By: Jay Kumar user 29 Jan 2018 at 6:15 a.m. CST

24 Responses
Hi there! The Shibboleth metadata on our Gluu setup is not accessible and is giving a 503 error. It was working fine, as was our TR (trust relationship) with the SP, but it suddenly stopped working, which might be due to the inaccessible Shibboleth IdP metadata. We ran this command `mv /opt/shibboleth-idp/logs/idp-process.log /opt/shibboleth-idp/logs/idp-process.log.bak` to remove the existing idp-process log file and restarted the idp service. The Jetty service started successfully, yet we are still not able to access the aforementioned metadata. Kindly look into the logs below, which show a few errors generated after restarting the idp service, and suggest a solution for this issue. Thank you. [PS: deleted the logs from this comment and instead shared a pastebin link for the same.]

By Mohib Zico Account Admin 29 Jan 2018 at 6:50 a.m. CST

It's really hard to understand the log. Can you please use some mkdocs format or an external source (i.e. pastebin) to make it readable?

By Jay Kumar user 29 Jan 2018 at 7:14 a.m. CST

Please find below the pastebin URL for those logs: https://pastebin.com/zK4j3jkp

By Jay Kumar user 30 Jan 2018 at 7:17 a.m. CST

Hi Mohib, I have shared the pastebin link for the idp-process logs above; let me know if it is inaccessible for you. Please take a look at those logs and suggest a solution. Thank you.

By Mohib Zico Account Admin 31 Jan 2018 at 12:44 a.m. CST

Hello Jay, Thanks. I can see two ERRORs here:

- _"Caused by: java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist"_
- Attribute resolver configuration can't be loaded.

Question: Did you change anything in the cert + attribute-resolver.xml or attribute-resolver.xml.vm for any kind of customization?

By Jay Kumar user 31 Jan 2018 at 4:09 a.m. CST

Hi Mohib, We have not changed anything in those files you mentioned. We only did the following steps to add an onboarding external IdP into our Gluu setup:

- First, we installed Gluu Server version 3.1.2 on our Ubuntu server by following this doc: https://gluu.org/docs/ce/installation-guide/install/.
- Secondly, we successfully established the trust relationship between our application as SP and Gluu's Shibboleth IdP, and we were able to authenticate the Gluu user into our SP.
- After that, we enabled the passport saml script (the passport service is pre-configured in version 3.1.2, so we did not change anything regarding configuration), added an onboarding external IdP in the passport-saml-config.json file and restarted the passport service. We followed the steps mentioned on this page: https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/. The external IdP's metadata generated successfully and it is showing on our Gluu passport login page under the external IdP section.
- But now, when we are testing the user authentication via SAML with our SP application, it shows the oxauth error page and the authentication is not working.

As per our observations this might be due to the inaccessible Shibboleth metadata, which suddenly stopped working. So can you please suggest how we are going to resolve this issue. Thank you!

By Mohib Zico Account Admin 31 Jan 2018 at 4:15 a.m. CST

'Passport'... that is a different issue. Then my question is: how are you trying to access your Gluu Server metadata?

By Jay Kumar user 31 Jan 2018 at 4:35 a.m. CST

Please find below our Gluu Server metadata path: https://dev-sso.taoconnect.org/idp/shibboleth, which is showing a 503 HTTP error. We used this IdP metadata in our SP application to establish the TR between both.

By Mohib Zico Account Admin 31 Jan 2018 at 4:55 a.m. CST

> https://dev-sso.taoconnect.org/idp/shibboleth which showing 503 HTTP error.

That means.. 'IDP' is actually not loading. Can you share your attribute-resolver.xml and attribute-resolver.xml.vm files?

By Jay Kumar user 31 Jan 2018 at 6:59 a.m. CST

Please find below the pastebin URLs for those files:

1. https://pastebin.com/zhxfTeFq [attribute-resolver.xml]
2. https://pastebin.com/i2miat5G [attribute-resolver.xml.vm]

By Jay Kumar user 01 Feb 2018 at 4:58 a.m. CST

Hi Mohib, I have shared the pastebin links for both attribute-resolver files you asked for above; let me know if they are inaccessible for you. Please take a look and suggest a solution. Thank you.

By Mohib Zico Account Admin 01 Feb 2018 at 5 a.m. CST

It's accessible. I'll check.

By Jay Kumar user 01 Feb 2018 at 5:15 a.m. CST

Thank you so much :)

By Jay Kumar user 05 Feb 2018 at 5:19 a.m. CST

Hello again, Mohib! Did you find anything odd in the aforementioned files you asked for? Kindly look into the issue and suggest a solution for the same; it's urgent, please. Thank you!!

By Mohib Zico Account Admin 05 Feb 2018 at 5:28 a.m. CST

Can you share your idp-process.log? Escalate the Shib log to DEBUG mode and restart the container; then please share 'idp-process.log'.

By Jay Kumar user 05 Feb 2018 at 5:31 a.m. CST

Can you please provide more info on how to escalate the Shib log to DEBUG mode?

By Mohib Zico Account Admin 05 Feb 2018 at 5:35 a.m. CST

Please check the Shibboleth doc on how to do that.

By Jay Kumar user 06 Feb 2018 at 5:28 a.m. CST

Hi Mohib, Please find below the pastebin URL for the idp-process logs in debug mode: https://pastebin.com/pj2V0Sd9 Thank you.

By Mohib Zico Account Admin 06 Feb 2018 at 6:02 a.m. CST

Hello Jay, Thanks. I got the same log from one of my colleagues; I'll try to reproduce this issue locally as soon as I can manage some time; adding this to my ToDo list.

By Jay Kumar user 06 Feb 2018 at 6:29 a.m. CST

That is so generous of you :) Hope to hear from you soon!

By Jay Kumar user 08 Feb 2018 at 11:28 a.m. CST

Hi Mohib, Did you get a chance to reproduce this issue locally and find a solution for the same? Please update. Thank you.

By Mohib Zico Account Admin 09 Feb 2018 at 12:58 a.m. CST

Experiment still going on...

By Mohib Zico Account Admin 09 Feb 2018 at 4:29 p.m. CST

Jay, Please try these modifications in your 3.1.2 Gluu Server:

- Change the cert location in: ldap.properties
  - Location of the file: /opt/shibboleth-idp/conf/
  - Change:
    - Line number: 16
    - Value of idp.authn.LDAP.trustCertificates: from 'openldap.crt' to 'opendj.crt'
- Stop / Start the Gluu Server container
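Both of Mohib's requests in this thread are edits to Java properties files under /opt/shibboleth-idp/conf/: raising the Shibboleth log level to DEBUG (his 05 Feb reply) and repointing idp.authn.LDAP.trustCertificates from openldap.crt to opendj.crt (the fix above). The script below is an added example, not Gluu's or the Shibboleth project's own tooling. It assumes the file names ldap.properties and idp.properties, the IdP v3 setting idp.loglevel.idp (the value logback.xml reads for the net.shibboleth loggers), and that the cert path in ldap.properties is a plain absolute path rather than a %{...} placeholder. The demo at the bottom works on constructed copies of the two files so it runs anywhere; point the functions at the real files, then restart the container as described in the post above.

```shell
#!/bin/sh
# Added example (not Gluu/Shibboleth tooling): edit IdP properties files in
# place with a backup, then sanity-check the LDAP trust certificate path.

# set_prop FILE KEY VALUE
# Rewrites "KEY = ..." (also matches "KEY=..." and a commented-out "# KEY = ...")
# to "KEY = VALUE"; appends the line if the key is absent. Writes through
# "cat >" so the original file keeps its owner/mode (Jetty must still read it).
# VALUE must not contain '|' or '&' (sed delimiter / replacement metachars).
set_prop() {
    file=$1; key=$2; value=$3
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    esc_key=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${esc_key}[[:space:]]*=" "$file"; then
        tmpf=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*${esc_key}[[:space:]]*=.*|${key} = ${value}|" \
            "$file" > "$tmpf" && cat "$tmpf" > "$file"
        rm -f "$tmpf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY -> prints the current (uncommented) value, trimmed.
get_prop() {
    esc_key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -nE "s|^[[:space:]]*${esc_key}[[:space:]]*=[[:space:]]*||p" "$1" \
        | head -n1 | sed 's/[[:space:]]*$//'
}

# check_trust_cert FILE -> 0 if idp.authn.LDAP.trustCertificates names a
# readable file, 1 otherwise. A missing file here is exactly the
# "FileNotFoundException ... openldap.crt" seen in the thread's log.
# (Assumes a literal path; %{idp.home}-style placeholders are not expanded.)
check_trust_cert() {
    cert=$(get_prop "$1" idp.authn.LDAP.trustCertificates)
    if [ -n "$cert" ] && [ -r "$cert" ]; then
        return 0
    fi
    echo "idp.authn.LDAP.trustCertificates='$cert' is not a readable file" >&2
    return 1
}

# Demo on constructed sample files (contents are illustrative, not copied
# from a real Gluu 3.1.2 install). Replace $tmp with /opt/shibboleth-idp/conf
# to apply the change for real.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ldap.properties" <<'EOF'
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://localhost:1636
idp.authn.LDAP.trustCertificates = /etc/certs/openldap.crt
EOF
    cat > "$tmp/idp.properties" <<'EOF'
# idp.loglevel.idp = INFO
idp.loglevel.ldap = WARN
EOF
    # 1. swap openldap.crt -> opendj.crt inside the existing value
    cur=$(get_prop "$tmp/ldap.properties" idp.authn.LDAP.trustCertificates)
    set_prop "$tmp/ldap.properties" idp.authn.LDAP.trustCertificates \
        "$(printf '%s' "$cur" | sed 's/openldap\.crt$/opendj.crt/')"
    # 2. raise the Shibboleth log level for the next idp-process.log capture
    set_prop "$tmp/idp.properties" idp.loglevel.idp DEBUG

    grep -H trustCertificates "$tmp/ldap.properties"
    grep -H loglevel.idp "$tmp/idp.properties"
    check_trust_cert "$tmp/ldap.properties" \
        || echo "(expected on a host without /etc/certs/opendj.crt)" >&2
    rm -rf "$tmp"
}

demo
```

After applying this to the real files and restarting the container, confirm the fix the same way the thread did: fetch https://<your-idp>/idp/shibboleth and expect the metadata XML instead of a 503, then look for new ERROR lines in /opt/shibboleth-idp/logs/idp-process.log. Remember to set idp.loglevel.idp back to INFO once you have the debug capture; DEBUG is verbose and logs attribute values.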

By Jay Kumar user 12 Feb 2018 at 5:52 a.m. CST

Hi Mohib, We followed the steps you mentioned above and now the Shibboleth metadata is accessible on our Gluu setup. But our TR (Trust Relationship) is still not working. We deleted the current TR and established a new one again; it validated successfully with our SP and is active as well. However, when we test the user authentication it redirects to the oxauth error page. So, can you please suggest where we can look for logs regarding why the TR is not working. Thank you.

By Mohib Zico Account Admin 12 Feb 2018 at 5:53 a.m. CST

Please create a new ticket and provide the passport log. This ticket covers the 'IDP metadata not loading' issue.