Shibboleth Integration

    Nikhil
    # 8 years, 4 months ago

    Can you please let me know What version of plugin are you using?

    Thanks,
    Nikhil

    Ted
    # 8 years, 4 months ago

    v3.4

    Thanks,
    Ted

    Nikhil
    # 8 years, 4 months ago

    Ted,

    Please update the plugin. It should work then. Go to plugins in WP admin and click on “Update now” against miniorange plugin.

    Thanks,
    Nikhil

    Ted
    # 8 years, 4 months ago

    Hello Nikhil,

    Thanks again for the help in resolving the miniOrange/SSO/Shibboleth integration issues we were having with our Production WP site. Everyone involved is very happy that the site is now working/available, and it is being actively used.

    As I mentioned at the end, we had the final task of also getting our companion Development WP site to work as well. Will you be able to help resolve the issues we are having with the Dev site? The Dev site authenticates against a separate Shib Dev/Test Shibboleth IdP server. All of the MO plugin IdP, SP, Attribute, etc. settings have been configured accordingly for the Shib IdP Dev/Test server (and compared to the Production site, as a reference), and appear to be correct, but the issue/symptom being received is the same “NameID… Missing” error (with a blank page, and after successfully authenticating), similar to the original error that we had had with the Prod site:

    Fatal error: Uncaught exception 'Exception' with message 'Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.' in D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Assertion.php:140 Stack trace: #0 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Assertion.php(112): SAML2_Assertion->parseSubject(Object(DOMElement)) #1 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Response.php(63): SAML2_Assertion->__construct(Object(DOMElement)) #2 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\mo_login_saml_sso_widget.php(288): SAML2_Response->__construct(Object(DOMElement)) #3 [internal function]: mo_login_validate('') #4 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-includes\plugin.php(503): call_user_func_array('mo_login_valida...', Array) #5 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-settings.php(353): do_action('init') #6 D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-config.php(97): require_once('D:\\OIT_DEV\\IEE in D:\OIT_DEV\IEEDev.med.jhmi.edu\wp-content\plugins\miniorange-saml-20-single-sign-on\Assertion.php on line 140

    The configuration has been compared between our working Prod and the Dev a few times and appears to be correct, but we may be missing something. Will you be able to help?

    Thanks,
    Ted

    Nikhil
    # 8 years, 4 months ago

    Hi Ted,

    Please verify these:

    In conf/attribute-resolver.xml, confirm that you have the following configuration:

    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId"
                                  xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                                   nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </resolver:AttributeDefinition>

    In conf/attribute-filter.xml, confirm that you have released the transientId attribute to the relying party like this:

    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    Once this is done, configure the plugin’s attribute mapping tab like the way we did earlier.

    Thanks,
    Nikhil

    Ted
    # 8 years, 4 months ago

    Nikhil,

    Thanks for your reply. We will follow up and check the settings below.

    Thanks,
    Ted

    Ted
    # 8 years, 4 months ago

    I’m not sure what I’m missing here, but it’s still not working.

    Ted

    Nikhil
    # 8 years, 4 months ago

    Hi Ted,

    Please follow the below-mentioned steps and verify:
    Open the SP metadata file (in a browser) that you have used to configure Shibboleth. (You might have copied it to the metadata folder of the Shibboleth installation.)
    Verify that you have the following 6 lines in the content of the SP metadata:
    <md:NameIDFormat>
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
    <md:NameIDFormat>
    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    </md:NameIDFormat>
    <md:NameIDFormat>
    urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </md:NameIDFormat>

    It might happen that you would be using the older plugin. We had replaced the new version of premium plugin in the staging instance as well when we were resolving it.

    Thanks,
    Nikhil
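    The two checks Nikhil describes above (is the IdP releasing a NameID into the assertion's Subject, and does the SP metadata advertise the NameIDFormat values the IdP is expected to honour) can be scripted so they are verified against the actual SAML traffic rather than by eye. The following Python script is an added example, not part of this thread and not miniOrange's or Shibboleth's code; the SP metadata, the two SAML responses and all entity IDs in it are constructed sample data, and the "diagnose" findings are my own wording.

```python
"""Diagnostics for the 'Missing <saml:NameID> or <saml:EncryptedID> in
<saml:Subject>' error: check SP metadata for the expected NameIDFormat
entries and check a decoded SAMLResponse for a Subject NameID.
All XML below is constructed sample input (hypothetical entity IDs)."""
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# The three formats the thread says must appear in the SP metadata.
EXPECTED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed SP metadata (hypothetical entityID), advertising all three formats.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
# Same metadata with the transient format left out (the misconfiguration case).
METADATA_WITHOUT_TRANSIENT = SAMPLE_SP_METADATA.replace(
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>", "")

# Constructed response: the IdP released a transient NameID in the Subject.
GOOD_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
    <saml:Issuer>https://idp-dev.example.invalid/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""
# Constructed response: Subject present but no NameID/EncryptedID (the thread's symptom).
BAD_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2017-01-01T00:00:00Z">
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
    <saml:Issuer>https://idp-dev.example.invalid/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""
# What the browser would POST as the SAMLResponse form field (base64 of the XML).
SAMPLE_POST_VALUE = base64.b64encode(GOOD_RESPONSE.encode()).decode()


def decode_saml_response(post_value: str) -> str:
    """Turn the base64 SAMLResponse form value back into XML text."""
    return base64.b64decode(post_value).decode("utf-8")


def metadata_nameid_formats(metadata_xml: str) -> Set[str]:
    """NameIDFormat values advertised in the SP metadata. Raises
    ET.ParseError if the metadata is not well-formed XML (Kevin's case)."""
    root = ET.fromstring(metadata_xml)
    return {(el.text or "").strip() for el in root.iter("{%s}NameIDFormat" % NS["md"])}


def missing_nameid_formats(metadata_xml: str) -> Set[str]:
    """Expected formats that the SP metadata does not advertise."""
    return EXPECTED_FORMATS - metadata_nameid_formats(metadata_xml)


def subject_nameid(response_xml: str) -> Optional[Tuple[str, Optional[str]]]:
    """(format, value) of the first assertion's Subject NameID,
    ("EncryptedID", None) if encrypted, or None when absent."""
    root = ET.fromstring(response_xml)
    subject = root.find("saml:Assertion/saml:Subject", NS)
    if subject is None:
        return None
    nameid = subject.find("saml:NameID", NS)
    if nameid is not None:
        return (nameid.get("Format", "unspecified"), (nameid.text or "").strip())
    if subject.find("saml:EncryptedID", NS) is not None:
        return ("EncryptedID", None)
    return None


def diagnose(metadata_xml: str, response_xml: str) -> List[str]:
    """Findings a defender acts on; an empty list means both checks passed."""
    findings = []
    missing = missing_nameid_formats(metadata_xml)
    if missing:
        findings.append("SP metadata lacks NameIDFormat(s): " + ", ".join(sorted(missing)))
    nameid = subject_nameid(response_xml)
    if nameid is None:
        findings.append("assertion Subject has no NameID/EncryptedID: check the IdP's "
                        "attribute-resolver.xml and attribute-filter.xml release of transientId")
    elif nameid[0] != "EncryptedID" and nameid[0] not in metadata_nameid_formats(metadata_xml):
        findings.append("IdP returned NameID format %s, which the SP metadata does not advertise" % nameid[0])
    return findings


if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, diagnose(SAMPLE_SP_METADATA, decode_saml_response(
            base64.b64encode(resp.encode()).decode())) or "OK")
```

    In practice the SAMLResponse value comes from the browser's POST to the plugin's ACS URL (captured in the browser's developer tools), and the metadata is the file served by metadata.php that Nikhil asks for below; a failed "subject_nameid" check points at the IdP side (attribute-resolver.xml / attribute-filter.xml), while a failed metadata check points at the SP side.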

    Ted
    # 8 years, 4 months ago

    Nikhil,

    Thanks for your reply, FYI – we uninstalled and reinstalled the latest Premium version (from scratch), just for the sake of doing it, because I remembered that in the course of the prior troubleshooting with our Production website, you had us do that there. So, having done that on our Development site, we’ll try and test with the information.

    Thanks,
    Ted

    Nikhil
    # 8 years, 4 months ago

    Ted,

    Can you get the metadata for me, as outlined here?

    https://ieedev.med.jhmi.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/metadata.php

    Thanks!

    Kevin
    # 8 years, 4 months ago

    The metadata is not a valid XML file.

    Thanks,
    Kevin

    Nikhil
    # 8 years, 4 months ago

    Hi Kevin,

    Please find the attached metadata.xml. It should work.

    Thanks,
    Nikhil

    Ted
    # 8 years, 4 months ago

    Yep, that did the trick. Thanks!

    Ted

    Ted
    # 8 years, 4 months ago

    Yes, the Dev site appears to be OK.

    Kevin and Nikhil – Thanks very much for all of your help, time, and efforts in also getting the Development site to work, as well. It is greatly appreciated by all.

    Thanks,

    Ted
