everyone
our policyserver is 12.8
and run on redhat
and our sampl sso is ok
and we access application via relaystate ,
and we want to access more applications
and we want to access : https://fed.test.com.cn/test,https://fed.test.com.cn/prd,
we want to judge when is test ,forward to one place ,and judge when is prd ,forward to another place
and our proxyrule is here :
<?xml version="1.0"?>
<?cocoon-process type="xslt"?>
<!DOCTYPE nete:proxyrules SYSTEM "file:////app/siteminder/agent/agentfed/secure-proxy/proxy-engine/conf/dtd/proxyrules.dtd">
<!-- Proxy Rules -->
<!-- replace www.example.com with your namespace -->
<nete:proxyrules xmlns:nete="https://fed.test.com.cn/" debug="yes">
<nete:cond criteria="beginswith" type="uri">
<!-- replace /dir1 with an appropriate URI -->
<nete:case value="/test">
<!-- replace http://server1.example.com with the appropriate destination server -->
<nete:forward>https://10.164.29.65$0</nete:forward>
</nete:case>
</nete:cond>
</nete:proxyrules>
but when we passed https://fed.test.com/affwebservices/public/saml2assertionconsumer,
we found not forward to destination server.
so ,where is wrong ,we did not found errors in logs
can anyone help us ?
we are in hurry
Proxy rules don't apply to /affwebservices, that's a different "app" on SPS itself.
Related
I am spinning a big wheel now. please shed some light.
Reverse proxy is working with Apache. So, when I access https://hostname/app/default.html, it opens Tomcat app url. No issue.
The tomcat app currently redirects to https://hostname/app/login.html which has a login box.
1) Do I need to disable UserDatabase on Tomcat server.xml ?
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
2) Is this Shibboleth configuration correct ?
But, when I try configure this with OKTA- Shibboleth(3.0), it's looping OKTA SSO url.
In shibboleth2.xml
<ApplicationDefaults id="default"
entityID="https://hostname/shibboleth-sp"
REMOTE_USER="userid" >
<SSO entityID="http://www.okta.com/~~~~">
OKTA's metadata is downloaded and located with shibboleth2.xml file.
cert is also generated and placed in the same folder.
3) Is this OKTA configuration correct ?
In OKTA widget configuration menu,
- Single sign on url :https://hostname/Shibboleth.sso/SAML2/POST
- recipient url : https://hostname/Shibboleth.sso/SAML2/POST
- destination url :https://hostname/Shibboleth.sso/SAML2/POST
- audience restriction :https://hostname/shibboleth-sp <-- above SP entityID
- default relay state : ??
right now, when I click on the widget on OKTA, it's looping.
https://hostname/Shibboleth.sso/SAML2/POST
contains SAML response.
then, it redirects to OKTA SSO url. It never ends.
https:// xxx.oktapreview.com/app/xx_reverse_proxy_/xxxx/sso/saml?SAMLRequest=~~~&RelayState=~~~
This contains SAML request but it looks like this.
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://hostname/Shibboleth.sso/SAML2/POST"
Destination="https://okta sso/sso/saml"
ID="xx"
IssueInstant="2018-11-02T15:39:24Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hostname/shibboleth-sp
</saml:Issuer>
<samlp:NameIDPolicy
AllowCreate="1"/>
Is this Issuer url correct? Why is it looping and how to fix ?
Re Q#1: You only need Tomcat users if you're going to protect an application with it, such as the Tomcat manager. Otherwise, no.
Re Q#2: You list <SSO entityID="http://www.okta.com/~~~~"> but Destination="https://okta sso/sso/saml" from the SAML. You might want to check http/https. This is a very common cause of looping. Eliminate any potential http/https inconsistency.
FWIW Issuer looks correct to me... that's what you specify in entityID="https://hostname/shibboleth-sp"
currently We have CAS SSO to our existing .net application, but now client is asking for Shibboleth SSO instead CAS. I'm totally new to Shibboleth.
Client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
By using guidelines from Shibboleth site, below are the steps i followed.
Installed Shibbolth Service provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed Shibboleth Idp (in which jetty also checked)(shibboleth-identity-provider-3.3.3-x64.msi)
Web Application with self signed certificate
attached my Shibboleth2.xml file
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <InProcess logger="native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
</ISAPI> </InProcess> <RequestMapper type="Native"> <RequestMap> <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap></RequestMapper><ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https"> <SSO entityID=""urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1 </SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP">/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root#localhost"
helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing......
When i try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
getting error no metadataprovider available.
Noticed Problems:
1.when i try to add Metadataprovider Shibboleth daemon 2 service is getting
stopped and unable to start.if i remove it's is running.
