Tuesday 6 October 2009

Upgrade to shibboleth-idp2.1.3

Shibboleth-idp 2.1.3 brings some great news, like properties now working inside attribute-resolver.

Unfortunately this upgrade should be taken seriously: I just unpacked the src, noticed a minor glitch from my previous setup (StoredID now requires just one dependency, no more), then suddenly all connections from IE were broken with a white page and the following trace in the logs:

 at java.lang.Thread.run(Thread.java:619) [na:1.6.0_12]
10:07:05.583 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:143] - Unable to redirect to login page.
org.apache.jasper.JasperException: Exception in JSP: /login.jsp:10

7:     LoginContext loginContext = HttpServletHelper.getLoginContext(HttpServletHelper.getStorageService(application),
8:                                                                   application, request);
9:                                                                   
10:     EntityDescriptor entityDescriptor = HttpServletHelper.getRelyingPartyMetadata(loginContext.getRelyingPartyId(),
11:                                                    HttpServletHelper.getRelyingPartyConfirmationManager(application)); 
12:                                                     
13:     Session userSession = HttpServletHelper.getUserSession(request);

As Mozilla Firefox ran great, I double-checked the configuration files until, out of desperation, I upgraded Tomcat from version 5.5 to 6. Issue solved.

Frankly speaking, this is documented at Preparing Apache Tomcat for the Shibboleth Identity Provider, but the issue arises on Debian: on RedHat there is no trouble.

Now the fun part, a property file for attribute-resolver.xml: it is now possible to change the attribute-resolver.xml definition in handler.xml as follows:
<Service id="shibboleth.AttributeResolver"
         xsi:type="attribute-resolver:ShibbolethAttributeResolver">
    <ConfigurationResource file="/opt/shibboleth-idp/conf/attribute-resolver.xml"
                           xsi:type="resource:FilesystemResource">
        <ResourceFilter xsi:type="PropertyReplacement"
                        xmlns="urn:mace:shibboleth:2.0:resource"
                        propertyFile="/opt/shibboleth-idp/conf/my.properties"/>
    </ConfigurationResource>
</Service>

where my.properties is:
bind_dn = cn=admin,dc=test,dc=com
bind_pw = WN./NHmh

which is then referenced from attribute-resolver.xml as:
<resolver:DataConnector id="ldap1" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldap://localhost"
                        baseDN="ou=people,dc=test,dc=com"
                        principal="${bind_dn}"
                        principalCredential="${bind_pw}"
                        useStartTLS="true">
    <FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </FilterTemplate>
</resolver:DataConnector>
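The substitution the PropertyReplacement filter performs, reproduced as an added Python pre-deployment check that is not part of this post or of Shibboleth: it parses a my.properties file, fills the ${bind_dn} and ${bind_pw} placeholders into a resolver fragment, reports any placeholder that has no value (a key typo would otherwise leave the literal string as the bind password), and checks that the file mode keeps the password out of reach of group and other. The sample properties and resolver fragment are constructed, and the ${use_tls} placeholder is an assumption added to show the unresolved case.

```python
import re
import stat

# Constructed sample input mirroring the post's my.properties; the password is
# the post's own example value, not a real credential.
SAMPLE_PROPERTIES = """# LDAP bind credentials for attribute-resolver.xml
bind_dn = cn=admin,dc=test,dc=com
bind_pw = WN./NHmh
"""
# Constructed resolver fragment; ${use_tls} deliberately has no property, to
# show how an unresolved placeholder is reported.
SAMPLE_RESOLVER_XML = ('<resolver:DataConnector id="ldap1" principal="${bind_dn}" '
                       'principalCredential="${bind_pw}" useStartTLS="${use_tls}"/>')
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """java.util.Properties subset: '#'/'!' comments, blank lines, 'k = v' or
    'k: v'. The first '=' or ':' ends the key, so a DN value survives intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        cut = min(seps) if seps else len(line)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def substitute(xml_text, props):
    """Replace each ${name} with its property value, as the PropertyReplacement
    filter does at load time. Also returns the sorted unresolved names, so a key
    typo is caught before the IdP binds with the literal '${bind_pw}'."""
    missing = set()

    def repl(match):
        name = match.group(1)
        if name in props:
            return props[name]
        missing.add(name)
        return match.group(0)  # keep it visible rather than silently blank

    return PLACEHOLDER.sub(repl, xml_text), sorted(missing)


def mode_is_private(st_mode):
    """True when a properties file mode grants no read access to group or other,
    the minimum for a file holding a bind password (e.g. chmod 0600)."""
    return not (stat.S_IMODE(st_mode) & (stat.S_IRGRP | stat.S_IROTH))
```

Run it against the real /opt/shibboleth-idp/conf/my.properties and attribute-resolver.xml before restarting Tomcat, passing os.stat(path).st_mode to mode_is_private.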

More examples at Dealing with Sensitive Configuration Information