shibboleth IdP configuration
02-12-2018, 09:49 PM (This post was last modified: 02-12-2018 09:53 PM by qiracle.)
Post: #1
shibboleth IdP configuration
After installing Shibboleth IdP, we now need to configure the IdP to connect to the SP through authentication. In this thread, I will introduce LDAP authentication for the password authentication flow.

1. Configure the LDAP properties in /opt/shibboleth-idp/conf/ldap.properties. For the LDAP installation, see here.

Code:
# Comments must start a line: in a Java properties file, text after the value is part of the value.
# your ldap url
idp.authn.LDAP.ldapURL                          = ldap://linux02.shufangkeji.com:389
# true for TLS encryption. It's necessary in future. Now just test.
idp.authn.LDAP.useStartTLS                      = false
# the value depends on your ldap configuration
idp.authn.LDAP.baseDN                           = ou=people,dc=linux02.shufangkeji,dc=com
# ldap password
idp.authn.LDAP.bindDNCredential                 = 8ik,9ol
# the value depends on your ldap configuration
idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=linux02.shufangkeji,dc=com

2. The Password flow must be listed earlier in the shibboleth.AvailableAuthenticationFlows bean in authn/general-authn.xml than the extended flows (or at least, you must be cognizant that any flows listed earlier may be run earlier).

Code:
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true" />


3. Configure /opt/shibboleth-idp/conf/idp.properties
Code:
idp.entityID= https://linux02.shufangkeji.com/idp/shibboleth
idp.scope= shufangkeji.com
idp.views = %{idp.home}/views
# your password (a comment must be on its own line, otherwise it becomes part of the value)
idp.sealer.storePassword= 8ik,9ol
idp.sealer.keyPassword= 8ik,9ol

4. Release some attributes to an SP in /opt/shibboleth-idp/conf/attribute-filter.xml
Code:
<!-- Release some attributes to an SP. -->
    <AttributeFilterPolicy id="example1">
      <PolicyRequirementRule xsi:type="Requester" value="https://linux01.shufangkeji.com/shibboleth" />
      <!-- AttributeRule elements for the attributes to release go here. -->
    </AttributeFilterPolicy>
Here value="https://linux01.shufangkeji.com/shibboleth" is your SP entityID URL.

5. Metadata provider in /opt/shibboleth-idp/conf/metadata-providers.xml. Here we use local metadata to test.
Code:
<MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
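Added example (not from the post or the Shibboleth project) for the caveat behind steps 1 and 3: a Java .properties file treats `#` and `!` as comment markers only at the start of a line, so a trailing `#ldap password` becomes part of the bindDNCredential value. The reader below follows the key/value rules of java.util.Properties (escape sequences and line continuations are left out) and is run on two constructed versions of the ldap.properties lines, one with inline comments and one with comments on their own lines:

```python
"""Minimal reader for Java .properties files, following the rules
java.util.Properties applies: '#' and '!' start a comment only at the
beginning of a line; anything after the separator, including a trailing
'# ...', is part of the value.  Added example for this thread, not part of
the Shibboleth distribution; escapes and line continuations are ignored."""
import re

# Constructed sample: ldap.properties written with trailing inline comments,
# as in step 1 of the first post (values are the post's own placeholders).
INLINE_COMMENTED = """\
idp.authn.LDAP.ldapURL        = ldap://linux02.shufangkeji.com:389 #your ldap url
idp.authn.LDAP.useStartTLS    = false #true for TLS encryption
idp.authn.LDAP.bindDNCredential = 8ik,9ol #ldap password
"""

# Constructed sample: the same settings with comments on their own lines,
# which is what the properties format actually supports.
OWN_LINE_COMMENTED = """\
# your ldap url
idp.authn.LDAP.ldapURL        = ldap://linux02.shufangkeji.com:389
# true for TLS encryption
idp.authn.LDAP.useStartTLS    = false
# ldap password
idp.authn.LDAP.bindDNCredential = 8ik,9ol
"""

# The key ends at the first unescaped '=', ':' or whitespace character.
_SEP = re.compile(r"(?<!\\)[=:\s]")


def load_properties(text):
    """Parse text into a dict the way java.util.Properties would."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue  # only a leading '#' or '!' makes a comment line
        m = _SEP.search(line)
        if m is None:
            props[line] = ""  # key with no separator: empty value
            continue
        key = line[:m.start()]
        rest = line[m.end():].lstrip()
        # One '=' or ':' may still follow the whitespace run that ended the key.
        if m.group(0).isspace() and rest[:1] in "=:":
            rest = rest[1:].lstrip()
        props[key] = rest  # everything to end of line, '#' included
    return props


def trailing_comment_keys(props):
    """Keys whose value still carries a '#': an intended comment that was
    swallowed into the value (for a password, the wrong credential)."""
    return sorted(k for k, v in props.items() if "#" in v)


if __name__ == "__main__":
    bad = load_properties(INLINE_COMMENTED)
    print("swallowed comments:", trailing_comment_keys(bad))
    print("bindDNCredential:", repr(bad["idp.authn.LDAP.bindDNCredential"]))
    print("fixed:", load_properties(OWN_LINE_COMMENTED))
```

With the inline-commented file the IdP would bind to LDAP with the password `8ik,9ol #ldap password`, which is a silent misconfiguration; the same applies to the `// your password` remark in step 3's idp.properties.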
03-06-2018, 11:57 AM
Post: #2
RE: shibboleth IdP configuration
Code:
We're sorry, but you cannot access this service at this time.

This service requires information about you that your identity provider (A Name for the IdP at idp.shufangkeji.com) did not release. To gain access to this service, your identity provider must release the required information.

You were trying to access the following URL:

    http://sp.shufangkeji.com/secure

For more information about this service, including what user information is required for access, please visit our information page.

When I open http://sp.shufangkeji.com/secure and use a password to log in to Shibboleth, it shows the above info. It seems the SP cannot get the IdP info, so we cannot browse this page.

Here is the SP log (/var/log/shibboleth/shibd_warn.log):
Code:
2018-03-06 10:04:40 WARN Shibboleth.AttributeResolver.Query [5]: no SAML 2 AttributeAuthority role found in metadata
2018-03-06 10:04:40 INFO Shibboleth.SessionCache [5]: new session created: ID (_565d5d141f7479eee4d2d798bb06f014) IdP (https://idp.shufangkeji.com/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.16.20.91)
2018-03-06 10:04:40 INFO Shibboleth.SessionCache [5]: removed session (_565d5d141f7479eee4d2d798bb06f014)

"no SAML 2 AttributeAuthority role found in metadata": I think there may be problems in the metadata.

Here is the IdP log (/opt/shibboleth-idp/logs/idp-process.log):
Code:
2018-03-06 10:04:24,512 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler:  No metadata returned for https:/sp.shufangkeji.com/shibboleth in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2018-03-06 10:04:24,662 - WARN [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:60] - SAMLPeerContext did not contain either a SAMLMetadataContext or a RoleDescriptor, unable to evaluate rule
2018-03-06 10:04:38,052 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'ldapuser1' succeeded
2018-03-06 10:04:38,531 - INFO [Shibboleth-Audit.SSO:275] - 20180306T020438Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c3cc1f030973ca19b03422e82b1e77e|https:/sp.shufangkeji.com/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.shufangkeji.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_bd687af8592e2e9e6095d0522f2d2776|ldapuser1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||AAdzZWNyZXQxcA+rQZmszJHHevy026F8H3PT1fJ0TpTxf5sGoABQ6xDSOrqD3hRXrCYsh6dNEW/x92eCdCql4uekmZNJ/x26vmKNeKxhk17ATqMYDT+11pmKlKkCMEgD8z9qBiQfvmOI8hIqQt6ggsTLYPed|_2fff46bf636d413ee7143ccdf802ffb1|
Key info:
"No metadata returned for https:/sp.shufangkeji.com/shibboleth in role": it seems the SP cannot get metadata from the IdP.
"SAMLPeerContext did not contain either a SAMLMetadataContext or a RoleDescriptor, unable to evaluate rule": I cannot understand what it means.
"Login by 'ldapuser1' succeeded": login authentication passed.

httpd log (/var/log/httpd/error_log):
Code:
[Tue Mar 06 09:52:37.576508 2018] [alias:warn] [pid 16849] AH00671: The Alias directive in /etc/shibboleth/apache24.config at line 38 will probably never match because it overlaps an earlier Alias.
[Tue Mar 06 09:52:37.576544 2018] [alias:warn] [pid 16849] AH00671: The Alias directive in /etc/httpd/conf.d/shib.conf at line 38 will probably never match because it overlaps an earlier Alias.
[Tue Mar 06 09:52:37.576973 2018] [auth_digest:notice] [pid 16849] AH01757: generating secret for digest authentication ...
[Tue Mar 06 09:52:37.577723 2018] [lbmethod_heartbeat:notice] [pid 16849] AH02282: No slotmem from mod_heartmonitor
[Tue Mar 06 09:52:37.622436 2018] [mpm_prefork:notice] [pid 16849] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
[Tue Mar 06 09:52:37.622492 2018] [core:notice] [pid 16849] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Mar 06 10:04:13.908729 2018] [mod_shib:warn] [pid 16855] [client 10.16.20.91:35538] AttributeChecker found session unavailable immediately after creation
[Tue Mar 06 10:04:16.304691 2018] [mod_shib:warn] [pid 16921] [client 10.16.20.91:35540] AttributeChecker found session unavailable immediately after creation
[Tue Mar 06 10:04:20.410023 2018] [autoindex:error] [pid 16856] [client 10.16.20.91:35542] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive
"/etc/shibboleth/apache24.config at line 38" and "/etc/httpd/conf.d/shib.conf at line 38": I find it is just the Shibboleth CSS. I didn't modify it.

Overall, I think there are two possible reasons for the problem:
1. something wrong in the metadata
2. something wrong happened in sending metadata from the IdP to the SP.

What's your opinion? @xwcwt
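Added example (not Shibboleth's own code) for the metadata lookup behind the two warnings in this post. The IdP's "No metadata returned for ... in role SPSSODescriptor" means no EntityDescriptor with exactly that entityID and that role was found in the metadata the IdP's providers loaded; the SP's "no SAML 2 AttributeAuthority role found in metadata" is the mirror-image lookup of the IdP's AttributeAuthorityDescriptor in the metadata the SP loaded. The functions below run both lookups over constructed metadata documents; the entity IDs and document contents are assumptions, and the case where the IdP side loads only its own idp-metadata.xml corresponds to the provider in step 5 of the first post:

```python
"""Look up an entity and role in SAML metadata, the way the warnings in the
logs above describe.  Added example for this thread, not Shibboleth code;
the two metadata documents and the entity IDs are constructed."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"

IDP_ID = "https://idp.example.org/idp/shibboleth"   # assumed entityIDs
SP_ID = "https://sp.example.org/shibboleth"

# Constructed: the outline of an IdP's own idp-metadata.xml.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="{IDP_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2P}"/>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="{SAML2P}"/>
</EntityDescriptor>"""

# Constructed: the outline of an SP's metadata.
SP_METADATA = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="{SP_ID}">
    <SPSSODescriptor protocolSupportEnumeration="{SAML2P}"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def find_role(metadata_xml, entity_id, role, protocol=SAML2P):
    """Return the role element for entity_id, or None when no
    EntityDescriptor with exactly that entityID carries the role for the
    given protocol."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:      # exact string comparison
            continue
        for r in ed.findall(f"{{{MD}}}{role}"):
            if protocol in r.get("protocolSupportEnumeration", "").split():
                return r
    return None


def diagnose(idp_loaded_metadata, sp_loaded_metadata,
             sp_entity_id=SP_ID, idp_entity_id=IDP_ID):
    """Run both lookups: the IdP looks for the SP's SPSSODescriptor in what
    the IdP loaded; the SP looks for the IdP's AttributeAuthorityDescriptor
    in what the SP loaded.  Returns the warnings that would be logged."""
    problems = []
    if find_role(idp_loaded_metadata, sp_entity_id, "SPSSODescriptor") is None:
        problems.append(f"No metadata returned for {sp_entity_id} "
                        "in role SPSSODescriptor")
    if find_role(sp_loaded_metadata, idp_entity_id,
                 "AttributeAuthorityDescriptor") is None:
        problems.append("no SAML 2 AttributeAuthority role found in metadata")
    return problems


if __name__ == "__main__":
    # Each side loading only its own metadata, as step 5 of the first post
    # does on the IdP side, reproduces both warnings.
    print(diagnose(IDP_METADATA, SP_METADATA))
    # Each side loading the other party's metadata: no warnings.
    print(diagnose(SP_METADATA, IDP_METADATA))
```

Matching is an exact string comparison, so whatever entityID the IdP prints in its log (here the single-slash `https:/sp.shufangkeji.com/shibboleth`) must appear byte-for-byte as an entityID attribute in a file one of the IdP's metadata providers loads, and the role must list the SAML 2 protocol in protocolSupportEnumeration; a provider that only loads idp-metadata.xml can never satisfy the SP lookup.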
03-06-2018, 08:46 PM (This post was last modified: 03-06-2018 08:46 PM by qiracle.)
Post: #3
RE: shibboleth IdP configuration
After discussing with xwcwt, the temporary solution is to remove the following code in shibboleth2.xml.

Code:
<!--
sessionHook="/Shibboleth.sso/AttrChecker"
-->

<!-- <Handler type="AttributeChecker" Location="/AttrChecker" template="attrChecker.html"
                attributes="eppn" flushSession="true"/>
-->
03-06-2018, 08:56 PM
Post: #4
RE: shibboleth IdP configuration
(03-06-2018 08:46 PM)jiangqiangqiang Wrote:  After discussing with xwcwt, the temporary solution is to remove the following code in shibboleth2.xml.

Code:
<!--
sessionHook="/Shibboleth.sso/AttrChecker"
-->

<!-- <Handler type="AttributeChecker" Location="/AttrChecker" template="attrChecker.html"
                attributes="eppn" flushSession="true"/>
-->

Write something about what the above so-called AttrChecker does. Write down what you learn as we discussed; do not ignore it again.
03-06-2018, 10:17 PM
Post: #5
RE: shibboleth IdP configuration
AttributeChecker validates a user's session against a list of required attributes (and optionally values) and either returns the user to complete the login process or displays an error template. When we removed the AttributeChecker, it means we skip checking for the required attribute(s) before login completes. So we can easily log in successfully as long as the username and password match. So removing the AttributeChecker is not a long-term solution.
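Added example (not Shibboleth's code) modelling the decision described in this post: the attributes in the IdP's assertion are mapped to local ids, and the session either carries every id the handler requires (`attributes="eppn"` in the commented-out Handler above) or the user is sent to the error template, with `flushSession="true"` discarding the session. The attribute map, the assertions and the values are constructed; the two OIDs are the standard ones for eduPersonPrincipalName and givenName. Which attributes reach the session is decided by the IdP's attribute-filter (step 4 of the first post), which is where the long-term fix belongs:

```python
"""Model of the SP's AttributeChecker decision: map the attributes in the
IdP's assertion to local ids and check that every required id is present.
Added example for this thread, not Shibboleth code; the attribute map and
the assertions are constructed."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed map in the spirit of the SP's attribute-map.xml
# (the OIDs are the standard ones for eduPersonPrincipalName and givenName).
ATTRIBUTE_MAP = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:2.5.4.42": "givenName",
}


def _assertion(*attrs):
    """Build a constructed assertion fragment from (Name, value) pairs."""
    body = "".join(
        f'<saml2:Attribute Name="{name}"><saml2:AttributeValue>{value}'
        "</saml2:AttributeValue></saml2:Attribute>" for name, value in attrs)
    return (f'<saml2:Assertion xmlns:saml2="{SAML2}"><saml2:AttributeStatement>'
            f"{body}</saml2:AttributeStatement></saml2:Assertion>")


# What the IdP sends when its filter releases only givenName, and when it
# also releases eppn (the attribute-filter policy decides which).
ASSERTION_WITHOUT_EPPN = _assertion(("urn:oid:2.5.4.42", "Ldap"))
ASSERTION_WITH_EPPN = _assertion(
    ("urn:oid:2.5.4.42", "Ldap"),
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "ldapuser1@example.org"))


def session_attributes(assertion_xml, attribute_map=ATTRIBUTE_MAP):
    """Attributes the session would carry: assertion attributes mapped to
    local ids; names with no mapping rule are dropped."""
    found = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        local = attribute_map.get(attr.get("Name"))
        if local is None:
            continue
        found[local] = [v.text or ""
                        for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
    return found


def attribute_checker(session, required=("eppn",), flush_session=True):
    """Return (ok, missing, session_kept).  With flush_session the session is
    discarded on failure, which matches 'removed session' following 'new
    session created' in the SP log earlier in the thread."""
    missing = [name for name in required if not session.get(name)]
    ok = not missing
    session_kept = ok or not flush_session
    return ok, missing, session_kept


if __name__ == "__main__":
    for label, xml in (("without eppn", ASSERTION_WITHOUT_EPPN),
                       ("with eppn", ASSERTION_WITH_EPPN)):
        print(label, attribute_checker(session_attributes(xml)))
```

Removing the Handler makes `attribute_checker` never run, so a session without eppn is accepted; releasing eppn from the IdP makes the check pass while keeping it in place.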