2.Shibboleth Idp 3 deamon is getting stopped very frequently
When i run 'SC interrogate shibd_idp' in command prompt, results are
control service failed 1062
the service has not been started.
I donno what is wrong with my work.
Can any one please tell me what are the steps to be followed to accomplish this integration.
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called metadata provider, you will need to open that.
If you have done this but shill service is not getting started then you can check the log and give additional info in question.
Another reason I can think of is connection problem. Try downloading idP's metadata and store it physically in the SP configuration folder. Manually map the file, using following tag
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues has been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. we are getting the Shibboleth Identity provider login page.We are able to see the attributes in Session.Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page.Currently we created 1 sample html page under secure folder in our application. once we logged in we are able to this html page.But when i tried to redirect to our application home page, it's giving 500 error. Can any one knows like how to redirect to our app home page and retrieve the attributes in the application.
I'm trying to use JMeter to invoke a RPC/SOAP Web service and when I invoke the service my namespaces are mangled from the actual values to NS1.
<?xml version="1.0" encoding="UTF-8"?>
<wpc:invoke xmlns:wpc="http://wpc.ibm.com">
<wpc:envelope communicationVersion="5.3">
<wpc:WPCResponseType>asynchronous</wpc:WPCResponseType>
<wpc:wpcHeader>
<wpc:companyName>mycompany</wpc:companyName>
<wpc:wpsUserID>me</wpc:wpsUserID>
<wpc:wpcUserID>wpcUsername</wpc:wpcUserID>
<wpc:password />
<wpc:messageIdentifier>9E2FA100-BE54-11E5-8A91-BF48E24665E0</wpc:messageIdentifier>
<wpc:timestamp>2016-01-18</wpc:timestamp>
<wpc:supplierId><![CDATA[0Z188]]></wpc:supplierId>
<wpc:localeForDisplay>en_US</wpc:localeForDisplay>
<wpc:localeRestriction>en_US</wpc:localeRestriction>
</wpc:wpcHeader>
<wpc:wpcBody>
<wpc:wpcCommand mode="ASYNC" type="UPLOAD">
<wpc:wpcCatalogName>Item Transaction Catalog</wpc:wpcCatalogName>
<wpc:wpcFileDocStorePath>test_data/upload/0003_items.csv</wpc:wpcFileDocStorePath>
<wpc:wpcUpdateOnly>false</wpc:wpcUpdateOnly>
</wpc:wpcCommand>
</wpc:wpcBody>
</wpc:envelope>
</wpc:invoke>
Changes to:
<?xml version="1.0" encoding="UTF-8"?>
<ns1:invoke xmlns:ns1="http://wpc.ibm.com">
<ns1:envelope communicationVersion="5.3">
<ns1:WPCResponseType>asynchronous</ns1:WPCResponseType>
<ns1:wpcHeader>
<ns1:companyName>mycompany</ns1:companyName>
<ns1:wpsUserID>me</ns1:wpsUserID>
<ns1:wpcUserID>wpcUsername</ns1:wpcUserID>
<ns1:password/>
<ns1:messageIdentifier>9E2FA100-BE54-11E5-8A91-BF48E24665E0</ns1:messageIdentifier>
<ns1:timestamp>2016-01-18</ns1:timestamp>
<ns1:supplierId><![CDATA[0Z188]]></ns1:supplierId>
<ns1:localeForDisplay>en_US</ns1:localeForDisplay>
<ns1:localeRestriction>en_US</ns1:localeRestriction>
</ns1:wpcHeader>
<ns1:wpcBody>
<ns1:wpcCommand mode="ASYNC" type="UPLOAD">
<ns1:wpcCatalogName>Item Transaction Catalog</ns1:wpcCatalogName>
<ns1:wpcFileDocStorePath>test_data/upload/0003_items.csv</ns1:wpcFileDocStorePath>
<ns1:wpcUpdateOnly>false</ns1:wpcUpdateOnly>
</ns1:wpcCommand>
</ns1:wpcBody>
</ns1:envelope>
</ns1:invoke>
There must be a setting in JMeter to keep the message from being transformed from my original meaningful namespace to this arbitrary namespace called NS1? When the message is received at the target endpoint it cannot parse the request because of this semantic error.
Any/all replies are appreciated!
MG
JMeter should not change anything in the request body, maybe it is an issues with your web service? Double check the request which is being sent by JMeter using a sniffer tool like Wireshark
In any case try switching to HTTP Request sampler, this is recommended way of sending web service requests (just don't forget to add HTTP Header Manager to send Content-Type and SOAPAction headers).
References:
JMeter User's Manual: Building a SOAP WebService Test Plan
Testing SOAP/REST Web Services Using JMeter
I'm new in XMPP, recently I have installed and configure openfire admin control by defining IP (localhost), port (5222) and new database named: openfire in MySql.
