Newest shibboleth Questions

Q&A for system and network administrators

Shibboleth SPNEGOAuthnConfiguration in CentOS server

I have a requirement where the users were already joined to the domain and logged in using the same credentials from the LDAP server; they don't want to enter them again to log in to Shibboleth SSO, so I searched ...

Shibboleth: found encrypted assertions, but no CredentialResolver was available

I've gotten a Shibboleth Server Provider (SP) up and running, and I'm using the TestShib Identity Provider (IdP) for testing. The configuration appears to be all correct, and when I requested my ...

JkEnvVar encoding incorrect when received in Java code

I have a problem. I'm running Shibboleth and Apache mod_jk in front of Tomcat. Shibboleth does whatever it does and isn't a problem. I'll explain more later. Apache mod_jk, AFAIK, intercepts in ...

Shibboleth Authentication to AD failed with error “file not found”

I am new to Shibboleth and try to configure authentication between ADFS and Shibboleth. The users are stored in AD. I've already connected ADFS and Shibboleth and able to see the login page, after ...

Shibboleth Native SP Clustering Session Not Shared Among SPs

I am trying to set up a clustering solution for NativeSP using ODBC, following the official documentation from the Shibboleth wiki. However, it doesn't seem to work. I'm not sure what I'm misconfiguring. Shibboleth ...

ADFS and Shibboleth: Controlling behavior of Windows authentication

We are doing SSO using ADFS and Shibboleth SP. In a perfect world, Windows authentication would always work, i.e., the user accesses https://shibboleth/Login?target=somewhere, is redirected to https:/...

Setting up Shibboleth to secure part of a website

I've installed the Shibboleth module for apache on Ubuntu 10.04 using aptitude to install libapache2-mod-shib2 as per https://groups.google.com/group/shibboleth-users/browse_thread/thread/...

Shibboleth + IIS and Pound Reverse Proxy

Having a bit of a problem getting Shibboleth (SSO) working with ADFS and Pound. The main problem seems to be that: The website address will be https://website.domain.com Pound will then terminate ...

Enable Shibboleth for Single SSL Virtual host on server with many vhosts

We have a RHEL 5.5 server in production with a few NameBasedVirtual hosts listening on port 80. We also have two (possibly mis-configured) SSL virtual hosts which use different Sockets as ...

AD FS - Send AD Attributes to Shibboleth SP

I have an AD FS claims provider set up and a Shibboleth SP successfully authenticating against it. When I log into the site that's protected by Shibboleth, the index shows all of the headers. I am ...

Upgrade Shibboleth to newest version on Ubuntu

I have an Ubuntu (12.04.4 LTS) web server running Shibboleth 2.4.3 I think Shibboleth was installed using apt-get dpkg --get-selections | grep shib libapache2-mod-shib2 install libshibsp5 ...

Support multiple IdPs in Shibboleth SP based on URL path

When URL path is /client1 the user should be directed to IdP of this client. When URL path is /client2 the user should be directed to IdP of that client etc. How do I configure this with Shibboleth ...

Shibboleth Could not locate Java.exe Please check the value for JAVA_HOME [closed]

I am trying to install Shibboleth for development on my local copy of windows 10. I am on the first step and stuck. After downloading the shibboleth identity provider I am not able to install as I ...

Custom Web Form for Shibboleth login

I recently deployed a server and website that authenticates with my university's Shibboleth authentication system. Functionally, it works great. Aesthetically, there is much When you go to the ...

Shibd not receiving proper POST request

I'm attempting to use mod_shib to provide with SSO for an application that is running in a tomcat container. There's an Apache server, running as a reverse proxy, in front of the Tomcat container. I ...

protect IIS site with Shibboleth SP on certain IP

I host a webserver and want customers to authenticate using their ADFS server. I cannot reach their server, they reach mine and theirs. This basically works. I now wonder if it's possible to setup ...

Why my websockets application deployed on tomcat is not getting the shibboleth headers?

