I installed Shibboleth SP on my mac. I try to make a connect with the test shib. However, I get this error after I login.
Error Message: No peer endpoint available to which to send SAML response
Here's my Shibboleth2.xml
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<SSO entityID="https://idp.testshib.org/idp/shibboleth"
discoveryProtocol="SAMLDS" forceAuthn="true">
SAML2 SAML1
</SSO>
<MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000">
</MetadataProvider>
here's my metadata
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost/Shibboleth.sso/SAML2/ECP" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://localhost/Shibboleth.sso/SAML/POST" index="4"/>
Why I am getting this error?
This message indicates a mismatch between the configuration of the Testshib Identity Provider and your Shibboleth Service Provider you tried logging in to. I would suspect a problem caused by using the name "localhost" in the Assertion Consumer Service URL provided with your metadata. The IDP is trying to send the SAML response to https://localhost/Shibboleth.sso/SAML2/POST, but there is of course no Assertion Consumer Service because "localhost" is in this case the IDP itself.
So, I would start by removing everything from Testshib, changing your SP's entityID to make it more unique (Use your IP address instead of localhost) and re-add updated metadata for your SP to TestShib.
Try the request, then Testshib's idp logs at https://idp.testshib.org/cgi-bin/idplog.cgi?lines=300. For me, there was an error message like this:
05:15:03.350 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] -
Relying party 'my.entity.id' requested the response to be returned to endpoint with ACS
URL 'https://wrong-host/Shibboleth.sso/SAML2/POST' and binding 'urn:oasis:names:tc:
SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported
binding, can be found in the relying party's metadata
But my metadata said
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://right-host/Shibboleth.sso/SAML2/POST" index="1"/>
As you can see, shibd asked to be redirected to the wrong place. The problem is that shibd uses the host name from Apache. (I assume you're using Apache. The setup is probably similar if not.)
The solution is to go to /etc/apache2/sites-enabled/default-ssl.conf and set ServerName to the correct host:port that matches your metadata. Then, open /etc/apache2/apache2.conf and make sure UseCanonicalName is On.
This is detailed in the docs, which I recommend reading carefully.
Related
I have implemented a proxy extending jetty's ProxyServlet.Transparent.
However upon testing I noticed there is a difference on error messages the user sees when the server returns an error.
For example, when connecting directly to one of our application server with an invalid user credential, the server should return something more specific with instructions on the auth as we have set it this way. When connecting to the proxy server the error is in its most generic form like Authentication failed: Unauthorized
I suspect at some stage jetty checks on the server response and set the proxy response with minimal information so I am looking into the Transparent class code and its parent classes to find which method I can override to intercept the original server response and forward the information in the proxy response, assuming my understanding on these two responses are correct.
Thanks for the help.
I have set up SSO using weblogic on windows and Kerberos, It is working fine for the http pages, however I observed a strange behavior on https pages which requires CONFIDENTIAL setting for the transport, It works fine if I first access a page on http which is not configured as secured in web.xml(Transport-Gurantee as None) and then the https page.
But If I try to hit the https url directly which is configured with Transport-Gurantee as CONFIDENTIAL then it shows the Basic Auth Dialog and a 401 Unauthorized response, Looking at the logs I see that the Server responded with the WWW-Authenticate but browser showed the Basic Auth Dialog in response instead of getting the Authorize token.
Does anyone has any idea on what might be issue here, If there is any problem with the browser settings then it would not have worked irrespective of accessing the http url first.
I can see the following error log in weblogic console
Malformed request "Can not parse URI from http request". Request parsing failed, Code: -1
Found one of the link here
SPNEGO on IBM WebSphere Portal 6.1 with https
For my case it is weblogic 12c , I don't think reinstalling 12c is a valid solution for it
Ok I got it fixed , It turns out to be an issue with the browser configuration , the https://myserver.domain.com was not inside the intranet domain and the control to do that rests with the windows Admin team, once they added it , the https urls are also working fine.
JSON File
{"web":{"auth_uri":"https://accounts.google.com/o/oauth2/auth",
"client_secret":"c-kaafSexciO7It3QcKxx3BO",
"token_uri":"https://accounts.google.com/o/oauth2/token",
"client_email":"xxx678964-tjkl572knihtgocll9tnadvsdngmnld6#developer.gserviceaccount.com",
**"redirect_uris":["http://www.alfrosia.com"]**,
"client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/798911678964-tjkl572knihtgocll9tnadvsdngmnld6#developer.gserviceaccount.com",
"client_id":"xxx1678964-tjkl572knihtgocll9tnadvsdngmnld6.apps.googleusercontent.com",
"auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
"javascript_origins":["[http://www.alfrosia.com][1]"]}}
I am specifying proper redirect url in the json file above, but during authentication it is giving wrong url message on browser. While I have given, this as Redirect Uri in json file.
