By: prerna arote user 04 Feb 2016 at 11:57 p.m. CST

25 Responses
prerna arote gravatar
Hi, Goal is to perform SSO using Shib SP and Gluu shibboleth. I have 1 gluu server installed machine which is connected to our AD. Another is Shibboleth service provider machine. When I try to access www.sp-domain.com/auth, it get redirected to https://idp-domain/idp/profile/SAML2/Redirect/SSO?SAMLRequest=f...... But I am not able to see the login page there. i want to see login page here, so that after putting credentials (if successful authentication) it will again go to SP domain. I have modified: /opt/shibboleth-idp/conf/logging.xml --> set opensaml, shibboleth, ldap level to 'ALL' etc/tomcat7/server.xml --> 8443 8009 port lines uncommented /etc/tomcat7/Catalina/localhost/idp.xml --> this file checked /opt/shibboleth-idp/conf/handler.xml --> remote user handler commented and user password handler is active (un commented) /opt/shibboleth-idp/conf/login.config --> This file is already set for local ldap of gluu server Then, I restarted gluu-server. But I dont see login page after redirection. Page is just blank. I am not even able to see my https://idp-domain/idp/shibboleth page. Below is idp.log file: 11:00:18.781 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /Metadata/SAML 11:00:18.782 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.SAMLMetadataProfileHandler 11:23:39.602 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 11:23:39.602 - INFO [Shibboleth-Access:73] - 20160203T112339Z|10.16.40.112|sso.iisc.ernet.in:443|/profile/status| 11:23:39.603 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /status 11:23:39.603 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:100] - shibboleth.HandlerManager: No profile handler registered for request path /status 11:23:39.603 - WARN [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:91] - No profile handler configured for request at path: /status 11:23:39.604 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 11:23:39.604 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display 11:23:39.646 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie.

By Mohib Zico staff 05 Feb 2016 at 2:36 a.m. CST

Mohib Zico gravatar
Your configuration in SP is wrong. >> I have modified: /opt/shibboleth-idp/conf/logging.xml --> set opensaml, shibboleth, ldap level to 'ALL' etc/tomcat7/server.xml --> 8443 8009 port lines uncommented /etc/tomcat7/Catalina/localhost/idp.xml --> this file checked /opt/shibboleth-idp/conf/handler.xml --> remote user handler commented and user password handler is active (un commented) /opt/shibboleth-idp/conf/login.config This is totally wrong! You do not need to configure any configuration file in IDP to make SSO working. You just need to create trust relationship from oxTrust ( the GUI of Gluu Server ).

By prerna arote user 05 Feb 2016 at 2:56 a.m. CST

prerna arote gravatar
This modification i did in Gluu IDP. My Sp configuration: 1. Install apache, generate self signed certificate 2. Modifying this file: /etc/shibboleth/shibboleth2.xml (only application defaults entity ID, SSO entity ID, Metadata file) 3. Grab the IdP Metadata and restart services 4. Add the SP metadata to the IdP 5. Log back into the IdP server and add a reference to metadata for your SP /opt/shibboleth-idp/conf/relying-party.xml under the existing Chaining Metadata Provider 6. Protecting the /auth directory by adding <Location /auth> AuthType shibboleth ShibRequireSession On require valid-user </Location> 7. Restart apache Where I am wrong in this? Now, I kept all files as they were before in gluu IDP. What should I change?

By Mohib Zico staff 05 Feb 2016 at 4:14 a.m. CST

Mohib Zico gravatar
>> 5. Log back into the IdP server and add a reference to metadata for your SP /opt/shibboleth-idp/conf/relying-party.xml under the existing Chaining Metadata Provider 6. Protecting the /auth directory by adding <Location /auth> AuthType shibboleth ShibRequireSession On require valid-user </Location> You don't need to touch any configuration file in IDP. You can configure relying party from oxTrust. Check 'How to configure relying party' here in [this](https://www.gluu.org/docs/admin-guide/saml/outbound-saml/#saml-trust-relationship) doc.

