
I'm trying to get a test server set up as a Shibboleth SP using IIS 7.5 and I'm stuck. I'm using the https://idp.testshib.org/idp/shibboleth IdP, but it never asks for credentials or redirects to the testshib site. Here's what I've got so far:

Computer Name = TestBox2.SHIB.Local

shibboleth2.xml:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="c:/opt/shibboleth-sp/etc/shibboleth/syslog.logger" clockSkew="180">

<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess logger="c:/opt/shibboleth-sp/etc/shibboleth/shibd.logger">
    <!--
    <Extensions>
        <Library path="odbc-store.so" fatal="true"/>
    </Extensions>
    -->
</OutOfProcess>

<!-- The InProcess section contains settings affecting web server modules/filters. -->
<!-- NOTE(review): this block only takes effect if the Shibboleth ISAPI filter/extension is actually
     registered in IIS for the site; nothing in this file can verify that. If /secure is served without
     a redirect (the symptom described in the question), check the IIS filter registration first. -->
<InProcess logger="c:/opt/shibboleth-sp/etc/shibboleth/native.logger">
    <ISAPI normalizeRequest="true">
        <!--
        Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
        required so that the proper <Host> in the request map below is found without
        having to cover every possible DNS/IP combination the user might enter.
        The port and scheme can usually be omitted, so the HTTP request's port and
        scheme will be used.
        NOTE(review): id="1" must be the IIS site ID of the site that really serves
        TestBox2.SHIB.Local (the first site IIS creates is normally 1, but confirm in
        IIS Manager); a mismatch means no <Host> entry is found and nothing is protected.
        -->
        <Site id="1" scheme="https" sslport="443" name="TestBox2.SHIB.Local"/>
    </ISAPI>
</InProcess>

<!-- 
     Be sure to change this port number to the one matching what you used
     when installing shibd on your system.  Default for Windows systems
     seems to be 1600, so that is what is used here, however if you
     install on a different port, write that in here.
     The acl restricts which client addresses may talk to shibd over this
     listener; keeping it to the loopback address is the intended setting.
-->
<TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>

<!-- Windows RequestMapper -->
<!-- The RequestMap defines portions of the webspace to protect; TestBox2.SHIB.Local/secure here. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap -->
<!-- NOTE(review): requireSession="true" only demands that *some* IdP session exist; there is no
     access-control rule here, so every account the TestShib IdP authenticates is admitted to /secure.
     That is fine for a test box but should not be copied to a production map unchanged. -->
<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="TestBox2.SHIB.Local">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>

<!-- The entityID is the name TestShib made for your SP. -->
<ApplicationDefaults entityID="https://TestBox2.SHIB.Local/shibboleth"
    REMOTE_USER="eppn">

    <!-- You should use secure cookies if at all possible.  See cookieProps in this Wiki article. -->
    <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
    <!-- NOTE(review): cookieProps sets the secure flag but not HttpOnly, so the session cookie is
         readable by script on the page. The SP accepts cookieProps="; path=/; secure; HttpOnly".
         checkAddress="false" also disables binding the session to the client IP; acceptable for a
         test box behind NAT, but note it weakens session-hijack detection. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">

        <!-- Triggers a login request directly to the TestShib IdP. -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
        <SSO entityID="https://idp.testshib.org/idp/shibboleth">
            SAML2 SAML1
        </SSO>

        <!-- SAML and local-only logout. -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
        <Logout>SAML2 Local</Logout>

        <!--
            Handlers allow you to interact with the SP and gather more information.  Try them out!
            Attribute values received by the SP through SAML will be visible at:
            https://TestBox2.SHIB.Local/Shibboleth.sso/Session
            (handlerSSL="true" above means the handlers are expected over https, not plain http.)
        -->

        <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
        <!-- NOTE(review): signing="false", so the generated metadata carries no signature; anyone
             importing it must obtain it over a trusted channel rather than rely on its integrity. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

        <!-- Status reporting service. -->
        <!-- NOTE(review): the Status output discloses SP configuration details; the acl here allows
             loopback plus one LAN host (192.168.200.110). Keep it limited to administrator machines. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1 192.168.200.110"/>

        <!-- Session diagnostic service. -->
        <!-- showAttributeValues="true" exposes the full attribute values to whoever holds the
             session; useful for debugging this test setup, normally off elsewhere. -->
        <Handler type="Session" Location="/Session" showAttributeValues="true"/>

        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

    </Sessions>

    <!-- Error pages to display to yourself if something goes horribly wrong. -->
    <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" 
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
    <!-- NOTE(review): the metadata is fetched over plain http and this provider has no
         <MetadataFilter type="Signature"> child, so nothing authenticates the IdP's signing keys
         before they are trusted; a network attacker on the path could substitute metadata.
         Tolerable only for a throwaway TestShib box; real deployments should verify a signature
         (certificate path supplied out of band) or at least fetch over https. -->
    <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
         backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000" />

    <!-- Attribute and trust options you shouldn't need to change. -->
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Your SP generated these credentials.  They're used to talk to IdP's. -->
    <!-- sp-key.pem is the SP's private key; it should be readable only by the shibd service account. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

</ApplicationDefaults>

<!-- Security policies you shouldn't change unless you know what you're doing. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

Status Page results

Error when I try accessing the /secure area:

(I'd link to it but I'm not allowed... new user; I linked it for you -- cstamas)

  • do you have the c:\inetpub\wwwroot\Secure dir with some content? Some test text in an index.html – cstamas Nov 01 '11 at 12:58
  • I tried adding something and if I do, the file loads without restricting access or redirecting to the IdP. – compcentral Nov 01 '11 at 13:04
  • That most likely means the module is not loaded. – cstamas Nov 01 '11 at 13:45
  • What module? Take a look at the Status output that I linked. The status is okay and shibboleth seems to be running. I also get the metadata file if I go to https://testbox2.shib.local/Shibboleth.sso/Metadata – compcentral Nov 01 '11 at 15:20
