CA certificate signed jar java - plugins

I have just changed from signing jar files using a self-signed certificate to using a trusted certificate from Thawte. This works, but there are 2 issues. First, I now get the initial Java Console as before, but this is followed by a second one, then after a while (around 1 minute) the first one closes. Second, when I turn tracing on in the plugin, there are 463 connection requests to the thawte site (in the second console). This is shown as the following repeated over and over again:
security: Certificate validation succeeded using OCSP/CRL
security: Validate the certificate chain using CertPath API
security: SHA-256Certificate finger print: 250B4511AECDA826E699E0D46B4B4B5F4DFDB531AE1E4BE74E35D613F25E1722
security: SHA-256Certificate finger print: AF840CA2B9DFB776BF81AA94C401BC440C52E5C590C43607A13D6680D83E3349
security: SHA-256Certificate finger print: C99157DF28D28EBD87B8B041AACCF023CF1C9AD0D21FD7116149D7F96484FA51
security: SHA-256Certificate finger print: 3F9F27D583204B9E09C8A3D2066C4B57D3A2479C3693650880505698105DBCE9
security: The OCSP support is enabled
security: The CRL support is enabled
security: Failing over to CRLs: Certificate does not specify OCSP responder
network: Connecting http://ocsp.thawte.com/ with proxy=DIRECT
security: OCSP Response: GOOD
Is this triggered every time a class is loaded from the jar file? (I can't seem to turn on the tracing of class load/unload - the -XX:+TraceClassLoading option doesn't seem to work...)
I am just using an <object> tag to load the applet - no JNLP or anything. (The same happens if I use ):
<object type="application/x-java-applet" width="100%" height="879" id="sfnApplet_1" codebase="java:com/deltascheme/sfn/client/SfnApplet.class">
<param name="MAYSCRIPT" value="true">
<param name="type" value="application/x-java-applet;version=1.5">
<param name="cache_option" value="Plugin">
<param name="java_codebase" value="/sfn85/Content">
<param name="cache_archive" value="client.jar,lzma.jar">
<param name="IMAGE" value="Images/appletSplash.jpg">
<param name="centerimage" value="true">
<param name="java_code" value="com/xxx/yyy/client/Applet.class">
<param name="codebase_lookup" value="false">
<param name="browserName" value="Netscape">
<param name="browserVersion" value="5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36">
<param name="java_arguments" value="-Djnlp.packEnabled=true -XX:+TraceClassLoading -Xmx512M">
</object>
Any help gratefully received (Thawte say it's not their fault and I should speak to Oracle. Hmmm...)

Related

Shibboleth integration

Currently we have CAS SSO for our existing .NET application, but now the client is asking for Shibboleth SSO instead of CAS. I'm totally new to Shibboleth.
The client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
By using the guidelines from the Shibboleth site, below are the steps I followed:
Installed Shibboleth Service Provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed Shibboleth IdP (in which Jetty was also checked) (shibboleth-identity-provider-3.3.3-x64.msi)
Web application with self-signed certificate
Attached is my Shibboleth2.xml file:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
  <InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
      <Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="urn:mace:incommon:xxx.edu"
      REMOTE_USER="eppn persistent-id targeted-id"
      cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
        checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
      </SSO>
      <!-- SAML and local-only logout. -->
      <Logout>SAML2 Local</Logout>
      <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <!-- Status reporting service. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP>"/>
      <!-- Session diagnostic service. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
      <!-- JSON feed of discovery information. -->
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>
    <Errors supportContact="root@localhost"
        helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing:
When I try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
I get the error "no metadataprovider available".
Noticed problems:
1. When I try to add a MetadataProvider, the Shibboleth Daemon 2 service gets stopped and is unable to start. If I remove it, it is running.
2. The Shibboleth IdP 3 daemon is getting stopped very frequently.
When I run 'SC interrogate shibd_idp' in the command prompt, the results are:
control service failed 1062
the service has not been started.
I don't know what is wrong with my work.
Can anyone please tell me the steps to be followed to accomplish this integration?
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called MetadataProvider; you will need to open that.
If you have done this but the shibd service is not getting started, then you can check the log and give additional info in the question.
Another reason I can think of is a connection problem. Try downloading the IdP's metadata and storing it physically in the SP configuration folder. Manually map the file using the following tag:
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues have been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. We are getting the Shibboleth Identity Provider login page. We are able to see the attributes in Session. Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page. Currently we created one sample HTML page under the secure folder in our application. Once we logged in we are able to see this HTML page. But when I tried to redirect to our application home page, it gives a 500 error. Does anyone know how to redirect to our app home page and retrieve the attributes in the application?

Signing UWP apps with custom code signing certificate

What exactly is the requirement to create a company-internal app with Xamarin.Forms UWP? I can compile the *.appxbundle package, but nobody can install it because of a certificate error. If I try to use our normal code signing certificate from StartSSL to sign the package, I get the following error:
The Manifest Designer could not import the certificate.
The certificate you selected is not valid for signing because it is
either expired or has another issue. For more information, see:
https://go.microsoft.com/fwlink/?LinkID=241478
The same certificate is used by our other desktop application with signtool, so I guess the certificate is OK. Usage of signtool for other .NET assemblies such as WPF projects:
"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /f "..\..\..\..\..\Finaltec\Framework\Signing.pfx" /p ... /tr "http://timestamp.globalsign.com/scripts/timestamp.dll" "$(TargetPath)"
Are there any special requirements to sign a UWP app so anyone can install it? The certificate used is a Class 3 StartSSL Code Signing Certificate and it is valid until January 2020. If I try to install the app with the test certificate generated by Visual Studio, I get the message that the root certificate is not trusted and the installation process is cancelled. Even if I install the certificate manually beforehand, I get the same error.
Code signing certificate information:
Name: CVA Computer - Visualisierung und Animation GmbH
Address: Beckebohnen 2
Zip, City: 31618 Liebenau
State, Country: Niedersachsen, DE
Phone: +49-502398110
Email: info@cva.de
Expiry Date: 2017-04-14
Package.appxmanifest content:
<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" IgnorableNamespaces="uap mp">
<Identity Name="f736c883-f105-4d30-a719-4bf328872f5e" Publisher="CN=CVA Computer - Visualisierung und Animation GmbH" Version="1.0.1.0" />
<mp:PhoneIdentity PhoneProductId="f736c883-f105-4d30-a719-4bf328872f5e" PhonePublisherId="00000000-0000-0000-0000-000000000000" />
<Properties>
<DisplayName>CVA.COS_App</DisplayName>
<PublisherDisplayName>CVA Computer - Visualisierung und Animation GmbH</PublisherDisplayName>
<Logo>Assets\StoreLogo.png</Logo>
</Properties>
<Dependencies>
<TargetDeviceFamily Name="Windows.Universal" MinVersion="10.0.0.0" MaxVersionTested="10.0.0.0" />
</Dependencies>
<Resources>
<Resource Language="x-generate" />
</Resources>
<Applications>
<Application Id="App" Executable="$targetnametoken$.exe" EntryPoint="FPCL.WIndows.App">
<uap:VisualElements DisplayName="CVA.COS_App" Square150x150Logo="Assets\Square150x150Logo.png" Square44x44Logo="Assets\Square44x44Logo.png" Description="CVA.COS_App" BackgroundColor="#f4f4f4">
<uap:DefaultTile Wide310x150Logo="Assets\Wide310x150Logo.png">
</uap:DefaultTile>
<uap:SplashScreen Image="Assets\SplashScreen.png" />
<uap:InitialRotationPreference>
<uap:Rotation Preference="portrait" />
<uap:Rotation Preference="landscape" />
<uap:Rotation Preference="portraitFlipped" />
<uap:Rotation Preference="landscapeFlipped" />
</uap:InitialRotationPreference>
</uap:VisualElements>
</Application>
</Applications>
<Capabilities>
<Capability Name="internetClient" />
<Capability Name="privateNetworkClientServer" />
<DeviceCapability Name="webcam" />
</Capabilities>
</Package>
If I try to use our normal code signing certificate from StartSSL to sign the package, I got the following error
If we want to sign a UWP app, a code signing certificate is needed. The certificate you got from StartSSL is used for client authentication; you can check the Enhanced Key Usage field:
Available code signing cert:
The cert from StartSSL:
See also: What is special about a code signing certificate? and Intro to certificates
------Update 11/16/2016------
Please see the Validating Certificates section at https://go.microsoft.com/fwlink/?LinkID=241478
It looks like this certificate violates the sentence I bolded in:
Verifies the value of the Enhanced Key Usage property, which must
contain Code Signing and may also contain Lifetime Signing. Any
other EKUs are prohibited.
Their screenshot (below) shows the enhanced keys Codesignatur and Kernelmodus-Codesignatur.
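The EKU rule quoted in this answer can be checked mechanically before a package is signed. The following is an added example, not code from the question or from Microsoft: it decodes the DER value of an X.509 Extended Key Usage extension with the standard library only and applies the "Code Signing, optionally Lifetime Signing, nothing else" rule; the two sample EKU values at the bottom are constructed here, not read from a real certificate.

```python
"""Check an X.509 Extended Key Usage (EKU) value against the appx rule
quoted above: it must contain Code Signing, may also contain Lifetime
Signing, and any other EKU is prohibited.  Samples below are constructed."""

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"            # id-kp-codeSigning
LIFETIME_SIGNING = "1.3.6.1.4.1.311.10.3.13"  # Microsoft Lifetime Signing
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"             # id-kp-clientAuth
ALLOWED = {CODE_SIGNING, LIFETIME_SIGNING}

def _base128(n: int) -> bytes:
    # One OID arc in DER base-128: high bit set on every byte but the last.
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER TLV for a dotted OID (short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])
    body += b"".join(_base128(a) for a in arcs[2:])
    return bytes([0x06, len(body)]) + body

def encode_eku(oids) -> bytes:
    """DER ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body

def _decode_oid(body: bytes) -> str:
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)  # the first arc can only be 0, 1 or 2
    return ".".join(str(a) for a in [first, arcs[0] - first * 40] + arcs[1:])

def parse_eku(der: bytes) -> list:
    """Return the dotted OIDs inside an EKU extension value."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    oids, i = [], 2
    while i < len(der):
        tag, length = der[i], der[i + 1]
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at offset %d" % i)
        oids.append(_decode_oid(der[i + 2:i + 2 + length]))
        i += 2 + length
    return oids

def appx_eku_ok(der: bytes):
    """Apply the rule; returns (ok, sorted list of prohibited OIDs found)."""
    oids = parse_eku(der)
    extra = sorted(set(oids) - ALLOWED)
    return CODE_SIGNING in oids and not extra, extra

# Constructed samples: a clean code-signing EKU versus one that also carries
# clientAuth, the kind of certificate the answer says gets rejected.
SAMPLE_OK = encode_eku([CODE_SIGNING, LIFETIME_SIGNING])
SAMPLE_BAD = encode_eku([CODE_SIGNING, CLIENT_AUTH])
```

To check a real certificate, feed parse_eku the raw value of its 2.5.29.37 extension; a certificate that fails appx_eku_ok will be rejected by the Manifest Designer for the reason given above, however valid it is for signtool.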

Create logon token using BI Platform RESTful SDK

I'm attempting to create a logon token using the BOE BI Platform RESTful SDK v4.1 (using RESTClient).
A GET request to http://server:6405/biprws/logon/long/ returns:
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string" />
<attr name="password" type="string" />
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secEnterprise</attr>
</attrs>
A POST to http://server:6405/biprws/logon/long/ with a single header of Content-Type: application/xml and a payload of
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string">myAccount</attr>
<attr name="password" type="string">myPassword</attr>
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secWinAD</attr>
</attrs>
returns:
<error>
<error_code>FWM 00006</error_code>
<message>Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)</message>
</error>
I've also tried <attr name="userName" type="string">myAccount@mycompany.org</attr>, but with the same results.
A POST to http://server:6405/biprws/logon/adsso returns:
<error>
<error_code>RWS 00057</error_code>
<message>Method not allowed (RWS 00057)</message>
</error>
The credentials work with BI Launchpad and the CMC.
What am I missing?
First, a disclaimer -- I've only done REST WinAD with SSO, not manual logon. So I can't be absolutely sure that my suggestions below will fix your problem.
The call to /biprws/logon/adsso requires a GET not a POST, but that will likely not work until you have SSO working.
There are a few settings that are required for WACS to use WinAD, with or without SSO. The file is here:
SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\pjs\services\RestWebService\biprws\WEB-INF\web.xml
You will see a section commented out, starting with:
<!-- Kerberos filter section starts
Uncomment this section. Then set the following parameters:
idm.realm
idm.princ
idm.keytab
idm.kdc
idm.allowUnsecured
The values for these parameters should equal what was set in your system for BI launch pad. This is in:
SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties
The format of the file is different (global.properties is a simple properties file, but web.xml is xml). So you can't just copy/paste the section, but you can copy the individual values. For example, in global.properties, you might see:
idm.keytab=C:/WINDOWS/bosso.keytab
This would be done in web.xml as:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:/WINDOWS/bosso.keytab</param-value>
<description>
The file containing the keytab that Kerberos will use for
user-to-service authentication. If unspecified, SSO will default
to using an in-memory keytab with a password specified in the
com.wedgetail.idm.sso.password environment variable.
</description>
</init-param>
A couple of references:
http://myinsightbi.blogspot.com/
https://techwriter79.wikispaces.com/file/view/sbo41sp5_bip_rest_ws_en.pdf
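Because global.properties and web.xml use different escaping, copying the idm.* values by hand is error-prone (a properties writer escapes colons as \: and XML needs & and < escaped). The following added example, not SAP's tooling, reads the five idm.* parameters named in the answer from a constructed global.properties excerpt, undoes the Java properties escapes, and renders the <init-param> elements for the Kerberos filter section of web.xml; the sample host, realm and principal are assumptions.

```python
"""Convert the idm.* Kerberos settings from BI launch pad's global.properties
into the <init-param> elements the RestWebService web.xml filter expects.
Added example, not SAP tooling; the properties text below is constructed."""
import re
from xml.sax.saxutils import escape

# The filter parameters listed in the answer above.
IDM_KEYS = ("idm.realm", "idm.princ", "idm.keytab", "idm.kdc", "idm.allowUnsecured")
_KV = re.compile(r"^((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$")
_ESC = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def _unescape(s: str) -> str:
    # Undo java.util.Properties escapes such as C\:/path or \\server.
    out, chars = [], iter(s)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, "")
            out.append(_ESC.get(nxt, nxt))
        else:
            out.append(ch)
    return "".join(out)

def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value / key:value / key value lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props

def idm_params(props: dict) -> dict:
    """Pick the idm.* keys; a missing one is an error, not silently omitted."""
    missing = [k for k in IDM_KEYS if k not in props]
    if missing:
        raise KeyError("global.properties lacks: " + ", ".join(missing))
    return {k: props[k] for k in IDM_KEYS}

def to_init_params(props: dict) -> str:
    """Render <init-param> blocks; escape() handles &, < and > in values."""
    blocks = []
    for name, value in idm_params(props).items():
        blocks.append("<init-param>\n  <param-name>%s</param-name>\n"
                      "  <param-value>%s</param-value>\n</init-param>"
                      % (escape(name), escape(value)))
    return "\n".join(blocks)

# Constructed global.properties excerpt (note the escaped colon that a
# properties-file writer emits and that must not be copied into web.xml).
SAMPLE_PROPERTIES = """\
# Kerberos settings for BI launch pad (constructed sample)
idm.realm=EXAMPLE.ORG
idm.princ=HTTP/bi.example.org@EXAMPLE.ORG
idm.keytab=C\\:/WINDOWS/bosso.keytab
idm.kdc=kdc.example.org
idm.allowUnsecured=false
"""
```

The keytab the idm.keytab parameter points to is a credential: whatever path ends up in web.xml should be readable only by the account the REST web service runs as.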

cxf client in applet cause many repeating loading jars

I have a web app with the applet to visit the cxf ws server.
When I init the connection to the CXF WS, there are so many dirty messages (about 1000 lines, and it costs about 2 minutes to init) such as:
network: Connecting http://localhost:8080/WebUI/DYVCenterVNCClient.jar with proxy=DIRECT
network: Connecting http://localhost:8080/WebUI/DYVCenterVNCClient.jar and cookie "JSESSIONID=F7DF490E4E7137857494B453667A079E"
network: Connecting http://localhost:8080/WebUI/DYVCenterVNCClient.jar with proxy=DIRECT
network: Connecting http://localhost:8080/WebUI/DYVCenterVNCClient.jar and cookie "JSESSIONID=F7DF490E4E7137857494B453667A079E"
the html applet config is:
<object type="application/x-java-applet"
name="TestApplet" width="446" height="291">
<param name="codebase" value="." />
<param name="code" value="com.vnc.CompatibilityApplet" />
<param name="archive" value="DYVCenterVNCClient.jar" />
<PARAM NAME="cache_archive" VALUE="DYVCenterVNCClient.jar">
<PARAM NAME="cache_version" VALUE="0.0.0.1">
<PARAM name="codebase_lookup" value="false">
<param name="scriptable" value="true" />
<param name="mayscript" value="true" />
<param name="background-color" value="#ffffff" />
<param name="border-color" value="#8c8cad" />
</object>
and I found those messages being printed out when calling the CXF class ClientProxyFactoryBean's method create().
So how can I solve this problem? I also googled and found a similar problem at this link:
http://cxf.547215.n5.nabble.com/CXF-based-applet-initialization-worries-td550944.html
but there are no answers.
Thanks everyone.
Well, at last I found this URL:
Applet downloading server copy of jars already cached, which tells us that the URLConnection's defaultUseCaches has been updated to false.
So even if the plugin itself is set to "use cache", the URLConnection will not use the cache.
I searched for the method setDefaultUseCaches(false) in the CXF source, and at last I found that JDKBugHacks's method doHacks() sets defaultUseCaches to false. It seems that it is the JDK's bug which confused me.
Finally I solved my problem by changing defaultUseCaches after the new ClientProxyFactoryBean.
import java.net.URL;
import java.net.URLConnection;

// Restore the JVM-wide default that CXF's JDKBugHacks.doHacks() switched off.
// setDefaultUseCaches is an instance method, but it changes the static default
// for every URLConnection created afterwards, so any valid URL will do;
// openConnection() does not open a network connection by itself.
try {
    URL url = new URL("http://localhost:8080/WebUI/");
    URLConnection urlConnection = url.openConnection();
    urlConnection.setDefaultUseCaches(true);
} catch (Exception e) {
    // only the default flag matters here; nothing to recover from
}

How do I set up Jetty 6 & Jboss 4.0.5 virtual hosting?

I have 2 webapps deployed in the same JBoss/Jetty server. In Jetty 5.1.14 I had the following jetty-web.xml which configured one of the apps to run as a virtual host (on the same port):
<Configure class="org.jboss.jetty.JBossWebApplicationContext">
<Call name="addVirtualHost"><Arg>app2.localhost.com</Arg></Call>
</Configure>
This worked perfectly fine. Unfortunately, it doesn't work with Jetty 6.1.17 at all. First of all, "JBossWebApplicationContext" seems to now be called "JBossWebAppContext", and secondly the documentation I could find suggests that I should be using a jetty-web.xml that looks like this:
<Configure class="org.jboss.jetty.JBossWebAppContext">
<Set name="VirtualHosts">
<Array type="java.lang.String">
<Item>app2.localhost.com</Item>
</Array>
</Set>
</Configure>
But this doesn't work either. The two webapps deploy without error, but when I try to access the 2nd app under the virtual hostname, it just accesses the first app instead. Both applications are in the root context (this is not negotiable).
How can I make virtual hosts work?
(BTW, I had a friend post this on serverfault a few days ago, but nobody answered.)
This syntax works if you include it in the jetty6-web.xml for each web-app.
<Configure class="org.jboss.jetty.JBossWebAppContext">
<Set name="VirtualHosts">
<Array type="java.lang.String">
<Item>host1.domain.com</Item>
<Item>host2.domain.com</Item>
</Array>
</Set>
</Configure>
ALL webapps need the virtual hosts defined if they are running in the same container. For some reason deploying one WAR with virtual hosts and one without doesn't work.