By prerna arote user 08 Feb 2016 at 4:53 a.m. CST

prerna arote gravatar
Hi, I followed shibboleth SP install/configure document(https://www.gluu.org/docs/articles/apache-saml/) by gluu. http://SP-host/secure is redirecting to https://sso.iisc.ernet.in/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZ with some Error page. Created Trust relationship. Clicked on 'Update' When I am trying to download SP related configuration files: It says: System Error. Please try again or contact gluu administrator. What shall I do? What I have missed here?

By prerna arote user 08 Feb 2016 at 11:40 p.m. CST

prerna arote gravatar
Hi, Can you tell me steps to perform SSO between shibboleth SP and Gluu as IDP? I did, 1. Installed and configured shibboleth SP on cent OS 6.5 2. Created Trust relationship inside gluu 3. relying party configuration, I have added shibboleth SSO and SAML2SSO 4. I have added Email and First name as released attribute 5. I got validation success after updating it. What are the next steps? Thanks.

By Mohib Zico staff 09 Feb 2016 at 1:45 a.m. CST

Mohib Zico gravatar
Your steps looks good. Now it's time to perform and troubleshoot SSO if there is any. 1. hit SP's protected link ( .../secure/... or anything which is protected in SP ) 2. It will go to Gluu Server for authentication. 3. After successful authentication, you will be able to see the protected SP page.

By prerna arote user 09 Feb 2016 at 2:48 a.m. CST

prerna arote gravatar
Yeah correct. http://www.sp-domain.com/secure is redirecting to gluu IDP (https://sso.iisc.ernet.in/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZLNTsMwE.....) This page shows ERROR. I have copy pasted the text below from the Error page. Do I need to do any changes in gluu? I mean, in default authentication method, i should select SAML or what? How to troubleshoot now? ERROR An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance. This service requires cookies. Please ensure cookies are enabled in your browser, then go back to your desired resource and try to login again. Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again. If you think you were sent here in error, please contact technical support Error Message: Message did not meet security requirements

