By: Michael Dehmlow user 23 Mar 2015 at 1:56 p.m. CDT

8 Responses
Hello Gentlemen! I'm working on a test environment but I can't figure out where the idp-metadata.xml lives. I can see what appears to be a template at /opt/apache-tomcat-7.0.55/conf/shibboleth2/idp/idp-metadata.xml.vm. Is there some URL or file location that contains an updated version I can give to an SP? I could always just substitute all the $idpXXX markers, but that feels a bit hacky. Thanks guys, great project! ~Michael

By Mohib Zico staff 23 Mar 2015 at 2:14 p.m. CDT

Hello Michael, Gluu Server's metadata is accessible at "https://<hostname_of_idp>/idp/shibboleth". The XML version is available inside the /opt/idp/metadata/ location as "A1234..-idp-metadata.xml".

By Michael Dehmlow user 23 Mar 2015 at 3:33 p.m. CDT

Thanks Mohib! Hmm, https://<hostname_of_idp>/idp/shibboleth is completely blank; an empty page is returned (no 404 error). And only the SP XML file is stored at /opt/idp/metadata/. I started looking through the logs and noticed I am getting an error:

ERROR [org.xdi.util.process.ProcessHelper] Problem during starting process check_ssl

Running the SSL check I'm getting:

SSL_CERT CRITICAL *.companyOfMine.net: Cannot verify certificate\nverification error: unable to get local issuer certificate verification error: certificate not trusted verification error: unable to verify the first certificate|days=129;;;;

I gather from another post that this needs to return a number, and it seems like it's complaining about my CA. I downloaded and ran check_ssl from https://github.com/GluuFederation/gluu-util/blob/master/check_ssl/check_ssl_cert.sh to get this result. I can see my CA cert in /etc/pki/java/; is there someplace else it needs to be?

By Michael Dehmlow user 23 Mar 2015 at 3:40 p.m. CDT

We used this command to add the cert:

keytool -import -trustcacerts -file /tmp/root.der -alias AlphaSSL -keystore /etc/pki/java/

By Mohib Zico staff 23 Mar 2015 at 3:50 p.m. CDT

>> Hmm https://<hostname_of_idp>/idp/shibboleth is completely blank an empty page is returned (No 404 Error). And only the SP xml file is stored at /opt/idp/metadata/

Did you select "Shibboleth SAML" during installation? By default, it's "NO".

By Michael Dehmlow user 25 Mar 2015 at 3:11 p.m. CDT

So I've managed to configure the server (mostly... detailed installation steps included for posterity). However, when I try to connect an app using the Spring Security SAML extension as an SP I'm getting a "Message: Incoming SAML message is invalid" exception... Not sure if it's the Gluu server or the SP app; the SP works against CircleSSO. What's the best way to validate my Gluu install? FYI I did create a So I configured a user and established a trust relationship with a Grails app SP. I think this has something to do with my certs, as steps 27 - 29 are not called out in the Gluu certificates page:

1. mkdir gluu
2. cd gluu/
3. wget -c http://deb-repo.gluu.org/GLUU/ubuntu/pool/gluu/gluu-server_2.0-0_amd64.deb
4. sudo dpkg -i gluu-server_2.0-0_amd64.deb
5. sudo apt-get update
6. sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AB6E65FC
7. sudo service gluu-server start
8. service gluu-server login
9. cd /install/community-edition-setup/
10. ./setup.py
    - Enter IP Address [10.0.0.217] :
    - Enter hostname [ce.gluu.info] : idp.companyOfMine.net
    - Enter your city or locality : Denver
    - Enter your state or province two letter code : Co
    - Enter two letter Country Code : Us
    - Enter Organization Name : Company
    - Enter email address for support at your organization : michael@companyOfMine.net
    - Enter maximum RAM for tomcat in MB [1536] : 2500
    - Optional: enter password for oxTrust and LDAP superuser [default] :
    - Update the hostname, hosts, and resolv.conf files? [No] : Yes
    - Install oxAuth OAuth2 Authorization Server? [Yes] :
    - Install oxTrust Admin UI? [Yes] :
    - Install Gluu OpenDJ LDAP Server? [Yes] :
    - Install Apache HTTPD Server [Yes] :
    - Install Shibboleth 2 SAML IDP? [No] : Yes
    - Install Asimba SAML Proxy? [No] : Yes
    - Install CAS? [No] :
11. exit
12. sudo service gluu-server stop
13. sudo service gluu-server start
    - At this point the site is responding with a self-signed certificate.
14. [scp certs to ~/certs]
15. cd ~/certs
16. sudo cp star-companyOfMine-net.key /home/gluu-server/etc/certs/httpd.key
17. cat star-companyOfMine-net.crt alphassl-inter.crt >> combined.crt
18. sudo cp combined.crt /home/gluu-server/etc/certs/httpd.crt
19. [scp root.der to /home/gluu-server/tmp/root.der]
20. sudo service gluu-server login
21. sudo keytool -import -trustcacerts -file /tmp/root.der -alias AlphaSSL -keystore /etc/pki/java/
22. GLUU.root@idp:~# keytool -import -trustcacerts -file /tmp/root.der -alias AlphaSSL -keystore /etc/pki/java/
    - Enter keystore password: ########
    - Re-enter new password: ########
    - Certificate already exists in system-wide CA keystore under alias <debian:globalsign_root_ca.pem>
    - Do you still want to add it to your own keystore? [no]: yes
    - Certificate was added to keystore
23. exit
24. sudo service gluu-server stop
25. sudo service gluu-server start
26. [Can hit Gluu server but an error occurs stating that I need to contact my Gluu administrator]
    - Attempted the following additional steps found online for Ubuntu OS
27. ubuntu@idp:~/certs$ sudo cp combined.crt /home/gluu-server/usr/local/share/ca-certificates/
28. ubuntu@idp:~/certs$ sudo service gluu-server login
29. GLUU.root@idp:~# update-ca-certificates
30. exit
31. sudo service gluu-server stop
32. sudo service gluu-server start
33. CAN NOW FULLY LOGIN!!! I can now also see my metadata file at https://idp.companyOfMine.net/idp/shibboleth !!!

```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://idp.companyOfMine.net/idp/shibboleth">
  <IDPSSODescriptor errorURL="https://idp.companyOfMine.net/identity/feedback.htm"
      protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">idp.companyOfMine.net</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> MIID...mRbA== </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.companyOfMine.net:9443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.companyOfMine.net:9443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat>
    <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent </NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.companyOfMine.net/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest"
        Location="https://idp.companyOfMine.net/idp/profile/SAML2/Unsolicited/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.companyOfMine.net/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://idp.companyOfMine.net/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.companyOfMine.net/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">idp.companyOfMine.net</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> MII...mRbA== </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.companyOfMine.net:9443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.companyOfMine.net:9443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat>
    <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent </NameIDFormat>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
```

Victory!!! almost

By Mohib Zico staff 26 Mar 2015 at 5:42 a.m. CDT

Michael, Thanks a bunch for your awesome detailed message... :)

>> Message: Incoming SAML message is invalid" exception

I think it might be a certificate mismatch issue between Gluu Server and SP. Either side is not loading the proper cert which is included in metadata (either IDP or SP). Here is what you can do:

* Check if your SP's configuration is loading the proper IDP metadata.
* Check if your Gluu Server's trust relationship is loading the proper certificate which is there in the SP metadata.
* Try to do SSO and tail idp-process.log. The location of this log is: /opt/idp/logs/
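As an added example (not from this thread, and not Gluu's or Shibboleth's own code), the first of those checks done mechanically: pull the entityID, SSO endpoints and signing-certificate fingerprint out of an IdP metadata document shaped like the one posted above, then compare the certificate an SP has on file against it. The sample metadata, the hostname idp.example.net and the certificate blob are constructed placeholders.

```python
import base64
import hashlib
# Local, trusted file here; parse metadata fetched from untrusted sources with defusedxml.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like the thread's IdP metadata; the cert value is a placeholder blob.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.net/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate> AAECAwQF
      BgcICQ== </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.net/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.net/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 of the DER bytes; whitespace and line breaks inside the base64 are ignored."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, signing-cert fingerprints and SSO endpoints keyed by binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "signing_fingerprints": fingerprints, "sso": sso}


def sp_cert_matches_idp(metadata: dict, sp_cert_b64: str) -> bool:
    """False means the SP holds a cert from an earlier install: re-import the IdP metadata."""
    return cert_fingerprint(sp_cert_b64) in metadata["signing_fingerprints"]
```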

By Michael Dehmlow user 26 Mar 2015 at 11:14 p.m. CDT

Since I had reinstalled several times, my Shib certificates had changed, but I forgot to reimport the metadata-idp.xml into my SP. After doing that I'm pretty sure Gluu Server is doing its end of the bargain. Thanks for your help, MZ. ~Michael

By Mohib Zico staff 27 Mar 2015 at 4:29 a.m. CDT

Enjoy! Feel free to let us know if you have any questions or confusion.