
Configuring SAML for Apache



Dear Mr. Kellomäki,

My problem is that SAML doesn't recognize the IdP server.
Please find attached the steps I've done:


1.)   I entered the metadata.xml with the command: zxcot -a <MyMetadataFile.xml
This is the content of my metadata:
<md:EntitiesDescriptor validUntil="2022-03-20T12:03:28.807Z"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:alfa="acns:alfa"
    xmlns:mdui="urn:oasis:names:tc:SAM:metadata:ui">

<!-- this IDP -->
    <md:EntityDescriptor entityID="acns:AlfaTicket_E">
        <md:Extensions>
            <alfa:context app="IDP" env="E"/>
        </md:Extensions>
        <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor>
                <ds:KeyInfo>
                    <ds:X509Data>
                        <!-- certificate AlfaTicket_E.4 -->
                        <ds:X509Certificate>[certificate body removed]</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:NameIDFormat>acns:alfaid</md:NameIDFormat>
            <md:SingleSignOnService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/samlwebsso" />
            <md:SingleSignOnService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/samlwebsso" />
        </md:IDPSSODescriptor>
        <md:SPSSODescriptor WantAssertionsSigned="true"
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:AssertionConsumerService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/list"
                index="0" isDefault="true" />
            <md:AssertionConsumerService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/list?spId=http://sp-e.s-mxs.net/testServiceProvider"
                index="1" />
        </md:SPSSODescriptor>
        <md:ContactPerson contactType="technical">
            <md:GivenName>Bernhard</md:GivenName>
            <md:SurName>Gruber</md:SurName>
            <md:EmailAddress>mailto:bernhard.gruber@xxxxxxxxxxxxxxxx</md:EmailAddress>
            <md:TelephoneNumber>+43 (0)5 0100 - 15779</md:TelephoneNumber>
        </md:ContactPerson>
    </md:EntityDescriptor>

</md:EntitiesDescriptor>


2.)   The metadata-file was stored in the dir.: /var/zxid/cot.
As you can see in the screenshot there are five files in this dir. The file
with the name: XFsCJLxzsSoO0iQVxxI_g2lprc8 is my metadata-file. The other 4
files were installed by the make command.
[cid:image001.jpg@01D04AD2.8822BD30]

3.)   I created the zxid.conf file in dir: /var/zxid
Content:
[cid:image002.jpg@01D04AD2.8822BD30]

4.)   When I enter the command: https://10.18.114.50/html_protected/ in my
browser I get this page:
[cid:image003.jpg@01D04AD2.8822BD30]
There is no combo box for selecting the IdP?

5.)   When I click on the link:
https://10.18.115.50:443/html_protected/saml?o=B I get this page with my
metadata:
[cid:image004.jpg@01D04AD2.8822BD30]

Now my question. What is missing, that I don't get the popup window with the
selection of my IdP server?
Is there anything I have to enter in the zxid.conf? I haven't found an example
on the internet.
Thank you for your help.

Best regards
Gerhard Gutschi

[demime 1.01d removed an attachment of type image/jpeg which had a name of image001.jpg]

[demime 1.01d removed an attachment of type image/jpeg which had a name of image002.jpg]

[demime 1.01d removed an attachment of type image/jpeg which had a name of image003.jpg]

[demime 1.01d removed an attachment of type image/jpeg which had a name of image004.jpg]
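Added example, not part of the post and not ZXID code: a sanity check an SP operator can run over IdP metadata before importing it into the Circle of Trust, flagging the conditions that leave an entity unusable as an IdP (expired validUntil, no IDPSSODescriptor, no signing certificate, no HTTP-Redirect or HTTP-POST SingleSignOnService). The embedded metadata is a constructed sample modelled on the one in the post, with a placeholder in place of the certificate; the finding texts are this example's own, not ZXID's messages.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample modelled on the post's metadata; the certificate body is a placeholder.
SAMPLE = f"""<md:EntitiesDescriptor validUntil="2022-03-20T12:03:28.807Z"
    xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="acns:AlfaTicket_E">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://idp-e.alfa.s-mxs.net/kerberoslogin/samlwebsso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def _expired(el, now):
    """True if the element carries a validUntil timestamp (UTC, 'Z' suffix) that has passed."""
    vu = el.get("validUntil")
    return bool(vu) and datetime.fromisoformat(vu.replace("Z", "+00:00")) < now

def check_idp_metadata(xml_text, now=None):
    """Return findings an SP operator should fix; [] means a usable IdP entry exists."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings, idps = [], 0
    if _expired(root, now):
        findings.append("validUntil has passed; a conforming SP discards this metadata")
    # iter() includes the root, so a bare EntityDescriptor document is handled too
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        eid = ent.get("entityID", "<missing entityID>")
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            findings.append(f"{eid}: no IDPSSODescriptor, cannot be offered as an IdP")
            continue
        idps += 1
        if not any((c.text or "").strip() for c in idp.iterfind(".//ds:X509Certificate", NS)):
            findings.append(f"{eid}: no X509Certificate, IdP signatures cannot be verified")
        sso = {s.get("Binding") for s in idp.iterfind("md:SingleSignOnService", NS)}
        if not {REDIRECT, POST} & sso:
            findings.append(f"{eid}: no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if not idps:
        findings.append("no IdP entity found in metadata")
    return findings
```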