Search code examples
active-directoryldapshibboleth

Shibboleth Attribute Query SAML error: Inbound message issuer was not authenticated

idp-process.log

ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:37] - Inbound message issuer was not authenticated.

shibd.log

ERROR OpenSAML.SOAPClient [109]: SOAP client detected a SAML error: (urn:oasis:names:tc:SAML:2.0:status:Responder) (Message did not meet security requirements)

ERROR Shibboleth.AttributeResolver.Query [109]: attribute authority returned a SAML error

The Shibboleth Authentication process is working properly. The Active Directory server (LDAP) is configured properly to work over SSL, which was verified using LDP.exe. I also coded a simple Java program to try to connect to the Active Directory server over SSL protocol. I was able to connect to the server using port 636, passed user credentials including password, and the server responded properly.

Certificates are already trusted by corresponding JVM cacerts.

Setup instructions are already followed as documented from https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverLDAPDataConnector

However, there is still an error during Attribute query from the Active Directory server. Below are snippet of the configurations.

Any idea as to why there is an error on the Attribute Query?

Thanks.

attribute-resolver.xml

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldaps://WIN-1GB01UK5SL6.VECISADTEST.com" 
    baseDN="CN=Users,DC=vecisadtest,DC=com" 
    principal="Administrator@vecisadtest.com"
    principalCredential="XXX"
    useStartTLS="false"
    >
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>

    <StartTLSTrustCredential xsi:type="sec:X509Filesystem"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    id="UA_AD_CA_Certificate">
      <sec:Certificate>C:\Progs\ShibbolethIdP\certs\VECISADTEST.pem</sec:Certificate>
    </StartTLSTrustCredential>

    <StartTLSAuthenticationCredential xsi:type="sec:X509Filesystem"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    id="IdPtoLDAPCredential">
        <sec:PrivateKey>C:\Progs\ShibbolethIdP\credentials\idp.key</sec:PrivateKey>
        <sec:Certificate>C:\Progs\ShibbolethIdP\credentials\idp.crt</sec:Certificate>
    </StartTLSAuthenticationCredential>


</resolver:DataConnector>

login.config

edu.vt.middleware.ldap.jaas.LdapLoginModule required
  host="WIN-1GB01UK5SL6.VECISADTEST.com"
  port="636"
  base="CN=Users,DC=vecisadtest,DC=com"
  tls="false"
  serviceCredential="XXX"
  userRoleAttribute="sAMAccountName"
  serviceUser="Administrator@vecisadtest.com"
  ssl="true"
  subtreeSearch = "true"
  userField="sAMAccountName";

idp-metadata.xml

<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.janet.org:8444/idp/profile/SAML1/SOAP/AttributeQuery"/><AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.janet.org:8444/idp/profile/SAML2/SOAP/AttributeQuery"/>

Thanks.

Solution

  • The issue was resolved by updating the config file shibboleth2.xml on the Service Provider. The signing attribute must be set to true.

    [Shibboleth Service Provider install location] \etc\shibboleth\shibboleth2.xml

    SPConfig > ApplicationDefaults@signing

    Default installation of Shibboleth Service Provider 2.5.2, signing attribute is false.