RE: Shibboleth idp and CAS: msg#00083

java.jasig.cas.user

Subject: RE: Shibboleth idp and CAS

I reverted to a test using testshib so I could see the logs on the sp side of the house.
 
The sp does try to access the -idp/AA but has SSL problems - the error log from the sp side:
 
 
2006-12-12 11:58:19 INFO shibtarget.SessionCache [1110] sessionGet: trying to get new attributes for session (ID=_a2f06aa1d3dedbfd05977d07da54ebc8)
2006-12-12 11:58:19 DEBUG shibtarget.SessionCache [1110] sessionGet: trying to query an AA...
2006-12-12 11:58:19 DEBUG SAML.SAMLSOAPHTTPBinding.CURLPool [1110] sessionGet: getting connection handle to https://web2.ametsoc.org:8443/shibboleth-idp/AA
2006-12-12 11:58:19 DEBUG SAML.SAMLSOAPHTTPBinding.CURLPool [1110] sessionGet: nothing free in pool, returning new connection handle
2006-12-12 11:58:19 INFO SAML.SAMLSOAPHTTPBinding [1110] sessionGet: sending SOAP message to https://web2.ametsoc.org:8443/shibboleth-idp/AA
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: About to connect() to web2.ametsoc.org port 8443
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: Trying 64.55.87.5...
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: connected
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: Connected to web2.ametsoc.org (64.55.87.5) port 8443
2006-12-12 11:58:19 DEBUG shibtarget.ShibHTTPHook [1110] sessionGet: OpenSAML invoked SSL context callback
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: SSLv3, TLS handshake, Client hello (1):
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: SSLv3, TLS handshake, Server hello (2):
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: SSLv3, TLS handshake, CERT (11):
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet:
2006-12-12 11:58:19 DEBUG OpenSSL [1110] sessionGet: invoking default X509 verify callback
2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Basic [1110] sessionGet: comparing certificate to KeyDescriptors
2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Basic [1110] sessionGet: KeyDescriptor resolved into a certificate, comparing it...
2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Basic [1110] sessionGet: certificate did not match
2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Basic [1110] sessionGet: failed to find an exact match for certificate in KeyDescriptors
2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Shibboleth [1110] sessionGet: performing certificate path validation...
2006-12-12 11:58:19 DEBUG Shibboleth.Trust.Shibboleth [1110] sessionGet: failed to validate certificate chain using KeyAuthority extensions
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: SSLv3, TLS alert, Server hello (2):
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2006-12-12 11:58:19 DEBUG SAML.libcurl [1110] sessionGet: Closing connection #0
2006-12-12 11:58:19 ERROR SAML.SAMLSOAPHTTPBinding [1110] sessionGet: failed while contacting SAML responder: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2006-12-12 11:58:19 ERROR shibtarget.SessionCache [1110] sessionGet: caught SAML exception during SAML attribute query: SOAPHTTPBindingProvider::send() failed while contacting SAML responder: SSL certificate problem, verify that the CA cert is OK. Details:
 

Not sure why this is failing when I am working ok with a cassified servlets-examples in tomcat.
 
Can anyone shed some light?
 
Thanks, Pat
 
 

From: Patrick MacDonald [mailto:patmac00-Wuw85uim5zDR7s880joybQ@xxxxxxxxxxxxxxxx]
Sent: Tuesday, December 12, 2006 11:44 AM
To: cas-c5E7yoNEsvRIM2btvs0Z1A@xxxxxxxxxxxxxxxx; shibboleth-users-H4aWS73dXup+qImEYqgU8Q@xxxxxxxxxxxxxxxx
Subject: Shibboleth idp and CAS

I am trying to set up a shibboleth idp with the yale CAS client.
 
CAS is working in that I have cassified the tomcat servlets-examples and that all works just fine.
 
Shibboleth, by itself (using Tomcat Forms authentication) is working with another sp.
 
Combining the two seems to be a problem for me. I'm posting this to both the shibboleth and the CAS lists in the hopes someone can shed some light.
 
When I have shibboleth and CAS configured to work together, the first redirect to my -idp/SSO takes me to my CAS login. I then log in through CAS, which is just fine. I send back an AuthN SAML response but then get nothing back from the SP. I am expecting a POST to my idp/AA asking for attributes (which is the next thing sent in the working shibboleth configuration).
 
Both AuthN saml responses (working vs non-working) seem to be identical (barring the time specific details)
 
My configuration is Win2K server with IIS 5.0 frontending Tomcat 5.5 on ports 80 and 443. Tomcat is managing 8080, 8009 and 8443 itself.
 
 
My shibboleth-idp/WEB-INF/web.xml contains the following
 
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <context-param>
        <param-name>IdPConfigFile</param-name>
        <param-value>file:/e:/opt/shibboleth-idp//etc/idp.xml</param-value>
    </context-param>
    <!--added CASFilter -->
    <filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
        <!-- URL of login page of CAS Server -->
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
            <param-value>https://web2.ametsoc.org/cas/login</param-value>
        </init-param>
        <!-- URL to validation URL of CAS Server -->
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
            <param-value>https://web2.ametsoc.org/cas/serviceValidate</param-value>
        </init-param>
        <!-- Full hostname with port number to be filtered. The port
        number is not required for standard ports (80,443) -->
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
            <param-value>web2.ametsoc.org</param-value>
        </init-param>
        <!-- expose REMOTE_USER (from CAS Client version 2.1.0) -->
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/SSO/*</url-pattern>
    </filter-mapping>
    <!-- ########################### -->
    <servlet>
    <servlet-name>IdP</servlet-name>
        <display-name>Shibboleth Identity Provider</display-name>
        <servlet-class>edu.internet2.middleware.shibboleth.idp.IdPResponder</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/SSO</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/AA</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/Artifact</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/Status</url-pattern>
    </servlet-mapping>
    <mime-mapping>
        <extension>css</extension>
        <mime-type>text/css</mime-type>
    </mime-mapping>
</web-app>
 
Thanks, Pat MacDonald
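As an added troubleshooting example (not from the original post, nor Shibboleth's own code): the SP log above shows the trust engine first looking for an exact match between the certificate the AA endpoint presents over TLS and the ds:X509Certificate values under the IdP's KeyDescriptors in the SP's metadata, and only then falling back to path validation. The script below reproduces that first check with the standard library; the entity ID, the metadata and the certificate bytes are constructed placeholders, and the rule that only signing/unspecified KeyDescriptors count is my assumption.

```python
import base64
import re
import xml.etree.ElementTree as ET
# SAML 2.0 metadata and XML Signature namespaces used in Shibboleth metadata
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def pem_to_der(pem):
    """Strip PEM armour and whitespace, return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def metadata_certs(metadata_xml, entity_id):
    """DER of every ds:X509Certificate published for entity_id.
    Assumption (mine): only KeyDescriptors with use="signing" or no use
    attribute are candidates for the TLS peer certificate."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for ent in root.iter("{%s}EntityDescriptor" % MD):
        if ent.get("entityID") != entity_id:
            continue
        for kd in ent.iter("{%s}KeyDescriptor" % MD):
            if kd.get("use", "signing") != "signing":
                continue
            for c in kd.iter("{%s}X509Certificate" % DS):
                certs.append(base64.b64decode("".join((c.text or "").split())))
    return certs


def cert_matches_metadata(server_pem, metadata_xml, entity_id):
    """The 'exact match' step: True only if the certificate the AA endpoint
    presents is byte-identical to one listed in metadata. False is the state
    the log reports as 'certificate did not match'."""
    return pem_to_der(server_pem) in metadata_certs(metadata_xml, entity_id)


def as_pem(b64):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed sample data: not real certificates, just bytes standing in for DER
CERT_IN_METADATA = base64.b64encode(b"constructed DER: cert published in metadata").decode()
CERT_ON_SERVER = base64.b64encode(b"constructed DER: cert Tomcat actually serves").decode()
ENTITY_ID = "urn:mace:example:idp"  # placeholder entity ID
METADATA = """<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">
 <md:EntityDescriptor entityID="%s"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   %s
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>""" % (
    MD, DS, ENTITY_ID, CERT_IN_METADATA)
```

When the check returns False for the certificate Tomcat is actually serving on 8443, the fix is on the metadata/keystore side (the SP's copy of the IdP metadata must carry the certificate the connector really presents), not in CAS.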
