edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Pål Axelsson <pax AT sunet.se>
- To: Marco Malavolti <marco.malavolti AT garr.it>
- Cc: Andreas Theodorou <andreas.theodorou AT cynet.ac.cy>, edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] IdP discoveryURL error
- Date: Mon, 29 May 2023 14:39:21 +0200
Dear Andreas,
the eduGAIN Connectivity Check Service (https://technical.edugain.org/eccs) performs the checks described here:
The URL that ECCS checks is generated by this function:

    import datetime
    import uuid
    from urllib.parse import urlencode, urlparse

    # deflate_and_base64_encode() is a helper that is not shown in this message.

    def generate_login_url(sp_entity_id, sp_http_post_acs_location, idp_http_redirect_sso_location):
        """Returns a login url needed to get the IdP Login page for an SP

        :param sp_entity_id: the SP entityID
        :param sp_http_post_acs_location: the SP HTTP-POST AssertionConsumerService URL
        :param idp_http_redirect_sso_location: the IDP HTTP-Redirect SSO Location
        :return: a login url built upon a SAML Authn Request
        :rtype: string
        """
        authn_request_id = f'_{str(uuid.uuid4()).replace("-", "")}'
        issue_instant = str(datetime.datetime.now(datetime.timezone.utc).isoformat(timespec='seconds')).replace('+00:00', 'Z')
        authn_request = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
                        f'AssertionConsumerServiceURL="{sp_http_post_acs_location}" ' \
                        f'Destination="{idp_http_redirect_sso_location}" ' \
                        f'ID="{authn_request_id}" ' \
                        f'IssueInstant="{issue_instant}" ' \
                        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ' \
                        'Version="2.0">' \
                        f'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{sp_entity_id}</saml:Issuer>' \
                        '<samlp:NameIDPolicy AllowCreate="1"/>' \
                        '</samlp:AuthnRequest>'
        args = {"SAMLRequest": deflate_and_base64_encode(authn_request)}
        string = urlencode(args)
        glue_char = "&" if urlparse(idp_http_redirect_sso_location).query else "?"
        return glue_char.join([idp_http_redirect_sso_location, string])

for 3 different SPs:
1) "SP Demo" (https://sp-demo.idem.garr.it/shibboleth) from IDEM GARR AAI
2) "AAI Viewer Interfederation Test" (https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth) from SWITCHaai.
3) A randomly generated fake SP (for example: https://wblrphiddx.org)
Then it retrieves the IdP Login Page resulting from the URL generated.
If the IdP Login Page contains the "username" and "password" fields, the check is passed.
The "idp.authn.discoveryURL" you mention in the "authn.properties" file has to contain the Discovery Service URL if you have it on your Identity Provider.
The example value is: "https://ds.example.org/shibboleth-ds/index.html"
I don't use this parameter because I don't use my IdP like a proxy of multiple IdPs. Do you need to configure your IdP like a proxy for multiple IdPs?
If not, replace the default value of that parameter. The problem with ECCS is not related to it.
What your IdP has to do is to use correctly the eduGAIN metadata stream https://technical.edugain.org/metadata in the conf/metadata-providers.xml file.
Best Regards,
Marco Malavolti
On 26/05/23 09:27, Andreas Theodorou wrote:
Dear All,
I have identified the error message below in the idp-process.log file. It looks like it affects the eduGAIN connectivity status.
ERROR [net.shibboleth.idp.authn:39] - Uncaught runtime exception net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Discovery URL cannot be null or empty at net.shibboleth.utilities.java.support.logic.Constraint.isNotEmpty(Constraint.java:289)
This line is in /conf/authn/authn.properties and was commented out and the eduGAIN connectivity check was showing the red warning “IdP-Generic-Error”.
I then removed the comments and set this parameter to idp.authn.discoveryURL = https://idp.cynet.ac.cy/idp/profile/SAML2/Redirect/SSO and now the eduGAIN connectivity check shows the yellow warning.
I kindly request your assistance in resolving the issue. Thank you for your attention.
Kind regards,
Andreas.
-- Marco Malavolti Consortium GARR - Servizio IDEM GARR AAI Via dei Tizii, 6 - I-00185 (ROMA) CF: 97284570583 - PI: 07577141000 Tel.: 02 6448 2507 Skype: marco.mala PGP Key: https://keys.openpgp.org/search?=q=marco.malavolti AT garr.it
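Added example (not part of the original messages or of the ECCS code): a decoder for the SAMLRequest parameter of a login URL like the one generate_login_url builds, so an IdP operator can see which SP entityID and AssertionConsumerService URL a request taken from the access log carries. It assumes deflate_and_base64_encode applies raw DEFLATE and base64 as the SAML HTTP-Redirect binding specifies; the example.org URLs, the size cap and the function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML_BYTES = 64 * 1024  # cap on inflated size (limit assumed for this example)


def decode_saml_request(url):
    """Decode the SAMLRequest of an HTTP-Redirect login URL into its key fields."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    # The HTTP-Redirect binding uses raw DEFLATE (no zlib header): wbits=-15.
    inflater = zlib.decompressobj(-15)
    doc = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("inflated request exceeds size cap")
    if b"<!DOCTYPE" in doc or b"<!ENTITY" in doc:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(doc)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "request_id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
    }


def sample_login_url():
    """Constructed sample input shaped like the URL generate_login_url returns."""
    idp_sso = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
    doc = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST" '
           f'Destination="{idp_sso}" ID="_0123456789abcdef0123456789abcdef" '
           'IssueInstant="2023-05-29T12:00:00Z" Version="2.0">'
           '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
           'https://sp.example.org/shibboleth</saml:Issuer>'
           '<samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(doc.encode()) + comp.flush()
    return idp_sso + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
```

The returned issuer is the entityID to look up in the metadata the IdP has loaded; for the fake SP that ECCS generates, no matching entity is expected.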