SAML / Shibboleth SSO

I’m getting an “internal server error” after configuring Shibboleth. Kindly assist.

indico.conf file

```python
# SSO
AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Single Sign On',
        'attrs_prefix': '',
        'callback_uri': '/login/shib-sso/shibboleth',
        # 'logout_uri': 'https://my.sp.com/Shibboleth.sso/Logout'
    }
}
IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        'identifier_field': 'persistent-id',
        'mapping': {
            'login': 'eppn',
            'displayName': 'displayName',
            'eduPersonTargetedID': 'eduPersonTargetedID',
            'givenName': 'givenName',
            'sn': 'sn',
        },
        'trusted_email': True
    }
}
```
1. Inserted the relevant URLs into the shibboleth2.xml file.
2. Main changes in the attribute-map.xml file:

```xml
<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="eduPersonTargetedID"/>
<Attribute name="urn:oid:1.2.840.113549.1.9.1.1" id="mail"/>
```

If you get a plain internal server error, try running indico shell to see a nicer error.

PS: Please wrap configs, logs, etc. in triple backtick fences when posting them so they are shown in monospace and formatted as code.

Noted. Will do and revert.

The SSO tab shows now, but I’m getting a “Login failed: Identifier missing in shibboleth response” when trying to sign in. Please help.

Are you passing the persistent-id from SAML?

I passed persistent-id in here:

```python
'identifier_field': 'persistent-id'
```

When I also put ADFS_ in `'attrs_prefix': 'ADFS_'`, the login error changes to “Login failed: No valid data received”.

Probably the cause, right? Am I missing anything significant, please?

```text
2022-12-01 11:21:30 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2022-12-01 11:21:30 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2022-12-01 11:21:30 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
2022-12-01 11:21:30 WARN Shibboleth.AttributeExtractor.XML : skipping duplicate Attribute mapping (same name and nameFormat)
2022-12-01 11:21:30 ERROR OpenSSL : error code: 33558530 in bss_file.c, line 398
2022-12-01 11:21:30 ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-key.pem','r')
2022-12-01 11:21:30 ERROR OpenSSL : error code: 537346050 in bss_file.c, line 400
2022-12-01 11:21:30 CRIT Shibboleth.Application : error building CredentialResolver: Unable to load private key from file (/etc/shibboleth/sp-key.pem).
overall configuration is loadable, check console for non-fatal problems
```
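To see why the two messages differ, here is a small model of how an Indico-style Shibboleth provider reads what mod_shib exports into the WSGI environment. This is an added example written for this thread, not the code of Indico or flask-multipass (their real implementation differs); the function names, the sample environments and the attribute-map fragment are constructed, and the persistent-id entry is modelled on the stock SP attribute-map.xml, so check it against the file your SP shipped with.

```python
"""Model of how an Indico-style Shibboleth provider reads the attributes that
mod_shib exports into the WSGI environment, and why the two errors in this
thread appear.

Added example written for this thread; it is NOT the code of Indico or
flask-multipass (their actual implementation differs).  Function names,
the sample environments and the attribute-map fragment are constructed.
"""
import xml.etree.ElementTree as ET


class LoginFailed(Exception):
    """Carries the user-facing message that the login page would show."""


def collect_attributes(environ, attrs_prefix):
    """Return {name: value} for every non-empty environ entry whose key starts
    with attrs_prefix, with the prefix stripped.

    With attrs_prefix '' every environ key qualifies (REQUEST_METHOD included),
    so the result is never empty; with a prefix such as 'ADFS_' only keys that
    mod_shib actually exported under that prefix survive.
    """
    attrs = {}
    for key, value in environ.items():
        if key.startswith(attrs_prefix) and value:
            attrs[key[len(attrs_prefix):]] = value
    return attrs


def login(environ, attrs_prefix, identifier_field):
    """Return (identifier, attributes) or raise LoginFailed with the message."""
    attrs = collect_attributes(environ, attrs_prefix)
    if not attrs:
        raise LoginFailed("No valid data received")
    identifier = attrs.get(identifier_field)
    if not identifier:
        raise LoginFailed("Identifier missing in shibboleth response")
    return identifier, attrs


def attempt(environ, attrs_prefix, identifier_field):
    """Run login() and return the outcome as the one-line string a user sees."""
    try:
        identifier, _ = login(environ, attrs_prefix, identifier_field)
        return "ok: " + identifier
    except LoginFailed as exc:
        return "Login failed: " + str(exc)


def declared_ids(attribute_map_xml):
    """Return the set of id= values in an attribute-map.xml.  mod_shib exports
    an environment variable named after each id, so identifier_field must be
    one of them."""
    root = ET.fromstring(attribute_map_xml)
    return {el.get("id") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Attribute" and el.get("id")}


# Constructed environ: what mod_shib exports when the IdP releases
# eppn/displayName/givenName/sn but nothing is mapped to id="persistent-id".
ENV_NO_PERSISTENT_ID = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/login/shib-sso/shibboleth",
    "eppn": "jdoe@example.edu",
    "displayName": "Jane Doe",
    "givenName": "Jane",
    "sn": "Doe",
}

# Same session once the SP maps the persistent NameID to id="persistent-id".
ENV_WITH_PERSISTENT_ID = {
    **ENV_NO_PERSISTENT_ID,
    "persistent-id": "https://idp.example.edu/idp!https://sp.example.org/shibboleth!9f2c",
}

# Constructed attribute-map.xml: the entries from this thread plus an entry
# that exposes the SAML 2 persistent NameID as persistent-id (modelled on the
# stock SP attribute-map.xml; verify against the one shipped with your SP).
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
  <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
  <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder"
        formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
  </Attribute>
</Attributes>"""

if __name__ == "__main__":
    print(attempt(ENV_NO_PERSISTENT_ID, "", "persistent-id"))
    print(attempt(ENV_NO_PERSISTENT_ID, "ADFS_", "persistent-id"))
    print(attempt(ENV_WITH_PERSISTENT_ID, "", "persistent-id"))
    print("persistent-id" in declared_ids(ATTRIBUTE_MAP))
```

The model reproduces both messages: with an empty prefix the environment always contains something, so the provider gets past the "no data" check and fails only on the missing `persistent-id` key; with the `ADFS_` prefix nothing in the environment matches, so it fails earlier. The practical check is therefore not the `identifier_field` value in indico.conf but whether attribute-map.xml defines an entry whose `id` is `persistent-id` (and whether the IdP actually releases a persistent NameID or eduPersonTargetedID for it to decode); the `declared_ids` helper makes that a one-line test against your own file.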

That sounds like a problem, yes. You probably need to generate the SP key/cert pair and also register it with your IdP.

On it. I generated them using `shib-keygen`; I see them at /etc/shibboleth. Now I’m stuck on which to send to my IdP and how to register. Any luck on an assist for me?

Sorry, it’s been a long time since any of us used Shibboleth, but AFAIK you only need to share the cert with them, since keys are generally meant to be kept private.
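What the IdP side actually consumes is SP metadata with the certificate embedded in a KeyDescriptor, and the SP publishes exactly that at /Shibboleth.sso/Metadata once shibd starts cleanly with the key/cert pair that shib-keygen wrote (the default shibboleth2.xml CredentialResolver points at sp-key.pem and sp-cert.pem). The following is an added example, not code from Indico or the Shibboleth SP: it builds that minimal metadata from a certificate PEM and refuses to embed anything that is a private key, so sp-key.pem cannot be sent by mistake. The entity ID, the ACS URL and the PEM contents are constructed placeholders.

```python
"""Build the SP metadata an IdP admin needs from sp-cert.pem, and refuse to
leak sp-key.pem while doing so.

Added example written for this thread; it is not Indico's, flask-multipass's
or the Shibboleth SP's own code.  The entity ID, ACS URL and PEM contents
below are constructed placeholders.
"""
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_kind(text):
    """Return the PEM label ('CERTIFICATE', 'PRIVATE KEY', ...) or None."""
    m = PEM_RE.search(text)
    return m.group(1) if m else None


def certificate_body(text):
    """Return the base64 body of a certificate PEM; reject every other PEM type,
    in particular the private key that must stay on the SP host."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("not a PEM file")
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    if "PRIVATE KEY" in label:
        raise ValueError("refusing to export a private key; send sp-cert.pem, not sp-key.pem")
    if label != "CERTIFICATE":
        raise ValueError("unexpected PEM type: " + label)
    base64.b64decode(body, validate=True)  # binascii.Error if the body is damaged
    return body


def sp_metadata(entity_id, acs_url, cert_pem):
    """Return an EntityDescriptor carrying the certificate for both signing and
    encryption plus one HTTP-POST AssertionConsumerService: the minimum an IdP
    needs to trust this SP and know where to post assertions."""
    body = certificate_body(cert_pem)
    ET.register_namespace("md", MD_NS)
    ET.register_namespace("ds", DS_NS)
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    spsso = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor",
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for use in ("signing", "encryption"):
        kd = ET.SubElement(spsso, f"{{{MD_NS}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = body
    ET.SubElement(spsso, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=acs_url, index="1")
    return ET.tostring(ed, encoding="unicode")


# Constructed stand-ins for /etc/shibboleth/sp-cert.pem and sp-key.pem.
# The body is valid base64 but NOT a real X.509 certificate or key.
FAKE_DER = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n" + FAKE_DER + "\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\n" + FAKE_DER + "\n-----END PRIVATE KEY-----\n"

# Placeholder SP identity; the real values come from shibboleth2.xml.
ENTITY_ID = "https://sp.example.org/shibboleth"
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"

if __name__ == "__main__":
    print(sp_metadata(ENTITY_ID, ACS_URL, SAMPLE_CERT))
    try:
        sp_metadata(ENTITY_ID, ACS_URL, SAMPLE_KEY)
    except ValueError as exc:
        print("blocked:", exc)
```

In practice you would hand the IdP administrator either this metadata or the URL of /Shibboleth.sso/Metadata; the shibd error in the log above (unable to load sp-key.pem) means the SP cannot serve that endpoint until the key/cert pair exists and is readable by the shibd user.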

Noted with thanks, will probe further.