By: Timothy Millett user 17 Jan 2019 at 5:56 p.m. CST

7 Responses
Hello, I am very new to Gluu and I am picking up where someone left off (they only installed it using the Docker containers). I was able to add the IDPs (2 Active Directories) and I can see the Shibboleth XML output from the URL (https://my.domain.net/idp/shibboleth), where I see the following:

```
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://my.domain.net/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my.domain.net/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.domain.net/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://my.domain.net/idp/profile/SAML2/POST-SimpleSign/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://my.domain.net/idp/profile/SAML2/SOAP/SLO"/>
```

But the URLs show "Web Login Service - Stale Request". Can someone point me to some missing configuration? I tried to follow the docs, but I am lost. Thanks.

By Sahil Arora user 17 Jan 2019 at 6:52 p.m. CST

Please check if the server time is in sync with the service provider. You should also check the Shibboleth IDP logs. For locations see [Gluu Server Logs](https://gluu.org/docs/ce/3.1.4/operation/logs/).

By Timothy Millett user 17 Jan 2019 at 9:54 p.m. CST

The server time is in sync between the Docker container and the host. I checked the logs, and I see this in the idp-process.log:

```
2019-01-18 03:46:39,486 - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:231] - Service 'shibboleth.NameIdentifierGenerationService': Reload for shibboleth.NameIdenti
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'net.shibboleth.idp.saml.nameid.impl.NameIdenti
        at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:336)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'net.shibboleth.idp.saml.nameid.impl.NameIdentifierGenerationServiceImpl#0' defined in file [/opt/sh
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator#786b6e24' defined in file
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.SAML1NameIdentifierGenerators' available
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:687)
2019-01-18 03:48:48,074 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method
        at org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder.doDecode(HTTPPostDecoder.java:82)
2019-01-18 03:48:48,077 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: UnableToDecode
2019-01-18 03:49:15,083 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method
        at org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder.doDecode(HTTPPostDecoder.java:82)
2019-01-18 03:49:15,084 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: UnableToDecode
```

By Timothy Millett user 17 Jan 2019 at 10:55 p.m. CST

Also, I updated the passport-saml-config.json, but I could not restart the service on the passport container using `service passport restart`, which is what the documentation states. I tried both `service` and `systemctl`.

By Sahil Arora user 18 Jan 2019 at 4:55 p.m. CST

> ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method

As indicated by the error, your SP is not sending an HTTP POST request to the Gluu IDP. Please check the configuration on the SP side.
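The two checks suggested in this thread, that the SP actually uses the HTTP-POST binding against the IDP's POST endpoint and that the clocks are in sync, can both be exercised from the SP side before touching a browser. The script below is an added example written for this page; it is not code from the thread, from Gluu, or from Shibboleth. It reads the `SingleSignOnService` endpoints out of a constructed metadata sample (using the thread's `my.domain.net` hostname), encodes an unsigned AuthnRequest for either the HTTP-POST or the HTTP-Redirect binding, and then models the IDP-side decoder so that the "only supports the HTTP POST method" failure and a clock-skew rejection show up as return values. The SP entityID, the ACS URL, the `/POST/SSO` and `/Redirect/SSO` path suffixes, and the five-minute skew allowance are all assumptions.

```python
"""Added example (not from the thread, Gluu or Shibboleth): choose the SAML 2.0
SSO endpoint from IdP metadata, encode an AuthnRequest for that binding, and
model the IdP-side decoder checks that produce the errors seen in the thread."""
import base64
import datetime as dt
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample IdP metadata (assumption); locations mirror the thread's hostname.
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="' + NS_MD + '" entityID="https://my.domain.net/idp/shibboleth">'
    '<IDPSSODescriptor protocolSupportEnumeration="' + NS_SAMLP + '">'
    '<SingleSignOnService Binding="' + BINDING_REDIRECT + '" '
    'Location="https://my.domain.net/idp/profile/SAML2/Redirect/SSO"/>'
    '<SingleSignOnService Binding="' + BINDING_POST + '" '
    'Location="https://my.domain.net/idp/profile/SAML2/POST/SSO"/>'
    "</IDPSSODescriptor></EntityDescriptor>"
)
# Assumed SP identity; a real SP would take these from its own configuration.
SP_ENTITY_ID = "https://sp.example.net/shibboleth"
SP_ACS_URL = "https://sp.example.net/Shibboleth.sso/SAML2/POST"


def sso_endpoints(metadata_xml):
    """Map each SingleSignOnService Binding URI to its Location."""
    root = ET.fromstring(metadata_xml)
    return {el.get("Binding"): el.get("Location")
            for el in root.iter("{%s}SingleSignOnService" % NS_MD)}


def build_authn_request(issuer, acs_url, destination, issue_instant):
    """Minimal unsigned AuthnRequest; Destination must equal the endpoint used."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_%s" Version="2.0" '
        'IssueInstant="%s" Destination="%s" ProtocolBinding="%s" '
        'AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
        % (NS_SAMLP, NS_SAML, uuid.uuid4().hex, issue_instant, destination,
           BINDING_POST, acs_url, issuer)
    )


def encode_post(xml):
    """HTTP-POST binding: plain base64 of the XML in a SAMLRequest form field."""
    return base64.b64encode(xml.encode()).decode()


def encode_redirect(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encoded query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def prepare_request(metadata_xml, binding, now=None):
    """Return (http_method, url, form_fields) for the chosen binding.
    The URL always comes from metadata, never from a hand-typed path."""
    endpoints = sso_endpoints(metadata_xml)
    if binding not in endpoints:
        raise ValueError("IdP metadata offers no SingleSignOnService for " + binding)
    location = endpoints[binding]
    now = now or dt.datetime.now(dt.timezone.utc)
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, location, now.strftime(TIME_FMT))
    if binding == BINDING_POST:
        return "POST", location, {"SAMLRequest": encode_post(xml)}
    return "GET", location + "?" + encode_redirect(xml), None


def idp_decode(method, url, form, now=None, clock_skew=dt.timedelta(minutes=5)):
    """Model of the IdP-side checks behind the thread's log lines (assumption):
    the POST endpoint's decoder accepts only HTTP POST, the Redirect endpoint only
    GET, and IssueInstant must lie within clock_skew of the IdP clock.
    Returns (accepted, detail) where detail is the request ID or the reason."""
    parsed = urllib.parse.urlsplit(url)
    if parsed.path.endswith("/POST/SSO"):
        if method != "POST":
            return False, "This message decoder only supports the HTTP POST method"
        xml = base64.b64decode(form["SAMLRequest"]).decode()
    elif parsed.path.endswith("/Redirect/SSO"):
        if method != "GET":
            return False, "This message decoder only supports the HTTP GET method"
        query = urllib.parse.parse_qs(parsed.query)
        xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()
    else:
        return False, "no decoder bound to " + parsed.path
    root = ET.fromstring(xml)
    if root.get("Destination") != urllib.parse.urlunsplit(parsed[:3] + ("", "")):
        return False, "Destination does not match the endpoint that received the message"
    issued = dt.datetime.strptime(root.get("IssueInstant"), TIME_FMT).replace(tzinfo=dt.timezone.utc)
    now = now or dt.datetime.now(dt.timezone.utc)
    if abs(now - issued) > clock_skew:
        return False, "stale request: IssueInstant outside the allowed clock skew"
    return True, root.get("ID")


def demo():
    """Run the three scenarios the thread is about and return their outcomes."""
    idp_clock = dt.datetime(2019, 1, 18, 3, 48, 48, tzinfo=dt.timezone.utc)
    method, url, form = prepare_request(SAMPLE_METADATA, BINDING_POST, now=idp_clock)
    results = {
        "post_ok": idp_decode(method, url, form, now=idp_clock)[0],
        # SP does a GET against the POST endpoint: the exact error from idp-process.log
        "get_to_post_endpoint": idp_decode("GET", url, form, now=idp_clock)[1],
        # SP clock ten minutes ahead of the IdP: rejected as stale
        "skewed": idp_decode(method, url, form, now=idp_clock + dt.timedelta(minutes=10))[1],
    }
    method, url, form = prepare_request(SAMPLE_METADATA, BINDING_REDIRECT, now=idp_clock)
    results["redirect_ok"] = idp_decode(method, url, form, now=idp_clock)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The point of driving the endpoint choice from metadata is that an SP configured with a Redirect-encoded request pointed at the `/POST/SSO` location, or a GET against it, fails exactly the way the log shows; the same model rejects a request whose IssueInstant is outside the skew window, which is what the time-sync advice earlier in the thread is guarding against.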

By Sahil Arora user 23 Jan 2019 at 7:34 p.m. CST

Hi Timothy, Let us know if you have any further questions. Thanks

By Timothy Millett user 26 Jan 2019 at 1 p.m. CST

Taking a step back and looking at the cache refresh setup. Test LDAP connection just times out when trying to connect to a Microsoft AD server:

```
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request POST /identity/organization/cacherefresh.
Reason: Error reading from remote server
```

I have the following:

Bind DN: CN=binduser,CN=Users,DC=mydomain,DC=net
Server: mydomain.net:389
Base DN: CN=Users,DC=wscsnet,DC=net

I also set the Bind Password. I was able to authenticate in a sample PHP script to the same Microsoft AD server with the following:

```php
<?php
$ldap = ldap_connect('ldap://mydomain.net') or die('Could not connect to LDAP server.');
echo '<p></p>';
echo 'LDAP SERVER STATUS: ' . $ldap;
// Active Directory DN (base location of LDAP search)
$ldap_dn = 'CN=Users,DC=mydomain,DC=net';
$user = 'mydomain\binduser';
$pass = 'mypassword';
// AD needs LDAPv3; bind with the DOMAIN\user form and report the outcome
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (ldap_bind($ldap, $user, $pass)) {
    echo 'Bind OK';
} else {
    echo 'Bind failed: ' . ldap_error($ldap);
}
ldap_unbind($ldap);
```

This is being done via EC2 instances in AWS, if that helps.

By Timothy Millett user 26 Jan 2019 at 1:14 p.m. CST

Never mind, network issue.