By prerna arote user 09 Feb 2016 at 3:36 a.m. CST

prerna arote gravatar
Hi, This is my idp-process.log says: tail -n 150 idp-process.log at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat7-websocket.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at unimr.shib2.UniMrMemcachedServletFilter.doFilter(UniMrMemcachedServletFilter.java:53) [unimr-memcached-idp2.4-rev218.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:203) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) [catalina.jar:7.0.55] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) [catalina.jar:7.0.55] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.55] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) [catalina.jar:7.0.55] at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) [tomcat-coyote.jar:7.0.55] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) [tomcat-coyote.jar:7.0.55] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) [tomcat-coyote.jar:7.0.55] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_91] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_91] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.55] at java.lang.Thread.run(Thread.java:745) [na:1.7.0_91] 09:37:52.054 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 09:37:52.055 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display 09:37:52.606 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 09:37:59.360 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 09:37:59.360 - INFO [Shibboleth-Access:73] - 20160209T093759Z|10.16.40.112|sso.iisc.ernet.in:443|/profile/SAML2/Redirect/SSO| 09:37:59.361 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO 09:37:59.361 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler 09:37:59.361 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 09:37:59.362 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request 09:37:59.362 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' 09:37:59.364 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://10.114.1.96/secure 09:37:59.364 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for http://10.114.1.96/secure 09:37:59.365 - WARN [org.opensaml.common.binding.security.IssueInstantRule:108] - Message was expired: message issue time was '2016-02-09T07:45:34.000Z', message expired at: '2016-02-09T07:51:34.000Z', current time: '2016-02-09T09:37:59.364Z' 09:37:59.366 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements org.opensaml.ws.security.SecurityPolicyException: Message was rejected due to issue instant expiration at org.opensaml.common.binding.security.IssueInstantRule.evaluate(IssueInstantRule.java:110) ~[opensaml-2.6.5.jar:na] at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51) ~[openws-1.5.5.jar:na] at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132) ~[openws-1.5.5.jar:na] at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83) ~[openws-1.5.5.jar:na] at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.6.5.jar:na] at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:386) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:211) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:189) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.4.4.jar:na] at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) [servlet-api.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat7-websocket.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at unimr.shib2.UniMrMemcachedServletFilter.doFilter(UniMrMemcachedServletFilter.java:53) [unimr-memcached-idp2.4-rev218.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:203) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) [catalina.jar:7.0.55] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) [catalina.jar:7.0.55] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.55] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) [catalina.jar:7.0.55] at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) [tomcat-coyote.jar:7.0.55] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) [tomcat-coyote.jar:7.0.55] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) [tomcat-coyote.jar:7.0.55] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_91] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_91] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.55] at java.lang.Thread.run(Thread.java:745) [na:1.7.0_91] 09:37:59.367 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 09:37:59.367 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display 09:37:59.582 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 09:41:07.254 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 09:41:07.256 - INFO [Shibboleth-Access:73] - 20160209T094107Z|10.114.1.96|sso.iisc.ernet.in:443|/profile/Metadata/SAML| 09:41:07.256 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /Metadata/SAML 09:41:07.256 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.SAMLMetadataProfileHandler 09:41:22.617 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 09:41:22.617 - INFO [Shibboleth-Access:73] - 20160209T094122Z|10.16.40.112|sso.iisc.ernet.in:443|/profile/SAML2/Redirect/SSO| 09:41:22.617 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO 09:41:22.618 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler 09:41:22.618 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 09:41:22.618 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request 09:41:22.618 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' 09:41:22.619 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://10.114.1.96/secure 09:41:22.619 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for http://10.114.1.96/secure 09:41:22.620 - WARN [org.opensaml.common.binding.security.IssueInstantRule:108] - Message was expired: message issue time was '2016-02-09T07:48:57.000Z', message expired at: '2016-02-09T07:54:57.000Z', current time: '2016-02-09T09:41:22.620Z' 09:41:22.621 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements org.opensaml.ws.security.SecurityPolicyException: Message was rejected due to issue instant expiration at org.opensaml.common.binding.security.IssueInstantRule.evaluate(IssueInstantRule.java:110) ~[opensaml-2.6.5.jar:na] at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51) ~[openws-1.5.5.jar:na] at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132) ~[openws-1.5.5.jar:na] at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83) ~[openws-1.5.5.jar:na] at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.6.5.jar:na] at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:386) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:211) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:189) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90) [shibboleth-identityprovider-2.4.4.jar:na] at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.4.4.jar:na] at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) [servlet-api.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat7-websocket.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at unimr.shib2.UniMrMemcachedServletFilter.doFilter(UniMrMemcachedServletFilter.java:53) [unimr-memcached-idp2.4-rev218.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.4.jar:na] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.55] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:203) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) [catalina.jar:7.0.55] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) [catalina.jar:7.0.55] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:7.0.55] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.55] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) [catalina.jar:7.0.55] at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) [tomcat-coyote.jar:7.0.55] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) [tomcat-coyote.jar:7.0.55] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) [tomcat-coyote.jar:7.0.55] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_91] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_91] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.55] at java.lang.Thread.run(Thread.java:745) [na:1.7.0_91] 09:41:22.622 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 09:41:22.622 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display 09:41:23.345 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie.

By Mohib Zico staff 09 Feb 2016 at 4:11 a.m. CST

Mohib Zico gravatar
Okay. Check the time of your Gluu Server and SP. Seems like time is mismatching. Better... configure network time protocol ( ntp ) and sync both Gluu Server and SP.

By prerna arote user 09 Feb 2016 at 11:25 p.m. CST

prerna arote gravatar
Hey, It worked, I got my Gluu oxtrust login window. But, when i put my AD credentials, it says ERROR An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.This service requires cookies. Please ensure cookies are enabled in your browser, then go back to your desired resource and try to login again.Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again. If you think you were sent here in error, please contact technical support **Error Message: No peer endpoint available to which to send SAML response** How to resolve this issue? Thanks.

