Shibboleth Developers

[Chad La Joie <>]

I'm not sure what else you thought would happen?  The IdP recorded the 
authentication as a failure and it returned a failure message back to 
the SP.  One could certainly argue that the log message shouldn't be at 
the error level, but that's hardly an issue.

Noakes, Paul wrote:
> Dear All,
>
> I have been trialling the InternetProtocol login handler and have the
> following override defined for my sp2 application:
>
> <ApplicationOverride id="sp2" entityID="https://sso.etc/etc";>
>         <Sessions lifetime="28800" timeout="3600" checkAddress="false"
> handlerURL="/Shibboleth.sso" handlerSSL="false">
>                 <SessionInitiator type="SAML2" Location="/Login"
> isDefault="true" defaultACSIndex="1" id="cmif"
>         
> entityID="https://sso.etc/idp/shibboleth";
> template="bindingTemplate.html" 
> 	
> authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetPro
> tocol"/>
>         </Sessions>
>
> With the following handler defined for the Idp:
>
>         <LoginHandler xsi:type="IPAddress" username="username"
> defaultDeny="true">
>         
> <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetPro
> tocol</AuthenticationMethod>
>                 <IPEntry>999.99.999.99/32</IPEntry>         <!--IP masked-->
>         </LoginHandler>
>
> On successful authentication everything works as expected.  However when
> authentication fails, I receive an exception in the Idp:
>
> ...
> 12:54:23.091 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:444]
> - Completing user authentication process
> 12:54:23.091 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:503]
> - Validating authentication was performed successfully
> 12:54:23.091 - ERROR
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:508]
> - Error returned from login handler for authentication method
> urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol: Client failed
> IP address authentication
> 12:54:23.091 - ERROR
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:481]
> - Authentication failed with the error:
> edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException:
> Client failed IP address authentication
> ...
>
> Which results in the SP displaying the following sessionError:
> opensaml::FatalProfileException
> The system encountered an error at Fri Dec 11 12:54:23 2009 
> To report this problem, please contact the site administrator at
> ;. 
> Please include the following message in any email:
> opensaml::FatalProfileException at (http://etc..)
> SAML response contained an error.
> Error from identity provider:
>         Status: urn:oasis:names:tc:SAML:2.0:status:Responder
>         Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
>
> I would expect the Idp to gracefully handle the authentication failure
> and for the SP to display the accessError.  Am I missing something?
>
> Kind Regards
>
> Paul
> --
> Paul Noakes
> Technical Architect
> The British Library
> www.bl.uk
> <file:///C:/Documents%20and%20Settings/PNoakes/Application%20Data/Micros
> oft/Signatures/www.bl.uk> 
>
> t: +44 (0)1937 546475
> m: +44 (0)7966 289132

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch