Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

Error adding IdP to lasso server object. Cannot load metadata from /etc/apache2/mellon/ #20

Closed krism74 closed 9 years ago

krism74 commented 9 years ago

Hello, Auth_mellon newbie here and I need some help. I am getting the following error: Lasso-WARNING **: 2015-04-03 12:27:27 Cannot load metadata from /etc/apache2/mellon/

Following is my setup

  1. Apache2.4 running on virtualbox (ubuntu 14.10) with auth_mellon.
  2. Tomcat7.0.59 running on same virtualbox with openam installed.
  3. Followed the steps listed on this page (https://github.com/UNINETT/mod_auth_mellon/wiki/GenericSetup) to configure auth_mellon. Followed the steps listed here as well for openam (http://mkchendil.blogspot.com/2015/02/apache-and-openam-saml-federation.html).

Here is my output in the log

(process:4447): Lasso-WARNING **: 2015-04-03 12:27:27 Cannot load metadata from /etc/apache2/mellon/openamidp.xml
[Fri Apr 03 12:27:27.993608 2015] [:error] [pid 4447] [client 127.0.0.1:35048] Error adding metadata "/etc/apache2/mellon/openamidp.xml" to lasso server objects: Failed to add new provider..
[Fri Apr 03 12:27:27.993624 2015] [:error] [pid 4447] [client 127.0.0.1:35048] Error adding IdP to lasso server object. Please verify the following configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile.

(process:4447): Lasso-WARNING **: 2015-04-03 12:27:28 Cannot load metadata from /etc/apache2/mellon/openamidp.xml
[Fri Apr 03 12:27:28.025581 2015] [:error] [pid 4447] [client 127.0.0.1:35048] Error adding metadata "/etc/apache2/mellon/openamidp.xml" to lasso server objects: Failed to add new provider..
[Fri Apr 03 12:27:28.025593 2015] [:error] [pid 4447] [client 127.0.0.1:35048] Error adding IdP to lasso server object. Please verify the following configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile.

This is my idp.xml

<EntityDescriptor entityID="http://openam.krishna-virtualbox.com:81/openam">
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>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                    </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://openam.krishna-virtualbox.com:81/openam/ArtifactResolver/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://openam.krishna-virtualbox.com:81/openam/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://openam.krishna-virtualbox.com:81/openam/IDPSloRedirect/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://openam.krishna-virtualbox.com:81/openam/IDPSloPOST/metaAlias/idp" ResponseLocation="http://openam.krishna-virtualbox.com:81/openam/IDPSloPOST/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://openam.krishna-virtualbox.com:81/openam/IDPSloSoap/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://openam.krishna-virtualbox.com:81/openam/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://openam.krishna-virtualbox.com:81/openam/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://openam.krishna-virtualbox.com:81/openam/IDPMniPOST/metaAlias/idp" ResponseLocation="http://openam.krishna-virtualbox.com:81/openam/IDPMniPOST/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://openam.krishna-virtualbox.com:81/openam/IDPMniSoap/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://openam.krishna-virtualbox.com:81/openam/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://openam.krishna-virtualbox.com:81/openam/SSOPOST/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://openam.krishna-virtualbox.com:81/openam/SSOSoap/metaAlias/idp"/>
    <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://openam.krishna-virtualbox.com:81/openam/NIMSoap/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://openam.krishna-virtualbox.com:81/openam/AIDReqSoap/IDPRole/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://openam.krishna-virtualbox.com:81/openam/AIDReqUri/IDPRole/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>

This is my sp.xml

<EntityDescriptor entityID="http://openam.krishna-virtualbox.com/myEntityID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICzDCCAbQCCQC3QsCF32J63jANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1v
cGVuYW0ua3Jpc2huYS12aXJ0dWFsYm94LmNvbTAeFw0xNTA0MDMxNzEwMTVaFw0y
NTA0MDIxNzEwMTVaMCgxJjAkBgNVBAMTHW9wZW5hbS5rcmlzaG5hLXZpcnR1YWxi
b3guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvAtgUCxnBpgd
NCpBOiUmx3qzc3lD0I+7elkG2yaiUPpNxZWTEIvq2J/XGiKX35TMEoJj/AW9HKtC
PMZqbPArinUFyhw2NQCfIKyT1Pvfs9bWjH2hozoLeIPY27pmIwWweBkwC6SVNVNz
N66qFCreerYmYg4WE5JVf9rxbLpTz+/O1CTQ3tBZxhMyPnXXCylJXnpqjU/DwzCb
LwxIS0331lWgK6gvK5nCzZ6mymUrcV6uMKAB2zu+Lwvf2l+AqtcIRx99KP2YzuKf
KrRMPjmfFj+bCy7CFCbwNLNDf/jPykmiBwN/6WMzHe1VsydjF2qNWeFbqnSiLZP5
ooHy8rgK1QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCFVxbInL/MkKijoZaVjt0a
1SZEPyKZUln38woBCEVPtl2KDI2SqOZWxKloVHtJtU2+ywoTHTOB9pmqIkWcmgYW
Bwfw5tXzCEGFvkAzpfUFfoBiZTwcSifR5/vCjSwbjFZ1CgshgAUUdVw8kQyPUZ4a
0R/PnR+AxCXlsB9Vq7YeXDqSIAoCDvwNbjS9w/sqlNAUh8rZzARrf6EN2ut6AyWE
nzOAa2eqdU83tzx+WLZ+o3e63DkcgEYB9qY0dMzI3IBLfMObYabrkuPNz7zArAXi
wwvd7H4BbQvwobA28WyCJx820S0iSFb9pke7xHJum89ztSHZtKYpxCWp2Dcyzpqc</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://openam.krishna-virtualbox.com/mellon/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://openam.krishna-virtualbox.com/mellon/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

My Auth_mellon configuration in apache

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.

        ServerName openam.krishna-virtualbox.com
        ServerAdmin krishna.muthyala@verizon.com
        DocumentRoot /var/www/html

        AllowEncodedSlashes On
        AllowEncodedSlashes NoDecode

        Rewriteengine on
        ProxyRequests Off
        <Proxy http://openam.krishna-virtualbox.com:81>
                Require all granted
        </Proxy>

        ProxyPass /mellon/ ! nocanon
        ProxyPass / http://openam.krishna-virtualbox.com:81/mellon nocanon
        ProxyPassReverse / http://openam.krishna-virtualbox.com:81/mellon
        ReWriteRule     ^(.*);jsessionid=[A-Za-z0-9]+(.*)$ $1$2 [R,NE]

        <Location />
                MellonEnable "info"
                MellonSecureCookie On
                MellonSessionDump Off
                MellonUser "eduPersonPrincipalName"
                MellonSamlResponseDump Off
                MellonEndpointPath "/mellon"
                MellonSPPrivateKeyFile /etc/apache2/mellon/http_openam.krishna_virtualbox.com_myEntityID.key
                MellonSPCertFile /etc/apache2/mellon/http_openam.krishna_virtualbox.com_myEntityID.cert
                MellonIdPMetadataFile /etc/apache2/mellon/openamidp.xml
                MellonSPMetadataFile /etc/apache2/mellon/http_openam.krishna_virtualbox.com_myEntityID.xml

                RequestHeader unset CONF_FULL_NAME
                RequestHeader set CONF_FULL_NAME "%{MELLON_displayName}e" env=MELLON_displayName

                RequestHeader unset CONF_EMAIL
                RequestHeader set CONF_EMAIL "%{MELLON_mail}e" env=MELLON_mail
        </Location>

        <Location /auth_mellon.php>
                # This location will trigger an authentication request to the IdP.
                MellonEnable "auth"
        </Location>
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        LogLevel info ssl:debug

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

Kindly suggest what might be wrong with my setup. Stuck with this issue for some time now and need some help

Thanks, Kris

olavmrk commented 9 years ago

Hi,

this is an issue tracker, not a support forum. For these types of questions, you are probably better off asking on the mailing list.

My guess as to the cause of your error is that your IDP metadata is missing the proper XML namespaces. It doesn't declare the metadata namespace on the root element, nor the ds-namespace used for the key/certificate.
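As an added example (not code from the mod_auth_mellon project, lasso, or either commenter), the following standard-library Python script checks an IdP metadata file for the defect olavmrk points at and repairs it. Without an `xmlns:ds` declaration, `<ds:KeyInfo>` uses an unbound prefix, so the file is not even well-formed XML and any namespace-aware parser rejects it before reaching the SAML content; with the prefix bound but no default `xmlns`, the file parses but `EntityDescriptor` is not in the SAML 2.0 metadata namespace, which is the next thing a strict loader rejects. The sample metadata, the `idp.example.test` host and the five-byte placeholder "certificate" blob are constructed for this example; the base64/DER check is a sanity check on the file, not a substitute for lasso loading it.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed placeholder: a 5-byte DER SEQUENCE, not a real certificate.
# It only has to pass the base64/DER shape check below.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed sample with the same defect as the idp.xml in the issue:
# the root element declares neither the metadata namespace nor the ds: prefix.
BROKEN_IDP_METADATA = """<EntityDescriptor entityID="http://idp.example.test/openam">
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>{cert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.example.test/openam/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(cert=FAKE_CERT_B64)


def check_idp_metadata(xml_text):
    """Return a list of problems found in SAML 2.0 IdP metadata (empty list = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An undeclared prefix such as ds: makes the file not well-formed XML,
        # so a loader fails here before it ever looks at the SAML content.
        return ["not well-formed XML: %s" % exc]

    problems = []
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        problems.append("root element is %r, expected EntityDescriptor in %s" % (root.tag, MD_NS))
        return problems
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")

    idp = root.find("{%s}IDPSSODescriptor" % MD_NS)
    if idp is None:
        problems.append("no IDPSSODescriptor in the metadata namespace")
        return problems
    if SAMLP_NS not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IDPSSODescriptor does not list SAML 2.0 in protocolSupportEnumeration")
    if idp.find("{%s}SingleSignOnService" % MD_NS) is None:
        problems.append("no SingleSignOnService endpoint")

    cert_path = "{%s}KeyDescriptor/{%s}KeyInfo/{%s}X509Data/{%s}X509Certificate" % (
        MD_NS, DS_NS, DS_NS, DS_NS)
    certs = idp.findall(cert_path)
    if not certs:
        problems.append("no ds:X509Certificate under KeyDescriptor (is the ds namespace declared?)")
    for cert in certs:
        try:
            # Metadata usually wraps the base64 over several lines; strip all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:
            problems.append("X509Certificate is not valid base64")
            continue
        # A DER-encoded certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
        if der[:1] != b"\x30":
            problems.append("X509Certificate does not decode to a DER SEQUENCE")
    return problems


def add_missing_namespaces(xml_text):
    """Declare xmlns and xmlns:ds on an unprefixed <EntityDescriptor> root if absent."""
    match = re.search(r"<EntityDescriptor\b[^>]*>", xml_text)
    if match is None:
        raise ValueError("no <EntityDescriptor> start tag found")
    tag = match.group(0)
    additions = []
    if not re.search(r'\sxmlns="', tag):
        additions.append('xmlns="%s"' % MD_NS)
    if not re.search(r'\sxmlns:ds="', tag):
        additions.append('xmlns:ds="%s"' % DS_NS)
    if not additions:
        return xml_text
    body = tag[:-1].rstrip()
    self_closing = body.endswith("/")
    if self_closing:
        body = body[:-1].rstrip()
    new_tag = body + " " + " ".join(additions) + ("/>" if self_closing else ">")
    return xml_text[:match.start()] + new_tag + xml_text[match.end():]


# Only the ds: prefix declared: the file now parses, but nothing is in the
# SAML metadata namespace, so the root element check fails instead.
HALF_FIXED_IDP_METADATA = BROKEN_IDP_METADATA.replace(
    "<EntityDescriptor ", '<EntityDescriptor xmlns:ds="%s" ' % DS_NS, 1)
FIXED_IDP_METADATA = add_missing_namespaces(BROKEN_IDP_METADATA)

if __name__ == "__main__":
    for name, text in [("broken", BROKEN_IDP_METADATA),
                       ("half fixed", HALF_FIXED_IDP_METADATA),
                       ("fixed", FIXED_IDP_METADATA)]:
        print("%-10s %s" % (name, check_idp_metadata(text) or "OK"))
```

To check a real file, call `check_idp_metadata(open(path).read())`; `add_missing_namespaces` only handles an unprefixed `EntityDescriptor` root, which is what OpenAM exported in the issue, so metadata that uses an `md:` prefix on the root is out of its scope.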