Unicon / shibboleth-idp-dockerized

A Shibboleth Identity Provider (IdP) base-image
Apache License 2.0

Help Getting Started #57

Closed styfle closed 5 years ago

styfle commented 6 years ago

This project looks really cool!

I am trying to see if shibboleth-idp can be used to replace an old instance of ADFS.

So I followed the instructions in the README but some of this is far over my head.

Here's what I tried so far:

docker run -it -v ~/shibboleth-config:/ext-mount --rm unicon/shibboleth-idp:3.3.3 init-idp.sh
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl x509 -text -noout -in certificate.pem
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out idp-browser.p12
mv idp-browser.p12 ~/shibboleth-config/customized-shibboleth-idp/credentials
docker run -p 4443:4443 -v ~/shibboleth-config/customized-shibboleth-idp:/opt/shibboleth-idp unicon/shibboleth-idp:3.3.3

I get the following output:

Running Jetty:
2018-08-30 19:36:10.181:INFO::main: Logging initialized @187ms
2018-08-30 19:36:10.840:INFO:oejs.Server:main: jetty-9.3.23.v20180228, build timestamp: 2018-02-28T21:46:51Z, git hash: 0554f8d8b4c884de6e35a9f7a5481b78e2f34b4f
2018-08-30 19:36:11.033:INFO:oejs.AbstractNCSARequestLog:main: Opened /opt/shib-jetty-base/logs/2018_08_30.request.log
2018-08-30 19:36:11.041:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///opt/shib-jetty-base/webapps/] at interval 1
2018-08-30 19:36:11.593:INFO:oeja.AnnotationConfiguration:main: Scanning elapsed time=122ms
2018-08-30 19:36:11.972:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@457e2f02{/idp,[file:///tmp/jetty-0.0.0.0-8443-webapp-_idp-any-2425043297902816392.dir/webinf/, file:///opt/shibboleth-identity-provider-3.3.3/webapp/],AVAILABLE}{/opt/shibboleth-idp/webapp/}
2018-08-30 19:36:12.351:INFO:oejs.AbstractConnector:main: Started ServerConnector@57e09e93{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
Exception in thread "main" MultiException[java.io.IOException: keystore password was incorrect, java.io.IOException: keystore password was incorrect]
        at org.eclipse.jetty.server.Server.doStart(Server.java:391)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1540)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1462)
        Suppressed: java.io.IOException: keystore password was incorrect
                at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
                at java.security.KeyStore.load(KeyStore.java:1445)
                at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
                at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1037)
                at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:254)
                at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:221)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
                at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:72)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
                at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:268)
                at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
                at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.server.Server.doStart(Server.java:406)
                ... 4 more
        Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
                ... 22 more
Caused by: java.io.IOException: keystore password was incorrect
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1037)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:254)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:221)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:72)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:268)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.server.Server.doStart(Server.java:406)
        ... 4 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 22 more

I probably did something wrong. Any help would be appreciated. Thanks! 👍

jtgasper3 commented 6 years ago

Glad that you like it. If you are integrating with ADFS via SAML2, this should work. You'll likely need to change the attribute-resolver.xml to use the ADFS SAML attribute names instead of the urn:oids that higher ed uses.

What password did you use to create the idp-browser.p12 file with? Was it changeme? If not then you can set an env to set it at runtime: https://github.com/Unicon/shibboleth-idp-dockerized/blob/master/Dockerfile#L12

Also, this is the testbed I used to test this and the other IDP/SP images I maintain: https://github.com/UniconLabs/dockerized-idp-testbed

styfle commented 6 years ago

You'll likely need to change the attribute-resolver.xml to use ADFS SAML attribute name instead of the urn:oids that higher ed uses.

I don't know what that means 🙃 I found the conf/attribute-resolver.xml file which has 4 hits for urn:oid. Not sure what to do with that.

I used password abc123. It looks like adding the two env vars prevented the error.

docker run -p 4443:4443 -e JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=abc123 -e JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=abc123 -v ~/shibboleth-config/customized-shibboleth-idp:/opt/shibboleth-idp unicon/shibboleth-idp:3.3.3

When I browse to https://10.0.75.2:4443 I get "your connection is not secure". So I add the exception and reload the page. Then I see a 404.


Is this expected?

jtgasper3 commented 6 years ago

In the raw XML sent from the IdP to the SP are SAML attributes. Shib uses something like "urn:oid:2.4.2.11" to represent "givenName"; ADFS uses something like "https://schemas.org/2018/name". If you open up ADFS, there is a list of attribute friendly names and the full value. If you are trying to mimic ADFS, you'll want to change the resolver config to use the ADFS equivalents.

Yes, that's expected. Hit /idp (or click the link) and you'll see the default page. You'll need to configure an SP to hit the IdP in order to see the login page.
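
The renaming described above, as an added example that is not part of this thread or of the Unicon image: a small script that walks an IdP v3 style attribute-resolver.xml, swaps the `name` of each SAML2 AttributeEncoder that uses a urn:oid for the ADFS/WS-Federation claim URI it corresponds to, and reports any urn:oid it has no mapping for rather than silently leaving it. The sample XML is constructed in the shape of `conf/attribute-resolver.xml` (not the file shipped in the image), and the OID-to-claim mapping is an assumption for illustration; the OIDs are the standard LDAP ones for givenName, mail and eduPersonPrincipalName, and the claim URIs are the standard WS-Federation claim types ADFS emits. Note that changing the encoder only changes the name the attribute carries on the wire; whether it is released to a given SP is still governed by attribute-filter.xml.

```python
"""Rewrite urn:oid AttributeEncoder names in a Shibboleth IdP v3
attribute-resolver.xml to ADFS-style claim URIs (illustrative script,
not part of the shibboleth-idp-dockerized project)."""
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Keep the default and xsi prefixes on output instead of ns0/ns1.
ET.register_namespace("", RESOLVER_NS)
ET.register_namespace("xsi", XSI_NS)

# Assumed mapping (not from the project): urn:oid names used by the
# default resolver on the left, WS-Federation claim type URIs on the right.
OID_TO_ADFS_CLAIM = {
    "urn:oid:2.5.4.42":
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "urn:oid:0.9.2342.19200300.100.1.3":
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# Constructed sample in the shape of conf/attribute-resolver.xml; the
# eduPersonPrincipalName encoder deliberately has no mapping above.
SAMPLE_RESOLVER = """<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
    <Dependency ref="myLDAP"/>
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false"/>
  </AttributeDefinition>
  <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
    <Dependency ref="myLDAP"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false"/>
  </AttributeDefinition>
  <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="eduPersonPrincipalName">
    <Dependency ref="myLDAP"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false"/>
  </AttributeDefinition>
</AttributeResolver>
"""

ENCODER_TAG = "{%s}AttributeEncoder" % RESOLVER_NS


def rewrite_encoders(xml_text, mapping=OID_TO_ADFS_CLAIM):
    """Return (new_xml, renamed, unmapped).

    renamed maps each old urn:oid name to the claim URI it was replaced with.
    unmapped lists urn:oid names with no entry in `mapping`; they are left
    untouched so the operator has to decide on them explicitly instead of
    shipping a half-converted resolver.
    """
    root = ET.fromstring(xml_text)
    renamed, unmapped = {}, []
    for enc in root.iter(ENCODER_TAG):
        name = enc.get("name", "")
        if name in mapping:
            enc.set("name", mapping[name])
            renamed[name] = mapping[name]
        elif name.startswith("urn:oid:"):
            unmapped.append(name)
    return ET.tostring(root, encoding="unicode"), renamed, unmapped


def encoder_names(xml_text):
    """Wire names of all AttributeEncoders, in document order."""
    root = ET.fromstring(xml_text)
    return [enc.get("name") for enc in root.iter(ENCODER_TAG)]


if __name__ == "__main__":
    new_xml, renamed, unmapped = rewrite_encoders(SAMPLE_RESOLVER)
    for old, new in renamed.items():
        print("renamed %s -> %s" % (old, new))
    for name in unmapped:
        print("no ADFS mapping for %s, left unchanged" % name)
    print(new_xml)
```

To apply it to a real deployment you would read `~/shibboleth-config/customized-shibboleth-idp/conf/attribute-resolver.xml` into `rewrite_encoders`, review the `unmapped` list, and only then write the result back before restarting the container.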

styfle commented 6 years ago

Thanks I'll try connecting Shib to ADFS tomorrow and see how it goes.

This is what I get when I visit /idp in my browser


jtgasper3 commented 5 years ago

Closing this. It's old, but also this project really only supports the Docker image and not the IdP itself.