Hi,
thanks for the hints!
For posterity: I had mismatching entityIDs in my Shibboleth config:
"https://mydomain/shibboleth" in shibboleth2.xml and
"https://mydomain/shibboleth/" in the sp-metadata.xml
Yes, of course, that last slash makes a difference %-)
It seems that Shibboleth will send to the IDP the entityID set in
shibboleth2.xml - or at least it did in my case.
Cheers,
D
On 14/03/2020 10:41, Krzysztof Benedyczak wrote:
> Hi,
>
> W dniu 12.03.2020 o 19:59, D Baum pisze:
>> Hi!
>>
>> I feel I've asked about this before but could not find the message any
>> more - sorry!
>>
>> I'm trying to configure two SAML SPs in parallel in
>> conf/modules/saml/saml-webidp.properties:
>>
>> unity.saml.acceptedSPMetadataSource.a.url=file:///conf/saml/a-metadata.xml
>>
>> unity.saml.acceptedSPMetadataSource.b.url=file:///conf/saml/b-metadata.xml
>>
>> unity.saml.spAcceptPolicy=validRequester
>>
>> SP A works fine, but I've got issues with SP B, which is a
>> Shibboleth/Apache setup. When I try to access a protected resource, I
>> get forwarded to unity and it tells me:
>>
>> SAML IdP got an invalid request.
>
> So certainly the B's metadata is a problem. You can enable more detailed
> logging on the saml facility (DEBUG should be enough, but try TRACE to
> get all insights) and check what SPs were extracted from the config.
> Especially the logger 'unity.server.saml.MetaToSPConfigConverter' should
> be helpful.
>
> HTH,
> Krzysztof
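The root cause reported at the top of this thread (the SP metadata loaded by Unity carried "https://mydomain/shibboleth/" while shibboleth2.xml sent "https://mydomain/shibboleth") can be caught before the IdP rejects the request with a small check. The script below is an added example, not code from Unity or Shibboleth; the XML samples are constructed to reproduce the mismatch, and the element names (ApplicationDefaults in shibboleth2.xml, EntityDescriptor in SAML metadata) are the standard ones, matched without regard to namespace version.

```python
"""Cross-check the SP entityID in shibboleth2.xml against sp-metadata.xml.

The metadata Unity loads via unity.saml.acceptedSPMetadataSource.*.url must
carry exactly the entityID the Shibboleth SP sends in its AuthnRequest, which
is the one in <ApplicationDefaults entityID=...>. A trailing slash is enough
to make the IdP answer "SAML IdP got an invalid request".
"""
import xml.etree.ElementTree as ET

# Constructed samples reproducing the mismatch from the thread (not real files).
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://mydomain/shibboleth"
                       REMOTE_USER="eppn"/>
</SPConfig>"""

SP_METADATA_XML = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mydomain/shibboleth/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def shib_entity_id(shibboleth2_xml: str) -> str:
    """Return the entityID the Shibboleth SP will put into its requests."""
    root = ET.fromstring(shibboleth2_xml)
    for el in root.iter():
        if _local(el.tag) == "ApplicationDefaults":
            return el.attrib["entityID"]
    raise ValueError("no ApplicationDefaults element in shibboleth2.xml")


def metadata_entity_ids(metadata_xml: str) -> list[str]:
    """Return every entityID in SAML metadata (also inside EntitiesDescriptor wrappers)."""
    root = ET.fromstring(metadata_xml)
    return [el.attrib["entityID"] for el in root.iter() if _local(el.tag) == "EntityDescriptor"]


def check_entity_id(shib_id: str, metadata_ids: list[str]) -> str:
    """Classify the result: 'ok', 'trailing-slash' (differs only by '/'), or 'missing'."""
    if shib_id in metadata_ids:
        return "ok"
    if any(m.rstrip("/") == shib_id.rstrip("/") for m in metadata_ids):
        return "trailing-slash"
    return "missing"


if __name__ == "__main__":
    sid = shib_entity_id(SHIBBOLETH2_XML)
    mids = metadata_entity_ids(SP_METADATA_XML)
    print(f"SP sends {sid!r}; metadata declares {mids}: {check_entity_id(sid, mids)}")
```

Point the two constants at the real shibboleth2.xml and the file referenced by the acceptedSPMetadataSource URL to run it against a live setup.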