By prerna arote user 09 Feb 2016 at 11:52 p.m. CST

prerna arote gravatar
Here is my idp-process.log WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'http://10.114.1.96/secure' requested the response to be returned to endpoint with ACS URL 'https://10.114.1.96/Shibboleth.sso/SAML2/POST' and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding, can be found in the relying party's metadata 05:59:58.250 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447] - No return endpoint available for relying party http://10.114.1.96/secure 05:59:58.251 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key 09d60271c9725e6c1bc0d8d7bae45d9f00e9cd377f5c96d20dd40de363fbb816 from StorageService parition: loginContexts 05:59:58.252 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:360] - No login context in storage service 05:59:58.252 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display 05:59:58.395 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 05:59:58.396 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:123] - Found IdP session cookie. 05:59:58.396 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:81] - Updating IdP session activity time and adding session object to the request 06:00:05.351 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 06:00:05.352 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:123] - Found IdP session cookie. 06:00:05.352 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:81] - Updating IdP session activity time and adding session object to the request 06:00:05.352 - INFO [Shibboleth-Access:73] - 20160210T060005Z|10.16.40.112|sso.iisc.ernet.in:443|/profile/SAML2/Redirect/SSO| 06:00:05.353 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO 06:00:05.353 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler 06:00:05.353 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 06:00:05.353 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request 06:00:05.353 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' 06:00:05.355 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://10.114.1.96/secure 06:00:05.355 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for http://10.114.1.96/secure 06:00:05.356 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - Decoded request from relying party 'http://10.114.1.96/secure' 06:00:05.356 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://10.114.1.96/secure 06:00:05.356 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for http://10.114.1.96/secure 06:00:05.356 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:226] - Creating login context and transferring control to authentication engine 06:00:05.358 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:181] - Storing LoginContext to StorageService partition loginContexts, key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc 06:00:05.358 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:240] - Redirecting user to authentication engine at https://sso.iisc.ernet.in:443/idp/AuthnEngine 06:00:05.383 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 06:00:05.383 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:123] - Found IdP session cookie. 06:00:05.384 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:81] - Updating IdP session activity time and adding session object to the request 06:00:05.384 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request 06:00:05.384 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.385 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] - Retrieved LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.386 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:240] - Beginning user authentication process. 06:00:05.386 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:244] - Existing IdP session available for principal prernahp 06:00:05.387 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:283] - Filtering configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@5b94cac1, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@58b73e0, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@66479f8} 06:00:05.387 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:464] - Selecting appropriate login handler from filtered set {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@5b94cac1, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@58b73e0, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@66479f8} 06:00:05.388 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:467] - Authenticating user with previous session LoginHandler 06:00:05.388 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:478] - Basing previous session authentication on active authentication method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport 06:00:05.388 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler:112] - Using existing IdP session for prernahp 06:00:05.388 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:144] - Returning control to authentication engine 06:00:05.389 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.389 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] - Retrieved LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.389 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request 06:00:05.389 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.390 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] - Retrieved LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.390 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:514] - Completing user authentication process 06:00:05.390 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:585] - Validating authentication was performed successfully 06:00:05.390 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:696] - Updating session information for principal prernahp 06:00:05.391 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:560] - User prernahp authenticated with method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport 06:00:05.391 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:161] - Returning control to profile handler 06:00:05.391 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.392 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] - Retrieved LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.392 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:177] - Redirecting user to profile handler at https://sso.iisc.ernet.in:443/idp/profile/SAML2/Redirect/SSO 06:00:05.407 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 06:00:05.407 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:123] - Found IdP session cookie. 06:00:05.408 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:81] - Updating IdP session activity time and adding session object to the request 06:00:05.408 - INFO [Shibboleth-Access:73] - 20160210T060005Z|10.16.40.112|sso.iisc.ernet.in:443|/profile/SAML2/Redirect/SSO| 06:00:05.408 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO 06:00:05.409 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler 06:00:05.409 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.409 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] - Retrieved LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.409 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:588] - Unbinding LoginContext 06:00:05.410 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:614] - Expiring LoginContext cookie 06:00:05.410 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:625] - Removed LoginContext, with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc, from StorageService partition loginContexts 06:00:05.410 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:172] - Incoming request contains a login context and indicates principal was authenticated, processing second leg of request 06:00:05.411 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://10.114.1.96/secure 06:00:05.411 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for http://10.114.1.96/secure 06:00:05.412 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'http://10.114.1.96/secure' requested the response to be returned to endpoint with ACS URL 'https://10.114.1.96/Shibboleth.sso/SAML2/POST' and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding, can be found in the relying party's metadata 06:00:05.413 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447] - No return endpoint available for relying party http://10.114.1.96/secure 06:00:05.414 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key e9d4a4828613b84213510d862feef6039f445a9257d30d047e911b95006cdbbc from StorageService parition: loginContexts 06:00:05.414 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:360] - No login context in storage service 06:00:05.415 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display 06:00:05.617 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. 06:00:05.618 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:123] - Found IdP session cookie. 06:00:05.618 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:81] - Updating IdP session activity time and adding session object to the request

