[LON-CAPA-admin] Single Sign On

Neubauer, Paul pneubauer at bsu.edu
Wed Mar 24 09:38:56 EDT 2021


Hi Stuart and all,

As Stuart commented on Sunday, "the standard advice is to check the MetadataProvider element(s) in your shibboleth2.xml file." Our guy who is spearheading the replacement of our IdP (Identity Provider) came up with the following change to our MetadataProvider element:

  <MetadataProvider type="XML" uri="https://federate.bsu.edu/FederationMetadata/2007-06/FederationMetadata.xml"
       backingFilePath="metadata/federate.bsu.edu.xml" reloadInterval="7200"/>

I have to admit that I don't understand the point of the differences. My ignorance may be curable, but as of now we only have about a week to make it work, so educating me about the ins and outs of SSO is not our highest priority right now. We've been "experimenting" every morning at 6am. At this time, using that new version of shibboleth2.xml, I do successfully get redirected to our login page and I can tell I have succeeded at the IdP end of the operation because I get the push to my phone for our two-factor authentication. So far, so good.

Unfortunately (you knew this was coming, right?) the next thing I see is:

-------------------------------------------------
Forbidden
You don't have permission to access /adm/sso on this server.
-------------------------------------------------

Some googling reveals that I had asked exactly this question on this list in December, 2017: http://mail.lon-capa.org/pipermail/lon-capa-admin/2017-December/003310.html

I got no answer on the list at that time and I don't recall even asking the question, let alone how we solved it, or even who solved it.

I naïvely suspected that the new IdP is providing different data to lon-capa, but I am assured that the "assertions and attributes haven't changed." I don't know how to capture whatever our IdP is actually providing to lon-capa, so I don't know how to compare the new IdP data to the old. Is that logged somewhere? What routine handles the authentication within lon-capa?

Does anyone have a clue for the clueless (me)?

Thanks,
Paul



From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Neubauer, Paul via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
Sent: Sunday, March 21, 2021 6:01 PM
To: lon-capa-admin at mail.lon-capa.org <lon-capa-admin at mail.lon-capa.org>; Raeburn, Stuart <raeburn at msu.edu>
Subject: Re: [LON-CAPA-admin] Single Sign On 
 
Hi Stuart,

Sorry. Yes, it is odd. I did a screenshot instead of a text copy and then retyped the message from that. That's the cause of the "lonn-capa01" instead of "lon-capa01" (assuming you meant the double-n in "lonn" as what is odd). (I also have to apologize for the HTML mail instead of plain text. I think I've corrected both now.)

"lon-capa01.aws.bsu.edu" is the canonical name of the system (as we have it hosted on Amazon Web Services) and "lon-capa.bsu.edu" is an alternate name. So far, that has not been a problem.

Anyway, the file shibboleth2.xml.old is the (copy of the) original (which we have now reverted to) and shibboleth2.xml.new is the version of shibboleth2.xml that was in use when we got the error.

A diff of the two files:

diff shibboleth2.xml.old shibboleth2.xml.new
51c51
<             <SSO  entityID="https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fshibboleth.bsu.edu%2Fsso&data=04%7C01%7Cpneubauer%40bsu.edu%7Cec3100d8cfc942326ba908d8ecb4dce5%7C6fff909f07dc40da9e30fd7549c0f494%7C0%7C1%7C637519608850131473%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=9MiP%2BszNJHwpaj5SsA%2BCEQzcklBCEi0X4DYr9TCTDsw%3D&reserved=0">SAML2 SAML1</SSO>
---
>             <SSO  entityID="https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Ffederate.bsu.edu%2Fsso&data=04%7C01%7Cpneubauer%40bsu.edu%7Cec3100d8cfc942326ba908d8ecb4dce5%7C6fff909f07dc40da9e30fd7549c0f494%7C0%7C1%7C637519608850131473%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=K3UeSfeSHp5Kr5SOkTU03X%2BzNyGKuPgHc6%2FUkWe0ETU%3D&reserved=0">SAML2 SAML1</SSO>
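Review bot: the entityID values in this 51c51 hunk are not the strings actually in the config file; they have been wrapped by an Outlook Safe Links rewriter (https://nam12.safelinks.protection.outlook.com/?url=...), and the configured values are the decoded url= parameters, http://shibboleth.bsu.edu/sso before and http://federate.bsu.edu/sso after. When comparing the SSO entityID against the metadata, compare the decoded strings byte for byte (scheme, host, path, trailing slash), since that exact string is the lookup key the SP uses.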
82c82
<                             file="metadata/shibboleth.bsu.edu.xml"/>
---
>                             file="metadata/federate.bsu.edu.xml"/>
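Review bot: the 82c82 hunk only renames the local metadata file; it does not show whether metadata/federate.bsu.edu.xml actually contains an EntityDescriptor whose entityID equals the value in the SSO element of 51c51, and that mismatch is exactly what produces "Unable to locate metadata for identity provider". Suggest confirming before restarting shibd, for example with `grep -o 'entityID="[^"]*"' /etc/shibboleth/metadata/federate.bsu.edu.xml`, and checking that one of the printed values matches the SSO entityID exactly; an IdP published under a different entityID than the one the SP is told to use will fail lookup even though the file loads.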

shows that the only changes were from shibboleth.bsu.edu to federate.bsu.edu, and the result of the grep that I included in the original message showed that I changed all instances of the string 'shibboleth.bsu.edu'. So how did it get that the identity provider ought to be 'http://shibboleth.bsu.edu/sso'? There were no instances of that string anywhere in /etc (let alone /etc/shibboleth). If the message had said that it was unable to locate identity provider (http://federate.bsu.edu/sso) I would be a lot less puzzled.

Thanks,
Paul


From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Raeburn, Stuart via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
Sent: Sunday, March 21, 2021 4:55 PM
To: lon-capa-admin at mail.lon-capa.org <lon-capa-admin at mail.lon-capa.org>
Subject: Re: [LON-CAPA-admin] Single Sign On 
 
Hello Paul,

This line is odd:
"Identity provider lookup failed at (https:lonn-capa01.aws.bsu.edu/adm/sso)"

I would expect that to be lookup failed at:
https://lon-capa01.aws.bsu.edu/adm/sso

IP address: 34.204.137.158 points at lon-capa.bsu.edu
and lon-capa01.aws.bsu.edu has IP address: 34.204.137.158

If you see: "Unable to locate metadata for identity provider" the standard advice is to check the MetadataProvider element(s) in your shibboleth2.xml file.

Stuart Raeburn
LON-CAPA Academic Consortium
________________________________________
From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Neubauer, Paul via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
Sent: Sunday, March 21, 2021 2:30 PM
To: list about administration and system updating(lon-capa-admin at mail.lon-capa.org)
Subject: [LON-CAPA-admin] Single Sign On

Hi all,

We (Ball State University) are in the process of updating our identity provider. We are rolling in the changes so individual systems are being moved from using "shibboleth.bsu.edu" to using "federate.bsu.edu". It is lon-capa's turn.

I found all the files that referenced "shibboleth.bsu.edu" and copied them to a different location:

cp /etc/shibboleth/attribute-map.xml /root/sso/attribute-map.xml.old
cp /etc/shibboleth/shibboleth2.xml /root/sso/shibboleth2.xml.old
cp /etc/shibboleth/metadata/shibboleth.bsu.edu.xml /root/sso/shibboleth.bsu.edu.xml

I then made copies of the two .old files as .new and edited them to replace "shibboleth.bsu.edu" with "federate.bsu.edu"
I also got the new metadata (with wget https://federate.bsu.edu/FederationMetadata/2007-06/FederationMetadata.xml) and saved it as federate.bsu.edu.xml

This morning I stopped shibd, copied the .new files to /etc/shibboleth/ and federate.bsu.edu.xml to /etc/shibboleth/metadata/

I checked for "shibboleth.bsu.edu":
[root at lon-capa01 ~]#  grep -H -r -i 'shibboleth.bsu.edu' /etc
[root at lon-capa01 ~]#
which shows that I had eliminated all references to it.

I restarted shibd and when I tried to log in, I got:

---------------------------------
Unknown or unusable identity provider
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.
To report this problem, please contact the site administrator at security at bsu.edu.
Please include the following error message in any email:
Identity provider lookup failed at (https:lon-capa01.aws.bsu.edu/adm/sso)
EntityID: http://shibboleth.bsu.edu/sso
opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (http://shibboleth.bsu.edu/sso)
---------------------------------

For some reason it was still looking for the EntityID http://shibboleth.bsu.edu/sso
I did a system reboot but got the same thing.

I reverted to the old files and we are working, but that will only last a couple of weeks before our cert expires for our old identity provider site and it goes down.

I am totally lost. Is there somewhere else with shibboleth configuration data?

Thanks,
Paul
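The "Unable to locate metadata for identity provider" error in the original message, and Stuart's advice to check the MetadataProvider elements, both come down to one lookup: the SP takes the entityID string from the `<SSO>` element in shibboleth2.xml and searches every loaded metadata file for an IdP EntityDescriptor with exactly that entityID. The following script, an added example that is not part of this thread and not Shibboleth project code, performs that same lookup offline against a copy of shibboleth2.xml and the metadata file(s) it names, so a mismatch can be caught before shibd is restarted. All hostnames, paths and XML below are constructed for illustration (example.edu, not the real BSU configuration); it reads `file` for a local provider and `backingFilePath` for a remotely fetched one, and matches elements by local name so it works with the SP 2.x and 3.x config namespaces alike.

```python
"""Check that every IdP entityID configured in a Shibboleth SP's shibboleth2.xml
can be found as an IdP EntityDescriptor in the metadata the SP is told to load.

Added example; not code from the LON-CAPA thread or the Shibboleth project.
All configuration and metadata below are constructed samples (example.edu).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag: '{urn:...}SSO' -> 'SSO'."""
    return tag.rsplit("}", 1)[-1]


def configured_idp_entity_ids(sp_config_xml: str) -> List[str]:
    """entityID values on <SSO> elements: the IdPs the SP will look up."""
    root = ET.fromstring(sp_config_xml)
    return [el.get("entityID") for el in root.iter()
            if _local(el.tag) == "SSO" and el.get("entityID")]


def metadata_files(sp_config_xml: str) -> List[str]:
    """Local metadata files named by <MetadataProvider> elements:
    'file' for a local provider, 'backingFilePath' for a remote (uri=) one."""
    root = ET.fromstring(sp_config_xml)
    paths = []
    for el in root.iter():
        if _local(el.tag) == "MetadataProvider":
            path = el.get("file") or el.get("backingFilePath")
            if path:
                paths.append(path)
    return paths


def idp_entity_ids(metadata_xml: str) -> List[str]:
    """entityIDs of every EntityDescriptor that has an IDPSSODescriptor role,
    at any nesting depth inside EntitiesDescriptor."""
    root = ET.fromstring(metadata_xml)
    found = []
    for el in root.iter():
        if _local(el.tag) == "EntityDescriptor":
            roles = {_local(child.tag) for child in el}
            if "IDPSSODescriptor" in roles:
                found.append(el.get("entityID"))
    return found


def check_idp_lookup(sp_config_xml: str,
                     metadata_by_path: Dict[str, str]) -> Dict[str, List[str]]:
    """Simulate the SP's lookup: each configured IdP entityID must appear,
    byte for byte, as an IdP entityID in at least one configured metadata file.
    metadata_by_path maps the path string from shibboleth2.xml to file contents."""
    configured = configured_idp_entity_ids(sp_config_xml)
    available: List[str] = []
    for path in metadata_files(sp_config_xml):
        if path in metadata_by_path:
            available.extend(idp_entity_ids(metadata_by_path[path]))
    missing = [e for e in configured if e not in available]
    return {"configured": configured, "available": available, "missing": missing}


# Constructed sample shibboleth2.xml fragment (hypothetical example.edu names).
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="http://federate.example.edu/sso">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML"
        uri="https://federate.example.edu/FederationMetadata/2007-06/FederationMetadata.xml"
        backingFilePath="metadata/federate.example.edu.xml" reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed metadata whose IdP is published under a different entityID than
# the SP expects: loads fine, but the lookup fails.
METADATA_MISMATCH = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://federate.example.edu/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

# Constructed metadata whose IdP entityID matches the <SSO> element exactly.
METADATA_MATCH = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="http://federate.example.edu/sso">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://other-sp.example.edu/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

if __name__ == "__main__":
    for label, md in (("mismatch", METADATA_MISMATCH), ("match", METADATA_MATCH)):
        result = check_idp_lookup(SP_CONFIG, {"metadata/federate.example.edu.xml": md})
        print(label, result["missing"] or "all configured IdPs found in metadata")
```

To use it against a real SP, read /etc/shibboleth/shibboleth2.xml and each path it names (relative paths are relative to the SP's config directory) into the dictionary passed to `check_idp_lookup`; a non-empty `missing` list is the offline counterpart of the MetadataException in the thread, and the `available` list shows which entityIDs the new metadata actually advertises.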

_______________________________________________
LON-CAPA-admin mailing list
LON-CAPA-admin at mail.lon-capa.org
http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin