Questions[shibboleth](server)

In order to implement SSO, I have been working with some IdP and a Shibboleth SP install without being able to answer this question.

On the IdP side I have a few metadata files that describes some applications. Those files can contain a certificate, but if nothing is given, communication works still fine. If I put the same files on the SP side, it still works fine even when putting some random characters as certificate.

Could someone explain to me really how it works and what is the purpose of those X509 certificates in those metadata file (IdP) side?

I run an Apache2 server which uses the Shibboleth daemon (shibd) as federated authentication module. Certain server connections using Shibboleth seem to stick permanently in CLOSE_WAIT state.

tcp       38      0 blah.blah:57346 shib.server.:8443 CLOSE_WAIT 
tcp       38      0 blah.blah:45601 shib.server2:8443 CLOSE_WAIT
tcp       38      0 blah.blah:41737 shib.server3:5057 CLOSE_WAIT 

From what I can find out, CLOSE_WAIT means that when the remote server disconnects, the local application is failing to close the connection, as it should. I suspect shibd is responsible somehow.

Needless to say, if enough CLOSE_WAIT connections accumulate, I have a problem.

Trying to get rid of the CLOSE_WAIT connections by simply using

/etc/init.d/networking restart

does not work. In fact networking seems to refuse to close down and restart, and I get a SIOCADDRT: File exists error (ie networking is trying to start without having stopped first). Same problem with ifup -a

So I have two questions - one may be easy, and one harder.

1. What's a good way to force networking to restart, and force whatever connections are stuck in CLOSE_WAIT to clear?
2. Any ideas about how to fix shibboleth and force shibd module to behave?

I'm trying to get a test server setup as a Shibboleth SP using IIS 7.5 and I'm stuck. I'm using the https://idp.testshib.org/idp/shibboleth IdP but it never asks for credentials or redirects to the testshib site. Here's what I've got so far:

Computer Name = TestBox2.SHIB.Local

shibboleth2.xml:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="c:/opt/shibboleth-sp/etc/shibboleth/syslog.logger" clockSkew="180">

<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess logger="c:/opt/shibboleth-sp/etc/shibboleth/shibd.logger">
    <!--
    <Extensions>
        <Library path="odbc-store.so" fatal="true"/>
    </Extensions>
    -->
</OutOfProcess>

<!-- The InProcess section contains settings affecting web server modules/filters. -->
<InProcess logger="c:/opt/shibboleth-sp/etc/shibboleth/native.logger">
    <ISAPI normalizeRequest="true">
        <!--
        Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
        required so that the proper <Host> in the request map above is found without
        having to cover every possible DNS/IP combination the user might enter.
        The port and scheme can usually be omitted, so the HTTP request's port and
        scheme will be used.
        -->
        <Site id="1" scheme="https" sslport="443" name="TestBox2.SHIB.Local"/>
    </ISAPI>
</InProcess>

<!-- 
     Be sure to change this port number to the one matching what you used
     when installing shibd on your system.  Default for Windows systems
     seems to be 1600, so that is what is used here, however if you
     install on a different port, write that in here.
-->
<TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>

<!-- Windows RequestMapper -->
<!-- The RequestMap defines portions of the webspace to protect; TestBox2.SHIB.Local/secure here. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap -->
<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="TestBox2.SHIB.Local">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>

<!-- The entityID is the name TestShib made for your SP. -->
<ApplicationDefaults entityID="https://TestBox2.SHIB.Local/shibboleth"
    REMOTE_USER="eppn">

    <!-- You should use secure cookies if at all possible.  See cookieProps in this Wiki article. -->
    <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">

        <!-- Triggers a login request directly to the TestShib IdP. -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
        <SSO entityID="https://idp.testshib.org/idp/shibboleth">
            SAML2 SAML1
        </SSO>

        <!-- SAML and local-only logout. -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
        <Logout>SAML2 Local</Logout>

        <!--
            Handlers allow you to interact with the SP and gather more information.  Try them out!
            Attribute values received by the SP through SAML will be visible at:
            http://TestBox2.SHIB.Local/Shibboleth.sso/Session
        -->

        <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

        <!-- Status reporting service. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1 192.168.200.110"/>

        <!-- Session diagnostic service. -->
        <Handler type="Session" Location="/Session" showAttributeValues="true"/>

        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

    </Sessions>

    <!-- Error pages to display to yourself if something goes horribly wrong. -->
    <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" 
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
    <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
         backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000" />

    <!-- Attribute and trust options you shouldn't need to change. -->
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Your SP generated these credentials.  They're used to talk to IdP's. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

</ApplicationDefaults>

<!-- Security policies you shouldn't change unless you know what you're doing. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

Status Page results

Error when I try accessing the /secure area:

(I'd link to it but I'm not allowed... new user; I linked it for you -- cstamas)

I've gotten a Shibboleth Server Provider (SP) up and running, and I'm using the TestShib Identity Provider (IdP) for testing.

The configuration appears to be all correct, and when I requested my secured directory I was sent to the IdP where I logged in and then was sent back to https://example.org/Shibboleth.sso/SAML2/POST where I am getting a generic error message.

Checking the logs, I am told:

found encrypted assertions, but no CredentialResolver was available

I have rechecked the configuration, and there I have:

<CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>

Both of these files are present at those locations.

I've restarted apache and retried, but still get the same error.

I don't know if it makes a difference - but only a subdirectory of the site has been secured - the documentroot is publicly available.

Do you know if it is possible to use Nginx with Shibboleth?