Unicon / shib-cas-authn3

Integrates an external CAS Server and Shibboleth IdPv3.
Apache License 2.0

IdP v3.2.1.1: No flow definition 'authn/Shibcas' found -- Windows platform #14

Closed crdaudt closed 8 years ago

crdaudt commented 8 years ago

My issue appears very similar to that posted by eryaza01 on Apr 21, 2015 (https://github.com/Unicon/shib-cas-authn3/issues/4). I have installed a new instance of Shibboleth IDP v3.2.1.1 on a Windows Server 2012 platform, and am attempting to install/configure shib-cas-authn3. I am also receiving the "No flow definition 'authn/Shibcas' found" error. The relevant error messages in idp-process.log are:

--BEGIN--
2016-09-14 16:07:07,806 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'authn/Shibcas' found
    at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinitionHolder(FlowDefinitionRegistryImpl.java:123)
2016-09-14 16:07:07,915 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: RuntimeException
--END--

When I installed the IDP, I set idp.home to E:\shibboleth3\idp . My shibcas-authn-beans.xml and shibcas-authn-flow.xml files are both located E:\shibboleth3\idp\flows\authn\Shibcas . I am not sure why I am getting the error message.

jtgasper3 commented 8 years ago

Two things to check.

  1. The general-authn.xml file. Is the authn/Shibcas block defined there?
  2. Is Shibcas specified in the idp.properties as:
     idp.authn.flows = Shibcas

crdaudt commented 8 years ago

Yes to both of your questions. I am attaching both files in this post (with keys/passwords masked). two_files.zip

crdaudt commented 8 years ago

Thanks, jtgasper3, for your suggestions. I am still struggling with this issue, so any other ideas? I have included the following for tomcat 8.0 CATALINA_OPTS:

-Didp.home=e:\shibboleth3\idp\ (I tried both with and without the trailing '\')

I also tried gleaning more information by setting idp.loglevel.idp to "DEBUG" in logback.xml, but that did not seem to provide any more relevant log information from what I already provided above.

Any ideas? Can anyone see any issues with my configuration of general-authn.xml or idp.properties (see uploaded zip file in my previous post)?

crdaudt commented 8 years ago

Here are a few more lines from my idp-process.log (with DEBUG lines included):

--BEGIN--
2016-09-16 09:06:05,194 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:257] - Profile Action SelectAuthenticationFlow: No specific Principals requested
2016-09-16 09:06:05,210 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:292] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
2016-09-16 09:06:05,210 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:334] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/Shibcas
2016-09-16 09:06:05,304 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'authn/Shibcas' found
    at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinitionHolder(FlowDefinitionRegistryImpl.java:123)
2016-09-16 09:06:05,491 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: RuntimeException
--END--

mmoayyed commented 8 years ago

Is this a typo: shibcs-authn-beans.xml? or an actual name of the file?

mmoayyed commented 8 years ago

Also, what does your web.xml look like, if any?

crdaudt commented 8 years ago

Yes, I had misspelled shibcas-authn-bean.xml in my original post. I have corrected the spelling. I am attaching a copy of our web.xml file. path_to_web.xml_file.zip

crdaudt commented 8 years ago

OK, we have solved our issue by doing the following two changes:

  1. We added the following three lines to webapp\WEB-INF\web.xml before the ShibCas Auth Servlet settings (not sure if the order is important):
     BEGIN
     <context-param>
       <param-name>idp.home</param-name>
       <param-value>E:/shibboleth3/idp</param-value>
     </context-param>
     END
     I had not thought that this web.xml setting would be necessary in our shibboleth container, because I already had appended the setting "-Didp.home=E:\shibboleth3\idp\" to CATALINA_OPTS (since our implementation is on an MS Windows platform, I had used "tomcat8w.exe //ES//" to set this). However, for login flows to work, it appears that idp.home needs to be set as described above. This might be useful to include in Shibboleth documentation for those who use anything other than the default C:\opt\shibboleth-idp\ path for idp.home.
  2. We also discovered that the metadata file generated by the Shibboleth installer MSI (located in metadata\idp-metadata.xml) was created with ':8443' appended to the host name in every line where the Location URL was set. Our tomcat instance was set to using port 443 for web traffic, but I had failed to catch the port 8443 setting in the metadata file when I customized it for our site. In our case, replacing every occurrence of 'Location="https://shib3pre.taylor.edu:8443/idp/..."' with 'Location="https://shib3pre.taylor.edu/idp/..."' fixed this.

Thanks, mmoayyed, for prompting me to look at our shibboleth container's web.xml file. I am curious as to why the global definition within CATALINA_OPTS was not sufficient. Also, did I miss some documentation about where to define idp.home? In any case, we are now able to move forward.
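The checks jtgasper3 listed earlier (flow files present under idp.home, Shibcas enabled in idp.properties) and the two fixes above (idp.home as a web.xml context-param, ':8443' left in the metadata Location URLs) can be verified offline before the IdP is restarted. The script below is an added example, not code from shib-cas-authn3 or the Shibboleth project: it builds a constructed throwaway idp.home tree in a temp directory that reproduces both mistakes (one flow file missing, one metadata endpoint still on 8443), then runs the same checks a practitioner would do by hand. The hostname idp.example.edu and the file contents are constructed.

```python
"""Offline sanity checks for the idp.home / Shibcas flow wiring discussed in the thread.

Added example (not part of shib-cas-authn3). Builds a constructed idp.home tree
and verifies: flow files, idp.authn.flows, the web.xml context-param, and that
every metadata Location URL uses the port the container really listens on.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

FLOW_FILES = ("shibcas-authn-flow.xml", "shibcas-authn-beans.xml")


def _local(tag):
    """Strip an XML namespace prefix like '{http://...}' from a tag name."""
    return tag.split("}")[-1]


def check_flow_files(idp_home):
    """Return the Shibcas flow files missing from idp.home/flows/authn/Shibcas."""
    flow_dir = os.path.join(idp_home, "flows", "authn", "Shibcas")
    return [f for f in FLOW_FILES if not os.path.isfile(os.path.join(flow_dir, f))]


def check_authn_flows_property(idp_home):
    """True if conf/idp.properties lists Shibcas in idp.authn.flows ('|' separates flows)."""
    with open(os.path.join(idp_home, "conf", "idp.properties"), encoding="utf-8") as fh:
        for line in fh:
            m = re.match(r"\s*idp\.authn\.flows\s*=\s*(.*)", line)
            if m:
                return "Shibcas" in [v.strip() for v in m.group(1).split("|")]
    return False


def web_xml_idp_home(idp_home):
    """Return the idp.home <context-param> value from webapp/WEB-INF/web.xml, or None."""
    root = ET.parse(os.path.join(idp_home, "webapp", "WEB-INF", "web.xml")).getroot()
    for cp in root.iter():
        if _local(cp.tag) != "context-param":
            continue
        params = {_local(c.tag): (c.text or "").strip() for c in cp}
        if params.get("param-name") == "idp.home":
            return params.get("param-value")
    return None


def metadata_port_mismatches(idp_home, expected_port=443):
    """Return Location URLs in metadata/idp-metadata.xml not on expected_port."""
    root = ET.parse(os.path.join(idp_home, "metadata", "idp-metadata.xml")).getroot()
    bad = []
    for el in root.iter():
        loc = el.get("Location")
        if not loc:
            continue
        parts = urlsplit(loc)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port != expected_port:
            bad.append(loc)
    return bad


def build_sample_idp_home():
    """Create a constructed idp.home tree reproducing the thread's mistakes (test data only)."""
    home = tempfile.mkdtemp(prefix="idp-home-")
    for sub in (("flows", "authn", "Shibcas"), ("conf",), ("metadata",), ("webapp", "WEB-INF")):
        os.makedirs(os.path.join(home, *sub))
    # Only the flow file is present; the beans file is "forgotten".
    open(os.path.join(home, "flows", "authn", "Shibcas", "shibcas-authn-flow.xml"), "w").close()
    with open(os.path.join(home, "conf", "idp.properties"), "w", encoding="utf-8") as fh:
        fh.write("idp.authn.flows = Shibcas\n")
    with open(os.path.join(home, "webapp", "WEB-INF", "web.xml"), "w", encoding="utf-8") as fh:
        fh.write('<web-app xmlns="http://java.sun.com/xml/ns/javaee">\n'
                 '  <context-param><param-name>idp.home</param-name>'
                 '<param-value>E:/shibboleth3/idp</param-value></context-param>\n</web-app>\n')
    with open(os.path.join(home, "metadata", "idp-metadata.xml"), "w", encoding="utf-8") as fh:
        fh.write('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
                 'entityID="https://idp.example.edu/idp/shibboleth">\n'
                 '  <IDPSSODescriptor>\n'
                 '    <SingleSignOnService Location="https://idp.example.edu:8443/idp/profile/SAML2/Redirect/SSO"/>\n'
                 '    <SingleSignOnService Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>\n'
                 '  </IDPSSODescriptor>\n</EntityDescriptor>\n')
    return home


if __name__ == "__main__":
    home = build_sample_idp_home()
    print("missing flow files:", check_flow_files(home))
    print("Shibcas in idp.authn.flows:", check_authn_flows_property(home))
    print("web.xml idp.home:", web_xml_idp_home(home))
    print("metadata endpoints not on 443:", metadata_port_mismatches(home))
```

Point the functions at a real idp.home instead of build_sample_idp_home() to check a live install; pass expected_port=8443 if Tomcat really does listen there, in which case the check flags the endpoints that were "fixed" to 443 instead.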

mmoayyed commented 8 years ago

Pleasure.

You should be able to do the same with -Didp.home=xyz but I admit I have never done that sort of thing on Windows. The debacle of "Backslash vs forward-slash" should really be reported to the U.N. :)

What was your global definition like? If I remember correctly, I think I set that value directly in startup.bat or catalina.bat.

mmoayyed commented 8 years ago

Neglected to mention that you're welcome to play around with those 2 batch files, and if you were able to work it out, please submit a PR to clarify this in the docs.

crdaudt commented 8 years ago

Sorry for the delayed response. And thanks again for your assistance in resolving my issue with my setting for idp.home not being recognized in my Windows installation of Shibboleth v3 IdP.

You asked what my tomcat global definition was like. My \conf\context.xml, \bin\catalina.bat, and \bin\startup.bat files are the original files from when I installed tomcat, so perhaps I could have set the value of idp.home in one of those files. However, since setting the value of idp.home in \webapp\WEB-INF\web.xml seems to work just fine, I have not bothered with testing with the tomcat files you mentioned.

You also asked that I submit a PR to clarify the additional requirement for setting idp.home for Windows installations in the docs. I believe the Shibboleth IdP docs that need to be updated are located at https://wiki.shibboleth.net/confluence/display/IDP30/ApacheTomcat8 and https://wiki.shibboleth.net/confluence/display/IDP30/WindowsInstallation. Also, in the shib-cas-authn3 download (https://github.com/Unicon/shib-cas-authn3), the same clarification might be helpful in the Readme.md file. I am not sure how to submit a PR for these docs.

In conclusion, the solution to my issue with setting idp.home in my Windows installation was to also set it in \webapp\WEB-INF\web.xml (see my post two weeks ago).

mmoayyed commented 8 years ago

Gotcha. web.xml change is fine, and thinking more about this, you probably should update the shibboleth wiki to include that option as well, if needed. Don't think we need a PR here; for the wiki, you should just be able to log in with your IdP and edit away.

Thanks for the follow-up.

mapgrady commented 8 years ago

If one reads carefully, the Shib wiki already documents the need to set idp.home for Tomcat or Jetty, if not using the standard path and/or not using the "installed by the Shib IdP MSI version of Jetty". If you search for 'idp.home' on the wiki, you'll see that. Now the Tomcat doc really only highlights the standard path for a Linux install (although /opt/shibboleth-idp was also the standard path for an IdPv2 Windows install using Tomcat), so one could argue that the docs could use further clarification. But the basic idea is already mentioned.

On Oct 3, 2016, at 2:56 PM, Misagh Moayyed notifications@github.com wrote:


Michael A. Grady IAM Architect, Unicon, Inc.