By: Murillo Rocha user 09 Nov 2017 at 9:42 a.m. CST

3 Responses

Hello everyone,

We successfully implemented SAML2 authentication (Shibboleth) for three different applications: MediaWiki, Discourse and WordPress (our goal is SSO for all the applications). For the MediaWiki solution, we are using SimpleSaml as an SP. Now, everything works great if I click the Login button: the application calls the SP, and the SP will check with the Gluu Server whether the user is already authenticated. If yes, the Gluu Server returns the user data; if not, it redirects the user to the login screen (Gluu login screen).

What we are trying to do now is: when the page loads, we want to automatically check with the Gluu Server if the user is already authenticated. If he is, we authenticate the user within MediaWiki; if not, we just let him surf anonymously (without forcing him to log in).

To solve that, we are trying to verify if the user is logged in using a passive request, but that led us to an error in the response (saml2p:Response):

```xml
<saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive" />
  </saml2p:StatusCode>
  <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>
```

Our request:

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_6b2efb5d953fe917b05cae9308161cb5f96ceaf0d1"
    Version="2.0"
    IssueInstant="2017-11-09T14:58:31Z"
    Destination="https://my.idp.com/idp/profile/SAML2/POST/SSO"
    IsPassive="true"
    AssertionConsumerServiceURL="http://my.service.com/simplesaml/module.php/saml/sp/saml2-acs.php/sp1"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>http://my.service.com/simplesaml/module.php/saml/sp/metadata.php/sp1</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true" />
</samlp:AuthnRequest>
```

Thanks.
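As an added example (not code from the thread, nor from Gluu or SimpleSAMLphp), here is how an SP-side handler could interpret the status of the response to the passive request above, treating the second-level Requester/NoPassive code as "continue anonymously" rather than as a failure. It assumes only Python's standard library; the response document is a constructed sample modelled on the status block in the post, and the signature, Destination and InResponseTo checks are assumed to have already been done by the SAML library.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


def classify_passive_response(response_xml: str) -> str:
    """Interpret the <Status> of a Response to an IsPassive="true" request.

    Returns 'authenticated', 'anonymous' or 'error'. Assumes signature,
    Destination, InResponseTo and audience checks were done by the SAML
    library before this runs; this function only reads the status codes.
    """
    root = ET.fromstring(response_xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        return "error"
    if top.get("Value") == SUCCESS:
        # The IdP already had a session: a (possibly encrypted) assertion must follow.
        has_assertion = (root.find("saml:Assertion", NS) is not None
                         or root.find("saml:EncryptedAssertion", NS) is not None)
        return "authenticated" if has_assertion else "error"
    nested = top.find("samlp:StatusCode", NS)
    if (top.get("Value") == REQUESTER and nested is not None
            and nested.get("Value") == NO_PASSIVE):
        # Requester/NoPassive means "no session without user interaction":
        # let the visitor continue anonymously instead of showing an error page.
        return "anonymous"
    return "error"


# Constructed sample (ID and timestamp invented), modelled on the status
# block posted in the thread; the prefix differs from NS but the URIs match.
NO_PASSIVE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-example" Version="2.0" IssueInstant="2017-11-09T14:58:32Z">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""
```

Calling `classify_passive_response(NO_PASSIVE_RESPONSE)` returns `"anonymous"`, which is the branch the SP should map to "render the page without a session".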

By Mohib Zico staff 14 Nov 2017 at 1:26 a.m. CST

Gluu Server's authentication is controlled by oxAuth, not Shibboleth. You can find the info on authentication in oxAuth.log.

By Michael Schwartz Account Admin 14 Nov 2017 at 5:51 a.m. CST

It might work with the Shibboleth IDP 3. If you find a solution, let us know on this issue. But it's not something we're going to support, because in 9 years no one else has ever asked us about it. So it's classified as _esoteric SAML_.

By Murillo Rocha user 11 Dec 2017 at 11:32 a.m. CST

Thank you guys for the responses. In the end, we've decided to control the authentication with one cookie and, for each application, we test if that cookie is set or if the application is logged in. When the user loads the page, the application will check for a specific cookie (a cookie saying that, somewhere else, that user is authenticated). If the cookie is set, he will log in to Gluu for the current application. Else, it will ignore it and let the user surf anonymously. The cookie is set when the user gets authenticated in the application. There is a condition like this:

```
if (application.HasUserSession() && !isLoginCookieSet()) then
    setLoginCookie();
else if (isLoginCookieSet() && !application.HasUserSession()) then
    // Application will call Gluu
    gluuAuthentication();
end;
```

The steps for a non-authenticated user will be:

1. Open Application as Anonymous (fail to verify user and cookie).
2. Click login (redirect to Gluu).
3. SAML2 authentication process, then redirected back to Application.
4. On page load, Application checks if there is a user in its session (if there is a user, it will set the cookie).
5. User logged in.

The steps for a user authenticated in another application will be:

1. Open Application as Anonymous (verified cookie, but no application session).
2. The application will redirect to Gluu authentication.
3. SAML2 authentication process, then redirected back to Application.
4. User logged in.

If you guys have any suggestions, we would much appreciate it. Thanks again.