Thursday, 4 December 2008

Shibboleth and gmail integration

I started from Will document.

Time needed to have a working shibboleth2.1 IdP with google was a morning.

My difficulties: I was longly blocked by:

ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:564] - No user identified by login handler.

11:48:45.683 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:527] - Authentication failed with the error:

edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.

at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:565) [shibboleth-identityprovider-2.1.0.jar:na]
[...]

It means login handler is not working. In my case, in conf/handler.xml, I forgot to comment

<loginhandler type="RemoteUser">
<authenticationmethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</authenticationmethod>

</loginhandler>

which happens to be before Username/password login handler. So SAML2 Redirect SSO tried wrong unconfigured handler and a error was issued.

Instead this error:

ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:453] - Passive
authentication required but no login handlers available
to support it

means nothing: just so-called lazy session doesn't work because no previous session is present. Just log-in to another service to see this un-harming error disappear.

I read somewhere to disable the attribute release of the transientId to google.com. I did as directed, but I'm not really sure if a useful trick.

3 comments:

Unknown said...

Hello, i'm currently working on an integration similar to yours.Did you made the validation against a Database or LDAP?

Thanks in advance.

Unknown said...

Hello,

I'm working on an integration similar to yours. Did you made the validation of users against a Database or LDAP?

Thanks in advance!

Francesco said...

LDAP; I don't know of easy working way to validate users against Database.

Attribute Authority is a whole different thing: of course it is possible to gather attributes from LDAP or from db.