of SAML messages and security policies
log4j.category.OpenSAML.MessageDecoder=DEBUG
log4j.category.OpenSAML.MessageEncoder=DEBUG
log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
# interprocess message remoting
log4j.category.Shibboleth.Listener=DEBUG
# mapping of requests to applicationId
log4j.category.Shibboleth.RequestMapper=DEBUG
# high level session cache operations
log4j.category.Shibboleth.SessionCache=DEBUG
# persistent storage and caching
log4j.category.XMLTooling.StorageService=DEBUG

# the tran log blocks the "default" appender(s) at runtime
# Level should be left at INFO for this category
log4j.category.Shibboleth-TRANSACTION=DEBUG, tran_log
log4j.additivity.Shibboleth-TRANSACTION=false

# define the appenders

log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
log4j.appender.shibd_log.maxFileSize=1000000
log4j.appender.shibd_log.maxBackupIndex=10
#log4j.appender.shibd_log.layout=org.apache.log4j.BasicLayout
log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
log4j.appender.shibd_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n

log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
log4j.appender.tran_log.maxFileSize=1000000
log4j.appender.tran_log.maxBackupIndex=20
log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
log4j.appender.tran_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n


Here are the complete logs for a shibd startup. The last line here is
logged when I try to access the application.

2009-09-30 15:16:39 INFO Shibboleth.Config : Library versions: Xerces-C
3.0.1, XML-Security-C 1.5.1, XMLTooling-C 1.2.1, OpenSAML-C 2.2.1,
Shibboleth 1.2.1
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
clockSkew (180)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property logger
(syslog.logger)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property logger
(shibd.logger)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added nested property
set: {urn:mace:shibboleth:2.0:native:sp:config}OutOfProcess
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property logger
(native.logger)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
normalizeRequest (true)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
safeHeaderNames (true)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added nested property
set: {urn:mace:shibboleth:2.0:native:sp:config}ISAPI
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added nested property
set: {urn:mace:shibboleth:2.0:native:sp:config}InProcess
2009-09-30 15:16:39 INFO XMLTooling.XMLToolingConfig : loading
extension: adfs.so
2009-09-30 15:16:39 INFO XMLTooling.XMLToolingConfig : loaded extension:
/usr/lib/shibboleth/adfs.so
2009-09-30 15:16:39 DEBUG Shibboleth.Config : loaded out of process
extension library (adfs.so)
2009-09-30 15:16:39 INFO Shibboleth.Config : building ListenerService of
type UnixListener...
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (set::RelayState)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (get::RelayState)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (set::PostData)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (get::PostData)
2009-09-30 15:16:39 INFO Shibboleth.Config : building StorageService
(mem) of type Memory...
2009-09-30 15:16:39 INFO Shibboleth.Config : building ReplayCache on top
of StorageService (mem)...
2009-09-30 15:16:39 INFO Shibboleth.Config : building in-memory
ArtifactMap...
2009-09-30 15:16:39 INFO Shibboleth.Config : building SessionCache of
type StorageService...
2009-09-30 15:16:39 INFO Shibboleth.SessionCache : bound to
StorageService (mem)
2009-09-30 15:16:39 INFO Shibboleth.SessionCache : No StorageServiceLite
specified. Using standard StorageService.
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (find::StorageService::SessionCache)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (remove::StorageService::SessionCache)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (touch::StorageService::SessionCache)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property id
(default)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
validate (false)
2009-09-30 15:16:39 INFO OpenSAML.SecurityPolicyRule.Conditions :
building SecurityPolicyRule of type Audience
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
REMOTE_USER (eppn persistent-id targeted-id)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
encryption (false)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
entityID (https://shibtest.example.com/shibboleth)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property id
(default)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
policyId (default)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
signing (false)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
checkAddress (false)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
exportACL (127.0.0.1)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
exportLocation (http://localhost/Shibboleth.sso/GetAssertion)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
handlerSSL (false)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
handlerURL (/Shibboleth.sso)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
idpHistory (false)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
idpHistoryDays (7)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
lifetime (28800)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
timeout (3600)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added nested property
set: {urn:mace:shibboleth:2.0:native:sp:config}Sessions
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property access
(accessError.html)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
globalLogout (globalLogout.html)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
localLogout (localLogout.html)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
logoLocation (/shibboleth-sp/logo.jpg)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
metadata (metadataError.html)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
session (sessionError.html)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property ssl
(sslError.html)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
styleSheet (/shibboleth-sp/main.css)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
supportContact (root@localhost)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added nested property
set: {urn:mace:shibboleth:2.0:native:sp:config}Errors
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (http://localhost/Shibboleth.sso/GetAssertion)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
exportACL (127.0.0.1)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (run::AssertionLookup)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/secure)
2009-09-30 15:16:39 INFO XMLTooling.StorageService : cleanup thread
started...running every 900 seconds
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
entityID (https://adfstest.example.com/adfs/)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property id
(Intranet)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
isDefault (true)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
relayState (cookie)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property type
(ADFS)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/secure::run::ADFSSI)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SAML2/POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(1)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML2/POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SAML2/POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(2)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML2/POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SAML2/Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(3)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML2/Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:PAOS)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SAML2/ECP)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(4)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML2/ECP)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:1.0:profiles:browser-post)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SAML/POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(5)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML/POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:1.0:profiles:artifact-01)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SAML/Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(6)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML/Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (http://schemas.xmlsoap.org/ws/2003/07/secext)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/ADFS)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(10)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (http://schemas.xmlsoap.org/ws/2003/07/secext)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/ADFS)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(10)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/ADFS)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/ADFS::run::ADFSLO)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/Logout)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
relayState (cookie)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property type
(Chaining)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
template (bindingTemplate.html)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property type
(SAML2)
2009-09-30 15:16:39 DEBUG Shibboleth.LogoutInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.LogoutInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.LogoutInitiator.SAML2 : supporting
outgoing binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.LogoutInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Logout::run::SAML2LI)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property type
(ADFS)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Logout::run::ADFSLI)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property type
(Local)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Logout::run::LocalLI)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SLO/SOAP)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SLO/SOAP)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SLO/Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
{urn:mace:shibboleth:2.0:native:sp:config}template
(bindingTemplate.html)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SLO/Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SLO/POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
{urn:mace:shibboleth:2.0:native:sp:config}template
(bindingTemplate.html)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SLO/POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/SLO/Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
{urn:mace:shibboleth:2.0:native:sp:config}template
(bindingTemplate.html)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SLO/Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/NIM/SOAP)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/NIM/SOAP)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/NIM/Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
{urn:mace:shibboleth:2.0:native:sp:config}template
(bindingTemplate.html)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/NIM/Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/NIM/POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
{urn:mace:shibboleth:2.0:native:sp:config}template
(bindingTemplate.html)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/NIM/POST)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/NIM/Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
{urn:mace:shibboleth:2.0:native:sp:config}template
(bindingTemplate.html)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-09-30 15:16:39 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/NIM/Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Binding (urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/Artifact/SOAP)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property index
(1)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/Metadata)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
signing (false)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property type
(MetadataGenerator)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Metadata)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
Location (/Session)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property
showAttributeValues (false)
2009-09-30 15:16:39 DEBUG Shibboleth.PropertySet : added property type
(Session)
2009-09-30 15:16:39 INFO Shibboleth.Application : building
MetadataProvider of type Chaining...
2009-09-30 15:16:39 INFO OpenSAML.Metadata.Chaining : building
MetadataProvider of type XML
2009-09-30 15:16:39 DEBUG OpenSAML.MetadataProvider.XML : using local
resource (/etc/shibboleth/adfstest-metadata.xml), will monitor for
changes
2009-09-30 15:16:39 DEBUG OpenSAML.MetadataProvider.XML : loading
configuration from external resource...
2009-09-30 15:16:39 INFO OpenSAML.MetadataProvider.XML : loaded XML
resource (/etc/shibboleth/adfstest-metadata.xml)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: md:EntityDescriptor
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (md:EntityDescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling
attributes for DOM element (md:EntityDescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : found namespace
declaration, adding it to the list of namespaces on the XMLObject
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (md:EntityDescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (0)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: md:IDPSSODescriptor
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
element (md:IDPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (md:IDPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling
attributes for DOM element (md:IDPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (md:IDPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (0)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: md:KeyDescriptor
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
element (md:KeyDescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (md:KeyDescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling
attributes for DOM element (md:KeyDescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (md:KeyDescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (0)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: ds:KeyInfo
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
element (ds:KeyInfo)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (ds:KeyInfo)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling
attributes for DOM element (ds:KeyInfo)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : found namespace
declaration, adding it to the list of namespaces on the XMLObject
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (ds:KeyInfo)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (0)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: ds:X509Data
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
element (ds:X509Data)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (ds:X509Data)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (ds:X509Data)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (0)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: ds:X509Certificate
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
element (ds:X509Certificate)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (ds:X509Certificate)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (ds:X509Certificate)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (0)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (1)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (1)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (1)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (1)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: md:SingleSignOnService
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
element (md:SingleSignOnService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (md:SingleSignOnService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling
attributes for DOM element (md:SingleSignOnService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (md:SingleSignOnService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : element had no children
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (2)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (1)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: md:SPSSODescriptor
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
element (md:SPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (md:SPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling
attributes for DOM element (md:SPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (md:SPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (0)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject.Builder : located
XMLObjectBuilder for element name: md:AssertionConsumerService
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
element (md:AssertionConsumerService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling DOM
element (md:AssertionConsumerService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling
attributes for DOM element (md:AssertionConsumerService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing generic
attribute
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : unmarshalling child
nodes of DOM element (md:AssertionConsumerService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : element had no children
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (1)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : processing text content
at position (2)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for children with propagation set to true
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (md:IDPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for children with propagation set to true
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (md:KeyDescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for children with propagation set to true
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (ds:KeyInfo)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for children with propagation set to true
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (ds:X509Data)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for children with propagation set to true
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (ds:X509Certificate)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (md:SingleSignOnService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (md:SPSSODescriptor)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for children with propagation set to true
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (md:AssertionConsumerService)
2009-09-30 15:16:39 DEBUG XMLTooling.XMLObject : releasing cached DOM
representation for (md:EntityDescriptor)
2009-09-30 15:16:39 INFO Shibboleth.Application : building TrustEngine
of type Chaining...
2009-09-30 15:16:39 INFO XMLTooling.TrustEngine.Chaining : building
TrustEngine of type ExplicitKey
2009-09-30 15:16:39 INFO XMLTooling.TrustEngine.Chaining : building
TrustEngine of type PKIX
2009-09-30 15:16:39 INFO Shibboleth.Application : building
AttributeExtractor of type XML...
2009-09-30 15:16:39 DEBUG Shibboleth.AttributeExtractor.XML : using
local resource (/etc/shibboleth/attribute-map.xml), will monitor for
changes
2009-09-30 15:16:39 DEBUG Shibboleth.AttributeExtractor.XML : loading
configuration from external resource...
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : loaded XML
resource (/etc/shibboleth/attribute-map.xml)
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonPrincipalName
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.6
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute
urn:mace:dir:attribute-def:eduPersonScopedAffiliation
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.9
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonAffiliation
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.1
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonEntitlement
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.7
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.11
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonTargetedID
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.10
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute CommonName,
Format/Namespace:http://schemas.xmlsoap.org/claims
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute EmailAddress,
Format/Namespace:http://schemas.xmlsoap.org/claims
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute UPN,
Format/Namespace:http://schemas.xmlsoap.org/claims
2009-09-30 15:16:39 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute Group,
Format/Namespace:http://schemas.xmlsoap.org/claims
2009-09-30 15:16:39 INFO Shibboleth.Application : building
AttributeFilter of type XML...
2009-09-30 15:16:39 DEBUG Shibboleth.AttributeFilter : using local
resource (/etc/shibboleth/attribute-policy.xml), will monitor for
changes
2009-09-30 15:16:39 DEBUG Shibboleth.AttributeFilter : loading
configuration from external resource...
2009-09-30 15:16:39 INFO Shibboleth.AttributeFilter : loaded XML
resource (/etc/shibboleth/attribute-policy.xml)
2009-09-30 15:16:39 INFO Shibboleth.Application : building
AttributeResolver of type Query...
2009-09-30 15:16:39 INFO Shibboleth.Application : building
CredentialResolver of type File...
2009-09-30 15:16:39 INFO XMLTooling.SecurityHelper : loading private key
from file (/etc/shibboleth/sp-key.pem)
2009-09-30 15:16:39 DEBUG XMLTooling.SecurityHelper : key encoding
format for (/etc/shibboleth/sp-key.pem) dynamically resolved as (PEM)
2009-09-30 15:16:39 INFO XMLTooling.SecurityHelper : loading
certificate(s) from file (/etc/shibboleth/sp-cert.pem)
2009-09-30 15:16:39 INFO Shibboleth.Listener : registered remoted
message endpoint (default::getHeaders::Application)
2009-09-30 15:16:39 INFO Shibboleth.Listener : listener service starting
2009-09-30 15:16:53 DEBUG Shibboleth.Listener [1]: dispatching message
(default::getHeaders::Application)

Thanks,
Tom

Scott Cantor

Sep 30, 2009, 6:28:22 PM
to shibbole...@internet2.edu
Vadnais, Kevin wrote on 2009-09-30:
> I apologize for the newbie question, but in trying to set up my idp
> service, I can't seem to get access to the login.jsp page. I can't seem
> to find any documentation about its location or how to turn it on.

At first I thought you meant "where is it so I can modify it?", answer being
that's in the unpacked source and you just modify it in place and rerun the
install to get it into the warfile (and then eventually develop a more
reasonable way to overlay local mods on to the source).

But I think you mean "how do I trigger the IdP to display it?", in which
case the answer is you don't, not without an SP making a request. IdP
initiated isn't supported, please see the archives for dozens of threads on
that.

-- Scott


Scott Cantor

Sep 30, 2009, 6:47:14 PM
to shibbole...@internet2.edu
Shokes, Tom wrote on 2009-09-30:
> Thanks for the reply. I really appreciate it. My brain must have left my
> body with that tcpdump thing. Of course the client's browser is
> redirected for the authentication. Unfortunately, that is not happening.

I don't know what server this is, so that's one issue.

You need to check native.log as well.

Apart from that I have no idea what it's doing. My best guess would be a bug
in the ADFS plugin that causes different behavior than usual when no session
exists and there's something wrong when it tries to generate the redirect.

I would probably try a SAML example maybe with testshib and see if that's
different. It shouldn't be, so if it is, that's a sign of where the bug is.
But if it still fails, that just proves the whole thing is broken.

We know there's no session at all here, so the problem is that it's passing
control beyond the authentication hook. If requireSession isn't on, that
shouldn't happen, it should simply pass control back up to the web server.
If it's on, that should result in an AuthnRequest or an error from the
SessionInitiator.

In neither case can it do what you posted. If this is Apache, I'd actually
suspect something like a build issue with the wrong headers used. It's a
problem at that kind of level, let's put it that way. I seriously doubt
anything you do would fix it, so the testshib thing is really just a sanity
check to show that it's just broken.

-- Scott


Scott Cantor

Sep 30, 2009, 6:53:04 PM
to shibbole...@internet2.edu
I think I spotted the problem, if not the cause. It's not behaving as
intended if you use a single SessionInitiator alone. I think it's failing to
propagate an exception (which means it's not working, but you won't know why
until you get that error bubbled out) and falling through into code that
shouldn't be running.

Try wrapping your ADFS handler in a Chaining initiator per usual, even if
it's alone. I think that will fix it for now.

Please report the bug, if that proves to be correct.

-- Scott


Vadnais, Kevin

Sep 30, 2009, 7:34:06 PM
to shibbole...@internet2.edu
Scott,


Ahhh, that makes sense. I do know where to modify the file, but couldn't seem to get it to load. Thanks for the heads up.

Kevin

________________________________

From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Wed 9/30/2009 4:28 PM
To: shibbole...@internet2.edu


Shokes, Tom

Sep 30, 2009, 8:14:02 PM
to shibbole...@internet2.edu
Ok, for the record I am running the default Apache on Centos 5.3.
Shibboleth-2 and the associated packages were installed from RPMs.

I changed the SessionInitiator settings to the following:

<SessionInitiator type="Chaining" Location="/secure"
                  isDefault="true" id="Intranet"
                  relayState="cookie"
                  entityID="https://adfstest.example.com/adfs/">
  <SessionInitiator type="ADFS"/>
</SessionInitiator>

And now the browser error has changed to:

None of the configured SessionInitiators handled the request

I am not getting a native.log even though it is configured in the
native.logger file.

Is my next step to start over with testshib?

Thanks,
Tom

-----Original Message-----
From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Wednesday, September 30, 2009 3:53 PM
To: shibbole...@internet2.edu
Subject: RE: [Shib-Users] Shibboleth 2 SP and ADFS

Scott Cantor

Sep 30, 2009, 9:07:27 PM
to shibbole...@internet2.edu
I would note that there is no reason to use a Location of "/secure" for a
SessionInitiator. A single initiator should be left at /Login. This has
nothing to do with resource paths, and you should read the documentation on
handlers if that's not clear.

> And now the browser error has changed to:
>
> None of the configured SessionInitiators handled the request

That's what I'd expect, but in addition to it logging the actual error now,
I would have expected it to do so before as well.

> I am not getting a native.log even though it is configured in the
> native.logger file.

Permissions.

> Is my next step to start over with testshib?

No. You should have what you need to diagnose the issue in the log, a
metadata issue I'm sure. If not, something else is wrong.

-- Scott


Scott Cantor

Sep 30, 2009, 9:25:40 PM
to shibbole...@internet2.edu
Shokes, Tom wrote on 2009-09-30:
> I changed the SessionInitiator settings to the following:

I found it, a regression bug triggered by the configuration. Your native log
will be logging the errors that it's reporting, which you didn't enable and
look at.

The problem is that you aren't setting a defaultACSIndex property to the
correct ACS handler to use for the response. The ADFS doc page wasn't
changed to reflect something I changed and it won't work without that
property now. I can fix that for the next update, but it's best to just set
it anyway.

You can pull the chain back out, that wasn't the problem after all. You're
just missing that property, that should get it at least moving in the right
direction. Whatever index you put into the ADFS ACS handler is what you put
into the defaultACSIndex property in the initiator.

Bug here:
https://bugs.internet2.edu/jira/browse/SSPCPP-244

ADFS doc page is corrected to account for it.

Thanks for your patience,
-- Scott

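The fix Scott describes above (the ADFS SessionInitiator must carry a defaultACSIndex that names the ADFS AssertionConsumerService handler) is easy to get wrong silently, since the SP only reports it in native.log. The following is an added example, not code from the Shibboleth project or this thread: a small checker that parses a shibboleth2.xml-style fragment and flags an ADFS initiator with no defaultACSIndex, with an index that matches no handler, or with an index that points at a handler whose Binding is not the ADFS one. The config namespace, the md: prefix on the handlers, and the index value 5 are assumptions based on the SP 2.x layout; the sample configs are constructed here, modelled on the poster's initiator and the Chaining variant he tried.

```python
"""Check the ADFS SessionInitiator / AssertionConsumerService wiring in shibboleth2.xml.

Added example, not code from the Shibboleth project. It encodes the fix from
this thread: an ADFS initiator needs a defaultACSIndex that points at the
AssertionConsumerService carrying the ADFS (WS-Fed) binding. Assumptions:
the SP 2.x config namespace below, the md: prefix for ACS handlers, and
index 5 for the ADFS handler (any index works as long as both sides agree).
"""
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"      # shibboleth2.xml default namespace (assumed)
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"          # md: prefix on ACS handlers
ADFS_BINDING = "http://schemas.xmlsoap.org/ws/2003/07/secext"  # binding listed in the ADFS metadata


def sp_config(initiator_xml):
    """Wrap a SessionInitiator fragment in a minimal <Sessions> block (constructed test config)."""
    return """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <ApplicationDefaults id="default" entityID="urn:federation:shibtest.example.com">
    <Sessions handlerURL="/Shibboleth.sso">
      %s
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:AssertionConsumerService Location="/ADFS" index="5"
          Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>""" % initiator_xml


ADFS_INIT = ('<SessionInitiator type="ADFS" Location="/Login" isDefault="true" id="Intranet" '
             'relayState="cookie" entityID="https://adfstest.example.com/adfs/"%s/>')

BROKEN_CONFIG = sp_config(ADFS_INIT % "")                           # poster's first attempt
FIXED_CONFIG = sp_config(ADFS_INIT % ' defaultACSIndex="5"')        # the fix from the thread
WRONG_INDEX_CONFIG = sp_config(ADFS_INIT % ' defaultACSIndex="1"')  # points at the SAML2 handler
CHAINED_CONFIG = sp_config(                                          # Chaining wrapper, property inherited
    '<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" '
    'entityID="https://adfstest.example.com/adfs/" defaultACSIndex="5">'
    '<SessionInitiator type="ADFS"/></SessionInitiator>')


def _effective(elem, attr, parent_map):
    """Resolve an attribute on the element or, for chained initiators, on an enclosing one."""
    while elem is not None:
        value = elem.get(attr)
        if value is not None:
            return value
        elem = parent_map.get(elem)
    return None


def check_adfs_initiators(config_xml):
    """Return a list of problems (empty when every ADFS initiator is wired to an ADFS ACS)."""
    root = ET.fromstring(config_xml)
    parent_map = {child: parent for parent in root.iter() for child in parent}
    acs_binding = {acs.get("index"): acs.get("Binding")
                   for acs in root.iter("{%s}AssertionConsumerService" % MD_NS)}
    problems = []
    for init in root.iter("{%s}SessionInitiator" % SP_NS):
        if init.get("type") != "ADFS":
            continue
        label = _effective(init, "id", parent_map) or "<unnamed>"
        index = _effective(init, "defaultACSIndex", parent_map)
        if index is None:
            problems.append("SessionInitiator %s: missing defaultACSIndex" % label)
        elif index not in acs_binding:
            problems.append("SessionInitiator %s: defaultACSIndex=%s matches no AssertionConsumerService"
                            % (label, index))
        elif acs_binding[index] != ADFS_BINDING:
            problems.append("SessionInitiator %s: ACS index %s has Binding %s, not the ADFS binding"
                            % (label, index, acs_binding[index]))
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("wrong index", WRONG_INDEX_CONFIG),
                      ("fixed", FIXED_CONFIG), ("chained", CHAINED_CONFIG)):
        print(name, "->", check_adfs_initiators(cfg) or "ok")
```

Run it against a real shibboleth2.xml by passing the file contents to check_adfs_initiators; the "wrong index" case is the one worth keeping in mind, since a SessionInitiator that names the SAML2 handler's index is syntactically valid but sends the WS-Fed response to a handler that cannot consume it.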

Shokes, Tom

Oct 1, 2009, 4:21:03 PM
to cant...@osu.edu, shibbole...@internet2.edu
Thanks Scott! Setting the defaultACSIndex property in the
SessionInitiator got things working so that I am getting authenticated
by the ADFS server and presenting my claims back to the SP. I am stuck
on one more error. I am now getting this AudienceRestriction error:

2009-10-01 13:02:16 ERROR OpenSAML.SecurityPolicyRule.AudienceRestriction [2]: unacceptable AudienceRestrictionCondition in assertion (<saml:AudienceRestrictionCondition xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Audience>urn:federation:shibtest.example.com</saml:Audience></saml:AudienceRestrictionCondition>)


I have read https://spaces.internet2.edu/display/SHIB/AssertionConditionInvalid and
https://spaces.internet2.edu/display/SHIB2/NativeSPPolicyRule#NativeSPPolicyRule-AudienceRule(Version2.2andAbove). I tried changing my
ApplicationDefaults entityID to something completely different on the SP
and set the corresponding setting on the ADFS server. That changed the
<saml:Audience> value in the error but didn't make it go away. I then
tried adding the <saml:Audience> element to the Audience Rule and that
didn't fix it either.

My current ApplicationDefaults are:

<ApplicationDefaults id="default" policyId="default"
                     entityID="urn:federation:shibtest.example.com"
                     REMOTE_USER="eppn persistent-id targeted-id"
                     signing="false" encryption="false">


My Policy settings are:

<Policy id="default" validate="false">
  <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
  <PolicyRule type="Conditions">
    <PolicyRule type="Audience"/>
    <saml:Audience>urn:federation:shibtest.example.com</saml:Audience>
  </PolicyRule>
  <PolicyRule type="ClientCertAuth" errorFatal="true"/>
  <PolicyRule type="XMLSigning" errorFatal="true"/>
  <PolicyRule type="SimpleSigning" errorFatal="true"/>
</Policy>

I don't see a mismatch and can't figure out why I am getting this error.

Tom

Scott Cantor

Oct 1, 2009, 4:38:32 PM
to shibbole...@internet2.edu
Shokes, Tom wrote on 2009-10-01:
> Thanks Scott! Setting the defaultACSIndex property in the
> SessionInitiator got things working so that I am getting authenticated
> by the ADFS server and presenting my claims back to the SP. I am stuck
> on one more error. I am now getting this AudienceRestriction error:

Well, the audience code seems to be a bit screwed up in the plugin, and I
need to get it corrected, but I don't see any reason why it wouldn't be
accepting the token as long as the Audience in it matches the entityID.
That's always been the primary assumption and the rest of the support for
custom audiences really doesn't apply to this anyway.

You definitely don't need to mess with the policy at all (and the bug I see
now would prevent it from affecting things properly in the audience check
anyway).

If your entityID matches what's in the audience condition and it's still not
working, all I can say is you'll need to file a bug and attach the data in
the form (do NOT attach XML, that will just corrupt the signature) and the
metadata you're using and I can try and reproduce the problem when I have
time.

-- Scott
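Scott's last reply states the rule the audience check is supposed to apply: the token is acceptable as long as the Audience in it matches the SP's entityID, with the policy's extra <saml:Audience> values as an optional widening. The following is an added example, not the ADFS plugin's code or anything from this thread: it parses a SAML 1.1 AudienceRestrictionCondition of the kind shown in Tom's error and applies that rule, so the outcome can be reproduced outside the SP when the plugin's own result looks wrong. The sample assertions are constructed here around the exact condition from the log (AssertionID, Issuer and timestamps are made up); signature validation is a separate rule and is deliberately not part of this check.

```python
"""SAML 1.x AudienceRestrictionCondition check of the kind the SP's Audience rule performs.

Added example, not the Shibboleth ADFS plugin's own code. The rule it encodes
matches Scott's description: the token is acceptable when the audience in it
matches the SP's entityID (plus any extra <saml:Audience> values configured in
the policy). Every AudienceRestrictionCondition present must name at least one
acceptable audience; an assertion with no such condition has nothing to enforce.
Signature checking is a separate rule (XMLSigning) and is not done here.
"""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # namespace from the error in the thread

# Constructed SAML 1.1 assertion carrying the exact condition from the poster's log.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="https://adfstest.example.com/adfs/" IssueInstant="2009-10-01T20:02:16Z">
  <saml:Conditions NotBefore="2009-10-01T20:01:16Z" NotOnOrAfter="2009-10-01T21:02:16Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:shibtest.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>
"""

# Constructed assertion with no audience restriction at all.
UNRESTRICTED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example-2"
    Issuer="https://adfstest.example.com/adfs/" IssueInstant="2009-10-01T20:02:16Z">
  <saml:Conditions NotBefore="2009-10-01T20:01:16Z" NotOnOrAfter="2009-10-01T21:02:16Z"/>
</saml:Assertion>
"""


def check_audience(assertion_xml, entity_id, extra_audiences=()):
    """Return (accepted, reason) for the assertion against this SP's acceptable audiences."""
    allowed = {entity_id, *extra_audiences}
    root = ET.fromstring(assertion_xml)
    conditions = list(root.iter("{%s}AudienceRestrictionCondition" % SAML1_NS))
    if not conditions:
        return True, "no AudienceRestrictionCondition present"
    for cond in conditions:
        audiences = [(a.text or "").strip() for a in cond.findall("{%s}Audience" % SAML1_NS)]
        # Each condition must be satisfied on its own; one acceptable Audience inside it is enough.
        if not any(a in allowed for a in audiences):
            return False, "unacceptable AudienceRestrictionCondition: %s" % ", ".join(audiences)
    return True, "%d AudienceRestrictionCondition(s) satisfied" % len(conditions)


if __name__ == "__main__":
    print(check_audience(ASSERTION, "urn:federation:shibtest.example.com"))
    print(check_audience(ASSERTION, "https://shibtest.example.com/shibboleth"))
    print(check_audience(ASSERTION, "https://shibtest.example.com/shibboleth",
                         extra_audiences=["urn:federation:shibtest.example.com"]))
    print(check_audience(UNRESTRICTED, "https://shibtest.example.com/shibboleth"))
```

The second call shows the mismatch case that normally produces the error in Tom's log; the first shows the configuration the thread arrives at, where the SP entityID equals the audience ADFS puts in the token, so no policy change is needed.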

