Thursday 4 December 2008

Shibboleth and gmail integration

I started from Will's document.

The time needed to get a working Shibboleth 2.1 IdP with Google was a morning.

My difficulties: I was blocked for a long time by:

ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:564] - No user identified by login handler.

11:48:45.683 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:527] - Authentication failed with the error:

edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.

at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:565) [shibboleth-identityprovider-2.1.0.jar:na]
[...]

It means the login handler is not working. In my case, in conf/handler.xml, I forgot to comment out

<LoginHandler xsi:type="RemoteUser">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
</LoginHandler>

which happens to come before the Username/password login handler. So the SAML2 Redirect SSO tried the wrong, unconfigured handler and an error was issued.
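A way to check handler.xml for this mistake, added here as an example and not taken from the original post or the Shibboleth project: it lists the login handlers that are still active (not commented out) in file order and flags a RemoteUser handler placed ahead of UsernamePassword. The function names, the two sample files and the JAAS path are constructed assumptions.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
HEAD = ('<ProfileHandlerGroup xmlns="urn:mace:shibboleth:2.0:idp:profile-handler" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">')
REMOTE_USER = """<LoginHandler xsi:type="RemoteUser">
  <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
</LoginHandler>"""
# Constructed handler entry; the JAAS configuration path is a placeholder.
USER_PASS = """<LoginHandler xsi:type="UsernamePassword"
    jaasConfigurationLocation="file:///path/to/login.config">
  <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>"""
TAIL = "</ProfileHandlerGroup>"

# Constructed inputs: the mistake from the post, and the file after commenting it out.
SAMPLE_BROKEN = "\n".join([HEAD, REMOTE_USER, USER_PASS, TAIL])
SAMPLE_FIXED = "\n".join([HEAD, "<!--", REMOTE_USER, "-->", USER_PASS, TAIL])


def local(name):
    """Drop a '{namespace}' or 'prefix:' qualifier from a tag or xsi:type value."""
    return name.rsplit("}", 1)[-1].split(":")[-1]


def active_login_handlers(xml_text):
    """Return (type, [methods]) for each uncommented LoginHandler, in file order."""
    handlers = []
    for el in ET.fromstring(xml_text).iter():  # the parser drops XML comments
        if local(el.tag) == "LoginHandler":
            methods = [m.text.strip() for m in el
                       if local(m.tag) == "AuthenticationMethod" and m.text]
            handlers.append((local(el.get(XSI_TYPE, "")), methods))
    return handlers


def check(xml_text):
    """Flag an active RemoteUser handler that precedes UsernamePassword."""
    types = [t for t, _ in active_login_handlers(xml_text)]
    if ("RemoteUser" in types and "UsernamePassword" in types
            and types.index("RemoteUser") < types.index("UsernamePassword")):
        return ["RemoteUser login handler is active ahead of UsernamePassword; "
                "comment it out if the container does not set REMOTE_USER"]
    return []


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, active_login_handlers(text), check(text))
```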

This error, instead:

ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:453] - Passive authentication required but no login handlers available to support it

means nothing: it is just that the so-called lazy session doesn't work because no previous session is present. Just log in to another service to see this harmless error disappear.

I read somewhere to disable the attribute release of the transientId to google.com. I did as directed, but I'm not really sure if it is a useful trick.

3 comments:

Unknown said...

Hello, I'm currently working on an integration similar to yours. Did you make the validation against a Database or LDAP?

Thanks in advance.

Unknown said...

Hello,

I'm working on an integration similar to yours. Did you make the validation of users against a Database or LDAP?

Thanks in advance!

Francesco said...

LDAP; I don't know of an easy working way to validate users against a Database.

Attribute Authority is a whole different thing: of course it is possible to gather attributes from LDAP or from a db.