Unable to set up TestShib.org SP with Gluu (IDP)

By: Brett Cave Account Admin 13 Jun 2017 at 7:48 a.m. CDT

13 Responses
Brett Cave gravatar
We are having the same problem trying to add testshib as an SP via a TR in Gluu server as per issue #23 in github. This is with the Ubuntu deb package gluu-server-3.0.1 2-1~xenial+Ub16.04 amd64 Gluu shows "Validation Success" with the metadata from testshib: TestShib2 Testing TestShib TR First Name, Username federation Validation Success Active The IDP metadata is uploaded to testshib. Restarted IDP. The metadata from `/idp/shibboleth` was initially not accepted by testshib. By adding in `xmlns:mdui` and `<mdui:UIInfo>` and removing `<Organization>` testshib accepted the metadata. However, going to sp.testshib.org and entering our entityID shows an error page on `/idp/profile/SAML2/Redirect/SSO?SAMLRequest=xxxx`: Web Login Service - Unsupported Request The application you have accessed is not registered for use with this service. idp-process.log shows the following: 2017-06-13 12:44:02,656 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://sp.testshib.org/shibboleth-sp in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol 2017-06-13 12:44:02,657 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty 2017-06-13 12:44:02,658 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
OS Version : N/A
closed

Answers

By Mohib Zico staff 13 Jun 2017 at 8:22 a.m. CDT

Copy
Mohib Zico gravatar
Hi Brett, How did you create trust relationship for TestShib2?

By Brett Cave Account Admin 13 Jun 2017 at 8:29 a.m. CDT

Copy
Brett Cave gravatar
http://testmd32.readthedocs.io/en/latest/integrate/test-shib2/ In Gluu --> SAML --> Add Trust Relationship Display Name: TestShib2 Description: Testshib Entity Type: Single SP Metadata Location: URI SP Metadata URL: http://www.testshib.org/metadata/testshib-providers.xml I did not configure relying party. Released attributes: First Name, Username I had already uploaded a modified IDP metadata file to testshib. I have a copy of that file here, is there a channel I can use to send it to you securely? I can also provide a login to our Gluu instance if needed.

By Mohib Zico staff 13 Jun 2017 at 8:31 a.m. CDT

Copy
Mohib Zico gravatar
>> http://testmd32.readthedocs.io/en/latest/integrate/test-shib2/ oh man! This is not our official doc. Please give us some time, we are going to give you a new doc on TestShib2.

By Mohib Zico staff 13 Jun 2017 at 12:10 p.m. CDT

Copy
Mohib Zico gravatar
Brett, [Here](https://github.com/GluuFederation/docs-ce-prod/blob/3.0.1/3.0.1/source/integration/testShib2.md) is the new doc for Gluu Server v3.

By Brett Cave Account Admin 14 Jun 2017 at 9:26 a.m. CDT

Copy
Brett Cave gravatar
Thanks Mohib. We have made a little bit of progress but have not been able to complete SAML auth yet. We are working on 2 test setups concurrently: 1 is using testshib SP and the other is using our own SAML application SP. With testshib, starting on sp.testshib.org and entering our entity ID, we go to our Gluu instance and are correctly presented with a login screen on Gluu and after logging in, go back to testshib SP where we get an error about failed validation. While testing our own SP (built using pac4j-saml in a java project), we keep running into an error when using SP-initiated flow of: Validation of protocol message signature failed. Our SP is configured with the cert from shibboleth, although we have noticed that there are 2 certs that might be used for signing - we have tried both keys but neither work. We have tried numerous variations on SP metadata but cannot get past "validation of protocol message signature failed"

By Mohib Zico staff 14 Jun 2017 at 9:33 a.m. CDT

Copy
Mohib Zico gravatar
Hi Brett, >> With testshib, starting on sp.testshib.org and entering our entity ID, we go to our Gluu instance and are correctly presented with a login screen on Gluu and after logging in, go back to testshib SP where we get an error about failed validation. If you get 'failed validation' from testShib, I think you can check logs from testshib; it should have indication of failure. >> While testing our own SP (built using pac4j-saml in a java project), we keep running into an error when using SP-initiated flow of: Validation of protocol message signature failed. Generally it means... there are SAML cert differences between what you are putting in IDP ( from SP side ) and what it's actually there inside SP. May be open a new ticket on that? >> Our SP is configured with the cert from shibboleth I think I didn't understand the term 'cert from shibboleth' >> although we have noticed that there are 2 certs that might be used for signing Which two certs?

By Brett Cave Account Admin 14 Jun 2017 at 10:15 a.m. CDT

Copy
Brett Cave gravatar
These are the errors we're getting from TestShib: 2017-06-14 11:08:27 DEBUG XMLTooling.TrustEngine.PKIX [1855]: unable to match DN, trying TLS subjectAltName match 2017-06-14 11:08:27 DEBUG XMLTooling.TrustEngine.PKIX [1855]: unable to match subjectAltName, trying TLS CN match 2017-06-14 11:08:27 ERROR XMLTooling.TrustEngine.PKIX [1855]: certificate name was not acceptable 2017-06-14 11:08:27 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1855]: unable to verify message signature with supplied trust engine higher up in the logs, I see a saml2p:Response signed message. The message references the x509 certificate that is in https://our-ipd/idp/shibboleth - this cert is also in /etc/certs/idp-signing.crt. In the Gluu web UI under Json configuration however, /etc/certs/shibIDP.crt is showing as the "idpSecurityCert" value. Do we need to manually update the idp-metadata in shibboleth IDP and the idp-metadata file sent to testshib SP to use the shibIDP cert instead?

By Brett Cave Account Admin 14 Jun 2017 at 10:17 a.m. CDT

Copy
Brett Cave gravatar
/opt/shibboleth-idp/conf/idp.properties also has `idp.signing.cert = /etc/certs/idp-signing.crt`

By Brett Cave Account Admin 14 Jun 2017 at 10:33 a.m. CDT

Copy
Brett Cave gravatar
I found that there are 2 registrations for our IDP in testshib SP - am guessing this is causing the issue. We are going to rather focus on getting our own SP working with Gluu.

By Mohib Zico staff 14 Jun 2017 at 10:34 a.m. CDT

Copy
Mohib Zico gravatar
Ok, thanks for confirmation. Basically we just need to concentrate on one and only SAML cert right now. It's 'shibIDP.crt'. We need to use that cert for every SAML transactions ( and that's inside your Gluu Server metadata ).

By William Lowe user 23 Jun 2017 at 4:03 p.m. CDT

Copy
William Lowe gravatar
Hi Brett, How is this going? Were you able to get the SP working with your Gluu Server? Thanks, Will

By Brett Cave Account Admin 26 Jun 2017 at 4:16 a.m. CDT

Copy
Brett Cave gravatar
Hi Will, Yep, we have our platform working with SP initiated flow to Gluu and want to show the POC to our client. Thanks for checking in. Regards, Brett

By Brett Cave Account Admin 26 Jun 2017 at 4:17 a.m. CDT

Copy
Brett Cave gravatar
we're just working on MFA now (twilio sms for POC). Mohib has been assisting us here https://support.gluu.org/authentication/4244/how-to-use-custom-authentication-scripts/

Post an answer