By Mohib Zico staff 10 Feb 2016 at 7:11 a.m. CST

Mohib Zico gravatar
The SP metadata which you used to create trust relationship in Gluu Server is not matching with your remote SP's configuration.

By prerna arote user 11 Feb 2016 at 4 a.m. CST

prerna arote gravatar
So, I should change metadata file in my remote SP and should upload again in gluu? But, SP under gluu IDP, it contains shibboleth2.xml file which has assertion control service block which is not there in my remote SP's shibboleth2.xml.

By Mohib Zico staff 11 Feb 2016 at 6:57 a.m. CST

Mohib Zico gravatar
>> So, I should change metadata file in my remote SP and should upload again in gluu? I would better suggest to check configuration of your SP. >> But, SP under gluu IDP, it contains shibboleth2.xml file which has assertion control service block which is not there in my remote SP's shibboleth2.xml. Sorry..can't understand your statement. You shouldn't need to touch the 'shibboleth2.xml' inside Gluu Server. Which doc you are following to configure your SSO?

By prerna arote user 11 Feb 2016 at 11:52 p.m. CST

prerna arote gravatar
Document I have referred for Shibboleth SP configuration is below mentioned link: (SP manual configuration on cent OS) https://www.gluu.org/docs/articles/apache-saml/ Then, in gluu created trust relationship. Metadata type URI, I have selected. In relying party configuration: shibbolethSSO, SAML2SSO I have selected. You are saying to check configuration of SP. There is only 1 file to check that is shibboleth2.xml. Below is my shibboleth2.xml of shibboleth SP: <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <ApplicationDefaults entityID="http://10.114.1.96/secure" REMOTE_USER="eppn persistent-id targeted-id"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https"> <SSO entityID="https://sso.iisc.ernet.in/idp/shibboleth" discoveryProtocol="SAMLDS"> <!-- discoveryURL="https://ds.example.org/DS/WAYF"> --> SAML2 SAML1 </SSO> <!-- SAML and local-only logout. --> <Logout>SAML2 Local</Logout> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> <!-- Status reporting service. --> <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> <!-- Session diagnostic service. --> <Handler type="Session" Location="/Session" showAttributeValues="false"/> <!-- JSON feed of discovery information. --> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> </Sessions> <Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <MetadataProvider type="XML" uri="http://sso.iisc.ernet.in/idp/shibboleth"> </MetadataProvider> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> <!-- Use a SAML query if no attributes are supplied during SSO. --> <AttributeResolver type="Query" subjectMatch="true"/> <!-- Default filtering policy for recognized attributes, lets other data pass. --> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> </ApplicationDefaults> <!-- Policies that determine how to process and authenticate runtime messages. --> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> <!-- Low-level configuration about protocols and bindings available for use. --> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> </SPConfig>

By prerna arote user 15 Feb 2016 at 4:16 a.m. CST

prerna arote gravatar
May I know, where is the misconfiguration on SP side?