My stack looks like this: Apache httpd server 2.4.12: with mod_shibd, mod_proxy_http & mod_proxy_wstunnel Shibboleth 2.5 Apache Tomcat 7.0.54 Our scenario looks like this: --------- -...

Shibboleth does pass attribute to server variable in PHP

I am building a SAML based federated authentication mechanism in which the IdP is ADFS 2.0 and the SP is Shibboleth running on Linux. I am able to do the following: Attempt to access a protected ...

How to Uninstall Shibboleth 2.5 from Windows 10 and Windows Server 2012

I'm attempting to uninstall shibboleth-sp-2.5.6.0-win64.msi from my Windows 10 PC. (I have the same problem on Windows Server 2012). It gets stuck with the following message: Please wait while the ...

Shibboleth SP doesn't redirect, no IdP authentication - Error 403.14 w/ IIS 7.5

I'm trying to get a test server setup as a Shibboleth SP using IIS 7.5 and I'm stuck. I'm using the https://idp.testshib.org/idp/shibboleth IdP but it never asks for credentials or redirects to the ...

Shibboleth 3 - SAML response for Attribute

I have configured Shibboleth 3 to give the SAML response containing the following Attribute Statement <saml2:AttributeStatement> <saml2:Attribute ...

Apache2/Shibboleth TCP connections stuck in CLOSE_WAIT

I run an Apache2 server which uses the Shibboleth daemon (shibd) as federated authentication module. Certain server connections using Shibboleth seem to stick permanently in CLOSE_WAIT state. tcp ...

Only one Shibboleth SP on reverse proxy for different sites

I am wondering if it is possible to only have one Shibboleth Service Provider (SP) if you pass requests to all your sites through one reverse proxy (with SSL offloading, etc.). So, let's say I have ...

Install Shibboleth on IIS with multiple sites

I'm installing shibboleth2, version 2.6.0.1 64 bit on a Windows 2008 Server. I've installed it at the server level and I have multiple sites hosted and are currently running. I've had one install ...

Switching between multiple authentication types on same URL

I have a secure SSO site that uses Shibboleth authentication and SAML identity provider. I need to allow a Google Search Appliance crawler to come index the URL's. I have a requirement to change on ...

Sending AD Attributes as AD FS claims to Shibboleth SP Attributes

I have an AD FS claims provider set up and a Shibboleth SP successfully authenticating against it. I am attempting to have the Active Directory attributes sent to the SP. I followed this article to ...

Shibboleth-Idp setup: Issue with the data-connectors in attribute-resolver.xml

I have set up the shibboleth-Idp as a servlet in the servlet container tomcat6. However, when tomcat starts, the servlet fails to load. My data connectors are causing it. The code I am using for connectors is ...

Google (G Suite) Identity provider with nginx SAML2

You might have heard about Shibboleth and their great solutions for Identity Provider (https://shibboleth.net/products/identity-provider.html) as well as for Service Provider (e.g. nginx https://github.com/...

Purpose of the x509 certificate in metadata files on the IdP side (SSO structure)

In order to implement SSO, I have been working with some IdP and a Shibboleth SP install without being able to answer this question. On the IdP side I have a few metadata files that describes some ...

Is there a way to configure shibboleth on tomcat without having to use httpd apache?

I have working setup of shibboleth configured via httpd apache and then pass it on to tomcat. Now is it possible to get rid of httpd portion alone and have tomcat handle shibboleth authentication by ...

Logging X-Forwarded-For IP in Shibboleth's Audit Logs

This is a follow up from my earlier question on capturing the X-Forwarded-For IP address in across multiple proxies. Now, I'm looking to capture the Client's IP in the application's (Shibboleth's IdP) ...

ADFS 2.0 and Shibboleth SP 2.5.3 - Unable to locate Metadata

I am attempting to use Shibboleth SP (64-bit on Windows Server 2008 R2) to authenticate with ADFS 2.0 (64-bit Windows Server 2008 R2). When I browse to the Shibboleth protected site, I get a 500 error ...

