By: Matt Jamison user 03 Mar 2017 at 10:04 a.m. CST

8 Responses
I've done a clean yum install of gluu-server-3.0.1.x86_64 and set up a testshib Trust Relationship using the following settings:

- Entity Type: Single SP
- Metadata Location: URI
- Sp Metadata URL: http://www.testshib.org/metadata/testshib-providers.xml
- Attributes: username, First name and TransientID

I saved, waited for it to show Status of Active, and tailed the idp-process.log to verify the metadata reload had occurred. I downloaded the idp-metadata.xml file, renamed it to something unique and uploaded it to testshib. I then waited a few minutes for the metadata reload on their side. Then I headed over to https://sp.testshib.org/ and put in our URL but receive the below error:

Web Login Service - Unsupported Request
The application you have accessed is not registered for use with this service.

```
2017-03-03 10:39:37,069 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://sp.testshib.org/shibboleth-sp in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-03-03 10:39:37,080 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-03-03 10:39:37,087 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
```

If I follow these directions with Gluu 2.4.4.2, they work perfectly.

I was able to get 3.0.1 to work with testshib if I manually go and edit metadata-providers.xml and add:

```
<MetadataProvider id="HTTPMetadataTESTSHIB" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/testshib-providers.xml"
    metadataURL="http://www.testshib.org/metadata/testshib-providers.xml"/>
```

Once I edit the file and `tail -f idp-process.log` and see the metadata was reloaded, testshib starts working. HOWEVER, once I restart Gluu 3.0.1, the metadata-providers.xml file reverts and testshib no longer works. Any ideas? Am I doing something wrong?

By Aliaksandr Samuseu staff 03 Mar 2017 at 10:38 a.m. CST

Hi, Matt. I believe what you need to do is to add a custom relying party configuration to your setup with default settings:

1. On Testshib TR's page, tick the "Configure Relying Party" checkbox.
2. Click the "Configure RelyingParty" link which will appear.
3. In the dialog box that appears, select "SAML2SSO" from the list to the left and add it to the list to the right; don't change any settings for it, leave them at defaults.
4. Click the "Save" button in the dialog.
5. Click the "Update" button on the update TR page.
6. Restart Shib: `# service idp restart`

That should resolve it without the need to edit files manually on disk.

By Matt Jamison user 03 Mar 2017 at 10:59 a.m. CST

Thanks for the quick response. I made the changes but unfortunately get the same errors. What do you need from me to help troubleshoot this?

By Aliaksandr Samuseu staff 03 Mar 2017 at 11:02 a.m. CST

> I made the changes but unfortunately same errors.

That's strange. Can you confirm that the xml element you were adding manually before to `metadata-providers.xml` is not there after the Custom Relying Party configuration is added? It should be there now.

By Aliaksandr Samuseu staff 03 Mar 2017 at 11:20 a.m. CST

Matt, here is how I managed to make it work. Please use the metadata I'm attaching to this post; it's Testshib's metadata edited with the IdP part removed (they include both their SP's and IdP's metadata in the file, which makes Gluu recognize it as a federation instead of a single SP). Then you also need to add the Custom Relying Party config as stated above.

By Matt Jamison user 03 Mar 2017 at 12:35 p.m. CST

There is still nothing in metadata-providers.xml, even after adding the relying party information. I used the metadata file you supplied but still get the same errors. See images of my settings.

By Matt Jamison user 03 Mar 2017 at 12:41 p.m. CST

After a restart metadata-providers.xml does have this:

```
<MetadataProvider id="SiteSP2" xsi:type="FilesystemMetadataProvider"
    metadataFile="/opt/shibboleth-idp/metadata/65E7DC02E919BF370002D6060C0F0006DF55E488-sp-metadata.xml">
</MetadataProvider>
</MetadataProvider>
```

But when testing testshib, I'm still getting:

```
2017-03-03 13:40:02,228 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://sp.testshib.org/shibboleth-sp in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-03-03 13:40:02,246 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-03-03 13:40:02,253 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
```

By Aliaksandr Samuseu staff 03 Mar 2017 at 1:44 p.m. CST

Your setup is correct, and as this element is now in `metadata-providers.xml` it should start to work. Try restarting the idp service, or wait for the next config reload.

By Chris Abel user 08 Mar 2017 at 3:30 p.m. CST

I'm not sure if this is related or not, but I'm also getting the same exact errors in my idp-process.log when trying to configure google SSO.

```
2017-03-08 21:20:14,698 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for google.com in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-03-08 21:20:14,701 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-03-08 21:20:14,704 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
```

I do see this in metadata-providers.xml:

```
<MetadataProvider id="SiteSP2" xsi:type="FilesystemMetadataProvider"
    metadataFile="/opt/shibboleth-idp/metadata/CF96E7FC3EAFCC250002BF4DF6EE00062CBE3F63-sp-metadata.xml">
```

CF96E7FC3EAFCC250002BF4DF6EE00062CBE3F63-sp-metadata.xml seems to link to my google metadata which shows this:

```
<EntityDescriptor entityID="google.com/a/myorg.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:email</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/myorg.com/acs"></AssertionConsumerService>
  </SPSSODescriptor>
</EntityDescriptor>
```

Is there something wrong with the metadata I uploaded?
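As an added example (my own code, not Gluu's or Shibboleth's), the Python below reproduces offline the two checks this thread turns on. First, the "No metadata returned for X in role SPSSODescriptor" message means the IdP looked for an EntityDescriptor whose `entityID` exactly equals the issuer of the request and which carries an SPSSODescriptor listing the SAML 2.0 protocol; `lookup_sp` performs that same lookup and names which of the three conditions failed. Second, Aliaksandr's fix of stripping the IdP part out of Testshib's combined metadata is what `extract_sp_entity` does: it keeps the single SP EntityDescriptor and drops the rest, so the file no longer looks like a federation. The sample metadata is constructed; the IdP entityID and the Google-style entityID `google.com/a/example.com` are made up for the example.

```python
"""Check SAML SP metadata the way an IdP's metadata lookup does, and reduce a
combined IdP+SP file to the single SP entity. Added example; not Gluu or
Shibboleth code."""
from typing import Optional
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
ENTITY_TAG = f"{{{MD_NS}}}EntityDescriptor"
SP_ROLE_TAG = f"{{{MD_NS}}}SPSSODescriptor"
# Keep the default namespace (no prefix) when we re-serialise a sub-tree.
ET.register_namespace("", MD_NS)

# Constructed sample resembling a federation-style file: one IdP and one SP
# wrapped in a single EntitiesDescriptor. The IdP entityID is made up.
COMBINED_METADATA = f"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:mace:example:constructed">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.testshib.org/shibboleth-sp">
    <SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

# Constructed single-SP file in the shape of Google Apps metadata; the
# entityID here is made up.
GOOGLE_STYLE_METADATA = f"""<EntityDescriptor entityID="google.com/a/example.com" xmlns="{MD_NS}">
  <SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:email</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def lookup_sp(metadata_xml: str, issuer: str) -> str:
    """Mimic the IdP lookup: the issuer must match an entityID exactly, and
    that entity must have an SP role that lists the SAML 2.0 protocol.
    Returns 'ok', 'no-entity', 'no-sp-role' or 'no-saml2'."""
    root = ET.fromstring(metadata_xml)
    # Element.iter() includes the root itself, so a bare EntityDescriptor
    # file and an EntitiesDescriptor wrapper are handled alike.
    for entity in root.iter(ENTITY_TAG):
        if entity.get("entityID") != issuer:
            continue
        sp_role = entity.find(SP_ROLE_TAG)
        if sp_role is None:
            return "no-sp-role"
        protocols = sp_role.get("protocolSupportEnumeration", "").split()
        return "ok" if SAML2_PROTOCOL in protocols else "no-saml2"
    return "no-entity"


def extract_sp_entity(metadata_xml: str) -> Optional[str]:
    """Drop every entity without an SP role and return the one remaining SP
    EntityDescriptor as a standalone document (the 'single SP' shape).
    Returns None if there is not exactly one SP entity."""
    root = ET.fromstring(metadata_xml)
    sps = [e for e in root.iter(ENTITY_TAG) if e.find(SP_ROLE_TAG) is not None]
    if len(sps) != 1:
        return None
    return ET.tostring(sps[0], encoding="unicode")


if __name__ == "__main__":
    for issuer in ("https://sp.testshib.org/shibboleth-sp",
                   "https://idp.example.org/idp/shibboleth"):
        print(f"{issuer}: {lookup_sp(COMBINED_METADATA, issuer)}")
    # An issuer of "google.com" does not match "google.com/a/example.com".
    print("google.com:", lookup_sp(GOOGLE_STYLE_METADATA, "google.com"))
    print(extract_sp_entity(COMBINED_METADATA))
```

Run against a file that Gluu rejected, `lookup_sp` tells you whether the issuer string in the log is absent from the metadata altogether, present but only as an IdP, or present without SAML 2.0 in its protocol list; the IdP collapses all three into the same "No metadata returned" line.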