By Mohib Zico staff 15 Feb 2016 at 4:25 a.m. CST

Mohib Zico gravatar
Supporting SP is not in our 'Community Support' scope. You can check Shibboleth SP doc in internet on how to configure SP properly. Or, you can use [Generate](https://www.gluu.org/docs/admin-guide/saml/outbound-saml/#how-to-create-trust-relationship) method while create Trust Relationships, it will help you to generate few configurations file which are mandatory for your SP configuration to talk to Gluu Server properly.

By prerna arote user 17 Feb 2016 at 3:06 a.m. CST

prerna arote gravatar
Okay. I have configured properly my SP and updated metadata in IDP again. Now, 1. User goes to http://myurl/secure 2. Redirected to gluu idp oxtrust login page by SP 3. Then, IDP use authentication process to authenticate that User On my idp-process.log, it says fetched attributed for principal:user, without any error But, on GUI it says: Forbidden You don't have permission to access /idp/profile/SAML2/Redirect/SSO on this server. Do I need to change the permission on IDP. Because, i have already changed the permissions of my protected directory in SP.

By Mohib Zico staff 17 Feb 2016 at 3:58 a.m. CST

Mohib Zico gravatar
>> On my idp-process.log, it says fetched attributed for principal:user, without any error But, on GUI it says: Forbidden You don't have permission to access /idp/profile/SAML2/Redirect/SSO on this server. >> Do I need to change the permission on IDP. Because, i have already changed the permissions of my protected directory in SP. You shouldn't. Gluu Server is developed in such a way that admin do not need to configure anything from background ( modifying configuration files ) and can do all job from Gluu Server GUI ( codename: oxTrust ). Now... the question is.. have you _already modified_ the default settings of Gluu Server from background? If yes.. then you need to change it back to that setup how it was before.

By prerna arote user 17 Feb 2016 at 4:45 a.m. CST

prerna arote gravatar
No, i did not change anything in background files of gluu. There is no Error in idp-process.log. But on browser it says: Forbidden You don't have permission to access /idp/profile/SAML2/Redirect/SSO on this server.

By prerna arote user 19 Feb 2016 at 3:40 a.m. CST

prerna arote gravatar
Hii, For sso using shib SP, Do I need to set Manage Authentication-> Default Authentication Method-> Authentication mode and oxTrust Authentication mode to SAML or default?? Kindly, let me know. I have enabled Manage Custom Scripts->SAML

By Mohib Zico staff 19 Feb 2016 at 4:02 a.m. CST

Mohib Zico gravatar
>> For sso using shib SP, Do I need to set Manage Authentication-> Default Authentication Method-> Authentication mode and oxTrust Authentication mode to SAML or default?? No. 'Authentication' has nothing to do with SAML SP. [Manage Authentication](https://www.gluu.org/docs/admin-guide/configuration/#manage-authentication) is for 'how Gluu server can perform authentication'. For your case, 'Default' is fine. >> Kindly, let me know. I have enabled Manage Custom Scripts->SAML Most probably you have already locked yourself. :-)

By prerna arote user 19 Feb 2016 at 4:48 a.m. CST

prerna arote gravatar
So, I should not select this option in manage custom scripts?

By prerna arote user 19 Feb 2016 at 6:18 a.m. CST

prerna arote gravatar
In relying party, what to select ShibbolethSSO or SAML2SSO ?

By Mohib Zico staff 19 Feb 2016 at 8:14 a.m. CST

Mohib Zico gravatar
>> In relying party, what to select ShibbolethSSO or SAML2SSO ? It depends on SP configuration. Check out Shibboleth2 [doc](https://wiki.shibboleth.net/confluence/display/SHIB2/IdPRelyingParty).