From: Krzysztof B. <go...@ic...> - 2015-06-15 08:40:55
Dear Gerben,

On 15.06.2015 at 09:42, Gerben Venekamp wrote:
> Dear Krzysztof,
>
> Yes, I have configured Unity with the metadata from the IdP. This IdP
> acts as a proxy to the federation. Looking at the metadata from
> http://metadata.aai.switch.ch/metadata.aaitest.xml, I think I am seeing
> the metadata of all members of the federation. I don't want to know the
> individual members of the federation. Instead, I would like to rely on the
> proxy, which knows about the federation. This part seems to work for me,
> as I am presented with a WAYF page.

This is fine; however, the syntax is the problem. Unity can load a federation's metadata only; it does not automatically convert a given federation member's metadata into an ad-hoc, one-member-only federation. But OK, in such a case you can of course use manual configuration.

> Using one of the presented members,
> I am able to authenticate. However, upon returning to Unity and
> completing the authN, I get a failure in Unity. It complains that the
> Authentication failed, due to either invalid user name, credential or
> external authentication failed. I have included a number of screenshots
> to show what is happening. What is successful and what is not.
>
> Start of the authentication process...
> This is the WAYF page.
> This is where I provide my credentials.
> Returning to Unity gives me the following screen.
> My feeling is that everything works as expected, with the exception of
> the last steps in Unity, and I do not know what I have done in my
> configurations. I am using Unity's DIY certificate for the moment and
> have checked with the IdP if self-signed certificates are allowed. This
> should not be a problem, and there are IdPs which in fact use self-signed
> certificates.

Unity's certificate is not a problem: if it were a problem then SURFconext would protest.

What I can see from the error message is that you have configured this wrong:

unity.saml.requester.remoteIdp.1.samlId=https://engine.surfconext.nl/authentication/idp/single-sign-on

The SAML identifier of the SURFconext instance you use is:

https://engine.surfconext.nl/authentication/idp/metadata

Besides fixing this issue, also make sure that you have correctly installed the certificate of the service. The PEM file starting with "MIID3zCCAseg..." should be on the Unity box, and defined in pki.properties with the key SURFconext:

unity.pki.certificates.SURFconext.certificateFile=...

In case of further problems please provide the DEBUG log.

HTH,
Krzysztof
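Added example, not from the Unity project or from either message in this thread: a small Python check that reads the Unity requester properties and the IdP metadata and reports the two mismatches discussed above (a samlId that differs from the metadata entityID, and a trusted certificate that is not one of the IdP's published signing certificates). The metadata fragment, properties text and PEM body are constructed samples, and the properties parser is a minimal stand-in, not Unity's own loader.

```python
# Added example: verify Unity's remoteIdp config against IdP metadata.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed metadata fragment; the certificate value is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://engine.surfconext.nl/authentication/idp/metadata">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>QkVHSU5fQ0VSVF9TQU1QTEU=</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Unity properties reproducing the misconfiguration from the thread.
UNITY_PROPS = ("unity.saml.requester.remoteIdp.1.samlId="
               "https://engine.surfconext.nl/authentication/idp/single-sign-on\n")

# Constructed stand-in for the file named by unity.pki.certificates.SURFconext.certificateFile.
TRUSTED_PEM = "-----BEGIN CERTIFICATE-----\nQkVHSU5fQ0VSVF9TQU1QTEU=\n-----END CERTIFICATE-----\n"

def parse_props(text):
    """Minimal Java-properties parser: key=value, '#' lines ignored."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props

def metadata_identity(xml_text):
    """Return (entityID, set of signing certs as whitespace-free base64)."""
    root = ET.fromstring(xml_text)
    certs = {re.sub(r"\s+", "", c.text or "") for c in
             root.findall(".//md:KeyDescriptor//ds:X509Certificate", NS)}
    return root.get("entityID"), certs

def check_config(props, xml_text, idp_index, trusted_pem):
    """Return findings; an empty list means samlId and certificate both match."""
    entity_id, certs = metadata_identity(xml_text)
    findings = []
    configured = props.get(f"unity.saml.requester.remoteIdp.{idp_index}.samlId")
    if configured != entity_id:
        findings.append(f"samlId {configured!r} should be entityID {entity_id!r}")
    # A PEM body is the same base64 DER that metadata publishes in X509Certificate.
    if re.sub(r"-----[^-]+-----|\s+", "", trusted_pem) not in certs:
        findings.append("trusted certificate is not an IdP signing certificate")
    return findings
```

Running `check_config(parse_props(UNITY_PROPS), IDP_METADATA, 1, TRUSTED_PEM)` reports only the samlId mismatch; after correcting the samlId to the metadata entityID it returns an empty list.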