But my usernames and their passwords are in another database, is there any steps to configure in openfire so that it can check the user authentication in my own created database instead of checking it's(openfire) own created usertable ofuser.
I'am Adding TAGS here,
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file stores bootstrap properties needed by Openfire.
Property names must be in the format: "prop.name.is.blah=value"
That will be stored as:
<prop>
<name>
<is>
<blah>value</blah>
</is>
</name>
</prop>
Most properties are stored in the Openfire database. A
property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
<adminConsole>
<!-- Disable either port by setting the value to -1 -->
<port>9099</port>
<securePort>9091</securePort>
</adminConsole>
<locale>en</locale>
<!-- Network settings. By default, Openfire will bind to all network interfaces.
Alternatively, you can specify a specific network interfaces that the server
will listen on. For example, 127.0.0.1. This setting is generally only useful
on multi-homed servers. -->
<!--
<network>
<interface></interface>
</network>
-->
<connectionProvider>
<className>org.jivesoftware.database.DefaultConnectionProvider</className>
</connectionProvider>
<database>
<defaultProvider>
<driver>com.mysql.jdbc.Driver</driver>
<serverURL>jdbc:mysql://localhost:3306/openfire?rewriteBatchedStatements=true</serverURL>
<username encrypted="true">87d776abae54f5b4c95c78b78420a6967a9429e9e6d7a5c0</username>
<password encrypted="true">7a1603cafdfe1383ea0e284360172ca8c94b37314dbd5390</password>
<testSQL>select 1</testSQL>
<testBeforeUse>false</testBeforeUse>
<testAfterUse>false</testAfterUse>
<minConnections>5</minConnections>
<maxConnections>25</maxConnections>
<connectionTimeout>1.0</connectionTimeout>
</defaultProvider>
</database>
<jdbcProvider>
<driver>com.mysql.jdbc.Driver</driver>
<connectionString>jdbc:mysql://localhost:3306/mydb?user=root;password=root</connectionString>
</jdbcProvider>
<provider>
<auth>
<className>org.jivesoftware.openfire.auth.JDBCAuthProvider</className>
</auth>
<user>
<className>org.jivesoftware.openfire.user.JDBCUserProvider</className>
</user>
</provider>
<jdbcAuthProvider>
<passwordSQL>SELECT upwd FROM users WHERE uname=? and usertype=2 and delflag=0</passwordSQL>
<passwordType>md5</passwordType>
</jdbcAuthProvider>
<jdbcUserProvider>
<loadUserSQL>SELECT CONCAT(ufname,ulname) AS name,uemail as email FROM users WHERE uname=? AND usertype=2 AND delflag=0</loadUserSQL>
<userCountSQL>SELECT COUNT(*) FROM users WHERE usertype=2 AND delflag=0 AND inactive=0</userCountSQL>
<allUsersSQL>SELECT uname FROM users WHERE usertype=2 AND delflag=0 AND inactive=0</allUsersSQL>
<searchSQL>SELECT uname FROM users WHERE usertype=2 AND delflag=0 AND inactive=0</searchSQL>
<usernameField>uname</usernameField>
<nameField>ufname</nameField>
<emailField>uemail</emailField>
</jdbcUserProvider>
<setup>true</setup>
</jive>
Here is a official openfire documentation for exact your case:
https://www.igniterealtime.org/builds/openfire/docs/latest/documentation/db-integration-guide.html
First, editing openfire.xml wont make any expected change with your openfire. even after you restart it.
You should edit that configuration from SERVER -> System Properties . OR you can directly modify database in ofproperty values.
but be carefull.. none of my JDBC authentication seems work if use my own user table. even if i set it to PLAIN password. and their MD5 looks different than standart md5 hashing method
Perl CGI web application is my Shibboleth Service Provider.
The cgi protected by Shibb is causing the redirect to Shibboleth IDP.
Authentication successful at the IDP and redirect back to the protected CGI page.
I can see Shibboleth Session variables, but i don't see 'REMOTE_USER' variable set.
Shibboleth2.xml has 'REMOTE-USER="eppn transient-id targeted-id".
What am i doing wrong?? What do i need to do in the attribute configuration files to set the REMOTE_USER(REMOTE-USER) ?
thanks
Do you have settings in your attribute-map.xml that will create one of eppn, transient-id, targeted-id? I added persistent-id to the aliases as follows:
<!-- more OLAT support -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
id="Shib-eduPersonTargetedID"
aliases="Shib-SwissEP-UniqueID persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder"
formatter="$Name!!$NameQualifier!!$SPNameQualifier"/>
</Attribute>
and promptly, that value showed up in REMOTE_USER as well.