In the error message it says that
redirect_uri=http://localhost:57826/authorize/
is uri_mismatch while I have not specified it in json
But Google OAuth2 authorization Failed ,this error message occurs during authentication process
- Error: redirect_uri_mismatch.
Request Details
scope=https:[//www.googleapis.com/auth/youtube.readonly][3]
response_type=code
redirect_uri=http://localhost:57826/authorize/
access_type=offline
pageId=none
client_id=xxxxx964-tjkl572knihtgocll9tnadvsdngmnld6.apps.googleuserconten
redirect_uri must exactly match what you have set in the Google Developer console. My guess is that your code / client library / IDE is automatically setting the redirect URI based upon the url you are browsing from.
Visual studio for example has a habit of randomly changing the port.
Option 1:
Fix your redirect uri in the Google developer console to
http://localhost:57826/authorize/
option 2:
assuming you are using visual studio fix the project settings so it stops adding a random port.
option 3:
assuming you are using java or visual studio IDE that may be adding this random port. Create a Client ID for native application instead of a Client ID for web application and use that for testing on local host. Do not release Client ID for native application to your live webserver.
"localhost" is not working in Google developer console.
Try 127.0.0.1 as redirect URI and don't use symbols in the URI.
I am trying to make a proxy CAS webapp using PHPCAS library version 1.3.3. At first I tried an example from the docs but unfortunately I got an error and said that I wasn't authenticated.
I was using the example_proxy_GET.php and on the log it said like this :
Authentication failure: Ticket validated but no PGT Iou transmitted [AuthenticationException.php:80]
Reason: no CAS error [AuthenticationException.php:94]
The authentication was successful on validate the ST (Service Ticket) but the log also said that :
<proxyGrantingTicket> not found [Client.php:2541]
CAS_AuthenticationException::__construct(CAS_Client, 'Ticket validated but no PGT Iou transmitted
So, my question is that the Single Sign-On server (CAS 2.0 I think) that was not sending a PGT Iou (so there's misconfiguration on the server) or there's something wrong on the examples file?
And if the server was misconfigured, what should I do?
Thanks
UDPATE
I'm using a private IP address and when I tried open the CAS server log on tomcat, here's it said
2015-04-09 11:56:41,428 WARN [org.jasig.cas.util.HttpClient] - <Socket Timeout Detected while attempting to send message to [http://10.10.100.102/sso/docs/examples/example_proxy_GET.php].>
My guess was that I should use some public IP / domain to use the CAS properly
It turns out that I need setup a https server to use the proxy feature on CAS.
I found the detail on here
https://wiki.jasig.org/display/CASC/phpCAS+requirements
I am trying to generate proxy code using svcutil.exe. Service is running on the same box.
Here is console output. Any idea what's wrong?
SvcUtil.exe https ://xyz:xxx/servicename/wsdl?wsdl
Attempting to download metadata from 'https://xyz:xxx/servicename/wsdl?wsdl' using WS-
Error: Cannot obtain Metadata from https ://xyz:xxx/servicename/wsdl?wsdl
WS-Metadata Exchange Error
URI: https ://xyz:xxx/servicename/wsdl?wsdl
Metadata contains a reference that cannot be resolved: 'https ://xyz:xxx/servicename/wsdl?wsdl'.
There was no endpoint listening at https://xyz:xxx/servicename/wsdl?wsdl that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
The remote server returned an error: (404) Not Found.
HTTP GET Error
URI: https ://xyz:xxx/servicename/wsdl?wsdl
The document was understood, but it could not be processed.
The WSDL document contains links that could not be resolved.
There was an error downloading 'https ://localhost:xxx/servicename/wsdl?wsdl=wsdl1'.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
Are you sure that's the right address for the wsdl?
What are xyz and xxx? Is xxx a port number?
For example, if you browse to it using your web browser, can you see the wsdl correctly?
You can try different urls like:
http://domain/servicename
http://domain/servicename?wsdl
https://domain/servicename
https://domain/servicename?wsdl
Do any of those work in your browser and\or using svcutil.exe?
Which version of svcutil.exe are you using?
What type of web service is it that you are trying to connect to?