Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] IdP discoveryURL error

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] IdP discoveryURL error


Chronological Thread 
    < Chronological >      < Thread >
  • From: Pål Axelsson <pax AT sunet.se>
  • To: Marco Malavolti <marco.malavolti AT garr.it>
  • Cc: Andreas Theodorou <andreas.theodorou AT cynet.ac.cy>, edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] IdP discoveryURL error
  • Date: Mon, 29 May 2023 14:39:21 +0200
Hi,

This type of test when you look for some fields may be harder in the future when Identity Providers are turning away fron password as the first or only factor. I think the test needs to be redefined.

Pål Axelsson

Den fre 26 maj 2023 10:55Marco Malavolti <marco.malavolti AT garr.it> skrev:

Dear Andreas,

the eduGAIN Connectivity Check Service (https://technical.edugain.org/eccs) performs the checks described here:

https://wiki.geant.org/display/eduGAIN/eduGAIN+Connectivity+Check#eduGAINConnectivityCheck-CheckperformedontheIdPs

The URL that ECCS check is generated by this function:

def generate_login_url(sp_entity_id, sp_http_post_acs_location, idp_http_redirect_sso_location):
    """Returns a login url needed to get the IdP Login page for an SP
    
    :param sp_entity_id: the SP entityID
    :param sp_http_post_acs_location: the SP HTTP-POST AssertionConsumerService URL
    :param idp_http_redirect_sso_location: the IDP HTTP-Redirect SSO Location
    :return: a login url built upon a SAML Authn Request
    :rtype: string
    """

    authn_request_id = f'_{str(uuid.uuid4()).replace("-", "")}'
    issue_instant = str(datetime.datetime.now(datetime.timezone.utc).isoformat(timespec='seconds')).replace('+00:00', 'Z')
    authn_request = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
                    f'AssertionConsumerServiceURL="{sp_http_post_acs_location}" ' \
                    f'Destination="{idp_http_redirect_sso_location}" ' \
                    f'ID="{authn_request_id}" ' \
                    f'IssueInstant="{issue_instant}" ' \
                    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ' \
                    'Version="2.0">' \
                    f'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{sp_entity_id}</saml:Issuer>' \
                    '<samlp:NameIDPolicy AllowCreate="1"/>' \
                    '</samlp:AuthnRequest>'
    args = {"SAMLRequest": deflate_and_base64_encode(authn_request)}
    string = urlencode(args)
    glue_char = "&" if urlparse(idp_http_redirect_sso_location).query else "?"
    return glue_char.join([idp_http_redirect_sso_location, string])


for 3 different SP:

1) "SP Demo" (https://sp-demo.idem.garr.it/shibboleth) from IDEM GARR AAI
2) "AAI Viewer Interfederation Test" (https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth) from SWITCHaai.
3) A random generated fake SP (for example: https://wblrphiddx.org)

then it retrieve the IdP Login Page resulting from the URL generated.

If the IdP Login Page contains the "username" and "password" fields, the check is passed.

The "idp.authn.discoveryURL" you mention on the "authn.properties" files has to contain the Discovery Service URL if you have it on your Identity Provider.
The example value is: "https://ds.example.org/shibboleth-ds/index.html"
I don' use this parameter because I don't use my IdP like a proxy of multiple IdP. Do you need to configure your IdP like a proxy for multiple IdP?
If not, replace the default value of that parameter. The problem with ECCS is not related to it.

What your IdP has to do is to use correctly the eduGAIN metadata stream https://technical.edugain.org/metadata on conf/metadata-providers.xml file.

Best Regars,
Marco Malavolti


Il 26/05/23 09:27, Andreas Theodorou ha scritto:

Dear All,

 

I have identified the error message below in idp-process.log file. It looks that it affects the eduGAIN connectivity status.

 

ERROR [net.shibboleth.idp.authn:39] - Uncaught runtime exception net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Discovery URL cannot be null or empty at net.shibboleth.utilities.java.support.logic.Constraint.isNotEmpty(Constraint.java:289)

 

This line is in /conf/authn/authn.properties and was commented out and the eduGAIN connectivity check was showing the red warning “IdP-Generic-Error”.

 

I then removed the comments and set this parameter to idp.authn.discoveryURL = https://idp.cynet.ac.cy/idp/profile/SAML2/Redirect/SSO and now the eduGAIN connectivity check shows the yellow warning.

 

I kindly request your assistance in resolving the issue. Thank you for your attention.

 

Kind regards,

Andreas.

 

-- 
Marco Malavolti
Consortium GARR - Servizio IDEM GARR AAI
Via dei Tizii, 6 - I-00185 (ROMA)
CF: 97284570583 - PI: 07577141000
Tel.: 02 6448 2507
Skype: marco.mala
PGP Key: https://keys.openpgp.org/search?=q=marco.malavolti AT garr.it

Archive powered by MHonArc 2.6.24.

Top of Page