From: Sander A. <sa....@fz...> - 2017-04-19 09:34:31
Attachments: smime.p7s
Hi Krzysztof,

I got a problem report from a user about broken login with his home IdP. The IdP changed its certificate and it was not trusted by Unity:

[2017-04-19 07:32:47,210 [qtp304966690-1742] WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or processing failed
pl.edu.icm.unity.server.authn.AuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.]

This IdP comes with eduGAIN metadata. The metadata URL is updated once per hour. Reloading the SAML authenticator did not solve the problem. A restart solved the problem. But restarts during working time are not very welcome. Is there another solution to this problem?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
From: Krzysztof B. <kb...@un...> - 2017-04-19 10:22:58
Hi Sander,

On 19.04.2017 at 11:34, Sander Apweiler wrote:
> Reloading the SAML authenticator did not solve the problem. A restart solved the problem. But restarts during working time are not very welcome. Is there another solution to this problem?

I'll look into it - likely some cache is not purged after metadata reload.

Thanks for the info
KB
From: Krzysztof B. <kb...@un...> - 2017-04-25 19:46:33
Hi Sander,

On 19.04.2017 at 12:22, Krzysztof Benedyczak wrote:
> I'll look into it - likely some cache is not purged after metadata reload.

I've run quite a few tests and unfortunately I cannot reproduce this issue. All cases that I tried (e.g. with a changed certificate DN in the update or without a DN change) worked fine - immediately after the metadata reload the new certificate was used.

I've found however another nasty problem related to SAML metadata reloading (#601 in the tracker). While this other problem alone is rather not related to your case, its fix could also solve your issue: a small refactoring was applied to the overall process of metadata reloading, which should now be simplified and more stable.

All in all, if you notice such an issue again please let us know, providing as much context as possible, especially which IdP it was. I have some saved eduGAIN metadata dumps, so chances are that I'll be able to reproduce the setup before and after the update.

Best
Krzysztof
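A check an SP operator can run when a login fails like the one reported above, as an added example that is not Unity's code or anything from this thread: it extracts the signing certificates an IdP publishes in federation metadata and compares their fingerprints with the set the SP currently trusts, so a trust cache that survived a metadata reload shows up as a certificate present in metadata but absent from the trusted set. The entityID, the metadata aggregate and the certificate bytes are constructed placeholders, not a real eduGAIN feed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
IDP = "https://idp.example.org/idp/shibboleth"  # constructed entityID


def signing_cert_fingerprints(metadata_xml, entity_id):
    """SHA-256 fingerprints (over the DER bytes) of one IdP's signing certs."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            # A KeyDescriptor without 'use' is valid for signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                fps.add(hashlib.sha256(der).hexdigest())
    return fps


def trust_drift(metadata_xml, entity_id, trusted_fps):
    """Return (published but not trusted, trusted but no longer published)."""
    published = signing_cert_fingerprints(metadata_xml, entity_id)
    return published - set(trusted_fps), set(trusted_fps) - published


def sample_metadata(signing_der, encryption_der=b"enc-key-placeholder"):
    """Constructed aggregate with one IdP; the certificate values are
    placeholder bytes, not real X.509 certificates."""
    sig = base64.b64encode(signing_der).decode()
    enc = base64.b64encode(encryption_der).decode()
    return f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="{IDP}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{sig}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{enc}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Feed `signing_cert_fingerprints` the metadata file the SP has on disk and `trust_drift` the freshly fetched aggregate; a non-empty first set after a reload means the reload did not refresh what the SP trusts.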
From: Sander A. <sa....@fz...> - 2017-04-26 05:15:49
Attachments: smime.p7s
Hi Krzysztof,

thank you for your efforts. The IdP was from CSC. If it appears again, I will contact you again.

Best regards,
Sander

On Tuesday, 25.04.2017, 21:45 +0200, Krzysztof Benedyczak wrote:
> All in all, if you notice such an issue again please let us know, providing as much context as possible, especially which IdP it was. I have some saved eduGAIN metadata dumps, so chances are that I'll be able to reproduce the setup before and after the update.