Shibboleth Integration

    Ted
    # 6 years, 3 months ago

    Hello Nikhil,

    I am just following up on the issues below. We appear to have resolved the ‘NameID’ issue. Thanks for your help.

    Now, when successfully logging in, we are receiving a different error. (Note: The symptom is still that a blank/empty web page is being returned to the user, and with WP_DEBUG still enabled, any errors are displayed in the (empty) window.) The current errors being displayed are:

    ---------- ERRORS ----------

    Warning: file_get_contents(https://improveteaching.med.jhmi.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/resources/sp-key.key): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in D:\OIT_PROD\improveteaching.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\xmlseclibs.php on line 392

    Warning: file_get_contents(https://improveteaching.med.jhmi.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/resources/miniorange_sp_priv_key.key): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in D:\OIT_PROD\improveteaching.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\xmlseclibs.php on line 392

    trying primary

    Notice: Undefined property: XMLSecurityKey::$—–BEGIN CERTIFICATE—– MIID7TCCAtWgAwIBAgIJAMcsf4R7oVMZMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD VQQGEwJJTjELMAkGA1UECAwCTUgxDTALBgNVBAcMBFBVTkUxEzARBgNVBAoMCk1J TklPUkFOR0UxEzARBgNVBAsMCk1JTklPUkFOR0UxEzARBgNVBAMMCk1JTklPUkFO R0UxIjAgBgkqhkiG9w0BCQEWE2luZm9AbWluaW9yYW5nZS5jb20wHhcNMTUxMDMw MTA1NDQ4WhcNMjAxMDI4MTA1NDQ4WjCBjDELMAkGA1UEBhMCSU4xCzAJBgNVBAgM Ak1IMQ0wCwYDVQQHDARQVU5FMRMwEQYDVQQKDApNSU5JT1JBTkdFMRMwEQYDVQQL DApNSU5JT1JBTkdFMRMwEQYDVQQDDApNSU5JT1JBTkdFMSIwIAYJKoZIhvcNAQkB FhNpbmZvQG1pbmlvcmFuZ2UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAsxulwAiXvaJvT6JEckasFcHY7eME2hjClXPKtGJ6okiPOPQjMAv+zYxZ 2beAUPWxg1pfE7HIdTLh6A0yD2Afnw9ayKmCGiq6rX8TqXzEo8J01M/zGRBXxw+Q CjB7BpWpHUVcdfagUEJrURHRcx6VXXf/9xprbtv7Wsx/WVhqGl6MCtj4m5tTsHyY D9BOawxtmaq7dNSECkt9qNUfu+EvTYk3LHI3IoJR4HcMTsYjTbJo6lHNT18FQqRe WcjNXCTvH17Zit4MaH8WGlL32KV62EyTPZwjqrmUHqoXfj87e+1XOpYk+Z/dApMC 47I6++yq+FlyvVne0w48SAHYt4M1rQIDAQABo1AwTjAdBgNVHQ4EFgQUyihK6rNy l3Sx9Onzzup0qko7z7QwHwYDVR0jBBgwFoAUyihK6rNyl3Sx9 in D:\OIT_PROD\improveteaching.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\xmlseclibs.php on line 399

    Warning: openssl_pkey_get_details() expects parameter 1 to be resource, boolean given in D:\OIT_PROD\improveteaching.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Utilities.php on line 459

    Failed to parse decrypted XML. Maybe the wrong sharedkey was used?trying secondary

    Notice: Undefined property: XMLSecurityKey::$—–BEGIN CERTIFICATE—– MIID7TCCAtWgAw… in D:\OIT_PROD\\wp-content\plugins\miniorange-saml-20-single-sign-on\xmlseclibs.php on line 399

    Warning: openssl_pkey_get_details() expects parameter 1 to be resource, boolean given in D:\OIT_PROD\\wp-content\plugins\miniorange-saml-20-single-sign-on\Utilities.php on line 459

    Failed to parse decrypted XML. Maybe the wrong sharedkey was used?Failed to decrypt XML element.

    ---------- ERRORS ----------

    FYI – Some additional information/questions that may or may not be relevant:

    1) In the miniOrange plugin configuration page, on the ‘Identity Provider’ tab, I notice in the ‘Step 1:’ section, in the table of information that is provided (for “You will need the following information…”, and which is read-only), for ‘NameID format’ that value provided shows “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”.

    a. The other fields in the table that reference a SAML version show “…saml-20…”, which is correct for our Shib version used. But the above ‘NameID…’ value provided shows ‘…SAML:1.1…’. Is this a problem?


    b. Related to the above, the ‘NameID…’ value we configured was/is:

    <saml:NameID SPNameQualifier="https:///wp-content/plugins/miniorange-saml-20-single-sign-on/"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

    which does not match the above value that is indicated in the table given (e.g. – “SAML:1.1” vs “SAML:2.0” and “emailAddress” vs “transient”). Just pointing this out in case this is a problem.

    c. Related to the above, also on the “Identity Provider” tab, immediately below the given table it shows the alternate method… which is what we have used (i.e. – the metadata URL):

    “OR

    Provide this metadata URL to your Identity Provider:

    https://improveteaching.med.jhmi.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/metadata.php

    – We used this method, and provided it to the IdP. Question: Should clicking on this link display something in a browser window? If so, it does not, and instead shows a blank browser window.

    – I’ve attached a copy of the ‘metadata.php’ file in case you wanted to review the contents. (I appended “.txt” to the file name.)

    In summary, the Authentication portion is working. When going to the site initially and clicking the ‘shortcode’ link, we are directed to the IdP, and successfully Authenticated, and the attempt is made to send the user back to the WordPress site (getting a blank page at that point, with the above errors). Any thoughts or help would be appreciated. If the miniOrange plugin requires any additional info from the IdP, we can provide it. (Also, in case I haven’t previously mentioned, ours is a Windows 2012R2 / IIS8.5 Server. WP is v4.3, PHP v5.6.8)

    Thanks very much,

    Ted

    Nikhil
    # 6 years, 3 months ago

    Can you please let me know what version of the plugin you are using?

    Thanks,
    Nikhil

    Ted
    # 6 years, 3 months ago

    v3.4

    Thanks,
    Ted

    Nikhil
    # 6 years, 3 months ago

    Ted,

    Please update the plugin. It should work then. Go to Plugins in WP admin and click on “Update now” against the miniOrange plugin.

    Thanks,
    Nikhil

    Ted
    # 6 years, 3 months ago

    Hello Nikhil,

    Thanks again for the help in resolving the miniOrange/SSO/Shibboleth integration issues we were having with our Production WP site. Everyone involved is very happy that the site is now working/available, and it is being actively used.

    As I mentioned at the end, we had the final task of also getting our companion Development WP site to work as well. Will you be able to help resolve the issues we are having with the Dev site? The Dev site authenticates against a separate Shib Dev/Test Shibboleth IdP server. All of the MO plugin IdP, SP, Attribute, etc. settings have been configured accordingly for the Shib IdP Dev/Test server (and compared to the Production site, as a reference), and appear to be correct, but the issue/symptom being received is the same “NameID… Missing” error (with a blank page, and after successfully authenticating), similar to the original error that we had had with the Prod site:

    Fatal error: Uncaught exception ‘Exception’ with message ‘Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.’ in D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Assertion.php:140 Stack trace: #0 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Assertion.php(112): SAML2_Assertion->parseSubject(Object(DOMElement)) #1 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Response.php(63): SAML2_Assertion->__construct(Object(DOMElement)) #2 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\mo_login_saml_sso_widget.php(288): SAML2_Response->__construct(Object(DOMElement)) #3 [internal function]: mo_login_validate(”) #4 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-includes\plugin.php(503): call_user_func_array(‘mo_login_valida…’, Array) #5 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-settings.php(353): do_action(‘init’) #6 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-config.php(97): require_once(‘D:\\OIT_DEV\\IEE in D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Assertion.php on line 140

    The configuration has been compared between our working Prod and the Dev a few times and appears to be correct, but we may be missing something. Will you be able to help?

    Thanks,
    Ted

    Nikhil
    # 6 years, 3 months ago

    Hi Ted,

    Please verify these:

    In conf/attribute-resolver.xml, confirm that you have the following configuration:

    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId"
                                  xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </resolver:AttributeDefinition>

    In conf/attribute-filter.xml, confirm that you have released the transientId attribute to the relying party like this:

    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    Once this is done, configure the plugin’s attribute mapping tab like the way we did earlier.

    Thanks,
    Nikhil

    Ted
    # 6 years, 3 months ago

    Nikhil,

    Thanks for your reply. We will follow up and check the settings below.

    Thanks,
    Ted

    Ted
    # 6 years, 3 months ago

    I’m not sure what I’m missing here, but it’s still not working.

    Ted

    Nikhil
    # 6 years, 3 months ago

    Hi Ted,

    Please follow the below-mentioned steps and verify:
    Open the SP metadata file (in a browser) that you have used to configure Shibboleth. (You might have copied it to the metadata folder of the Shibboleth installation.)
    Verify that you have the following 6 lines in the content of the SP metadata:
    <md:NameIDFormat>
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
    <md:NameIDFormat>
    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    </md:NameIDFormat>
    <md:NameIDFormat>
    urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </md:NameIDFormat>

    It might happen that you would be using the older plugin. We had replaced the new version of premium plugin in the staging instance as well when we were resolving it.

    Thanks,
    Nikhil
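A small checker for the two conditions this thread turns on, written here as an added example and not code from the plugin or from anyone in the thread: the SP metadata must be well-formed XML (the problem Kevin hits later) and must advertise the three NameIDFormat entries listed above, and the IdP's assertion must carry a <saml:NameID> (or <saml:EncryptedID>) in a format the SP advertised, otherwise the SP raises the "Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>" error quoted earlier. It uses only the Python standard library; the metadata, responses and entityID values below are constructed for the example.

```python
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MD_NAMEID_FORMAT = "{%s}NameIDFormat" % NS["md"]

# The three NameIDFormat values the thread says the plugin's SP metadata must list.
REQUIRED_NAMEID_FORMATS = (
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
)


def advertised_nameid_formats(metadata_xml: str) -> set:
    """All md:NameIDFormat values in SP metadata (raises ET.ParseError if malformed)."""
    root = ET.fromstring(metadata_xml)
    return {(e.text or "").strip() for e in root.iter(MD_NAMEID_FORMAT)}


def check_sp_metadata(metadata_xml: str) -> List[str]:
    """Problems found in SP metadata; an empty list means it passes.
    Covers both failure modes from the thread: metadata that is not valid XML,
    and metadata that does not advertise one of the required NameID formats."""
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        return ["metadata is not well-formed XML: %s" % exc]
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]
    advertised = advertised_nameid_formats(metadata_xml)
    return ["NameIDFormat not advertised: " + f for f in REQUIRED_NAMEID_FORMATS if f not in advertised]


def subject_identifier(response_xml: str) -> Tuple[str, Optional[str]]:
    """(kind, format) of the assertion subject's identifier; kind is 'NameID' or
    'EncryptedID'. Raises ValueError when neither is present, which is the same
    condition behind the plugin's 'Missing <saml:NameID>...' fatal error."""
    root = ET.fromstring(response_xml)
    subject = root.find(".//saml:Assertion/saml:Subject", NS)
    if subject is None:
        raise ValueError("Missing <saml:Subject> in assertion (or the assertion is encrypted)")
    name_id = subject.find("saml:NameID", NS)
    if name_id is not None:
        # A NameID without a Format attribute means 'unspecified' per SAML core.
        return "NameID", name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if subject.find("saml:EncryptedID", NS) is not None:
        return "EncryptedID", None
    raise ValueError("Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.")


def diagnose_response(metadata_xml: str, response_xml: str) -> str:
    """One-line verdict on why the SP would accept or reject the subject identifier."""
    try:
        kind, fmt = subject_identifier(response_xml)
    except ValueError as exc:
        return "REJECT: %s" % exc
    if kind == "EncryptedID":
        return "OK: EncryptedID present; format known only after decryption"
    if fmt in advertised_nameid_formats(metadata_xml):
        return "OK: NameID format %s is advertised by the SP" % fmt
    return "REJECT: NameID format %s is not advertised by the SP metadata" % fmt


# --- Constructed sample inputs (not the real metadata or responses from the thread) ---
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/wp-content/plugins/miniorange-saml-20-single-sign-on/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same metadata with the transient format dropped: the IdP's transientId would then be refused.
INCOMPLETE_METADATA = GOOD_METADATA.replace(
    "    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n", "")

RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>%s</saml:Subject></saml:Assertion>
</samlp:Response>"""
# Subject carrying a transient NameID, as the working Prod IdP releases it.
RESPONSE_WITH_NAMEID = RESPONSE_TEMPLATE % (
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_8f3c</saml:NameID>')
# Subject with no identifier at all: the Dev IdP symptom when transientId is not released.
RESPONSE_WITHOUT_NAMEID = RESPONSE_TEMPLATE % ""

if __name__ == "__main__":
    print(check_sp_metadata(GOOD_METADATA), check_sp_metadata(INCOMPLETE_METADATA))
    print(diagnose_response(GOOD_METADATA, RESPONSE_WITH_NAMEID))
    print(diagnose_response(GOOD_METADATA, RESPONSE_WITHOUT_NAMEID))
```

Run it against a saved copy of the real metadata.php output and a SAML response captured from the browser's SAML tracer to see which of the two checks the Dev site fails; an encrypted assertion will show up as a missing Subject, since this checker does not decrypt.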

    Ted
    # 6 years, 3 months ago

    Nikhil,

    Thanks for your reply. FYI, we uninstalled and reinstalled the latest Premium version (from scratch), just for the sake of doing it, because I remembered that in the course of the prior troubleshooting with our Production website, you had us do that there. So, having done that on our Development site, we’ll try and test with the information.

    Thanks,
    Ted

    Nikhil
    # 6 years, 3 months ago

    Ted,

    Can you get the metadata for me, as outlined here?

    https://ieedev.med.jhmi.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/metadata.php

    Thanks!

    Kevin
    # 6 years, 3 months ago

    The metadata is not a valid xml file.

    Thanks,
    Kevin

    Nikhil
    # 6 years, 3 months ago

    Hi Kevin,

    Please find the attached metadata.xml. It should work.

    Thanks,
    Nikhil

    Ted
    # 6 years, 3 months ago

    Yep, that did the trick. Thanks!

    Ted

    Ted
    # 6 years, 3 months ago

    Yes, the Dev site appears to be OK.

    Kevin and Nikhil – Thanks very much for all of your help, time, and efforts in also getting the Development site to work, as well. It is greatly appreciated by all.

    Thanks,

    Ted
