From: Krzysztof B. <kb...@un...> - 2019-11-12 08:55:04

Shiraz,

Please enable dumping of raw messages during deciphering. This is library logging:

    <Logger name="unicore.security" level="TRACE"/>

and the deciphered request is what we need, so it should be before what you pasted.

HTH
KB

On 08.11.2019 at 14:37, Shiraz Memon wrote:
> Hi,
>
> The saml log is already configured to trace level.
>
> </xenc:CipherData></xenc:EncryptedData></saml:EncryptedID><samlp:SessionIndex>SAMLY2lib_assert_a3a85c9524c1fa67b7ccce8c40ffb89c175e85a49058231b</samlp:SessionIndex></samlp:LogoutRequest>
>
> 2019-11-08T14:34:15,788 [qtp1417465-7314] DEBUG unity.server.saml.SLOAsyncResponseHandler: SAML error is going to be returned to the SAML requester from SLO endpoint
> eu.unicore.samly2.exceptions.SAMLRequesterException: Logged out entity name must be present in SLO request and only NameID is supported
>         at eu.unicore.samly2.validators.LogoutRequestValidator.validateSubject(LogoutRequestValidator.java:64) ~[samly2-2.3.3.jar:2.3.3]
>         at eu.unicore.samly2.validators.LogoutRequestValidator.validate(LogoutRequestValidator.java:35) ~[samly2-2.3.3.jar:2.3.3]
>         at pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor.resolveRequest(SAMLLogoutProcessor.java:364) ~[unity-server-saml-2.8.2.jar:?]
>         at pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor.initFromSAML(SAMLLogoutProcessor.java:256) [unity-server-saml-2.8.2.jar:?]
>         at pl.edu.icm.unity.saml.slo.SAMLLogoutProcessor.handleAsyncLogoutFromSAML(SAMLLogoutProcessor.java:165) [unity-server-saml-2.8.2.jar:?]
>         at pl.edu.icm.unity.saml.slo.SLOSAMLServlet.postProcessRequest(SLOSAMLServlet.java:44) [unity-server-saml-2.8.2.jar:?]
>         at pl.edu.icm.unity.saml.SamlHttpServlet.process(SamlHttpServlet.java:100) [unity-server-saml-2.8.2.jar:?]
>         at pl.edu.icm.unity.saml.SamlHttpServlet.doGet(SamlHttpServlet.java:46) [unity-server-saml-2.8.2.jar:?]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) [javax.servlet-api-3.1.0.jar:3.1.0]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
>         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:867) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at pl.edu.icm.unity.webui.authn.InvocationContextSetupFilter.doFilter(InvocationContextSetupFilter.java:74) [unity-server-web-common-2.8.2.jar:?]
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at pl.edu.icm.unity.webui.authn.AuthenticationFilter.gotoNotProtectedResource(AuthenticationFilter.java:266) [unity-server-web-common-2.8.2.jar:?]
>         at pl.edu.icm.unity.webui.authn.AuthenticationFilter.handleNotProtectedResource(AuthenticationFilter.java:104) [unity-server-web-common-2.8.2.jar:?]
>         at pl.edu.icm.unity.webui.authn.AuthenticationFilter.doFilter(AuthenticationFilter.java:81) [unity-server-web-common-2.8.2.jar:?]
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at pl.edu.icm.unity.engine.api.utils.HiddenResourcesFilter.doFilter(HiddenResourcesFilter.java:49) [unity-server-engine-api-2.8.2.jar:?]
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) [unity-server-engine-2.8.2.jar:?]
>         at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335) [jetty-rewrite-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:753) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.Server.handle(Server.java:502) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:215) [unity-server-engine-2.8.2.jar:?]
>         at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118) [jetty-io-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
>         at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
> 2019-11-08T14:34:15,789 [qtp1417465-7314] DEBUG unity.server.saml.ResponseHandlerBase: Returning Logout Error SAMLResponse with HTTP Redirect binding to https://test.ggus.eu/Shibboleth.sso/SLO/Redirect
> 2019-11-08T14:34:15,790 [qtp1417465-7314] TRACE unity.server.saml.ResponseHandlerBase: SAML SAMLResponse is: <urn:LogoutResponse IssueInstant="2019-11-08T13:34:15.789Z" ID="SAMLY2lib_msg_e22ca2eb2cd0014ac9c34617b52b836eebb6141762df2bcf" Version="2.0" InResponseTo="_cdeb6c41e0e34221ccba36ec18db2d84" xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol"><urn1:Issuer Format="" xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion">https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata</urn1:Issuer><urn:Status><urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/><urn:StatusMessage>Logged out entity name must be present in SLO request and only NameID is supported</urn:StatusMessage></urn:Status></urn:LogoutResponse>
> 2019-11-08T14:34:15,790 [qtp1417465-7314] TRACE unity.server.saml.ResponseHandlerBase: Returned Redirect URL is: https://test.ggus.eu/Shibboleth.sso/SLO/Redirect?SAMLResponse=fZJbaxsxEEb%2FyqD3vUi7Wa%2BFbSgNBYPTQhwC7YvRZexs2ZW2Ggka%2FvrKbgPbPuRNGkZnzsdok4KTB3%2FxKT4izd4Rwp4o4d5RVC5umaj5uuC8qPsn3simlfyuXPXrbwz291t2%2FPBw%2BCrGQZ8mupxQCKMEamFsXfNWmbVp2o6v9J3QfdMhat3xlq86Yc9CmzODZww0eJfHlHUmujeJJ79lJ2NRd6blWGPTCsGN0SpTDO%2BtFrZvGfycRkcyZ9iyaxCvaCDp1IQko5FXOZnBcg4%2BeuNHttvkNi5vCQN88mFSOeKCw98HKSIMMQuz3UuMM8mqSm6IryUmq2Kh1FCefxXfE46DeSktyr5tm4rUNBaDnasJo8p9alMtNG5O8hhVTLQ8f%2FQW4VmNCd93olu3fMQfCSliYNWS8oBE6oK7vOMLWsh7BnQxK8OVBFOiCBphDki5DoOD4%2BELhD8wUC4%2FceMrfM7N%2B3sYCCjNsw8R7S3Ef1OWtb%2BXfz%2FX7jc%3D
>
> Cheers,
> Shiraz
>
> On Fri, Nov 8, 2019 at 9:44 AM Krzysztof Benedyczak <kb...@un...> wrote:
>> Hi Shiraz,
>>
>> On 06.11.2019 at 13:00, Shiraz Memon wrote:
>>> Hi Krzysztof,
>>>
>>> I have configured an SP, which is based on Shibboleth. I can successfully sign in but unfortunately I cannot log out (SLO). Below are the SLO request and response messages from the SP and Unity respectively, and also the SP configuration in Unity.
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://unity.eudat-aai.fz-juelich.de/saml-idp/SLO-WEB" ID="_56f68d31d948b0ccc241c0efe0697d36" IssueInstant="2019-11-06T11:17:58Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.ggus.eu/EOSC-hub/secure</saml:Issuer><samlp:Extensions><aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo" /></samlp:Extensions><saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" /><xenc:CipherData><xenc:CipherValue>S/GMplTHJ2N0vbOVMhyUK8bBTNriupFbp12wwnvUmioEjx5xpBhYGYgEF5IQChVm66GdgIJ8czAk
>>> RX1HbwqOGUktGocmR+Fcxq9wn5OSrQ4i/mj4kIF+aqlh8+bir2gua5XLd16DPn61CM3bUv2HWfNK
>>> P0IAO3D77ezdJ+DR4jZ5wEfqZE3+OFplfMyzc2s7w4iswSs/cs/3fXJzkSFKGUP32P50izi4HxBg
>>> eN7F7knsFHiD8P0b62btMOUQCHHG6LG9U7Esfjwe+uO88wJEmge295FQWRwJHvrbO8O7rEwnDu8+
>>> 1d1/Vnb0OT5lvM0E8sC/LYUKpO62DHjUvVI60BQ2/6NJPVsTjV4CEp77nQK7aR6dmJaVxlFJ2EZw
>>> cD3s49RPazXpATvAPLrg/0t2lLFIB/Z5g8AX+5FqBn1vkqrYpKQoBdnTjO/j5LGYbs8q9s2/HlP9
>>> 4Mf9iCW9YOCV1Q8KOLAvgLHJWKCVHNQQARTIHHN2ocX2jNWiWf0zaG/1sEW8KP6uOyoLpnTQ9YB6
>>> I81yndVV+YXVWQYLk7wrUB2KPXVHCEshjmHzwJxhvWvIQYrvpBuLOLfAjShNpFsHyn/yCBBs5LdE
>>> RlDAdcKkikAQO5MkJjcLSkY0Jh3C5PAJ+jPhjZ5Lv9z1+VuJabb9lpLCNAI8Lx0dYJ7LbExv8Gw=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>uwTdWX75kV+KaSwdLSY0miFxW7oaIEqIpUF9LTZgYEsgHzh6lQeJs0trR9CzTF6+b8/+j8mpCCkF
>>> 6BsHJcikJRZySAo2THBfZlTk1FIcOXgOMW6U2k3loUSxr6JT1mXFXXCBkUeraP38JJ62Yg9GMGFd
>>> DYKNtbTI2fuK6Z8TwBwK/lDeJ+atIOcnTT8AKBYXpo0Ni/s+0XivyecXPKdkYIRSh34u9nZ2DVr0
>>> ENrgpmXR1X+hctYU7NeRgEFjQjCf</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedID><samlp:SessionIndex>SAMLY2lib_assert_fd9a89a3fa593431e7c87fc61266a55d5b3b64d8ea7f6bc3</samlp:SessionIndex></samlp:LogoutRequest>
>>>
>>> <?xml version="1.0" encoding="UTF-8"?><urn:LogoutResponse xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2019-11-06T11:33:04.725Z" ID="SAMLY2lib_msg_64b9f960635a040fc79f7707675d67b026020087543ab8f8" Version="2.0" InResponseTo="_4d31d3d8048d719329c6c5f43c35fb39"><urn1:Issuer xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion" Format="">https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata</urn1:Issuer><urn:Status><urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" /><urn:StatusMessage>Logged out entity name must be present in SLO request and only NameID is supported</urn:StatusMessage></urn:Status></urn:LogoutResponse>
>>>
>> Looks like some incompatibility in what is sent to Unity in the logout request as the subject to be logged out. I can't say more as the request is encrypted.
>>
>> If you enable trace logging you should be able to see the decrypted message in the log, then we can say more. Looks like the subject (i.e. the one to be logged out) is provided to Unity in some unsupported way. I suppose this was not working with the older Unity version too, right? And even if it was, most likely the triggering is on the client side.
>>
>> Best,
>> Krzysztof
>
> --
> Shiraz Memon
> Federated Systems and Data
> Jülich Supercomputing Centre (JSC)
>
> Phone: +49 2461 61 6899
> Fax: +49 2461 61 6656
>
> ------------------------------------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Dueren local court, no. HR B 3498
> Chairman of the Supervisory Board: MinDir Volker Rieke
> Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
> Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
> Prof. Dr. Sebastian M. Schmidt
> ------------------------------------------------------------------------------------------------
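The two things a practitioner wants to do with the material in this thread are (a) decode the HTTP-Redirect-binding SAMLResponse parameter that Unity logs as "Returned Redirect URL" into readable XML, and (b) see at a glance which subject form a LogoutRequest carries, since the validator's error says only a plain NameID is accepted and the request quoted above carries the subject as saml:EncryptedID. The script below is an added example, not code from Unity, samly2 or Shibboleth; the element and namespace names follow the SAML 2.0 core and bindings specifications, while the function names, the sample messages and the example.org endpoints are constructed for this illustration. It goes slightly beyond the thread in that it also recognises the third subject form the schema allows, saml:BaseID.

```python
"""Added example (not code from Unity, samly2 or Shibboleth): decode a SAML
HTTP-Redirect binding parameter and classify the subject of a LogoutRequest.
All identifiers below are the example's own assumptions."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def redirect_encode(xml_text: str, param: str = "SAMLRequest") -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return param + "=" + urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def redirect_decode(query: str) -> str:
    """Inverse of redirect_encode; takes the query string part of the redirect URL."""
    params = urllib.parse.parse_qs(query)
    value = (params.get("SAMLRequest") or params.get("SAMLResponse") or [None])[0]
    if value is None:
        raise ValueError("no SAMLRequest/SAMLResponse parameter in query string")
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def logout_subject_kind(xml_text: str):
    """Which subject form the LogoutRequest carries: 'NameID', 'EncryptedID',
    'BaseID' (all three are allowed by the SAML 2.0 core schema) or None."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    for kind in ("NameID", "EncryptedID", "BaseID"):
        if root.find(f"{{{SAML}}}{kind}") is not None:
            return kind
    return None


def validate_subject(xml_text: str):
    """Mirror of the check behind the error in the thread: accept only a plain
    NameID subject. Returns (ok, reason)."""
    kind = logout_subject_kind(xml_text)
    if kind == "NameID":
        return True, "NameID present"
    if kind is None:
        return False, "no subject element in LogoutRequest"
    return False, f"subject is {kind}; only NameID is supported"


def logout_response_status(xml_text: str):
    """Return (StatusCode suffix, StatusMessage) of a LogoutResponse."""
    root = ET.fromstring(xml_text)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    msg = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage")
    if code is None:
        raise ValueError("LogoutResponse without StatusCode")
    return code.get("Value").rsplit(":", 1)[-1], (msg.text if msg is not None else None)


# Constructed sample messages (not the ones from the thread; IDs are made up).
REQ_NAMEID = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" '
    'Version="2.0" IssueInstant="2019-11-06T11:17:58Z">'
    '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    'alice@example.org</saml:NameID>'
    '<samlp:SessionIndex>_sess1</samlp:SessionIndex></samlp:LogoutRequest>'
)
REQ_ENCRYPTED = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req2" '
    'Version="2.0" IssueInstant="2019-11-06T11:17:58Z">'
    '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedID>'
    '<samlp:SessionIndex>_sess2</samlp:SessionIndex></samlp:LogoutRequest>'
)
RESP_ERROR = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" '
    'Version="2.0" IssueInstant="2019-11-06T11:33:04Z" InResponseTo="_req2">'
    '<saml:Issuer>https://idp.example.org/saml-idp/metadata</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>'
    '<samlp:StatusMessage>Logged out entity name must be present in SLO request '
    'and only NameID is supported</samlp:StatusMessage></samlp:Status></samlp:LogoutResponse>'
)

if __name__ == "__main__":
    for req in (REQ_NAMEID, REQ_ENCRYPTED):
        wire = redirect_encode(req)  # what the SP would put after "?" in the redirect
        print(logout_subject_kind(redirect_decode(wire)), validate_subject(req))
    print(logout_response_status(redirect_decode(redirect_encode(RESP_ERROR, "SAMLResponse"))))
```

To inspect a real redirect URL, pass everything after the "?" to redirect_decode. Note that this only unwraps the binding; it cannot open an EncryptedID, because that needs the IdP's private decryption key, which is exactly why the thread asks for the server-side unicore.security TRACE dump of the deciphered request rather than a client-side capture.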