
oxshibboleth's Introduction

oxShibboleth

About The Project

This project contains modification and installation files for Gluu's Shibboleth IDP implementation. It works out of the box by delegating authentication to oxAuth, working in tandem with the latter to provide outbound SAML Single Sign-On (SSO). This also has the advantage of sharing useful information between the SAML IDP and oxAuth, e.g. the entityID of the Relying Party.

Project Structure

The project is organized into a series of subprojects/modules, each with a different purpose.

  • idp-conf. Since IDP 4.1.x, the Shibboleth IDP project moved almost all system configuration XML files into jars and made them classpath-loadable. Because this is somewhat limiting when a specific feature requires modifying core system configuration files, this module was created to hold such modifications and act as a drop-in replacement for Shibboleth IDP's core configuration jar. Note, however, that the aim is to retire and completely remove this module as better ways are found to add functionality without modifying Shibboleth IDP's core system files.
  • keygenerator. This module is a tiny application that was previously used to generate the cryptographic material for Shibboleth IDP's "DataSealer" component. Since this functionality exists in Shibboleth IDP itself, the setup tool now relies on it to generate the required cryptographic material.
  • oxLogoServlet. This module is a simple servlet used to serve the logo shown on the various pages displayed by Shibboleth IDP during authentication.
  • oxShibbolethWebApp. This module unpacks the Shibboleth IDP war and repacks it with all the custom modifications (mostly in the form of jars) required to make Shibboleth IDP work in tandem with oxAuth.
  • shib-oxauth-authn. This module contains the plugin which delegates authentication from Shibboleth IDP to oxAuth.
  • static. This module contains Shibboleth IDP configuration file changes. The changes are mostly in the form of patch files. More on that below.

Prerequisites

The current minimum supported Shibboleth IDP version is 4.1.4.

Building The Project

The project is Java-based and uses the Maven tool for builds. To build the project, open a terminal, set its current directory to the project's directory, and run mvn package

Additional Notes

This section contains additional information about performing specific tasks when working on this project.

Creating a new configuration patch file

As mentioned above, the static module contains Shibboleth IDP configuration file changes. Those changes are stored as patch files. Patch file names are usually of the format xxx.<patch-content-description>.patch, where xxx is a number between 000 and 999 and patch-content-description is a short description of the changes made to the configuration file. Make sure to choose a unique number; the numbers already taken can be checked against the existing patches in oxShibboleth/static/src/patches. Here are the steps to make configuration changes and create patch files.

  1. Clone the project. It is assumed to be in a directory named oxShibboleth.
  2. Build the project in its current state. This applies the existing patches.
  3. Make a copy of oxShibboleth/static/target/classes/shibboleth-idp, which contains the Shibboleth IDP configuration files with the patches applied, and rename the copy to shibboleth-idp.orig.
  4. Apply your changes to the shibboleth-idp directory.
  5. Open a terminal whose current directory is the one where both shibboleth-idp.orig and shibboleth-idp reside, then run diff -aurN shibboleth-idp.orig shibboleth-idp > xxx.<patch-content-description>.patch
  6. Move the generated patch file to oxShibboleth/static/src/patches.
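Steps 3 to 6 can be scripted. The following Python helper is an added example, not part of the oxShibboleth project: it runs the README's own diff -aurN command from the parent directory of the two trees (so the paths inside the patch stay relative, as in the terminal session above), enforces the xxx.<patch-content-description>.patch naming rule, picks the next unused number from the patches directory and refuses to reuse a number that is already taken. The directory layout and property values used by demo() are constructed for the example; the helper assumes GNU diff is on PATH.

```python
"""Patch-creation helper for the procedure above.  Added example, not part of
the oxShibboleth project.  Wraps `diff -aurN shibboleth-idp.orig shibboleth-idp`,
enforces the xxx.<description>.patch naming rule and never reuses a number."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

PATCH_NAME = re.compile(r"^(\d{3})\.[A-Za-z0-9_-]+\.patch$")


def used_patch_numbers(patches_dir: Path) -> set:
    """Three-digit prefixes already taken by xxx.<description>.patch files."""
    numbers = set()
    for entry in patches_dir.iterdir():
        m = PATCH_NAME.match(entry.name)
        if m:
            numbers.add(m.group(1))
    return numbers


def next_free_number(patches_dir: Path) -> str:
    """Smallest unused number in 000-999."""
    used = used_patch_numbers(patches_dir)
    for n in range(1000):
        if f"{n:03d}" not in used:
            return f"{n:03d}"
    raise RuntimeError("all 1000 patch numbers are in use")


def make_config_patch(orig_dir: Path, modified_dir: Path, patches_dir: Path,
                      number: str, description: str) -> Path:
    """Write patches_dir/<number>.<description>.patch from diff -aurN.

    Raises ValueError for a malformed number or description, a reused
    number, or two identical trees (an empty patch is never written).
    """
    if not re.fullmatch(r"\d{3}", number):
        raise ValueError(f"patch number must be three digits: {number!r}")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", description):
        raise ValueError(f"bad description {description!r}; use [A-Za-z0-9_-]")
    if number in used_patch_numbers(patches_dir):
        raise ValueError(f"patch number {number} already used in {patches_dir}")
    if orig_dir.parent != modified_dir.parent:
        raise ValueError("both trees must sit in the same parent directory")
    if shutil.which("diff") is None:
        raise RuntimeError("diff not found on PATH")

    # Run from the parent directory so paths inside the patch are relative
    # (shibboleth-idp.orig/... and shibboleth-idp/...).  diff exits 0 for
    # identical trees, 1 when differences were found and >1 on error, so
    # check=False and inspect the return code ourselves.
    result = subprocess.run(
        ["diff", "-aurN", orig_dir.name, modified_dir.name],
        cwd=orig_dir.parent, capture_output=True, text=True, check=False)
    if result.returncode > 1:
        raise RuntimeError(f"diff failed: {result.stderr.strip()}")
    if result.returncode == 0:
        raise ValueError("the two trees are identical; nothing to patch")

    out = patches_dir / f"{number}.{description}.patch"
    out.write_text(result.stdout)
    return out


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and exercise the helper."""
    root = Path(tempfile.mkdtemp(prefix="oxshib-"))
    orig, modified, patches = (root / "shibboleth-idp.orig",
                               root / "shibboleth-idp", root / "patches")
    for d in (orig / "conf", modified / "conf", patches):
        d.mkdir(parents=True)
    # Constructed sample: one property changed between the two trees and one
    # pre-existing patch already occupying number 001.
    (orig / "conf" / "idp.properties").write_text("idp.example=old\n")
    (modified / "conf" / "idp.properties").write_text("idp.example=new\n")
    (patches / "001.existing.patch").write_text("")

    patch = make_config_patch(orig, modified, patches,
                              next_free_number(patches), "change-example")
    try:
        make_config_patch(orig, modified, patches, "001", "dup")
        reuse_refused = False
    except ValueError:
        reuse_refused = True
    return {"patch_name": patch.name, "patch_text": patch.read_text(),
            "reuse_refused": reuse_refused}


if __name__ == "__main__":
    print(demo()["patch_text"])
```

Because the helper writes straight into the patches directory, the "move the generated patch file" step disappears, and the uniqueness check happens before diff runs rather than at review time.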

oxshibboleth's People

Contributors

yurem, uprightech, malotian, dmogn, syntrydy, moabu, mo-auto, ossdhaval, uboznikov

Stargazers

Mobarak Hosen Shakil, Vinicios R. Portella, Gerardo Lisboa, Jakub Viták

Watchers

Isman Firmansyah, Mahafuz Aziz Aveek, James Cloos, Ganesh Dutt Sharma, YuriyZ, Meghna Joshi, Javier Rojas, Michael Schwartz, Devrim, Vishwa Ranjan, Adrian Gluu.org, Doug Harris

oxshibboleth's Issues

Shibboleth SP does not work

OS: Ubuntu 14.04.2
Package: gluu-server-3.0.0_2-RC1~trusty+Ub14.04_amd64.deb

Tested Shibboleth SP with the following config, but instead of the IDP login page, an unsupported request page appeared.

shib-tr

shib-tr-replying
When I accessed the protected link, I got the following:
shib-sp
The idp-process.log contains the following:

2017-02-05 20:07:03,940 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler:  No metadata returned for https://shib.info/shibboleth in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-02-05 20:07:03,942 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-02-05 20:07:03,943 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration

Some SAML flows will fail when several tabs of the same browser window initiate them in quick succession or simultaneously

Environment:

CentOS 7.4, gluu-server-3.1.2-1-4.centos7

Preconditions:

  1. A vm with a Gluu Server instance running

  2. A vm with two SAML2-able SPs configured to use the Gluu Server for SSO (proper tests have been conducted proving the TRs are functional)

  3. A web browser that comes with support for "Reload all tabs" or a similar feature OOTB; both SPs' sign-in URLs (the ones which instantly trigger the SAML SSO flow when followed) opened in the same browser window, in different tabs; no "Incognito" or similar mode must be enabled. For this test I would recommend using Firefox.

  4. [Optionally] A custom authentication method is configured at Gluu which has a pause waiting for user action during its flow and sends the user to a 3rd party for authentication. In my case I used a Passport-SAML setup and another vm with a Gluu Server playing the role of remote IDP; the Passport-SAML flow, when no IDP's id is sent in state, presents a remote IDP selection page, thus pausing execution while awaiting the user's input.

Steps to reproduce:

In case you have a setup conforming to item 4) of "Preconditions" (all steps need to be done relatively quickly, otherwise some expiration timer may run out):

  1. Make sure no session exists at the SPs or IDPs (clear all cookies)

  2. Initiate the SAML flow at the first SP. Wait until you are redirected to the oxAuth/Passport script login page and presented with a list of possible remote IDPs, but don't select anything just yet

  3. Switch to the 2nd tab and initiate the SAML flow at the second SP. Wait until you are redirected to the oxAuth/Passport script login page and presented with a list of possible remote IDPs; again, don't select anything yet

  4. Switch to the 1st tab again, and now select your remote IDP from the list. Log in at the remote IDP if needed, and wait until the flow completes successfully (you should be taken back to your 1st SP's protected page)

  5. Switch to the 2nd tab now, where the flow is still hanging at the IDP selection page, and select the same remote IDP as in step 4)

If it's too troublesome to create the complete Inbound SAML setup, it's possible to mimic the required conditions with the following trick (it also presents another variation of triggering this issue, showing how else it may degrade the user's experience):

  1. Make sure no session exists at the SPs or IDPs (clear all cookies)

  2. Make sure you have a separate browser window with 2 tabs containing the protected pages of your 2 test SPs (so that by clicking "Reload all tabs" you can be sure they will start signing in simultaneously). It's very important to make sure those pages have been opened before, as some browsers may react unexpectedly if you just open an empty tab, put the URL in there, then hit the "Reload" button - it may simply not work, or some previous page will be loaded instead, if any. Firefox shows this very behaviour.

  3. Log in to oxTrust of the Gluu Server used for the test. This ensures you'll have a session at oxAuth, but still won't have a session at the IDP yet (thus creating the required conditions for the issue to manifest itself, as it hides somewhere in the interconnection between oxAuth and the IDP/RemoteUser login handler)

  4. Reload all tabs simultaneously. If your chosen browser doesn't have this option, I've noted that you may sometimes achieve the same result manually, by very quickly switching to the 2nd tab and reloading it with Ctrl+R or F5

Results:

In the case when Inbound SAML is used as described, the 2nd flow will fail after the browser is redirected back to the IDP's /RemoteUser callback endpoint from oxAuth, and the IDP's error page is displayed. In the case when the other approach is used, one of the flows will fail (apparently they are in a race condition and whichever is processed first will succeed, the other will fail). In both cases, the error message is the same. Here is the full log for the Inbound SAML case; below is the most relevant part, registered at the time when the IDP's error page is displayed:

2018-03-22 14:03:13,659 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:149] - Session validation successful. User is logged in
2018-03-22 14:03:13,722 - ERROR [net.shibboleth.ext.spring.error.ErrorRaisingController:55] - Propagating exception thrown by request to /idp/Authn/RemoteUser
2018-03-22 14:03:13,723 - ERROR [net.shibboleth.idp.authn.ExternalAuthenticationException:76] - 
net.shibboleth.idp.authn.ExternalAuthenticationException: No conversation state found in session for key (e2s1)
	at net.shibboleth.idp.authn.ExternalAuthentication.startExternalAuthentication(ExternalAuthentication.java:142)

Apparently it has something to do with how the IDP or our customized RemoteUser handler handles stale auth requests/responses/sessions. After the first request is fully processed, subsequent ones which were initiated very soon after it, but whose responses are already "late" when they reach the Gluu instance in question, are dropped with no mitigation procedure in mind, possibly resulting in a bunch of tabs "stuck" in different erroneous states (there was a report from a customer who was inconvenienced by it)

Expected results:

If several pages were reloaded or loaded at once, initiating a bunch of (almost) simultaneous SAML sign-in flows (which is a common case when a browser is launched and a previous session is restored, or a "Reload all" button is used, etc.), then after the very first request has resulted in sessions being created at oxAuth and the IDP, when the other (now stale) responses from 3rd-party services used for authentication reach oxAuth/IDP, they should be silently discarded, and the user's flow should continue as if he was successfully authenticated in the end, returning him to the intended SPs which sent him there.
Caution is required when choosing a new design here, as sub-optimal handling of stale requests/responses may lead to security breaches!

P.S.
I've also noted there is a proposal for the RemoteUser handler's redesign. If this work has already begun, it seems like a perfect opportunity to make sure the new design also considers the issue described here.

RequestedAuthnContext throws weird page

I was testing a SAML client that included this in the AuthnRequest

<samlp:AuthnRequest>
   <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

I was surprised when I got back this form... which is certainly not going to work:

image

As a starting position, maybe we should just update this page with html that redirects to oxAuth?

Or return an error page that says RequestedAuthnContext not supported.

Seeing SAMLResponse in Header but SP is not getting Assertion

So my SP post_assert block is getting this error:

Error: Expected 1 Assertion or 1 EncryptedAssertion; found 0

In my Networking tab I can see the SAMLResponse:

SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj......

Why is my SP getting this error? I am able to login and be authenticated, this error is only thrown during the post_assert block.

var path = require('path');   // needed for res.sendFile below

app.post("/dashboard", function (req, res) {
  console.log("sp: Asserting login");
  var options = { request_body: req.body };
  sp.post_assert(idp, options, function (err, saml_response) {
    if (err != null) {
      console.log("error in post assert \nsaml_response: " + saml_response);     // saml_response is undefined here
      console.log(err);
      return res.sendStatus(500);   // currently ending up on this branch (res.send(500) is deprecated in Express 4)
    }
    console.log('running post_assert func');
    // Save name_id and session_index for logout
    last_response = saml_response.user.attributes['urn:oid:URN_ID'];        // store username in variable
    name_id = saml_response.user.name_id;
    session_index = saml_response.user.session_index;

    console.log('running res.sendFile');
    res.sendFile(path.resolve("./dist/PAGE_FILES/index.html"));   // sendFile requires an absolute path
    console.log('/dashboard post complete');
  });
});

Here is my idp process log error. Now, my attribute-filter.xml file is actually completely empty. We've identified this as a problem already but the SP was actually working a couple days ago even with the empty file.

2018-09-17 14:09:47,387 - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:231] - Service 'shibboleth.AttributeFilterService': Reload for shibboleth.AttributeFilterService failed
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document from file [/opt/shibboleth-idp/conf/attribute-filter.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Premature end of file.
	at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:336)
Caused by: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document from file [/opt/shibboleth-idp/conf/attribute-filter.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Premature end of file.
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:399)
Caused by: org.xml.sax.SAXParseException: Premature end of file.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
2018-09-17 14:09:49,416 - WARN [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:402] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Entire metadata document from '/opt/shibboleth-idp/metadata/F951A1BEAF1B974D000260183AE800067189DB97-sp-metadata.xml' was expired at time of loading, existing metadata retained
2018-09-17 14:09:49,417 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Next refresh cycle for metadata provider '/opt/shibboleth-idp/metadata/F951A1BEAF1B974D000260183AE800067189DB97-sp-metadata.xml' will occur on '2018-09-17T14:14:49.417Z' ('2018-09-17T14:14:49.417Z' local time)

/opt/shibboleth-idp/metadata/idp-metadata.xml (No such file or directory)

[11:14:58] Valentino Pecaoco: in v2, when going to /idp/shibboleth the IDP XML metadata shows
[11:15:15] Valentino Pecaoco: But in v3, it throws an error
[11:15:33] Dmitry Ogn: It's bug
[11:15:43] Valentino Pecaoco: /opt/shibboleth-idp/metadata/idp-metadata.xml (No such file or directory)
[11:15:44] Dmitry Ogn: It should show
[11:16:25] Dmitry Ogn: Maybe something happened in installer
[11:16:52] Dmitry Ogn: I tested it - metadata should be installed.
[11:16:55] Valentino Pecaoco: The files under /opt/shibboleth-idp/metadata are re-rendered with IDP LDAP id as prefix
[11:19:15] Valentino Pecaoco: In v2, even if the files get re-rendered, it is ok
[11:20:20] Valentino Pecaoco: But, is this a bug with idp.war and not in our code?
[11:21:10] Valentino Pecaoco: Or idp-metadata.xml should not have been deleted and should just be modified?
[11:24:18] Valentino Pecaoco: Ok, for now I'll try to comment out code that modifies the files under /metadata folder
[11:24:34] Valentino Pecaoco: And see how it goes

Remove jaas.config config

Remove LDAP settings from V2 and V3 configurations.

Mike Schwartz: this is not used anyway
Mike Schwartz: the shib IDP uses the oxauth login module.
Mike Schwartz: it should actually be removed.
Mike Schwartz: because it's storing the DM password in the clear...
Dmitry Ogn: Ok... But current V2 has the same configuration with login to LDAP.
Mike Schwartz: yes, but it's not used.
Mike Schwartz: this file probably dates back to 2009

Error in relying-party.xml when "encryptNameIDs" set to "conditional"

Based on this ticket, the idp service fails to start when using Configure Relying Party and setting "encryptNameIDs" to "conditional".

image

GLUU.root@ubuntu:~# service idp restart
Stopping Jetty: OK
Starting Jetty: . . . . . . . . . . . . . . FAILED Wed Mar 14 22:39:53 UTC 2018

GLUU.root@ubuntu:/opt/shibboleth-idp/logs# grep -i -e 'encryptNameIds' /opt/shibboleth-idp/conf/relying-party.xml
p:encryptNameIDs="false"
p:encryptNameIDs="false"
p:encryptNameIDs="false"
p:encryptNameIDs="false"
p:encryptNameIds-ref="EncryptNoConfidentiality"
GLUU.root@ubuntu:/opt/shibboleth-idp/logs#

Error in Logs
at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:336)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.RelyingPartyOverrides': Cannot create inner bean 'FC74F0095CC370350002DE56040A000654963FC4' of type [net.shibboleth.idp.saml.relyingparty.impl.RelyingPartyConfigurationSupport] while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'FC74F0095CC370350002DE56040A000654963FC4' defined in file [/opt/shibboleth-idp/conf/relying-party.xml]: Cannot create inner bean 'SAML2.SSO$child#1a256d80' of type [net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration] while setting bean property 'profileConfigurations' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'SAML2.SSO$child#1a256d80' defined in file [/opt/shibboleth-idp/conf/relying-party.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'encryptNameIds' of bean class [net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration]: Bean property 'encryptNameIds' is not writable or has an invalid setter method. Did you mean 'encryptNameIDs'?
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'FC74F0095CC370350002DE56040A000654963FC4' defined in file [/opt/shibboleth-idp/conf/relying-party.xml]: Cannot create inner bean 'SAML2.SSO$child#1a256d80' of type [net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration] while setting bean property 'profileConfigurations' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'SAML2.SSO$child#1a256d80' defined in file [/opt/shibboleth-idp/conf/relying-party.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'encryptNameIds' of bean class [net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration]: Bean property 'encryptNameIds' is not writable or has an invalid setter method. Did you mean 'encryptNameIDs'?
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'SAML2.SSO$child#1a256d80' defined in file [/opt/shibboleth-idp/conf/relying-party.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'encryptNameIds' of bean class [net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration]: Bean property 'encryptNameIds' is not writable or has an invalid setter method. Did you mean 'encryptNameIDs'?
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1518)
Caused by: org.springframework.beans.NotWritablePropertyException: Invalid property 'encryptNameIds' of bean class [net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration]: Bean property 'encryptNameIds' is not writable or has an invalid setter method. Did you mean 'encryptNameIDs'?
at org.springframework.beans.BeanWrapperImpl.createNotWritablePropertyException(BeanWrapperImpl.java:243)

SAML IDP exception

During SAML request processing:

2017-08-30 14:18:44,310 - ERROR [org.apache.velocity:96] - Exception in macro #springMessage called at error.vm[line 56, column 68]
2017-08-30 14:18:44,330 - ERROR [java.lang.RuntimeException:76] -
java.lang.RuntimeException: java.lang.IllegalStateException: Exception occurred rendering view org.springframework.web.servlet.view.velocity.VelocityView: name 'error'; URL [error.vm]
at net.shibboleth.idp.profile.impl.RethrowingFlowExecutionExceptionHandler.handle(RethrowingFlowExecutionExceptionHandler.java:40)
Caused by: java.lang.IllegalStateException: Exception occurred rendering view org.springframework.web.servlet.view.velocity.VelocityView: name 'error'; URL [error.vm]
at org.springframework.webflow.mvc.view.AbstractMvcView.render(AbstractMvcView.java:200)
Caused by: org.springframework.web.util.NestedServletException: Method invocation failed during rendering of Velocity view with name 'error': Invocation of method 'getMessage' in class org.springframework.web.servlet.support.RequestContext threw exception org.springframework.context.NoSuchMessageException: No message found under code 'idp.logo' for locale 'en_US'. at org/springframework/web/servlet/view/velocity/spring.vm[line 27, column 57]; reference [springMacroRequestContext], method 'getMessage'; nested exception is org.springframework.context.NoSuchMessageException: No message found under code 'idp.logo' for locale 'en_US'.
at org.springframework.web.servlet.view.velocity.VelocityView.mergeTemplate(VelocityView.java:526)
Caused by: org.springframework.context.NoSuchMessageException: No message found under code 'idp.logo' for locale 'en_US'.
at org.springframework.context.support.AbstractMessageSource.getMessage(AbstractMessageSource.java:159)
2017-08-30 14:18:44,348 - ERROR [org.apache.velocity:96] - Exception in macro #springMessage called at error.vm[line 56, column 68]

Remove ShibbolethSSO and SAML 1

Remove from SAML metadata:

<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://goblin.gluu.info:9443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>

<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://goblin.gluu.info:9443/idp/profile/SAML1/SOAP/AttributeQuery"/>

<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://goblin.gluu.info/idp/profile/Shibboleth/SSO"/>

Also

<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

Don't show stacktrace... ever

A customer was showing me a 500 error from shibboleth that printed a full Java stacktrace, which should only be present in the logs. We never want to publish a stacktrace to users.

Map AuthnContextClassRef --> acr in OpenID Connect

In SAML, an AuthnRequest may contain an AuthnContextClassRef like this

<samlp:AuthnRequest>
   <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

It would be amazing if we could somehow send this as the acr param in the OpenID Connect authn request.

Also see this blog

Use authncontextclassref to trigger respecting OpenID Connect acr authz request

Consider this XML below.

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://mySP.test.com/saml/consumer" Destination="http://myIDP.test.com:80/opensso/SSORedirect/metaAlias/idp" ForceAuthn="true" ID="_07dfa23f929c647c0b4503e8c13a04f7" IsPassive="false" IssueInstant="2011-01-20T12:43:52.208Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">my-alias</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="my-alias"/>
<saml2p:RequestedAuthnContext Comparison="minimum">

<!-- THIS COULD BE THE acr PARAM IN OPENID CONNECT -->
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>

</saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

Got this from this blog on OpenSAML

It would be really cool if when we see this kind of request, we are able to map it to the respective authentication mechanism in oxAuth, i.e. it should be the same as the "Name" of the custom authentication script.
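A sketch of the mapping proposed in this issue and in "Map AuthnContextClassRef --> acr in OpenID Connect" above, as an added example (not code from oxShibboleth or oxAuth): it pulls RequestedAuthnContext out of the AuthnRequest, translates each AuthnContextClassRef to the name of a custom authentication script through a constructed lookup table, and places the result in the acr_values parameter of the authorization request the IDP redirects the browser to. Only Comparison="exact" is mapped one-to-one; "minimum" and the other comparisons need a strength ordering of contexts that the example does not model, so they are rejected the same way as an unknown class ref, which is the point at which the "RequestedAuthnContext not supported" answer suggested in the earlier issue would be produced instead of a login form. The endpoint, client, issuer and request IDs are placeholders.

```python
"""RequestedAuthnContext -> acr_values mapping.  Added example, not code from
oxShibboleth or oxAuth; CLASS_REF_TO_ACR and all hostnames are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed mapping (assumption): AuthnContextClassRef -> "Name" of the
# oxAuth custom authentication script that satisfies it.
CLASS_REF_TO_ACR = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "basic",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": "otp",
}


class UnsupportedAuthnContext(ValueError):
    """The IDP cannot honour the RequestedAuthnContext; the caller should
    answer with a SAML error (or an explicit 'not supported' page)."""


def requested_authn_context(authn_request_xml: str):
    """Return (comparison, [class refs]); ('exact', []) when absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    rac = root.find(f"{{{SAMLP_NS}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    refs = [(e.text or "").strip()
            for e in rac.findall(f"{{{SAML_NS}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), [r for r in refs if r]


def acr_values_for(comparison: str, class_refs: list) -> list:
    """Translate class refs to script names, preserving the SP's order."""
    if comparison != "exact":
        raise UnsupportedAuthnContext(f"Comparison={comparison!r} not supported")
    acrs = []
    for ref in class_refs:
        if ref not in CLASS_REF_TO_ACR:
            raise UnsupportedAuthnContext(ref)
        acrs.append(CLASS_REF_TO_ACR[ref])
    return acrs


def build_oidc_authorization_url(authn_request_xml: str, authorize_endpoint: str,
                                 client_id: str, redirect_uri: str,
                                 state: str, nonce: str) -> str:
    """Authorization request the IDP would redirect the browser to."""
    comparison, refs = requested_authn_context(authn_request_xml)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,   # ties the OIDC response back to this SAML conversation
        "nonce": nonce,
    }
    if refs:  # OIDC Core: space-separated values, in order of preference
        params["acr_values"] = " ".join(acr_values_for(comparison, refs))
    return f"{authorize_endpoint}?{urlencode(params)}"


# Constructed requests (IDs, issuer and hosts are placeholders).
SAMPLE_EXACT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""
SAMPLE_UNKNOWN = SAMPLE_EXACT.replace("PasswordProtectedTransport", "Smartcard")
SAMPLE_NO_CONTEXT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(build_oidc_authorization_url(
        SAMPLE_EXACT, "https://gluu.example.org/oxauth/restv1/authorize",
        "idp-client", "https://gluu.example.org/idp/Authn/oxAuth", "st1", "n1"))
```

The order of the class refs is preserved because acr_values is a preference list; the acr the OP actually used comes back in the ID token, which is where the IDP would decide what AuthnContextClassRef to put in the assertion it returns to the SP.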

Load configuration from LDAP

Mike Schwartz: Upgrade Shib 3 to store config in LDAP
Mike Schwartz: There are three files we normally modify...
Mike Schwartz: relying-party.xml, attribute-filter.xml and attribute-release.xml

SLO binding links are breaking IDP metadata

3.0.0 or 3.0.1 has SLO binding links (**) available in IDP metadata which are breaking SAML transactions.

(**)

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ce31.gluu.org/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ce31.gluu.org/idp/profile/SAML2/POST/SLO"/>
 <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://ce31.gluu.org/idp/profile/SAML2/POST-SimpleSign/SLO"/>
 <!--
 <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ce31.gluu.org:8443/idp/profile/SAML2/SOAP/SLO"/>
 -->

Here is what an SP throws whenever we are trying to load this metadata (with SLO links):

2017-02-15 07:25:51 ERROR XMLTooling.ParserPool : error on line 95, column 24, message: element 'SingleLogoutService' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*,ArtifactResolutionService*,SingleLogoutService*,ManageNameIDService*,NameIDFormat*,SingleSignOnService+,NameIDMappingService*,AssertionIDRequestService*,AttributeProfile*,Attribute*)'
2017-02-15 07:25:51 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (/etc/shibboleth/ce31_gluu_org_metadata.xml): XML error(s) during parsing, check log for specifics
2017-02-15 07:25:51 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics
2017-02-15 07:25:51 INFO Shibboleth.Application : no TrustEngine specified or installed, using default chain {ExplicitKey, PKIX}
2017-02-15 07:25:51 INFO Shibboleth.Application : building AttributeExtractor of type XML...

Validation failed as well for this; we can try to validate IDP metadata with SAML Validator

Or, we can try to 'register' our IDP by uploading metadata there in Testshib.org

xml_validator

If we remove the SLO binding links, it works okay; validation is good as well.
validator_result_without_slologout
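The content model quoted in the SP log above does list SingleLogoutService*, but ahead of SingleSignOnService+, and Xerces reports "not allowed for content model" when an element turns up at a position the schema does not permit; that points at element order rather than at SLO endpoints as such. The checker below is an added example, not code from oxShibboleth or the Shibboleth SP: it validates the child order and cardinality of every IDPSSODescriptor against that content model and, as an alternative to deleting the SLO links, sorts the children into schema order. The sample metadata is constructed with placeholder hostnames and deliberately lists the SLO endpoints after the SSO endpoints.

```python
"""IDPSSODescriptor order/cardinality check.  Added example, not part of
oxShibboleth or the Shibboleth SP; the content model is transcribed from the
XMLTooling error above and the sample metadata is constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# (namespace, local name, min occurrences, max occurrences or None) in the
# order the schema requires.
IDP_SSO_CONTENT_MODEL = [
    (DS_NS, "Signature", 0, 1),
    (MD_NS, "Extensions", 0, 1),
    (MD_NS, "KeyDescriptor", 0, None),
    (MD_NS, "Organization", 0, 1),
    (MD_NS, "ContactPerson", 0, None),
    (MD_NS, "ArtifactResolutionService", 0, None),
    (MD_NS, "SingleLogoutService", 0, None),
    (MD_NS, "ManageNameIDService", 0, None),
    (MD_NS, "NameIDFormat", 0, None),
    (MD_NS, "SingleSignOnService", 1, None),
    (MD_NS, "NameIDMappingService", 0, None),
    (MD_NS, "AssertionIDRequestService", 0, None),
    (MD_NS, "AttributeProfile", 0, None),
    (SAML_NS, "Attribute", 0, None),
]
POSITION = {f"{{{ns}}}{name}": i
            for i, (ns, name, _, _) in enumerate(IDP_SSO_CONTENT_MODEL)}


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def check_idp_descriptor_order(metadata_xml: str) -> list:
    """Return a list of problems; empty means every IDPSSODescriptor is valid."""
    problems = []
    root = ET.fromstring(metadata_xml)
    for desc in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        counts = [0] * len(IDP_SSO_CONTENT_MODEL)
        highest = -1  # highest content-model position seen so far
        for child in desc:
            idx = POSITION.get(child.tag)
            if idx is None:
                problems.append(f"unexpected element {_local(child.tag)}")
                continue
            counts[idx] += 1
            if idx < highest:  # element belongs earlier in the sequence
                after = IDP_SSO_CONTENT_MODEL[highest][1]
                problems.append(f"{_local(child.tag)} is not allowed after {after}")
            highest = max(highest, idx)
        for (_, name, lo, hi), n in zip(IDP_SSO_CONTENT_MODEL, counts):
            if n < lo:
                problems.append(f"{name} must appear at least {lo} time(s), found {n}")
            if hi is not None and n > hi:
                problems.append(f"{name} may appear at most {hi} time(s), found {n}")
    return problems


def reorder_idp_descriptor(metadata_xml: str) -> str:
    """Sort each IDPSSODescriptor's children into schema order.  The sort is
    stable, so the relative order of e.g. several SingleSignOnService
    elements is kept."""
    root = ET.fromstring(metadata_xml)
    for desc in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        children = list(desc)
        for child in children:
            desc.remove(child)
        for child in sorted(children, key=lambda c: POSITION.get(c.tag, len(POSITION))):
            desc.append(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: SLO endpoints appended after the SSO endpoints, the shape
# the SP's parser rejects.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SLO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for p in check_idp_descriptor_order(SAMPLE_IDP_METADATA):
        print("problem:", p)
    print(check_idp_descriptor_order(reorder_idp_descriptor(SAMPLE_IDP_METADATA)))
```

Run against published IDP metadata before handing it to SPs: the same check that the SP's XMLTooling parser performs at load time then happens on the IDP side, where the fix is cheap. Note that reordering an already signed EntityDescriptor invalidates its signature, so sort first and sign afterwards.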

Check CAS protocol logout behaviour

Mike Schwartz: We need to make a list of logout use cases.
Mike Schwartz: And check to see what extent it's possible to do cross protocol logout.

Override Logout Functionality

SAML-initiated logout doesn't work. We can probably redirect to OpenID Connect front-channel logout, although SPs won't be notified about the logout event. Perhaps we can add SPs as sessions under the client (with respective logout URLs) so the iframes are rendered properly in the front-channel logout page.

Another issue is that in a cluster, other Shib IDP servers may have active sessions in memory. This solution may also require memcached session storage to really work in a cluster.

Shib configuration is trying to load 'openldap.crt' in 'gluu-openDJ' setup

oxShibboleth should detect the LDAP cert accordingly; in the latest 3.1.2, when we install a Gluu Server with 'gluu-OpenDJ', 'idp-process.log' throws the error below.
I am not exactly sure how it's looking for 'openldap.crt' specifically, but it should look for 'opendj.crt' for an OpenDJ-based installation.

Here is what idp-process.log says:

2018-02-07 10:36:40,566 - ERROR [net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean:180] - null: could not decode CertificateFile at class path resource [etc/certs/openldap.crt]: {}
java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:172)
2018-02-07 10:36:40,583 - WARN [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:549] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'siteLDAP': Cannot create inner bean '(inner bean)#95ed5f4' of type [org.ldaptive.DefaultConnectionFactory] while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#95ed5f4': Cannot create inner bean '(inner bean)#30a92d4b' of type [org.ldaptive.ConnectionConfig] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#30a92d4b': Cannot create inner bean '(inner bean)#612af1ea' of type [org.ldaptive.ssl.SslConfig] while setting bean property 'sslConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#612af1ea': Cannot create inner bean '(inner bean)#40263b8c' of type [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.CredentialConfigFactoryBean] while setting bean property 'credentialConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#40263b8c': Cannot create inner bean '(inner bean)#763527c3' of type [net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean] while setting bean property 'trustCredential'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#763527c3': Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
2018-02-07 10:36:40,585 - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:231] - Service 'shibboleth.AttributeResolverService': Reload for shibboleth.AttributeResolverService failed
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'siteLDAP': Cannot create inner bean '(inner bean)#95ed5f4' of type [org.ldaptive.DefaultConnectionFactory] while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#95ed5f4': Cannot create inner bean '(inner bean)#30a92d4b' of type [org.ldaptive.ConnectionConfig] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#30a92d4b': Cannot create inner bean '(inner bean)#612af1ea' of type [org.ldaptive.ssl.SslConfig] while setting bean property 'sslConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#612af1ea': Cannot create inner bean '(inner bean)#40263b8c' of type [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.CredentialConfigFactoryBean] while setting bean property 'credentialConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#40263b8c': Cannot create inner bean '(inner bean)#763527c3' of type [net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean] while setting bean property 'trustCredential'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#763527c3': Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:336)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'siteLDAP': Cannot create inner bean '(inner bean)#95ed5f4' of type [org.ldaptive.DefaultConnectionFactory] while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#95ed5f4': Cannot create inner bean '(inner bean)#30a92d4b' of type [org.ldaptive.ConnectionConfig] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#30a92d4b': Cannot create inner bean '(inner bean)#612af1ea' of type [org.ldaptive.ssl.SslConfig] while setting bean property 'sslConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#612af1ea': Cannot create inner bean '(inner bean)#40263b8c' of type [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.CredentialConfigFactoryBean] while setting bean property 'credentialConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#40263b8c': Cannot create inner bean '(inner bean)#763527c3' of type [net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean] while setting bean property 'trustCredential'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#763527c3': Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#95ed5f4': Cannot create inner bean '(inner bean)#30a92d4b' of type [org.ldaptive.ConnectionConfig] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#30a92d4b': Cannot create inner bean '(inner bean)#612af1ea' of type [org.ldaptive.ssl.SslConfig] while setting bean property 'sslConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#612af1ea': Cannot create inner bean '(inner bean)#40263b8c' of type [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.CredentialConfigFactoryBean] while setting bean property 'credentialConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#40263b8c': Cannot create inner bean '(inner bean)#763527c3' of type [net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean] while setting bean property 'trustCredential'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#763527c3': Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#30a92d4b': Cannot create inner bean '(inner bean)#612af1ea' of type [org.ldaptive.ssl.SslConfig] while setting bean property 'sslConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#612af1ea': Cannot create inner bean '(inner bean)#40263b8c' of type [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.CredentialConfigFactoryBean] while setting bean property 'credentialConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#40263b8c': Cannot create inner bean '(inner bean)#763527c3' of type [net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean] while setting bean property 'trustCredential'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#763527c3': Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#612af1ea': Cannot create inner bean '(inner bean)#40263b8c' of type [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.CredentialConfigFactoryBean] while setting bean property 'credentialConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#40263b8c': Cannot create inner bean '(inner bean)#763527c3' of type [net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean] while setting bean property 'trustCredential'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#763527c3': Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#40263b8c': Cannot create inner bean '(inner bean)#763527c3' of type [net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean] while setting bean property 'trustCredential'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#763527c3': Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#763527c3': Invocation of init method failed; nested exception is org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1578)
Caused by: org.springframework.beans.FatalBeanException: Could not decode provided CertificateFile: class path resource [etc/certs/openldap.crt]; nested exception is java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean.getCertificates(BasicX509CredentialFactoryBean.java:182)
Caused by: java.io.FileNotFoundException: class path resource [etc/certs/openldap.crt] cannot be opened because it does not exist
	at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:172)
2018-02-07 10:36:41,158 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:258] - Service 'shibboleth.RelyingPartyResolverService': Reloading service configuration
2018-02-07 10:36:41,160 - INFO [net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317] - Loading XML bean definitions from file [/opt/shibboleth-idp/conf/relying-party.xml]
2018-02-07 10:36:41,175 - INFO [net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317] - Loading XML bean definitions from file [/opt/shibboleth-idp/conf/credentials.xml]
2018-02-07 10:36:41,184 - INFO [net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317] - Loading XML bean definitions from file [/opt/shibboleth-idp/system/conf/relying-party-system.xml]
2018-02-07 10:36:41,198 - INFO [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:581] - Refreshing ApplicationContext:shibboleth.RelyingPartyResolverService: startup date [Wed Feb 07 10:36:41 UTC 2018]; parent: Root WebApplicationContext
2018-02-07 10:36:41,254 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:258] - Service 'shibboleth.ReloadableCASServiceRegistry': Reloading service configuration
2018-02-07 10:36:41,256 - INFO [net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317] - Loading XML bean definitions from file [/opt/shibboleth-idp/conf/cas-protocol.xml]
2018-02-07 10:36:41,273 - INFO [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:581] - Refreshing ApplicationContext:shibboleth.ReloadableCASServiceRegistry: startup date [Wed Feb 07 10:36:41 UTC 2018]; parent: Root WebApplicationContext
2018-02-07 10:36:41,304 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:380] - Service 'shibboleth.ReloadableCASServiceRegistry': Completed reload and swapped in latest configuration for service 'shibboleth.ReloadableCASServiceRegistry'
2018-02-07 10:36:41,305 - INFO [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:982] - Closing ApplicationContext:shibboleth.ReloadableCASServiceRegistry: startup date [Wed Feb 07 10:21:41 UTC 2018]; parent: Root WebApplicationContext
2018-02-07 10:36:41,306 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:387] - Service 'shibboleth.ReloadableCASServiceRegistry': Reload complete
2018-02-07 10:36:41,455 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:380] - Service 'shibboleth.RelyingPartyResolverService': Completed reload and swapped in latest configuration for service 'shibboleth.RelyingPartyResolverService'
2018-02-07 10:36:41,456 - INFO [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:982] - Closing ApplicationContext:shibboleth.RelyingPartyResolverService: startup date [Wed Feb 07 10:21:40 UTC 2018]; parent: Root WebApplicationContext
2018-02-07 10:36:41,461 - INFO [net.shibboleth.ext.spring.service.ReloadableSpringService:387] - Service 'shibboleth.RelyingPartyResolverService': Reload complete
[root@ksutest logs]# cd /opt/shibboleth-idp/conf/

Version:

Manifest-Version: 1.0
Implementation-Title: OX Shibboleth IDP
Implementation-Version: 3.1.2.Final
Archiver-Version: Plexus Archiver
Built-By: tomcat
Implementation-Build: 
Implementation-Vendor-Id: org.xdi
Created-By: Apache Maven 3.3.9
Build-Jdk: 1.8.0_121
Manifest-Version: 1.0
Implementation-Title: oxTrust Server
Implementation-Version: 3.1.2.Final
Archiver-Version: Plexus Archiver
Built-By: tomcat
Implementation-Build: 9de781cd23764ec11b234af65cd055d159a83877
Implementation-Vendor-Id: org.xdi
Created-By: Apache Maven 3.3.9
Build-Jdk: 1.8.0_121
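The root cause in the trace above is that the LDAP data connector's trust certificate is given as a relative path, which Spring resolves as a classpath resource rather than a file, so the IdP never finds it. The following is an added example, not oxShibboleth or Shibboleth project code: a pre-deployment check that pulls every LDAPDirectory trust anchor out of attribute-resolver.xml, expands `%{...}` property references, and rejects relative paths, missing files and non-PEM content before a reload fails. It assumes the upstream IdP v3 shapes for the trust anchor (a `trustFile` attribute on the `DataConnector`, or a `<sec:Certificate>` text under a `StartTLSTrustCredential`); the resolver XML, the `idp.home` value and the PEM body are constructed for the demo.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
SEC_NS = "urn:mace:shibboleth:2.0:security"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
PROP_RE = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")   # %{key} or %{key:default}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed attribute-resolver.xml for the demo: 'siteLDAP' carries the
# relative path from the log above, 'goodLDAP' an absolute %{idp.home} path.
SAMPLE_RESOLVER_XML = """\
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:sec="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="siteLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldaps://localhost:1636" baseDN="o=gluu"
      trustFile="etc/certs/openldap.crt"/>
  <DataConnector id="goodLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldaps://localhost:1636" baseDN="o=gluu">
    <StartTLSTrustCredential id="LDAPtoIdPCreds" xsi:type="sec:X509ResourceBacked">
      <sec:Certificate>%{idp.home}/credentials/ldap-server.crt</sec:Certificate>
    </StartTLSTrustCredential>
  </DataConnector>
</AttributeResolver>
"""

# Constructed placeholder PEM body; not a real certificate.
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   b"MIIBconstructedPlaceholderNotARealCert\n"
                   b"-----END CERTIFICATE-----\n")


def expand(value, props):
    """Expand %{key} / %{key:default} property references from a dict."""
    def sub(m):
        default = m.group(2) if m.group(2) is not None else m.group(0)
        return props.get(m.group(1), default)
    return PROP_RE.sub(sub, value)


def trust_cert_paths(resolver_xml, props):
    """Return [(connector_id, expanded_path)] for every LDAPDirectory connector."""
    root = ET.fromstring(resolver_xml)
    found = []
    for dc in root.iter(f"{{{RESOLVER_NS}}}DataConnector"):
        if not dc.get(XSI_TYPE, "").endswith("LDAPDirectory"):
            continue
        cid = dc.get("id", "?")
        if dc.get("trustFile"):
            found.append((cid, expand(dc.get("trustFile"), props)))
        for cert in dc.iter(f"{{{SEC_NS}}}Certificate"):
            if cert.text and cert.text.strip():
                found.append((cid, expand(cert.text.strip(), props)))
    return found


def check_path(path):
    """Classify one trust-anchor path.

    A relative path is handed to Spring as a *classpath* resource, which is
    exactly the 'class path resource [etc/certs/openldap.crt] cannot be
    opened' failure in the log, so it is rejected before touching disk."""
    if not os.path.isabs(path):
        return "relative-path-resolved-from-classpath"
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        data = fh.read()
    if not PEM_RE.search(data):
        return "not-pem-certificate"
    return "ok"


def audit(resolver_xml, props):
    """Return [(connector_id, path, status)] for the whole resolver file."""
    return [(cid, p, check_path(p)) for cid, p in trust_cert_paths(resolver_xml, props)]


def demo():
    """Run the audit against the constructed sample with a throwaway idp.home."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "credentials"))
        with open(os.path.join(home, "credentials", "ldap-server.crt"), "wb") as fh:
            fh.write(CONSTRUCTED_PEM)
        return [(cid, status)
                for cid, _path, status in audit(SAMPLE_RESOLVER_XML, {"idp.home": home})]


if __name__ == "__main__":
    for cid, status in demo():
        print(cid, status)
```

Running it against a real install means passing the merged idp.properties / ldap.properties values as `props` and the installed attribute-resolver.xml as the text; any status other than `ok` is the same failure the AttributeResolverService reload will report.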

Shib IDP doesn't release NameID

NameID generation is enabled in configuration. My IDP test instance does not release it.
Nothing NameID-related has been changed.

Metadata validation throwing error

[12:52:21] Zamil Khan: Metadata validation still throwing error for the logout and zip file download

[19:19:09] smukhija: Dmitry, /idp/shibboleth metadata is failing xml validation
[19:19:14] smukhija:
THE XML IS INVALID.

Line: 86 | Column: 0 --> Element '{urn:oasis:names:tc:SAML:2.0:metadata}SingleLogoutService': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:metadata}SingleSignOnService, {urn:oasis:names:tc:SAML:2.0:metadata}NameIDMappingService, {urn:oasis:names:tc:SAML:2.0:metadata}AssertionIDRequestService, {urn:oasis:names:tc:SAML:2.0:metadata}AttributeProfile, {urn:oasis:names:tc:SAML:2.0:assertion}Attribute ).

Google SSO with Shibboleth is broken

I am getting the following error in the browser after being redirected from admin.google.com

https://host/idp/profile/SAML2/Redirect/SSO?SAMLRequest=xxxxxx&RelayState=https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3Dhttps%253A%252F%252Fadmin.google.com%252FDashboard%26service%3DCPanel%26hl%3Den%26checkedDomains%3Dyoutube%26checkConnection%3Dyoutube%253A161%253A1%26pstMsg%3D1%26skipvpage%3Dtrue
HTTP ERROR 500

Problem accessing /idp/profile/SAML2/Redirect/SSO. Reason:

Server Error

Caused by:

org.springframework.web.util.NestedServletException: Method invocation failed during rendering of Velocity view with name 'error': Invocation of method 'getMessage' in class org.springframework.web.servlet.support.RequestContext threw exception org.springframework.context.NoSuchMessageException: No message found under code 'idp.logo' for locale 'en_US'. at org/springframework/web/servlet/view/velocity/spring.vm[line 27, column 57]; reference [springMacroRequestContext], method 'getMessage'; nested exception is org.springframework.context.NoSuchMessageException: No message found under code 'idp.logo' for locale 'en_US'.
at org.springframework.web.servlet.view.velocity.VelocityView.mergeTemplate(VelocityView.java:526)
at org.springframework.web.servlet.view.velocity.VelocityView.doRender(VelocityView.java:464)
at org.springframework.web.servlet.view.velocity.VelocityView.renderMergedTemplateModel(VelocityView.java:294)
at org.springframework.web.servlet.view.AbstractTemplateView.renderMergedOutputModel(AbstractTemplateView.java:167)
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1257)
at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1037)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:980)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772)
at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:72)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
at net

Remove SAML 1.1, Shib 1.0 and Artifact Resolution Profile from SAML metadata features

I was going through the IDP metadata, and I wanted to remove unused stuff to keep the metadata as short and simple as possible!

  1. Disable the AttributeAuthority Service. The firewall blocks the SOAP endpoints anyway. I believe this XML should not even show up in the metadata
  2. In the <IDPSSODescriptor>... section of the metadata, remove support for SAML 1.1 and Shibboleth 1.0 endpoints and <ArtifactResolutionService>, but add the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress NameIDFormat
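Both the schema error reported under "Metadata validation throwing error" (a `SingleLogoutService` appearing after `SingleSignOnService`) and the trimming requested in this issue come down to the child order the SAML 2.0 metadata schema imposes on `IDPSSODescriptor`. The following is an added example, not oxShibboleth or oxTrust code: it checks an IdP metadata document against that order, and then prunes the SAML 1.1 / Shibboleth 1.0 endpoints, the `ArtifactResolutionService` elements and the `AttributeAuthorityDescriptor` role, adds the `emailAddress` NameIDFormat, and re-sorts the descriptor into schema order. The element sequence is the one from the SAML 2.0 metadata schema (RoleDescriptorType, then SSODescriptorType, then IDPSSODescriptorType); the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("md", MD), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Child order required by the SAML 2.0 metadata schema for IDPSSODescriptor.
IDP_SSO_ORDER = [
    f"{{{DS}}}Signature", f"{{{MD}}}Extensions", f"{{{MD}}}KeyDescriptor",
    f"{{{MD}}}Organization", f"{{{MD}}}ContactPerson",
    f"{{{MD}}}ArtifactResolutionService", f"{{{MD}}}SingleLogoutService",
    f"{{{MD}}}ManageNameIDService", f"{{{MD}}}NameIDFormat",
    f"{{{MD}}}SingleSignOnService", f"{{{MD}}}NameIDMappingService",
    f"{{{MD}}}AssertionIDRequestService", f"{{{MD}}}AttributeProfile",
    f"{{{SAML}}}Attribute",
]
RANK = {tag: i for i, tag in enumerate(IDP_SSO_ORDER)}
UNKNOWN_RANK = len(IDP_SSO_ORDER)

LEGACY_PROTOCOLS = {"urn:oasis:names:tc:SAML:1.1:protocol", "urn:mace:shibboleth:1.0"}
LEGACY_BINDINGS = {"urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
                   "urn:mace:shibboleth:1.0:profiles:AuthnRequest"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IdP metadata reproducing the validation error above: the
# SingleLogoutService sits after SingleSignOnService, and the SAML 1.1 /
# Shibboleth 1.0 endpoints and the AttributeAuthorityDescriptor are present.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.test/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.test/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.test/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/idp/profile/SAML2/Redirect/SLO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.test/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def check_idp_sso_order(xml_text):
    """Return [(offending_tag, tag_it_wrongly_followed)]; [] means schema order holds."""
    problems = []
    for idp in ET.fromstring(xml_text).iter(f"{{{MD}}}IDPSSODescriptor"):
        highest = -1
        for child in idp:
            rank = RANK.get(child.tag)
            if rank is None:
                problems.append((child.tag, "not allowed in IDPSSODescriptor"))
            elif rank < highest:
                problems.append((child.tag, IDP_SSO_ORDER[highest]))
            else:
                highest = rank
    return problems


def normalize_idp_metadata(xml_text):
    """Drop the legacy role and endpoints, add the emailAddress NameIDFormat,
    and re-sort IDPSSODescriptor children into schema order."""
    root = ET.fromstring(xml_text)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        for aa in ed.findall(f"{{{MD}}}AttributeAuthorityDescriptor"):
            ed.remove(aa)
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        protocols = [p for p in idp.get("protocolSupportEnumeration", "").split()
                     if p not in LEGACY_PROTOCOLS]
        idp.set("protocolSupportEnumeration", " ".join(protocols))
        for child in list(idp):
            if (child.tag == f"{{{MD}}}ArtifactResolutionService"
                    or child.get("Binding") in LEGACY_BINDINGS):
                idp.remove(child)
        if not any(c.tag == f"{{{MD}}}NameIDFormat" and (c.text or "").strip() == EMAIL_FORMAT
                   for c in idp):
            ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = EMAIL_FORMAT
        # Stable sort: elements of the same kind keep their relative order.
        idp[:] = sorted(idp, key=lambda c: RANK.get(c.tag, UNKNOWN_RANK))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", check_idp_sso_order(SAMPLE_IDP_METADATA))
    fixed = normalize_idp_metadata(SAMPLE_IDP_METADATA)
    print("after: ", check_idp_sso_order(fixed))
    print(fixed)
```

Run the normalizer on the unsigned metadata and sign afterwards: removing or reordering children invalidates any existing `ds:Signature` over the document, so a signed `/idp/shibboleth` output must be regenerated rather than edited in place.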

'SAML2Logout' Relying party configuration availability

I think it's worthwhile to add the 'SAML2Logout' RP config in v3. A screencast shared on how Logout is behaving in 3.1.4 + Shibboleth SP: https://youtu.be/u7pRM1NtKOg

Shibboleth SAML2Logout Configuration doc: https://wiki.shibboleth.net/confluence/display/IDP30/SAML2LogoutConfiguration

When I am initiating a combined logout (SP logout URL + IdP logout) from the SP, this is what is coming in idp-process.log:

2018-12-26 01:33:31,089 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:99] - Decoded RelayState: null
2018-12-26 01:33:31,090 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:131] - Base64 decoding and inflating SAML message
2018-12-26 01:33:31,091 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:114] - Decoded SAML message
2018-12-26 01:33:31,092 - DEBUG [PROTOCOL_MESSAGE:127] - 
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest
    Destination="https://test314.gluu.org/idp/profile/SAML2/Redirect/SLO"
    ID="_074669f320c6ce76781c182648811181"
    IssueInstant="2018-12-26T09:33:30Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp1.gluu.org/shibboleth</saml:Issuer>
    <samlp:Extensions>
        <aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/>
    </samlp:Extensions>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://test314.gluu.org/idp/shibboleth"
        SPNameQualifier="https://sp1.gluu.org/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQxhzJwz9VbTiaAWIoKtujpAHQfR1cS6G2HDcZLzUOleVl0/3MYUwVpiEsTDTDUSFo9+BZMVGJRknAqmwkeT9KqyHrvVOiLCgS+D7uBPS4FDgrSfbeElpnxggpWyQcQf8EEoOsH</saml2:NameID>
    <samlp:SessionIndex>_ab7969aed5d79d88735956c5af9fd7ce</samlp:SessionIndex>
</samlp:LogoutRequest>

2018-12-26 01:33:31,094 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler' on INBOUND message context
2018-12-26 01:33:31,094 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,108 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml1.binding.impl.SAML1ArtifactRequestIssuerHandler' on INBOUND message context
2018-12-26 01:33:31,109 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,110 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler' on INBOUND message context
2018-12-26 01:33:31,110 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,114 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler' on INBOUND message context
2018-12-26 01:33:31,114 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,114 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:162] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://sp1.gluu.org/shibboleth]
2018-12-26 01:33:31,114 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:590] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Attempting to filter candidate EntityDescriptors via resolved Predicates
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:612] - Metadata Resolver FilesystemMetadataResolver SiteSP1: After predicate filtering 1 EntityDescriptors remain
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:264] - Resolved 1 source EntityDescriptors
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:275] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:376] - Attempting to filter candidate RoleDescriptors via resolved Predicates
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:398] - After predicate filtering 1 RoleDescriptors remain
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:144] - Message Handler:  org.opensaml.saml.common.messaging.context.SAMLMetadataContext added to MessageContext as child of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext
2018-12-26 01:33:31,116 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2018-12-26 01:33:31,116 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,124 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:130] - Message Handler:  Selecting default AttributeConsumingService, if any
2018-12-26 01:33:31,124 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:186] - Resolving AttributeConsumingService candidates from SPSSODescriptor
2018-12-26 01:33:31,124 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:141] - AttributeConsumingService candidate list was empty, can not select service
2018-12-26 01:33:31,124 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:138] - Message Handler:  No AttributeConsumingService selected
2018-12-26 01:33:31,125 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://sp1.gluu.org/shibboleth
2018-12-26 01:33:31,125 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
2018-12-26 01:33:31,125 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:305] - Checking if relying party configuration EntityNames[https://sp1.gluu.org/shibboleth,] is applicable
2018-12-26 01:33:31,125 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:307] - Relying party configuration EntityNames[https://sp1.gluu.org/shibboleth,] is applicable
2018-12-26 01:33:31,126 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration EntityNames[https://sp1.gluu.org/shibboleth,] for request
2018-12-26 01:33:31,128 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/logout is not available for RP configuration EntityNames[https://sp1.gluu.org/shibboleth,] (RPID https://sp1.gluu.org/shibboleth)
2018-12-26 01:33:31,156 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
2018-12-26 01:33:31,157 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:154] - No SAMLBindingContext or binding URI available, error must be handled locally
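The decisive line in that log is the `SelectProfileConfiguration` warning: the IdP resolved the RP override for the SP but that override carries no profile configuration for `http://shibboleth.net/ns/profiles/saml2/logout`, so the LogoutRequest ends in `InvalidProfileConfiguration` and is answered locally. The following is an added example, not oxShibboleth or oxTrust code: it scans idp-process.log for that warning, reports which RP is missing which profile, and maps the profile ID to the relying-party.xml bean (the standard IdP v3 profile IDs and bean names) that would enable it. The first three sample lines are taken from the log above; the last one is constructed to show a second RP.

```python
import re
from xml.sax.saxutils import quoteattr

WARN_RE = re.compile(
    r"SelectProfileConfiguration: Profile (?P<profile>\S+) is not available "
    r"for RP configuration (?P<rpconf>\S+) \(RPID (?P<rpid>[^)]+)\)"
)

# Standard IdP v3 profile IDs and the relying-party.xml beans that enable them.
PROFILE_BEAN = {
    "http://shibboleth.net/ns/profiles/saml2/sso": "SAML2.SSO",
    "http://shibboleth.net/ns/profiles/saml2/logout": "SAML2.Logout",
    "http://shibboleth.net/ns/profiles/saml2/query/attribute": "SAML2.AttributeQuery",
    "http://shibboleth.net/ns/profiles/saml2/query/artifact": "SAML2.ArtifactResolution",
    "http://shibboleth.net/ns/profiles/saml2/ecp": "SAML2.ECP",
}

# Sample log: first three lines from the idp-process.log excerpt above,
# last line constructed for a second RP / profile.
SAMPLE_LOG = """\
2018-12-26 01:33:31,126 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration EntityNames[https://sp1.gluu.org/shibboleth,] for request
2018-12-26 01:33:31,128 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/logout is not available for RP configuration EntityNames[https://sp1.gluu.org/shibboleth,] (RPID https://sp1.gluu.org/shibboleth)
2018-12-26 01:33:31,156 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
2018-12-26 01:40:02,001 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/query/attribute is not available for RP configuration EntityNames[https://sp2.example.test/shibboleth,] (RPID https://sp2.example.test/shibboleth)
"""


def find_missing_profiles(log):
    """Return one {'rpid', 'profile', 'bean'} dict per distinct (RP, profile) rejection.

    'bean' is None when the profile ID is not in PROFILE_BEAN."""
    lines = log.splitlines() if isinstance(log, str) else log
    seen, found = set(), []
    for line in lines:
        m = WARN_RE.search(line)
        if not m:
            continue
        key = (m["rpid"], m["profile"])
        if key in seen:
            continue
        seen.add(key)
        found.append({"rpid": m["rpid"], "profile": m["profile"],
                      "bean": PROFILE_BEAN.get(m["profile"])})
    return found


def relying_party_snippet(rpid, beans):
    """Render a RelyingPartyByName override listing the given profile beans
    (standard IdP v3 relying-party.xml syntax); rpid is XML-attribute quoted."""
    refs = "\n".join(f'            <ref bean="{b}" />' for b in beans)
    return (f'<bean parent="RelyingPartyByName" c:relyingPartyIds={quoteattr(rpid)}>\n'
            '    <property name="profileConfigurations">\n'
            '        <list>\n'
            f'{refs}\n'
            '        </list>\n'
            '    </property>\n'
            '</bean>')


if __name__ == "__main__":
    for hit in find_missing_profiles(SAMPLE_LOG):
        print(hit["rpid"], "rejects", hit["profile"], "-> bean", hit["bean"])
        if hit["bean"]:
            print(relying_party_snippet(hit["rpid"], ["SAML2.SSO", hit["bean"]]))
```

In a Gluu deployment relying-party.xml is produced from oxTrust's Velocity templates (the `.vm` files other issues on this page mention), so the snippet shows what the generated file has to contain for the RP; exposing that as a per-relying-party option is what this issue asks for. Leaving the profile out is the safe default, since an RP that cannot trigger SAML2 logout also cannot end other SPs' sessions through the IdP.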

generate ZIP file - attribute-map.xml - released attribute strings are not replaced

With reference to this ticket https://support.gluu.org/single-sign-on/5260/saml-trust-relationship-generate-zip-file-attribute-mapxml-released-attribute-strings-are-not-replaced/, attribute names are not in a valid format when you download the Shibboleth 3 configuration files for the selected TR.

Steps to reproduce:

  1. Create a new TR
  2. Click "Shibboleth 3 configuration files" ZIP file.
  3. Check attribute-map.xml

Actual output -

<Attribute name="urn:oid:$attrParams.attributeOids.get($attribute.name)" id="emailVerified"/>
<Attribute name="urn:oid:$attrParams.attributeOids.get($attribute.name)" id="iname"/>
<Attribute name="urn:oid:$attrParams.attributeOids.get($attribute.name)" id="c"/>
<Attribute name="urn:oid:$attrParams.attributeOids.get($attribute.name)" id="gluuStatus"/>
<Attribute name="urn:oid:$attrParams.attributeOids.get($attribute.name)" id="givenName"/>
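What the output above shows is Velocity leaving an unresolvable reference in the rendered file verbatim, so the SP receives `urn:oid:$attrParams.attributeOids.get($attribute.name)` as an attribute name. The following is an added example, not oxTrust code: a scanner that flags any `$ref`, `${ref}` or `$ref.method(...)` residue in a generated Shibboleth configuration file, so a build or deployment step can fail before the ZIP is handed to an SP. The first two sample lines are the ones from the issue; the third is constructed as a correctly rendered line.

```python
import re

# Start of a Velocity reference: $name, $!name, ${name}, $!{name}.
REF_START = re.compile(r"\$!?\{?[A-Za-z_][A-Za-z0-9_]*")

# Sample attribute-map.xml: two lines from the issue, one constructed clean line.
SAMPLE_ATTRIBUTE_MAP = """\
<Attribute name="urn:oid:$attrParams.attributeOids.get($attribute.name)" id="emailVerified"/>
<Attribute name="urn:oid:$attrParams.attributeOids.get($attribute.name)" id="iname"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
"""


def _scan_reference(line, start):
    """Return the index just past the reference that starts at line[start]=='$',
    following .member chains, (…) argument lists with nesting, and a closing
    brace for the ${…} form."""
    i = start + 1                       # skip '$'
    if line.startswith("!", i):
        i += 1
    braced = line.startswith("{", i)
    if braced:
        i += 1
    n = len(line)
    while i < n:
        c = line[i]
        if c.isalnum() or c == "_":
            i += 1
        elif c == "." and i + 1 < n and (line[i + 1].isalpha() or line[i + 1] == "_"):
            i += 1
        elif c == "(":
            depth = 0
            while i < n:
                if line[i] == "(":
                    depth += 1
                elif line[i] == ")":
                    depth -= 1
                    if depth == 0:
                        i += 1
                        break
                i += 1
        elif c == "}" and braced:
            i += 1
            break
        else:
            break
    return i


def find_velocity_residue(text):
    """Return [(line_no, reference_text)] for every unrendered reference in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pos = 0
        while True:
            m = REF_START.search(line, pos)
            if not m:
                break
            end = _scan_reference(line, m.start())
            hits.append((lineno, line[m.start():end]))
            pos = end                   # nested $refs inside (...) are part of the hit
    return hits


def is_clean(text):
    """True when no template residue remains."""
    return not find_velocity_residue(text)


if __name__ == "__main__":
    for lineno, ref in find_velocity_residue(SAMPLE_ATTRIBUTE_MAP):
        print(f"line {lineno}: unrendered reference {ref}")
    print("clean:", is_clean(SAMPLE_ATTRIBUTE_MAP))
```

The same check applies to every file in the generated ZIP (attribute-filter.xml, relying-party.xml, metadata), since any of them can be produced from a template with a missing context object.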

Metadata validation failing for any sp in 3.1.4 fresh installation

  • Situation: Any SP metadata validation is failing
    localsp_validation

  • This is somehow related to this issue?

  • How to reproduce:

    • Try to create trust relationship with attached metadata ( it's a Shibboleth SP vanilla metadata ). Please rename that file to 'abc.xml'
      localsp_gluu_org_shib_sp_metadata.xml.txt

    • You will see an error like the one below in identity.logs:

    2018-10-22 13:16:20,996 ERROR [qtp804611486-197] [apache.velocity.runtime.parser.node.ASTComparisonNode] (ASTComparisonNode.java:100) - Left side ($trustParams.trustEntityIds.get($trustRelationship.inum).size()) of comparison operation has null value at attribute-filter.xml.vm[line 8, column 93]

    • Gluu Server is validating the metadata [ Status: Validation Scheduled ]
    • Finally, Gluu Server can't validate it, with the error below in identity.logs:
2018-10-22 13:29:45,181 WARN  [Thread-267] [org.opensaml.xml.parse.LoggingErrorHandler] (LoggingErrorHandler.java:56) - XML Parsing Error
org.xml.sax.SAXParseException: schema_reference.4: Failed to read schema document 'http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203) ~[?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.warning(ErrorHandlerWrapper.java:99) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:392) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.reportSchemaErr(XSDHandler.java:4154) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.reportSchemaWarning(XSDHandler.java:4149) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.getSchemaDocument1(XSDHandler.java:2491) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.getSchemaDocument(XSDHandler.java:2193) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.resolveSchema(XSDHandler.java:2084) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.constructTrees(XSDHandler.java:1014) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.parseSchema(XSDHandler.java:625) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.loadSchema(XMLSchemaLoader.java:610) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.loadGrammar(XMLSchemaLoader.java:569) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.loadGrammar(XMLSchemaLoader.java:535) [?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.jaxp.validation.XMLSchemaFactory.newSchema(XMLSchemaFactory.java:254) [?:1.8.0_181]
	at org.opensaml.xml.schema.SchemaBuilder.buildSchema(SchemaBuilder.java:271) [xmltooling-1.4.6.jar:?]
	at org.opensaml.xml.schema.SchemaBuilder.buildSchema(SchemaBuilder.java:153) [xmltooling-1.4.6.jar:?]
	at org.opensaml.xml.schema.SchemaBuilder.buildSchema(SchemaBuilder.java:124) [xmltooling-1.4.6.jar:?]
	at org.opensaml.xml.schema.SchemaBuilder.buildSchema(SchemaBuilder.java:88) [xmltooling-1.4.6.jar:?]
	at org.gluu.oxtrust.ldap.service.Shibboleth3ConfService.validateMetadata(Shibboleth3ConfService.java:1406) [classes/:?]
	at org.gluu.oxtrust.ldap.service.MetadataValidationTimer.validateMetadata(MetadataValidationTimer.java:184) [classes/:?]
	at org.gluu.oxtrust.ldap.service.MetadataValidationTimer.procesMetadataValidation(MetadataValidationTimer.java:113) [classes/:?]
	at org.gluu.oxtrust.ldap.service.MetadataValidationTimer.processMetadataValidationTimerEvent(MetadataValidationTimer.java:103) [classes/:?]
	at org.gluu.oxtrust.ldap.service.MetadataValidationTimer$Proxy$_$$_WeldSubclass.processMetadataValidationTimerEvent$$super(Unknown Source) [classes/:?]
	at sun.reflect.GeneratedMethodAccessor636.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]
	at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:51) [weld-core-impl-3.0.5.Final.jar:3.0.5.Final]
	at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:78) [weld-core-impl-3.0.5.Final.jar:3.0.5.Final]
	at org.xdi.service.cdi.async.AsynchronousInterceptor$1.get(AsynchronousInterceptor.java:36) [oxcore-service-3.1.4.Final.jar:?]
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [?:1.8.0_181]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
Caused by: java.net.UnknownHostException: shibboleth.net
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184) ~[?:1.8.0_181]
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_181]
	at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_181]
	at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_181]
	at sun.net.NetworkClient.doConnect(NetworkClient.java:180) ~[?:1.8.0_181]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:463) ~[?:1.8.0_181]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:558) ~[?:1.8.0_181]
	at sun.net.www.http.HttpClient.<init>(HttpClient.java:242) ~[?:1.8.0_181]
	at sun.net.www.http.HttpClient.New(HttpClient.java:339) ~[?:1.8.0_181]
	at sun.net.www.http.HttpClient.New(HttpClient.java:357) ~[?:1.8.0_181]
	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1220) ~[?:1.8.0_181]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1156) ~[?:1.8.0_181]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1050) ~[?:1.8.0_181]
	at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:984) ~[?:1.8.0_181]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564) ~[?:1.8.0_181]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:647) ~[?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:148) ~[?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.opti.SchemaParsingConfig.parse(SchemaParsingConfig.java:583) ~[?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.opti.SchemaParsingConfig.parse(SchemaParsingConfig.java:686) ~[?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.opti.SchemaDOMParser.parse(SchemaDOMParser.java:530) ~[?:1.8.0_181]
	at com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.getSchemaDocument(XSDHandler.java:2181) ~[?:1.8.0_181]

Federation TR is not presenting SP list link

No 'Select entityID of this Trust Relationship' option for federated SP.

When we move to create a 'Federated/Aggregate' trust relationship, it should provide us a link from where we can select our desired SP's entityID. Nothing showing in 3.0.0.

This is how a federated trust relationship should work, check out 'Federated' section here

In 3.0.0 Beta 6, there is nothing; only this:

screenshot_4

However, I can see from the log that oxTrust is actually loading that metadata. See the huge list of entityIDs below:

screenshot_3

How to reproduce the issue:

  1. oxTrust version:
GLUU.root@test:~# cat /opt/jetty-9.3/temp/jetty-localhost-8082-identity.war-_identity-any-8581219010741998174.dir/webapp/META-INF/MANIFEST.MF
Manifest-Version: 1.0
Implementation-Title: oxTrust Server
Implementation-Version: 3.0.0-SNAPSHOT
Archiver-Version: Plexus Archiver
Built-By: tomcat
Implementation-Build: ae91c
Implementation-Vendor-Id: org.xdi
Build-Jdk: 1.7.0_79
Created-By: Apache Maven 3.3.9

GLUU.root@test:~#

  2. Create a 'URI' method Trust Relationship with InCommon metadata ( http://md.incommon.org/InCommon/InCommon-metadata.xml )

  3. After successful validation of the above TR, let's move forward.

  4. Create a new Trust Relationship, select Metadata Type: 'Federation/Aggregate'. Nothing comes.

  5. Go back to home screen; try to create new TR, this time select 'Metadata Location: Federation'. A new drop down will appear named 'Federation Name' but it's not presenting anything.

no. 4 and no. 5 are confusing.

Here is a suggested working scenario:

  1. Create New TR

  2. Entity Type: Federation; 'Federation Name' will appear, from where we can select our 'InCommon' or whichever Federation we added already.

  3. After selecting 'InCommon' or any other federation, a new link will appear which will allow us to select our desired entityID.

If you want, I can share a screen recording.

Metadata validation failing for any sp in 3.1.4 fresh installation

  • Situation: Any SP metadata validation is failing
    localsp_validation

  • This is somehow related to this issue?

  • How to reproduce:

    • Try to create trust relationship with attached metadata ( it's a Shibboleth SP vanilla metadata ). Please rename that file to 'abc.xml'
      localsp_gluu_org_shib_sp_metadata.xml.txt

    • You will see error like below in identity.logs:

    2018-10-22 13:16:20,996 ERROR [qtp804611486-197] [apache.velocity.runtime.parser.node.ASTComparisonNode] (ASTComparisonNode.java:100) - Left side ($trustParams.trustEntityIds.get($trustRelationship.inum).size()) of comparison operation has null value at attribute-filter.xml.vm[line 8, column 93]
    
    • Gluu Server is validating the metadata [ Status: Validation Scheduled ]
    • Finally Gluu Server can't validate it with below error in identity.logs:
2018-10-22 13:29:45,181 WARN  [Thread-267] [org.opensaml.xml.parse.LoggingErrorHandler] (LoggingErrorHandler.java:56) - XML Parsing Error
org.xml.sax.SAXParseException: schema_reference.4: Failed to read schema document 'http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
Caused by: java.net.UnknownHostException: shibboleth.net

conversation state not found for a key

I can see following log trace in idp-process.log

ERROR [net.shibboleth.idp.authn.ExternalAuthenticationException:76] - net.shibboleth.idp.authn.ExternalAuthenticationException: No conversation state found in session for key (e1s1) at net.shibboleth.idp.authn.ExternalAuthentication.startExternalAuthentication(ExternalAuthentication.java:142)

while redirecting user on redirect uri in passport authentication

Update Shib to work correctly with oxAuth 3.1.0

Initial issue was:

Can't proceed with CAS testing, seems like Shib integration doesn't work:

Problem accessing /idp/Authn/RemoteUser. Reason:

    Server Error
Caused by:

java.lang.NoSuchMethodError: org.jboss.resteasy.client.ClientResponse.getLocationLink()Lorg/jboss/resteasy/spi/Link;
 at org.xdi.oxauth.client.BaseResponse.<init>(BaseResponse.java:36)
 at org.xdi.oxauth.client.BaseResponseWithErrors.<init>(BaseResponseWithErrors.java:33)
 at org.xdi.oxauth.client.TokenResponse.<init>(TokenResponse.java:42)
 at org.xdi.oxauth.client.TokenClient.exec(TokenClient.java:280)
 at org.xdi.oxauth.client.TokenClient.execAuthorizationCode(TokenClient.java:84)

IDP breaks deployment

When I select the SAML IDP for installation, I can't even login to oxTrust. If I don't install the IDP component, oxTrust installs ok.

I get this message:

image

Logs:

Caused by:
org.gluu.site.ldap.persistence.exception.EntryPersistenceException: Failed to find entry with baseDN: inum=@!C1D3.F094.7A2B.E9B6!0002!CECA.D884!0006!1191.2E9B,ou=trustRelationships,inum=@!C1D3.F094.7A2B.E9B6!0002!CECA.D884,ou=appliances,o=gluu, filter: (&(objectClass=top)(objectClass=gluuSAMLconfig))
.
.
.
Caused by:
LDAPSearchException(resultCode=32 (no such object), numEntries=0, numReferences=0, errorMessage='no such object', matchedDN='ou=trustRelationships,inum=@!C1D3.F094.7A2B.E9B6!0002!CECA.D884,ou=appliances,o=gluu')

CE 3.0.0 Shibboleth: Unable to create Trust Relationship [ File method ]

Situation: Trying to create a trust relationship with SP metadata but it's failing.

Background check:

  • Seems like oxTrust is generating ldap entry for new trust relationship
  • But oxTrust is unable to transfer metadata from /opt/shibboleth-idp/temp_metadata location to /opt/shibboleth-idp/metadata after validation checking.
  • Which results in a System Error with stack trace "Unable to read metadata" ( because it's not present in the /metadata location ).

Stack trace:

  • As you can see, when I went to create a new TR, its metadata is inside temp_metadata:
jetty@proxy:/opt/shibboleth-idp/temp_metadata$ ls
79A0789975C4F4890002C85F45860006BE899BFD-sp-metadata.xml1D0D.B83C  79A0789975C4F4890002C85F45860006FF0E277D-sp-metadata.xml109F.AAA6
jetty@proxy:/opt/shibboleth-idp/temp_metadata$
  • However it's not transferring to stable 'metadata' location ( The workflow is: after validating metadata; it should be transferred to 'metadata' location )
jetty@proxy:/opt/shibboleth-idp/metadata$ ls
79A0789975C4F4890002C85F4586000620B378B3-sp-metadata.xml  idp-metadata.xml
jetty@proxy:/opt/shibboleth-idp/metadata$ pwd
/opt/shibboleth-idp/metadata
jetty@proxy:/opt/shibboleth-idp/metadata$

JAR Archive with static IDP3 files

IDP3 has 3 parts to install with gluu-server installer:

  1. idp.war, created by oxShibboleth POM script.
  2. templates in community-edition-setup for configuration with setup.py
  3. A big set of static files (unchanged during installation) - XML configs, velocity templates, flow configs, etc.

Create separate JAR file with IDP3's static files. Add downloading step in setup.py

Support ForceAuthn=true

Section 4.1.3.4 of the SAML-Profile document (in the Web SSO Profile section) specifies:

The ForceAuthn <AuthnRequest> attribute, if present with a value of true, obligates the identity provider to freshly establish this identity, rather than relying on an existing session it may have with the principal.

It would be nice if we could support this.

In OpenID Connect we can use the prompt=login parameter to do something similar.

Create authentication flow to replace RemoteUser flow

Now our oxShibboleth authentication is based on servlet filters and an empty RemoteUser flow.
This solution has limited capabilities:

  • No ForceAuthn support in RemoteUser flow.
  • No server-side session support (so logout distribution is impossible).
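The ForceAuthn request above and the RemoteUser-flow limitations listed here come down to one decision: may the IdP reuse its existing session for this AuthnRequest, and how is that decision carried to oxAuth? The following is an added example in Python, not code from oxShibboleth or Shibboleth IDP; the AuthnRequest, entityID, client id, redirect URI and oxAuth host are constructed placeholders, and the request is assumed to have had its signature verified before this point.

```python
"""Added example (not oxShibboleth code): honour ForceAuthn on the IdP side
and carry it to oxAuth as prompt=login. All names and URLs are placeholders."""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest; not captured from a real SP.
AUTHN_REQUEST_FORCE = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2018-10-22T13:16:20Z"
    ForceAuthn="true"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""
# Same request without the attribute: ForceAuthn then defaults to false.
AUTHN_REQUEST_PLAIN = AUTHN_REQUEST_FORCE.replace('    ForceAuthn="true"\n', "")


def parse_force_authn(authn_request_xml: str) -> bool:
    """True when the SP asked for fresh authentication (ForceAuthn="true"/"1").

    ForceAuthn is an xs:boolean defaulting to false, so an absent attribute or
    any other value lets the IdP rely on its existing session. The request is
    assumed to be signature-verified already; for untrusted XML in production
    use a hardened parser (e.g. defusedxml) rather than plain ElementTree.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def must_reauthenticate(force_authn: bool, session_age: Optional[int],
                        max_session_age: int) -> bool:
    """Decide whether the IdP may reuse its session for this request.

    A filter-based RemoteUser integration cannot make this distinction, so a
    stale IdP session silently satisfies an SP that demanded re-authentication.
    """
    if force_authn:
        return True                      # SP demanded fresh authentication
    if session_age is None:
        return True                      # no IdP session at all
    return session_age > max_session_age  # otherwise reuse only a fresh one


def build_oxauth_authorize_url(authorize_endpoint: str, client_id: str,
                               redirect_uri: str, state: str, nonce: str,
                               force_login: bool) -> str:
    """OIDC authorization request the delegating plugin sends to oxAuth.

    prompt=login is the OpenID Connect counterpart of ForceAuthn: oxAuth must
    re-prompt for credentials even if it already holds a session for the user.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,   # binds the callback to this SAML conversation
        "nonce": nonce,   # binds the ID token to this request
    }
    if force_login:
        params["prompt"] = "login"
    return authorize_endpoint + "?" + urlencode(params)
```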

SAML metadata is not processing properly

Two situations in 3.1.0 RC2:

  • After uploading metadata, IDP is storing that as E3CCCC59179506D50002EC5321BD00064AB92AD4-sp-metadata.xml31A7.3F8C [ Note that '31A7.3F8C' part after .abc-sp-metadata.xml ]. Correct one should be: E3CCCC59179506D50002EC5321BD00064AB92AD4-sp-metadata.xml

  • IDP is not cleaning that metadata even after I delete the trust relationship from oxTrust. Screenshot attached.

screenshot_1

Restore previous configuration for nameid generation

According to @yurem , it was decided to remove elements related to SAML1 nameid generation from /opt/shibboleth-idp/conf/saml-nameid.xml in 3.1.4. It turned out that by simply removing it from there the whole nameid generation process is sabotaged, including SAML2 nameids. Apparently, this bean element is referenced from other parts of configuration, which need to be modified in tandem with this file.

It may be better to restore this file to its original state until a better solution is found. For this, the text provided below must be re-added to /opt/gluu/jetty/identity/conf/shibboleth3/idp/saml-nameid.xml.vm:

    <!-- SAML 1 NameIdentifier Generation -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">

        <ref bean="shibboleth.SAML1TransientGenerator" />

        <!--
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->

    </util:list>

Update our Saml authentication code to use IDP 3 flows

In our IDP3 we use old IDP2 filters to do SAML authentication. But IDP3 has a flow specially developed for this. There are cases when our old integration led to errors. In some circumstances a person does not get the login form because we are not initializing the flow properly.
