If I'm reading shibboleth-2.0-idp-profile-handler.xsd right, the child 
elements of ProfileHandlerGroup must appear in the file in a specific order:

     <!-- Schema excerpt: declares the root element of handler.xml and, through
          xsd:sequence, the order in which its children must appear. -->
     <xsd:element name="ProfileHandlerGroup">
         <xsd:annotation>
             <xsd:documentation>Root of a profile handler configuration 
file.</xsd:documentation>
         </xsd:annotation>
         <xsd:complexType>
             <!-- xsd:sequence: children are validated in exactly the order listed below. -->
             <xsd:sequence>
                 <!-- No minOccurs/maxOccurs given, so the XSD defaults (1 and 1) apply:
                      exactly one ErrorHandler, and it must be the first child. -->
                 <xsd:element name="ErrorHandler" type="ErrorHandlerType"/>
                 <!-- Next: zero or more ProfileHandler elements. -->
                 <xsd:element name="ProfileHandler" type="RequestHandlerType" 
minOccurs="0" maxOccurs="unbounded"/>
                 <!-- Last: zero or more LoginHandler elements, after every ProfileHandler. -->
                 <xsd:element name="LoginHandler" type="LoginHandlerType" 
minOccurs="0" maxOccurs="unbounded"/>
             </xsd:sequence>
         </xsd:complexType>
     </xsd:element>

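Put the CAS-Shib LoginHandler down with the other LoginHandler elements 
(after the ProfileHandlers). In the file you posted it is the first child of 
ProfileHandlerGroup, ahead of the ErrorHandler, which is why the validator 
stops at 'ph:LoginHandler' and says ErrorHandler is expected. Once the file 
loads, it is also worth confirming which login handler the IdP actually 
selects: the RemoteUser handler in your file declares the same 
AuthenticationMethod (unspecified) as the CAS one.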

        Andy

On Wed, 25 Jun 2014, Ben Branch wrote:

> Chris,
>
> I should have posted the full xml file to show that I believe those pieces 
> are in the handler.xml
>
> Full handler.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
>                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                        xmlns:shib-cas="http://unicon.net/shib-cas/authn"
>                        
> xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler
>                        
> classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
>                        http://unicon.net/shib-cas/authn
>                        classpath:/schema/casLoginHandler.xsd">
>
>
> <!-- CAS/Shib IDP External Login Handler.  propertiesFile attribute is 
> optional -->
> <ph:LoginHandler xsi:type="shib-cas:CasLoginHandler"
>                 propertiesFile="/opt/shibboleth-idp/conf/cas-shib.properties">
>    
> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
>    <shib-cas:paramBuilder 
> class="net.unicon.idp.authn.provider.extra.EntityIdParameterBuilder" />
> </ph:LoginHandler>
>
>    <!-- Error Handler -->
>    <ph:ErrorHandler xsi:type="ph:JSPErrorHandler" jspPagePath="/error.jsp"/>
>
>    <!-- Profile Handlers -->
>    <!--
>        All profile handlers defined below are accessed via the Servlet path 
> "/profile" so if your profile
>        handler's request path is "/Status" then the full path is 
> "<servletContextName>/profile/Status"
>     -->
>    <ph:ProfileHandler xsi:type="ph:Status">
>        <ph:RequestPath>/Status</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAMLMetadata" 
> metadataFile="/opt/shibboleth-idp/metadata/idp-metadata.xml">
>        <ph:RequestPath>/Metadata/SAML</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:ShibbolethSSO" 
> inboundBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:profiles:browser-post
>                                                   
> urn:oasis:names:tc:SAML:1.0:profiles:artifact-01">
>        <ph:RequestPath>/Shibboleth/SSO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML1AttributeQuery" 
> inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
>        <ph:RequestPath>/SAML1/SOAP/AttributeQuery</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML1ArtifactResolution" 
> inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
>        <ph:RequestPath>/SAML1/SOAP/ArtifactResolution</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SSO" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
>        <ph:RequestPath>/SAML2/POST/SSO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SSO" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
>        <ph:RequestPath>/SAML2/POST-SimpleSign/SSO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SSO" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
>        <ph:RequestPath>/SAML2/Redirect/SSO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SSO" 
> inboundBinding="urn:mace:shibboleth:2.0:profiles:AuthnRequest"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
>        <ph:RequestPath>/SAML2/Unsolicited/SSO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2ECP" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
>        <ph:RequestPath>/SAML2/SOAP/ECP</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SLO" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
>        <ph:RequestPath>/SAML2/Redirect/SLO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SLO" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
>        <ph:RequestPath>/SAML2/POST/SLO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SLO" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>                                                   
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
>        <ph:RequestPath>/SAML2/POST-SimpleSign/SLO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SLO" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
>        <ph:RequestPath>/SAML2/SOAP/SLO</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2SLO" 
> inboundBinding="urn:mace:shibboleth:2.0:profiles:LocalLogout">
>        <ph:RequestPath>/Logout</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2AttributeQuery" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
>        <ph:RequestPath>/SAML2/SOAP/AttributeQuery</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <ph:ProfileHandler xsi:type="ph:SAML2ArtifactResolution" 
> inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>                       
> outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
>        <ph:RequestPath>/SAML2/SOAP/ArtifactResolution</ph:RequestPath>
>    </ph:ProfileHandler>
>
>    <!-- Login Handlers -->
>    <ph:LoginHandler xsi:type="ph:RemoteUser">
>        
> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
>    </ph:LoginHandler>
>
>    <!-- Login handler that delegates the act of authentication to an external 
> system. -->
>    <!-- This login handler and the RemoteUser login handler will be merged in 
> the next major release. -->
>    <!--
>    <ph:LoginHandler xsi:type="ph:ExternalAuthn">
>        
> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
>        <ph:QueryParam name="foo" value="bar" />
>    </ph:LoginHandler>
>    -->
>
>    <!--  Username/password login handler -->
>    <!--
>    <ph:LoginHandler xsi:type="ph:UsernamePassword"
>                  
> jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
>        
> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
>    </ph:LoginHandler>
>    -->
>
>    <!--
>        Removal of this login handler will disable SSO support, that is it 
> will require the user to authenticate
>        on every request.
>    -->
>    <ph:LoginHandler xsi:type="ph:PreviousSession">
>        
> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
>    </ph:LoginHandler>
>
> </ph:ProfileHandlerGroup>
>
> Ben Branch
> UNIX/Linux Administrator
> University of Central Oklahoma
> ITIL Foundation v3, Network+, RHCSA
>
> 100 N. University Drive, Box 122
> Edmond, OK 73034
> D: 405.974.2649 | M: 405.550.6804 | [email protected] | www.uco.edu
>
> “I am wiser than this man, for neither of us appears to know anything great 
> and good; but he fancies he knows something, although he knows nothing; 
> whereas I, as I do not know anything, so I do not fancy I do. In this 
> trifling particular, then, I appear to be wiser than he, because I do not 
> fancy I know what I do not know.”  - Socrates
>
> -----Original Message-----
> From: Charles Hasegawa [mailto:[email protected]]
> Sent: Wednesday, June 25, 2014 1:04 PM
> To: [email protected]
> Subject: Re: [cas-user] CAS-Shib Integration: Getting an error when deploying 
> the idp.war
>
> ok, seeing that their definition of login handler is expecting an 
> ErrorHandler.
>
> You should check that they have a valid file. The expectation was that they'd 
> ADD to the existing handler.xml, not just have a file with the header and 
> loginHandler. They still need all the other stuff.
>
>
>
> ----- Original Message -----
> From: "Ben Branch" <[email protected]>
> To: [email protected]
> Sent: Wednesday, June 25, 2014 10:18:38 AM
> Subject: [cas-user] CAS-Shib Integration: Getting an error when deploying the 
> idp.war
>
>
>
>
> All,
>
>
>
> I’ve been following the Unicon guide on how to integrate Shibboleth with CAS. 
> I thought I had everything configured properly, but that does not appear to 
> be the case. I’m getting the following error in my catalina.out:
>
>
>
> Jun 25, 2014 11:32:47 AM org.apache.jk.server.JkMain start
>
> at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>
> at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>
> at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
> at java.lang.reflect.Method.invoke(Method.java:606)
>
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>
> Caused by: 
> edu.internet2.middleware.shibboleth.common.service.ServiceException: 
> Configuration was not loaded for shibboleth.HandlerManager service, error 
> creating components.
>
> at 
> edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:192)
>
> at 
> edu.internet2.middleware.shibboleth.common.config.BaseReloadableService.initialize(BaseReloadableService.java:148)
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
> at java.lang.reflect.Method.invoke(Method.java:606)
>
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1414)
>
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1375)
>
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1335)
>
> ... 39 more
>
> Caused by: org.xml.sax.SAXParseException; lineNumber: 14; columnNumber: 66; 
> cvc-complex-type.2.4.a: Invalid content was found starting with element 
> 'ph:LoginHandler'. One of 
> '{"urn:mace:shibboleth:2.0:idp:profile-handler":ErrorHandler}' is expected.
>
> at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown 
> Source)
>
> at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
>
> at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
>
> at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
>
> at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
>
> at 
> org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown
>  Source)
>
> at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown 
> Source)
>
> at org.apache.xerces.impl.xs.XMLSchemaValidator.handleStartElement(Unknown 
> Source)
>
> at org.apache.xerces.impl.xs.XMLSchemaValidator.startElement(Unknown Source)
>
> at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown 
> Source)
>
> at 
> org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
>  Source)
>
> at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown 
> Source)
>
> at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>
> at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>
> at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>
> at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
>
> at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>
> at 
> edu.internet2.middleware.shibboleth.common.config.SpringDocumentLoader.loadDocument(SpringDocumentLoader.java:56)
>
> at 
> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
>
> at 
> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:342)
>
> at 
> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:310)
>
> at 
> org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
>
> at 
> edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils.populateRegistry(SpringConfigurationUtils.java:89)
>
> at 
> edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:170)
>
> ... 47 more
>
>
>
> Jun 25, 2014 11:32:47 AM org.apache.catalina.core.StandardContext start
>
> SEVERE: Error listenerStart
>
> Jun 25, 2014 11:32:47 AM org.apache.catalina.core.StandardContext start
>
> SEVERE: Context [/idp] startup failed due to previous errors
>
>
>
>
>
> My /opt/shibboleth-idp/handler.xml (as per the Unicon guide):
>
> <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>
> xmlns:shib-cas="http://unicon.net/shib-cas/authn"
>
> xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler
>
> classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
>
> http://unicon.net/shib-cas/authn
>
> classpath:/schema/casLoginHandler.xsd">
>
>
>
>
>
> <!-- CAS/Shib IDP External Login Handler. propertiesFile attribute is 
> optional -->
>
> <ph:LoginHandler xsi:type="shib-cas:CasLoginHandler"
>
> propertiesFile="/opt/shibboleth-idp/conf/cas-shib.properties">
>
> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
>
> <shib-cas:paramBuilder 
> class="net.unicon.idp.authn.provider.extra.EntityIdParameterBuilder" />
>
> </ph:LoginHandler>
>
>
>
> -------------------------------------------------------------------
>
>
>
> I’m not really sure where to go on this, I believe I have everything setup 
> properly, but I do not understand why I am still receiving this error 
> message. Any help on this would be greatly appreciated.
>
>
>
>
>
> Ben Branch
> UNIX/Linux Administrator
>
> University of Central Oklahoma
>
> ITIL Foundation v3, Network+, RHCSA
>
> 100 N. University Drive, Box 122
>
> Edmond, OK 73034
>
> D: 405.974.2649 | M: 405.550.6804 | bbranch@uco. edu | www.uco.edu
>
>
>
> “ I am wiser than this man, for neither of us appears to know anything great 
> and good; but he fancies he knows something, although he knows nothing; 
> whereas I, as I do not know anything, so I do not fancy I do. In this 
> trifling particular, then, I appear to be wiser than he, because I do not 
> fancy I know what I do not know. ” - Socrates
>
>
> **Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue, and 
> Green! Please print this e-mail only if absolutely necessary!
>
> **CONFIDENTIALITY** -This e-mail (including any attachments) may contain 
> confidential, proprietary and privileged information. Any unauthorized 
> disclosure or use of this information is prohibited. -- You are currently 
> subscribed to [email protected] as: [email protected] To 
> unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
>
>
> **Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue, and 
> Green! Please print this e-mail only if absolutely necessary!
>
> **CONFIDENTIALITY** This e-mail (including any attachments) may contain 
> confidential, proprietary and privileged information. Any unauthorized 
> disclosure or use of this information is prohibited.
>