From: Shiraz M. <a....@fz...> - 2019-11-08 13:37:47
Hi,

The SAML log is already configured to trace level.

</xenc:CipherData></xenc:EncryptedData></saml:EncryptedID><samlp:SessionIndex>SAMLY2lib_assert_a3a85c9524c1fa67b7ccce8c40ffb89c175e85a49058231b</samlp:SessionIndex></samlp:LogoutRequest>
2019-11-08T14:34:15,788 [qtp1417465-7314] DEBUG unity.server.saml.SLOAsyncResponseHandler: SAML error is going to be returned to the SAML requester from SLO endpoint
eu.unicore.samly2.exceptions.SAMLRequesterException: Logged out entity name must be present in SLO request and only NameID is supported
    at eu.unicore.samly2.validators.LogoutRequestValidator.validateSubject(LogoutRequestValidator.java:64) ~[samly2-2.3.3.jar:2.3.3]
    at eu.unicore.samly2.validators.LogoutRequestValidator.validate(LogoutRequestValidator.java:35) ~[samly2-2.3.3.jar:2.3.3]
    at pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor.resolveRequest(SAMLLogoutProcessor.java:364) ~[unity-server-saml-2.8.2.jar:?]
    at pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor.initFromSAML(SAMLLogoutProcessor.java:256) [unity-server-saml-2.8.2.jar:?]
    at pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor.handleAsyncLogoutFromSAML(SAMLLogoutProcessor.java:165) [unity-server-saml-2.8.2.jar:?]
    at pl.edu.icm.unity.saml.slo.SLOSAMLServlet.postProcessRequest(SLOSAMLServlet.java:44) [unity-server-saml-2.8.2.jar:?]
    at pl.edu.icm.unity.saml.SamlHttpServlet.process(SamlHttpServlet.java:100) [unity-server-saml-2.8.2.jar:?]
    at pl.edu.icm.unity.saml.SamlHttpServlet.doGet(SamlHttpServlet.java:46) [unity-server-saml-2.8.2.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) [javax.servlet-api-3.1.0.jar:3.1.0]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:867) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
    at pl.edu.icm.unity.webui.authn.InvocationContextSetupFilter.doFilter(InvocationContextSetupFilter.java:74) [unity-server-web-common-2.8.2.jar:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
    at pl.edu.icm.unity.webui.authn.AuthenticationFilter.gotoNotProtectedResource(AuthenticationFilter.java:266) [unity-server-web-common-2.8.2.jar:?]
    at pl.edu.icm.unity.webui.authn.AuthenticationFilter.handleNotProtectedResource(AuthenticationFilter.java:104) [unity-server-web-common-2.8.2.jar:?]
    at pl.edu.icm.unity.webui.authn.AuthenticationFilter.doFilter(AuthenticationFilter.java:81) [unity-server-web-common-2.8.2.jar:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
    at pl.edu.icm.unity.engine.api.utils.HiddenResourcesFilter.doFilter(HiddenResourcesFilter.java:49) [unity-server-engine-api-2.8.2.jar:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) [unity-server-engine-2.8.2.jar:?]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335) [jetty-rewrite-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:753) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.Server.handle(Server.java:502) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:215) [unity-server-engine-2.8.2.jar:?]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
2019-11-08T14:34:15,789 [qtp1417465-7314] DEBUG unity.server.saml.ResponseHandlerBase: Returning Logout Error SAMLResponse with HTTP Redirect binding to https://test.ggus.eu/Shibboleth.sso/SLO/Redirect
2019-11-08T14:34:15,790 [qtp1417465-7314] TRACE unity.server.saml.ResponseHandlerBase: SAML SAMLResponse is: <urn:LogoutResponse IssueInstant="2019-11-08T13:34:15.789Z" ID="SAMLY2lib_msg_e22ca2eb2cd0014ac9c34617b52b836eebb6141762df2bcf" Version="2.0" InResponseTo="_cdeb6c41e0e34221ccba36ec18db2d84" xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol"><urn1:Issuer Format="" xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion">https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata</urn1:Issuer><urn:Status><urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/><urn:StatusMessage>Logged out entity name must be present in SLO request and only NameID is supported</urn:StatusMessage></urn:Status></urn:LogoutResponse>
2019-11-08T14:34:15,790 [qtp1417465-7314] TRACE unity.server.saml.ResponseHandlerBase: Returned Redirect URL is: https://test.ggus.eu/Shibboleth.sso/SLO/Redirect?SAMLResponse=fZJbaxsxEEb%2FyqD3vUi7Wa%2BFbSgNBYPTQhwC7YvRZexs2ZW2Ggma%2FvrKbgPbPuRNGkZnzsdok4KTB3%2FxKT4izd4Rwp4o4d5RVC5umaj5uuC8qPsn3simlfyuXPXrbwz291t2%2FPBw%2BCrGQZ8mupxQCKMEamFsXfNWmbVp2o6v9J3QfdMhat3xlq86Yc9CmzODZww0eJfHlHUmujeJJ79lJ2NRd6blWGPTCsGN0SpTDO%2BtFrZvGfycRkcyZ9iyaxCvaCDp1IQko5FXOZnBcg4%2BeuNHttvkNi5vCQN88mFSOeKCw98HKSIMMQuz3UuMM8mqSm6IryUmq2Kh1FCefxXfE46DeSktyr5tm4rUNBaDnasJo8p9alMtNG5O8hhVTLQ8f%2FQW4VmNCd93olu3fMQfCSliYNWS8oBE6oK7vOMLWsh7BnQxK8OVBFOiCBphDki5DoOD4%2BELhD8wUC4%2FceMrfM7N%2B3sYCCjNsw8R7S3Ef1OWtb%2BXfz%2FX7jc%3D

Cheers,
Shiraz

On Fri, Nov 8, 2019 at 9:44 AM Krzysztof Benedyczak <kb...@un...> wrote:

Hi Shiraz,

On 06.11.2019 at 13:00, Shiraz Memon wrote:

Hi Krzysztof,

I have configured an SP, which is based on Shibboleth. I can successfully sign in but unfortunately I cannot log out (SLO). Below are the SLO request and response messages from the SP and Unity respectively, and also the SP configuration in Unity.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://unity.eudat-aai.fz-juelich.de/saml-idp/SLO-WEB" ID="_56f68d31d948b0ccc241c0efe0697d36" IssueInstant="2019-11-06T11:17:58Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.ggus.eu/EOSC-hub/secure</saml:Issuer>
  <samlp:Extensions>
    <aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo" />
  </samlp:Extensions>
  <saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
          <xenc:CipherData>
            <xenc:CipherValue>S/GMplTHJ2N0vbOVMhyUK8bBTNriupFbp12wwnvUmioEjx5xpBhYGYgEF5IQChVm66GdgIJ8czAk RX1HbwqOGUktGocmR+Fcxq9wn5OSrQ4i/mj4kIF+aqlh8+bir2gua5XLd16DPn61CM3bUv2HWfNK P0IAO3D77ezdJ+DR4jZ5wEfqZE3+OFplfMyzc2s7w4iswSs/cs/3fXJzkSFKGUP32P50izi4HxBg eN7F7knsFHiD8P0b62btMOUQCHHG6LG9U7Esfjwe+uO88wJEmge295FQWRwJHvrbO8O7rEwnDu8+ 1d1/Vnb0OT5lvM0E8sC/LYUKpO62DHjUvVI60BQ2/6NJPVsTjV4CEp77nQK7aR6dmJaVxlFJ2EZw cD3s49RPazXpATvAPLrg/0t2lLFIB/Z5g8AX+5FqBn1vkqrYpKQoBdnTjO/j5LGYbs8q9s2/HlP9 4Mf9iCW9YOCV1Q8KOLAvgLHJWKCVHNQQARTIHHN2ocX2jNWiWf0zaG/1sEW8KP6uOyoLpnTQ9YB6 I81yndVV+YXVWQYLk7wrUB2KPXVHCEshjmHzwJxhvWvIQYrvpBuLOLfAjShNpFsHyn/yCBBs5LdE RlDAdcKkikAQO5MkJjcLSkY0Jh3C5PAJ+jPhjZ5Lv9z1+VuJabb9lpLCNAI8Lx0dYJ7LbExv8Gw=</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>uwTdWX75kV+KaSwdLSY0miFxW7oaIEqIpUF9LTZgYEsgHzh6lQeJs0trR9CzTF6+b8/+j8mpCCkF 6BsHJcikJRZySAo2THBfZlTk1FIcOXgOMW6U2k3loUSxr6JT1mXFXXCBkUeraP38JJ62Yg9GMGFd DYKNtbTI2fuK6Z8TwBwK/lDeJ+atIOcnTT8AKBYXpo0Ni/s+0XivyecXPKdkYIRSh34u9nZ2DVr0 ENrgpmXR1X+hctYU7NeRgEFjQjCf</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedID>
  <samlp:SessionIndex>SAMLY2lib_assert_fd9a89a3fa593431e7c87fc61266a55d5b3b64d8ea7f6bc3</samlp:SessionIndex>
</samlp:LogoutRequest>

<?xml version="1.0" encoding="UTF-8"?>
<urn:LogoutResponse xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2019-11-06T11:33:04.725Z" ID="SAMLY2lib_msg_64b9f960635a040fc79f7707675d67b026020087543ab8f8" Version="2.0" InResponseTo="_4d31d3d8048d719329c6c5f43c35fb39">
  <urn1:Issuer xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion" Format="">https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata</urn1:Issuer>
  <urn:Status>
    <urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
    <urn:StatusMessage>Logged out entity name must be present in SLO request and only NameID is supported</urn:StatusMessage>
  </urn:Status>
</urn:LogoutResponse>

Looks like some incompatibility in what is sent to Unity in the logout request as the subject to be logged out. I can't say more, as the request is encrypted. If you enable trace logging you should be able to see the decrypted message in the log; then we can say more. Looks like the subject (i.e. the one to be logged out) is provided to Unity in some unsupported way. I suppose this was not working with older Unity versions too, right? And even if it was, most likely the triggering is on the client side.

Best,
Krzysztof

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
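The failure in the trace above is the IdP's LogoutRequestValidator.validateSubject rejecting a logout subject that is not a plain saml:NameID: the Shibboleth SP sent an EncryptedID, and the IdP answered with a Requester status and the message "Logged out entity name must be present in SLO request and only NameID is supported". The Python script below is an added example, not code from Unity, samly2 or Shibboleth. It classifies the subject form of a LogoutRequest, applies the NameID-only rule the error message states, builds the LogoutResponse the requester gets back, and encodes/decodes the DEFLATE+base64 SAMLResponse= parameter of an HTTP-Redirect URL such as the one in the log, so it goes a little beyond the single failing request in the thread. The sample messages are constructed from the requests quoted here with the ciphertext replaced by a placeholder; the request ID _constructed_request_id, the placeholder subject values and the hostnames idp.example and sp.example are assumptions.

```python
"""Added example (not Unity, samly2 or Shibboleth code): classify a LogoutRequest's
subject, apply the NameID-only rule behind the thread's SLO error, build the
LogoutResponse, and encode/decode HTTP-Redirect binding messages. Stdlib only."""
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML, "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "aslo": "urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
MSG_NO_NAMEID = ("Logged out entity name must be present in SLO request "
                 "and only NameID is supported")  # verbatim from the thread

# Constructed from the LogoutRequest quoted in the thread; ciphertext replaced.
SAMPLE_ENCRYPTED_ID_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://unity.eudat-aai.fz-juelich.de/saml-idp/SLO-WEB" ID="_56f68d31d948b0ccc241c0efe0697d36" IssueInstant="2019-11-06T11:17:58Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.ggus.eu/EOSC-hub/secure</saml:Issuer>
  <samlp:Extensions><aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/></samlp:Extensions>
  <saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData></saml:EncryptedID>
  <samlp:SessionIndex>SAMLY2lib_assert_fd9a89a3fa593431e7c87fc61266a55d5b3b64d8ea7f6bc3</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed variant with a plain NameID, the only subject form the IdP accepts.
SAMPLE_NAMEID_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed_request_id" IssueInstant="2019-11-06T11:17:58Z" Version="2.0">
  <saml:Issuer>https://test.ggus.eu/EOSC-hub/secure</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-placeholder</saml:NameID>
  <samlp:SessionIndex>session-placeholder</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def inspect_logout_request(xml_text):
    """Return the parts of a LogoutRequest that matter when SLO fails."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("not a samlp:LogoutRequest: " + root.tag)
    info = {"id": root.get("ID"), "subject_kind": None, "encryption_algorithm": None,
            "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
            "async_slo": root.find("samlp:Extensions/aslo:Asynchronous", NS) is not None}
    for kind in ("NameID", "EncryptedID", "BaseID"):  # the three SAML subject forms
        el = root.find("saml:" + kind, NS)
        if el is not None:
            info["subject_kind"] = kind
            method = el.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
            info["encryption_algorithm"] = None if method is None else method.get("Algorithm")
            break
    return info

def validate_subject(info):
    """The rule behind the thread's error: only a plain saml:NameID is accepted."""
    if info["subject_kind"] == "NameID":
        return STATUS_SUCCESS, None
    return STATUS_REQUESTER, MSG_NO_NAMEID

def build_logout_response(info, idp_issuer, status_code, message=None):
    """Build the samlp:LogoutResponse an IdP returns for the inspected request."""
    for prefix, uri in (("samlp", SAMLP), ("saml", SAML)):
        ET.register_namespace(prefix, uri)
    resp = ET.Element("{%s}LogoutResponse" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "InResponseTo": info["id"],
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = idp_issuer
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": status_code})
    if message:
        ET.SubElement(status, "{%s}StatusMessage" % SAMLP).text = message
    return ET.tostring(resp, encoding="unicode")

def diagnose(xml_text, idp_issuer):
    """Inspect and validate a LogoutRequest; return status, hint and response XML."""
    info = inspect_logout_request(xml_text)
    code, message = validate_subject(info)
    hint = {"NameID": "plain NameID present; the subject check passes",
            "EncryptedID": ("SP encrypted the subject (%s); this IdP accepts only a plain "
                            "NameID in LogoutRequest, so it cannot tell whom to log out"
                            % info["encryption_algorithm"]),
            "BaseID": "BaseID subjects are not supported by this IdP",
            None: "the request carries no subject element at all"}[info["subject_kind"]]
    return {"request": info, "status": code, "message": message, "hint": hint,
            "response": build_logout_response(info, idp_issuer, code, message)}

def encode_redirect_message(xml_text):
    """DEFLATE, base64 and URL-encode a message as the HTTP-Redirect binding does."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect_message(url, param="SAMLResponse"):
    """Recover the XML from a SAMLRequest=/SAMLResponse= redirect URL copied from a log."""
    value = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)[param][0]
    data = base64.b64decode("".join(value.split()))  # tolerate line-wrapped pastes
    return zlib.decompress(data, -15).decode("utf-8")
```

Point decode_redirect_message() at the "Returned Redirect URL is:" line of the Unity trace log to read the LogoutResponse it carried, and run inspect_logout_request() over the decrypted request that the TRACE logger prints to see which subject form the SP actually sent; the hint returned by diagnose() then states in plain words why the Requester status came back.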