
SAML TR added without custom RP configuration doesn't work

Environment: CentOS 6.7, Gluu CE 3.0.1-1-3

Preconditions: Gluu was installed with full set of modules

Steps to reproduce:

  1. Log in to the web UI as the admin user
  2. Go to the “SAML -> Trust Relationships” page and click the “Add TR” button there
  3. Fill in all fields on the page required to create some simple valid TR there using the “Url” method (may work for “File” too). Make sure the metadata you’ll use is valid/reachable, i.e. under normal circumstances it must pass validation successfully in Gluu and result in an active TR. Do not activate the “Configure Relying Party” feature! Release the uid, transientid and email attributes.
  4. Click the “Update” button to finalize the creation and wait until it passes validation and becomes active.
  5. Restart the IdP service to make sure it reloads the updated configuration from disk: # service idp restart
  6. Try to access the SP you configured.

Result: After the user is redirected to the IdP, it responds with an “Application is not registered” error page. In idp-process.log, messages like these appear (note the “No metadata returned” part):

2017-02-17 22:56:36,569 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler:  No metadata returned for https://sphost-shib.site:8443/shibboleth in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-02-17 22:56:36,587 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-02-17 22:56:36,594 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration

Grepping for the SP’s hostname shows that when a TR is created without custom RP settings, the entry for this SP is not added to /opt/shibboleth-idp/conf/metadata-providers.xml

Without it:

# grep -i -r -e 'sphost-shib' /opt/shibboleth-idp/conf/
/opt/shibboleth-idp/conf/attribute-filter.xml:        <PolicyRequirementRule xsi:type="Requester" value="https://sphost-shib.site:8443/shibboleth" />

With it:

# grep -i -r -e 'sphost-shib' /opt/shibboleth-idp/conf/
/opt/shibboleth-idp/conf/metadata-providers.xml:                      metadataURL="https://sphost-shib.site:8443/Shibboleth.sso/Metadata"
/opt/shibboleth-idp/conf/relying-party.xml:        <bean parent="RelyingPartyByName" id="DB5D9A62F10F706C0002180CF85A0006460D81EB" c:relyingPartyIds="https://sphost-shib.site:8443/shibboleth">
/opt/shibboleth-idp/conf/attribute-filter.xml:        <PolicyRequirementRule xsi:type="Requester" value="https://sphost-shib.site:8443/shibboleth" />

You can view full screen capture here

Expected result: If custom RP properties are not specified, the TR is still functional, has a corresponding entry in the /opt/shibboleth-idp/conf/metadata-providers.xml file, and the default RP configuration provided in /opt/shibboleth-idp/conf/relying-party.xml is used for it.
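A check, added here and not part of the issue or of Gluu, that automates the comparison the report does by hand: it reads the Requester rules from attribute-filter.xml and the metadataURL entries from metadata-providers.xml and lists SPs that are released attributes but have no metadata provider, the state behind the “No metadata returned” log line above. The XML is a constructed sample modelled on the IdP v3 layout the report greps, and SPs are matched to providers by hostname as the report’s grep does, so an SP served through a federation feed would also be flagged.

```python
"""Cross-check Shibboleth IdP config: every SP granted attributes in
attribute-filter.xml should also have a metadata provider registered."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample files modelled on the IdP v3 layout the report greps;
# sphost-shib is released attributes but, as in the report, has no metadata provider.
ATTRIBUTE_FILTER_XML = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="ShibbolethFilterPolicy">
  <AttributeFilterPolicy id="sphost-shib">
    <PolicyRequirementRule xsi:type="Requester" value="https://sphost-shib.site:8443/shibboleth" />
    <AttributeRule attributeID="uid"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="other-sp">
    <PolicyRequirementRule xsi:type="Requester" value="https://other-sp.example:8443/shibboleth" />
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

METADATA_PROVIDERS_XML = """<MetadataProvider id="ShibbolethMetadata"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ChainingMetadataProvider">
  <MetadataProvider id="other-sp" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="https://other-sp.example:8443/Shibboleth.sso/Metadata"
      backingFile="/opt/shibboleth-idp/metadata/other-sp.xml" />
</MetadataProvider>"""

def local(tag):
    """Strip the XML namespace so lookups work regardless of prefixes."""
    return tag.rsplit("}", 1)[-1]

def requester_entity_ids(afp_xml):
    """Entity IDs named by Requester rules in attribute-filter.xml."""
    return sorted({e.get("value") for e in ET.fromstring(afp_xml).iter()
                   if local(e.tag) == "PolicyRequirementRule" and e.get(XSI_TYPE) == "Requester"})

def metadata_hosts(mp_xml):
    """Hostnames of every metadataURL in metadata-providers.xml."""
    return {urlparse(e.get("metadataURL")).hostname for e in ET.fromstring(mp_xml).iter()
            if local(e.tag) == "MetadataProvider" and e.get("metadataURL")}

def sps_without_metadata(afp_xml, mp_xml):
    """SPs that would hit 'No metadata returned': attributes are released, but no
    provider exists for their host. Host matching mirrors the report's grep heuristic."""
    hosts = metadata_hosts(mp_xml)
    return [eid for eid in requester_entity_ids(afp_xml) if urlparse(eid).hostname not in hosts]
```

Run it against the real files under /opt/shibboleth-idp/conf/ by reading them into the two arguments; an empty result means every SP with a filter policy also has a provider.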

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 10 (10 by maintainers)

Top GitHub Comments

1 reaction
dmogn commented, Apr 19, 2017

@willow9886 Yes. Fixed. I’ll merge today.

0 reactions
nynymike commented, Aug 23, 2017

Closing this as won’t fix. In 3.0 it is required to click on Configure Relying Party
