shibboleth-dev - [Shib-Dev] InternetProtocol LoginHandler / Authentication
- From: "Noakes, Paul" <>
- To: <>
- Subject: [Shib-Dev] InternetProtocol LoginHandler / Authentication
- Date: Fri, 11 Dec 2009 13:02:34 -0000
Dear All,
I have been trialling the InternetProtocol login handler and have the following override defined for my sp2 application:
<ApplicationOverride id="sp2" entityID="https://sso.etc/etc">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/Shibboleth.sso" handlerSSL="false">
    <SessionInitiator type="SAML2" Location="/Login" isDefault="true" defaultACSIndex="1" id="cmif"
                      entityID="https://sso.etc/idp/shibboleth" template="bindingTemplate.html"
                      authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"/>
  </Sessions>
</ApplicationOverride>
With the following handler defined for the IdP:
<LoginHandler xsi:type="IPAddress" username="username" defaultDeny="true">
  <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
  <IPEntry>999.99.999.99/32</IPEntry> <!-- IP masked -->
</LoginHandler>
On successful authentication everything works as expected. However, when authentication fails, I receive an exception in the IdP:
…
12:54:23.091 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:444] - Completing user authentication process
12:54:23.091 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:503] - Validating authentication was performed successfully
12:54:23.091 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:508] - Error returned from login handler for authentication method urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol: Client failed IP address authentication
12:54:23.091 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:481] - Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: Client failed IP address authentication
…
Which results in the SP displaying the following sessionError:
opensaml::FatalProfileException
The system encountered an error at Fri Dec 11 12:54:23 2009
To report this problem, please contact the site administrator at mailto:".
Please include the following message in any email:
opensaml::FatalProfileException at (http://etc..)
SAML response contained an error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
I would expect the IdP to gracefully handle the authentication failure and for the SP to display the accessError. Am I missing something?
Kind Regards
Paul
--
Paul Noakes
Technical Architect
The British Library
www.bl.uk
t: +44 (0)1937 546475
m: +44 (0)7966 289132
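As an added example (not code from the thread or from Shibboleth itself), the following Python models the decision the IPAddress login handler makes for a client address and the Status/Sub-Status pair the SP then reports, so the AuthnFailed case above can be reproduced and recognised offline. It assumes that defaultDeny="true" turns the IPEntry list into an allow list (and "false" into a deny list), and uses constructed RFC 5737 addresses in place of the masked entry.

```python
import ipaddress
import re

# Constructed stand-ins for the page's masked <IPEntry>; RFC 5737 test ranges.
IP_ENTRIES = ["192.0.2.10/32", "198.51.100.0/24"]

SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAML_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
SAML_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"


def ip_login_allowed(client_ip, entries=IP_ENTRIES, default_deny=True):
    """Decide as the IPAddress login handler is assumed to:
    defaultDeny="true"  -> entries form an allow list, anything else is denied
    defaultDeny="false" -> entries form a deny list, anything else is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return default_deny
    return not default_deny


def saml_status_for(client_ip, entries=IP_ENTRIES, default_deny=True):
    """Map the decision to the (Status, Sub-Status) pair the SP shows."""
    if ip_login_allowed(client_ip, entries, default_deny):
        return (SAML_SUCCESS, None)
    # The IdP's AuthenticationException surfaces as Responder/AuthnFailed.
    return (SAML_RESPONDER, SAML_AUTHN_FAILED)


STATUS_RE = re.compile(r"^(Status|Sub-Status):\s*(urn:\S+)\s*$", re.MULTILINE)


def parse_sp_error(text):
    """Pull the Status/Sub-Status URIs out of the SP's sessionError text."""
    found = dict(STATUS_RE.findall(text))
    return (found.get("Status"), found.get("Sub-Status"))


# Constructed excerpt in the layout the SP error page uses.
SAMPLE_SP_ERROR = """opensaml::FatalProfileException
SAML response contained an error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
"""


def is_authn_failure(text):
    """True when the SP error is the IdP's AuthnFailed, the case the poster
    expected to appear as accessError rather than sessionError."""
    return parse_sp_error(text) == (SAML_RESPONDER, SAML_AUTHN_FAILED)
```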