AuthType shibboleth configured without corresponding module

I am trying to set up a shibboleth configuration but have now hit an error I do not know how to deal with: When accessing a site, which I configured to be protected by shibboleth, I receive a 500 ...

Scandinavian characters get messed up in Shibboleth SP header attributes

I have Shibboleth SP 2.5 with Apache 2.4 in front of Domino 9.0.1 server on Windows server 2008 R2. This is the beginning of the incoming SAML message from Shibboleth SP debug log: <?xml version="...

Shibboleth SP - Signing and Encryption Key

I have a Shibboleth SP installed on Server 2012 R2. I tried to submit the metadata to be imported into the IDP and was told that without having the signing or encryption key, they won't be able to ...

Why shibboleth IdP idp-metadata.xml recommends 8443 for SOAP?

After the install.sh of 2.4.0 Shibboleth Identity Server, the idp-metadata.xml file is created. Why is that? Is it not secure enough to use the standard HTTPS/443 port? <ArtifactResolutionService ...

Skipping unmapped SAML 2.0 attribute, even though name and nameFormat match

SP running Shibboleth 2.5.6. For one particular IdP, I have these attribute mappings: <Attribute name="role" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="role" /...

Shibboleth - opensaml::FatalProfileException

I have configured and installed shibboleth Idp and sp on a Ubuntu machine locally. The Idp is configured with LDAP. I am trying to access the secure.html file which hosted in Apache and secured by ...

.htaccess AuthType not what I expected

I'm working on a new project at work in PHP, and have come across something I'm unfamiliar with/can't find any help with. In the .htaccess file for the directory I see AuthType UWNetID require valid-...

Configuring Shibboleth SAML 2.0 with ADFS 3.0 with Federation Errors

I'm trying to configure ADFS 3.0 and SAML 2.0. Currently, I get this error whenever I restart shibd and httpd. 2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 2702, message: ...

ShibRequestSetting REMOTE_ADDR setting and Apache RequestHeader

I have Apache/Shibboleth serving requests to a reverse proxy and directly to web clients. When a request comes through the proxy I extract the original IP address and attempt to send it to shibboleth. ...

Shibboleth SP, IIS

I have a Shibboleth SP instance on Server 2008 R2 and everything is authenticating fine with the IdP. I was testing protecting a single page and that is working fine by doing the following in the ...

Shibboleth/Nginx run on non-standard port

Our team runs all our Nginx installations on 8443 instead of 443 for the obvious reason that you don't need to be root to listen on the port, and so the process can be started and stopped with lower ...

Shibboleth, IIS 7.5, Tomcat

I am trying to set up Shibboleth SP on a Server 2008 R2/ IIS 7.5 machine. IIS throws the following error when browsing to localhost: HTTP Error 500.0 - Internal Server Error Calling LoadLibraryEx on ...

Using Shibboleth with ADFS doesn't work

I'm trying to familiarize myself with Shibboleth 2.5.3 and Active Directory Federation Services (tried both 2.0 and 3.0). What I'd like to achieve is having an Apache server authenticate against ADFS ...

Shibboleth - Secure whole IIS application

I've setup shibboleth SP on my server and now I want to protect my IIS folders. I followed a few tutorials and used this syntax in my shibboleth2.xml file: <RequestMapper type="Native"> &...

Advantage Integrating Shibboleth With ADFS

Can someone explain what the advantage of integrating Shibboleth with Microsoft ADFS is? I have been researching both products and it seems like they have similar offerings. There are many articles ...

apache, shibboleth, load balancing alias, ssl

Good morning folks. Could you give me a bit of help with the following problem? I have a DNS load balancing mechanism and an alias (hostAlias) which may point to host01 or host02. I want to ...

ADFS without domain

Is it possible to run an ADFS 2.0 without connecting the server to a domain? We are using Shibboleth as claims provider, so we actually don't need Active Directory here. We managed to set up the ADFS (...

Intranet corporate SSO for webapps against Active Directory

I am trying to plan and implement a SSO solution in a corporate environment that serves intranet web applications running on CentOS: Corporate portal (Drupal backend) Project management (Project.NET) ...