Hi Fabrice,

In the SAML response sent after authentication, the encrypted data should have 
a unique attribute that should correspond to the user's username of an account 
in CloudStack. The global setting 'saml2.user.attribute' is set to uid by default 
(I think, to make it work out of the box with an LDAP-backed IdP server); change 
this attribute value to something else that is specific to the user attribute 
in your environment, restart the management server and retry.


Regards.
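As an added check (example code written here, not part of the thread or of CloudStack), the script below parses a decoded SAML Response the way the SP would: it lists the attributes the IdP released, tells you whether the attribute named in 'saml2.user.attribute' is present with exactly one value, and flags a validity window or audience that does not line up with the SP. The sample Response is constructed, and matching the setting against either Name or FriendlyName is an assumption of the example.

```python
# Added check, not from the thread or from CloudStack: what an SP sees in a decoded Response.
import xml.etree.ElementTree as ET  # use defusedxml when the input is untrusted
from datetime import datetime, timedelta, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not captured from the thread): an already-decrypted Response
# carrying the uid and email attributes the IdP log shows being resolved.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1"
    InResponseTo="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed" IssueInstant="2017-05-04T10:50:52Z"
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso">
  <saml2:Issuer>https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2017-05-04T10:50:52Z">
    <saml2:Issuer>https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2:Conditions NotBefore="2017-05-04T10:50:52Z" NotOnOrAfter="2017-05-04T10:55:52Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>cloud.etrs.terre.defense.gouv.fr</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
        <saml2:AttributeValue>fabrice.pollet</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="email">
        <saml2:AttributeValue>user@example.invalid</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed sample of the same Response before the SP decrypts the assertion.
SAMPLE_ENCRYPTED = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r2">
  <saml2:EncryptedAssertion/>
</saml2p:Response>"""


def parse_saml_time(s):
    """Parse a UTC xs:dateTime ('...Z'), with or without fractional seconds."""
    s = s.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def assertion_state(root):
    """Return ('plain', element), ('encrypted', None) or ('missing', None)."""
    plain = root.find("saml2:Assertion", NS)
    if plain is not None:
        return "plain", plain
    if root.find("saml2:EncryptedAssertion", NS) is not None:
        return "encrypted", None
    return "missing", None


def released_attributes(assertion):
    """Map each Attribute's Name and FriendlyName to its list of values."""
    attrs = {}
    for a in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in a.findall("saml2:AttributeValue", NS)]
        for key in (a.get("Name"), a.get("FriendlyName")):
            if key:
                attrs[key] = values
    return attrs


def check_conditions(assertion, expected_audience, now, skew=timedelta(minutes=3)):
    """List problems with the validity window (allowing clock skew) and audience."""
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        return ["assertion carries no Conditions element"]
    problems = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_saml_time(nb):
        problems.append("not yet valid: NotBefore=%s; compare SP and IdP clocks" % nb)
    if noa and now - skew >= parse_saml_time(noa):
        problems.append("expired: NotOnOrAfter=%s; compare SP and IdP clocks" % noa)
    audiences = [a.text for a in cond.iterfind(".//saml2:Audience", NS)]
    if audiences and expected_audience not in audiences:
        problems.append("audience %s not in %s" % (expected_audience, audiences))
    return problems


def diagnose(xml_text, user_attribute, expected_audience, now_utc):
    """Summarise the Response as the SP sees it. user_attribute is the value of
    CloudStack's saml2.user.attribute; matching it against Name or FriendlyName
    is an assumption of this example. now_utc is a UTC xs:dateTime string."""
    state, assertion = assertion_state(ET.fromstring(xml_text))
    if state != "plain":
        msg = "assertion is %s; decrypt it with the SP key before reading attributes" % state
        return {"state": state, "attributes": [], "username": None, "problems": [msg]}
    attrs = released_attributes(assertion)
    values = attrs.get(user_attribute, [])
    problems = check_conditions(assertion, expected_audience, parse_saml_time(now_utc))
    if len(values) != 1:
        problems.append("attribute %r has %d values; the IdP must release exactly one value"
                        " for the attribute named in saml2.user.attribute" % (user_attribute, len(values)))
    return {"state": state, "attributes": sorted(attrs),
            "username": values[0] if len(values) == 1 else None, "problems": problems}


if __name__ == "__main__":
    for wanted in ("uid", "cn"):  # default setting, then a name this IdP does not release
        print(wanted, diagnose(SAMPLE_RESPONSE, wanted, "cloud.etrs.terre.defense.gouv.fr", "2017-05-04T10:51:00Z"))
```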

________________________________
From: Fabrice Pollet <[email protected]>
Sent: 05 May 2017 12:13:55
To: Rohit Yadav; [email protected]; [email protected]
Subject: Re: Shibboleth and CloudStack


Hello,

I made some changes in my configuration. Instead of editing the 
/etc/cloudstack/management/idp-metadata.xml file from my SP to force SSO-CAS 
authentication (https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser), 
I modified the /opt/shibboleth-idp/conf/handler.xml file of my IdP:


<!-- Login Handlers -->
<ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

This tells the IdP it can use that login mechanism (in this case CAS) when an 
SP asks for PasswordProtectedTransport.

Both SP and IdP server hosts have the same timezone/time settings. It seems 
that the IdP and SP servers know their metadata reciprocally, but I don't know 
how to verify if the SP decrypts those of the IdP.

Logs of the IdP in debug mode show that the authentication succeeded, but I 
noticed some errors in debug mode (in red in the text):


12:50:43.820 - INFO [Shibboleth-Access:73] - 
20170504T105043Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
12:50:43.820 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - 
shibboleth.HandlerManager: Looking up profile handler for request path: 
/SAML2/Redirect/SSO
12:50:43.820 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - 
shibboleth.HandlerManager: Located profile handler of the following type for 
the request path: 
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
12:50:43.821 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - 
LoginContext key cookie was not present in request
12:50:43.821 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - 
Incoming request does not contain a login context, processing as first leg of 
request
12:50:43.821 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - 
Decoding message with decoder binding 
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
12:50:43.821 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:76] - 
Beginning to decode message from inbound transport of type: 
org.opensaml.ws.transport.http.HttpServletRequestAdapter
12:50:43.822 - DEBUG 
[org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:90] - Decoded 
RelayState: null
12:50:43.822 - DEBUG 
[org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:127] - Base64 
decoding and inflating SAML message
12:50:43.822 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:183] - 
Parsing message stream into DOM document
12:50:43.823 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:193] - 
Unmarshalling message DOM
12:50:43.823 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:205] - 
Message succesfully unmarshalled
12:50:43.823 - DEBUG 
[org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:105] - Decoded 
SAML message
12:50:43.824 - DEBUG 
[org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder:112] - Extracting 
ID, issuer and issue instant from request
12:50:43.824 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking 
child metadata provider for entity descriptor with entity ID: 
cloud.etrs.terre.defense.gouv.fr
12:50:43.824 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.824 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata 
document does not contain an EntityDescriptor with the ID 
cloud.etrs.terre.defense.gouv.fr

...

12:50:43.827 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.828 - DEBUG [PROTOCOL_MESSAGE:113] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    Destination="https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO"
    ForceAuthn="false" ID="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed"
    IsPassive="false" IssueInstant="2017-05-04T10:50:43.719Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="cloud.etrs.terre.defense.gouv.fr" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">cloud.etrs.terre.defense.gouv.fr</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

12:50:43.828 - DEBUG 
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128]
 - Looking up relying party configuration for cloud.etrs.terre.defense.gouv.fr
12:50:43.828 - DEBUG 
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134]
 - No custom relying party configuration found for 
cloud.etrs.terre.defense.gouv.fr, looking up configuration based on metadata 
groups.
12:50:43.829 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking 
child metadata provider for entity descriptor with entity ID: 
cloud.etrs.terre.defense.gouv.fr
12:50:43.829 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.829 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata 
document does not contain an EntityDescriptor with the ID 
cloud.etrs.terre.defense.gouv.fr


12:50:43.831 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking 
child metadata provider for entity descriptor with entity ID: 
cloud.etrs.terre.defense.gouv.fr
12:50:43.831 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.831 - DEBUG 
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157]
 - No custom or group-based relying party configuration found for 
cloud.etrs.terre.defense.gouv.fr. Using default relying party configuration.
12:50:43.831 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:130] - 
Evaluating security policy of type 
'edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy' 
for decoded message
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:92] - Attempting to 
acquire lock for replay cache check
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:94] - Lock acquired
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:105] - Message ID 
85qrvu7c1kmg1tsc0gqmk4a1u2k60qed was not a replay
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:132] - Writing 
message ID cloud.etrs.terre.defense.gouv.fr85qrvu7c1kmg1tsc0gqmk4a1u2k60qed to 
replay cache with expiration time 2017-05-04T12:55:43.832+02:00
12:50:43.832 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] - Checking 
child metadata provider for entity descriptor with entity ID: 
cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:250] - Metadata 
document did not contain a descriptor for entity 
cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:317] - Metadata 
document did not contain any role descriptors of type 
{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity 
cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:286] - Metadata 
document does not contain a role of type 
{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol 
urn:oasis:names:tc:SAML:2.0:protocol for entity cloud.etrs.terre.defense.gouv.fr


12:50:43.836 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] - Checking 
child metadata provider for entity descriptor with entity ID: 
cloud.etrs.terre.defense.gouv.fr
12:50:43.836 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.836 - INFO 
[org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:100]
 - SAML protocol message was not signed, skipping XML signature processing
12:50:43.837 - DEBUG 
[org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:64]
 - Evaluating simple signature rule of type: 
org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
12:50:43.837 - DEBUG 
[org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule:64] 
- Constructing signed content string from URL query string 
12:50:43.837 - DEBUG 
[org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule:71] 
- Constructed signed content string for HTTP-Redirect DEFLATE 
12:50:43.837 - DEBUG 
[org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:126]
 - Attempting to validate SAML protocol message simple signature using context 
issuer: cloud.etrs.terre.defense.gouv.fr
12:50:43.837 - DEBUG [org.opensaml.security.MetadataCredentialResolver:167] - 
Forcing on-demand metadata provider refresh if necessary
12:50:43.838 - DEBUG [org.opensaml.security.MetadataCredentialResolver:215] - 
Attempting to retrieve credentials from cache using index: 
[cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
12:50:43.838 - DEBUG [org.opensaml.security.MetadataCredentialResolver:223] - 
Retrieved credentials from cache using index: 
[cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
12:50:43.838 - DEBUG 
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74]
 - Registry located evaluable criteria class 
org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria
 for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
12:50:43.839 - DEBUG 
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74]
 - Registry located evaluable criteria class 
org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria 
for criteria class org.opensaml.xml.security.criteria.UsageCriteria
12:50:43.839 - DEBUG 
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74]
 - Registry located evaluable criteria class 
org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria
 for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
12:50:43.839 - DEBUG 
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105]
 - Registry could not locate evaluable criteria for criteria class 
org.opensaml.security.MetadataCriteria
12:50:43.839 - DEBUG 
[org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:159] - 
Attempting to verify signature using trusted credentials
12:50:43.839 - DEBUG [org.opensaml.xml.security.SigningUtil:241] - Verifying 
signature over input using public key of type RSA and JCA algorithm ID 
SHA256withRSA
12:50:43.842 - DEBUG 
[org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:164] - 
Successfully verified signature using resolved trusted credential
12:50:43.842 - DEBUG 
[org.opensaml.xml.signature.impl.ChainingSignatureTrustEngine:81] - Signature 
was trusted by chain member: 
org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine
12:50:43.842 - DEBUG 
[org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:192]
 - Simple signature validation (with no request-derived credentials) was 
successful
12:50:43.842 - INFO 
[org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:130]
 - Validation of request simple signature succeeded
12:50:43.842 - INFO 
[org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:132]
 - Authentication via request simple signature succeeded for context issuer 
entity ID cloud.etrs.terre.defense.gouv.fr
12:50:43.842 - DEBUG 
[org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:64]
 - Evaluating simple signature rule of type: 
org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
12:50:43.843 - DEBUG 
[org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:81]
 - Rule can not handle this request, skipping processing
12:50:43.843 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:85] - 
Successfully decoded message.
12:50:43.843 - DEBUG 
[org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:191] - Checking 
SAML message intended destination endpoint against receiver endpoint
12:50:43.843 - DEBUG 
[org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:210] - Intended 
message destination endpoint: 
https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO
12:50:43.843 - DEBUG 
[org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:211] - Actual 
message receiver endpoint: 
https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO
12:50:43.844 - DEBUG 
[org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:219] - SAML 
message intended destination endpoint matched recipient endpoint
12:50:43.844 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - 
Decoded request from relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:43.844 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking 
child metadata provider for entity descriptor with entity ID: 
cloud.etrs.terre.defense.gouv.fr
12:50:43.844 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.844 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata 
document does not contain an EntityDescriptor with the ID 
cloud.etrs.terre.defense.gouv.fr


12:50:43.849 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.850 - DEBUG 
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157]
 - No custom or group-based relying party configuration found for 
cloud.etrs.terre.defense.gouv.fr. Using default relying party configuration.
12:50:43.850 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:226] - 
Creating login context and transferring control to authentication engine
12:50:43.850 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:181] - Storing 
LoginContext to StorageService partition loginContexts, key 
21082a8599b5ba28281416cfd7468ad128b893acaf51f88303c5fadd9ee0f77b
12:50:43.851 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:240] - 
Redirecting user to authentication engine at 
https://idp.etrs.terre.defense.gouv.fr:443/idp/AuthnEngine
12:50:43.855 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - 
Processing incoming request
12:50:43.856 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:240] - 
Beginning user authentication process.
12:50:43.856 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:283] - 
Filtering configured LoginHandlers: 
{urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@4fd79d84,
 urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@54a66e0f,
 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@54a66e0f}
12:50:43.857 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:288] - 
Filtering possible login handlers by requested authentication methods: 
[urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]
12:50:43.857 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:296] - 
Filtering out login handler for authentication 
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified, it does not provide a 
requested authentication method
12:50:43.857 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:332] - 
Filtering out previous session login handler because there is no existing IdP 
session
12:50:43.857 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:464] - 
Selecting appropriate login handler from filtered set 
{urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@54a66e0f}
12:50:43.857 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:497] - 
Authenticating user with login handler of type 
edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
12:50:43.857 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:66]
 - Redirecting to 
https://idp.etrs.terre.defense.gouv.fr:443/idp/Authn/RemoteUser
12:50:52.152 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet:73]
 - Remote user identified as fabrice.pollet returning control back to 
authentication engine
12:50:52.153 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:144] - 
Returning control to authentication engine
12:50:52.153 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - 
Processing incoming request
12:50:52.153 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:514] - 
Completing user authentication process
12:50:52.153 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:585] - 
Validating authentication was performed successfully
12:50:52.154 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:696] - 
Updating session information for principal fabrice.pollet
12:50:52.154 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:700] - 
Creating shibboleth session for principal fabrice.pollet
12:50:52.154 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:815] - 
Adding IdP session cookie to HTTP response
12:50:52.155 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:715] - 
Recording authentication and service information in Shibboleth session for 
principal: fabrice.pollet
12:50:52.155 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:560] - User 
fabrice.pollet authenticated with method 
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
12:50:52.155 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:161] - 
Returning control to profile handler
12:50:52.155 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:177] - 
Redirecting user to profile handler at 
https://idp.etrs.terre.defense.gouv.fr:443/idp/profile/SAML2/Redirect/SSO
12:50:52.160 - INFO [Shibboleth-Access:73] - 
20170504T105052Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
12:50:52.160 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - 
shibboleth.HandlerManager: Looking up profile handler for request path: 
/SAML2/Redirect/SSO
12:50:52.160 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - 
shibboleth.HandlerManager: Located profile handler of the following type for 
the request path: 
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
12:50:52.160 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:588] - 
Unbinding LoginContext
12:50:52.160 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:614] - Expiring 
LoginContext cookie
12:50:52.160 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:625] - Removed 
LoginContext, with key 
21082a8599b5ba28281416cfd7468ad128b893acaf51f88303c5fadd9ee0f77b, from 
StorageService partition loginContexts
12:50:52.161 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:172] - 
Incoming request contains a login context and indicates principal was 
authenticated, processing second leg of request
12:50:52.161 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking 
child metadata provider for entity descriptor with entity ID: 
cloud.etrs.terre.defense.gouv.fr
12:50:52.161 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:52.161 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata 
document does not contain an EntityDescriptor with the ID 
cloud.etrs.terre.defense.gouv.fr
12:50:52.161 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking 
child metadata provider for entity descriptor with entity ID: 
cloud.etrs.terre.defense.gouv.fr


12:50:52.169 - DEBUG 
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157]
 - No custom or group-based relying party configuration found for 
cloud.etrs.terre.defense.gouv.fr. Using default relying party configuration.
12:50:52.169 - DEBUG 
[org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking 
child metadata provider for entity descriptor with entity ID: 
https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth
12:50:52.170 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching 
for entity descriptor with an entity ID of 
https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth
12:50:52.170 - DEBUG 
[org.opensaml.saml2.binding.AuthnResponseEndpointSelector:99] - Filtering peer 
endpoints.  Supported peer endpoint bindings: 
[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, 
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, 
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact]
12:50:52.171 - DEBUG 
[org.opensaml.saml2.binding.AuthnResponseEndpointSelector:114] - Removing 
endpoint https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso 
because its binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect is not 
supported
12:50:52.171 - DEBUG 
[org.opensaml.saml2.binding.AuthnResponseEndpointSelector:69] - Selecting 
endpoint by ACS URL 
'https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso' and 
protocol binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' for request 
'85qrvu7c1kmg1tsc0gqmk4a1u2k60qed' from entity 
'cloud.etrs.terre.defense.gouv.fr'
12:50:52.171 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478]
 - Resolving attributes for principal 'fabrice.pollet' for SAML request from 
relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.171 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119]
 - shibboleth.AttributeResolver resolving attributes for principal 
fabrice.pollet
12:50:52.171 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275]
 - Specific attributes for principal fabrice.pollet were not requested, 
resolving all attributes.
12:50:52.172 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314]
 - Resolving attribute uid for principal fabrice.pollet
12:50:52.172 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354]
 - Resolving data connector myLDAP for principal fabrice.pollet
12:50:52.173 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308]
 - Search filter: (uid=fabrice.pollet)


12:50:52.190 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336]
 - Resolved attribute uid containing 1 values
12:50:52.190 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314]
 - Resolving attribute email for principal fabrice.pollet
12:50:52.190 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336]
 - Resolved attribute email containing 1 values
12:50:52.190 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314]
 - Resolving attribute transientId for principal fabrice.pollet
12:50:52.191 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97]
 - Building transient ID for request 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed; outbound 
message issuer: https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth, inbound 
message issuer: cloud.etrs.terre.defense.gouv.fr, principal identifer: 
fabrice.pollet
12:50:52.191 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115]
 - Created transient ID _fa7d6de2b4e946248d8f52c948470df6 for request 
85qrvu7c1kmg1tsc0gqmk4a1u2k60qed
12:50:52.191 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336]
 - Resolved attribute transientId containing 1 values
12:50:52.191 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314]
 - Resolving attribute eduPersonScopedAffiliation for principal fabrice.pollet
12:50:52.191 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336]
 - Resolved attribute eduPersonScopedAffiliation containing 1 values
12:50:52.191 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473]
 - Attribute uid has 1 values after post-processing
12:50:52.192 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473]
 - Attribute email has 1 values after post-processing
12:50:52.192 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473]
 - Attribute transientId has 1 values after post-processing
12:50:52.192 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473]
 - Attribute eduPersonScopedAffiliation has 1 values after post-processing
12:50:52.192 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137]
 - shibboleth.AttributeResolver resolved, for principal fabrice.pollet, the 
attributes: [uid, email, transientId, eduPersonScopedAffiliation]
12:50:52.192 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71]
 - shibboleth.AttributeFilterEngine filtering 4 attributes for principal 
fabrice.pollet
12:50:52.193 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
 - Evaluating if filter policy releaseToAllRenaterSps is active for principal 
fabrice.pollet
12:50:52.193 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:77]
 - Entity descriptor does not have a parent object, unable to check if entity 
is in group https://federation.renater.fr/
12:50:52.193 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134]
 - Filter policy releaseToAllRenaterSps is not active for principal 
fabrice.pollet
12:50:52.193 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
 - Evaluating if filter policy releaseToCocoEduGainSp is active for principal 
fabrice.pollet
12:50:52.193 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:77]
 - Entity descriptor does not have a parent object, unable to check if entity 
is in group https://federation.renater.fr/edugain/
12:50:52.193 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityAttributeMatchFunctor:175]
 - Descriptor for cloud.etrs.terre.defense.gouv.fr does not contain any 
EntityAttributes
12:50:52.194 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134]
 - Filter policy releaseToCocoEduGainSp is not active for principal 
fabrice.pollet
12:50:52.194 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
 - Evaluating if filter policy releaseTransientIdToAnyone is active for 
principal fabrice.pollet
12:50:52.194 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
 - Filter policy releaseTransientIdToAnyone is active for principal 
fabrice.pollet
12:50:52.194 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
 - Processing permit value rule for attribute transientId for principal 
fabrice.pollet
12:50:52.194 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
 - Evaluating if filter policy releaseUidAndEmailToAnyone is active for 
principal fabrice.pollet
12:50:52.194 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
 - Filter policy releaseUidAndEmailToAnyone is active for principal 
fabrice.pollet
12:50:52.195 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
 - Processing permit value rule for attribute uid for principal fabrice.pollet
12:50:52.195 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
 - Processing permit value rule for attribute email for principal fabrice.pollet
12:50:52.195 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
 - Evaluating if filter policy cloud.etrs.terre.defense.gouv.fr is active for 
principal fabrice.pollet
12:50:52.195 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139]
 - Filter policy cloud.etrs.terre.defense.gouv.fr is active for principal 
fabrice.pollet
12:50:52.195 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163]
 - Processing permit value rule for attribute uid for principal fabrice.pollet
12:50:52.196 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130]
 - Evaluating if filter policy e5.onthehub.com is active for principal 
fabrice.pollet
12:50:52.196 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134]
 - Filter policy e5.onthehub.com is not active for principal fabrice.pollet
12:50:52.196 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
 - Attribute uid has 1 values after filtering
12:50:52.196 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
 - Attribute email has 1 values after filtering
12:50:52.196 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109]
 - Attribute transientId has 1 values after filtering
12:50:52.196 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106]
 - Removing attribute from return set, no more values: 
eduPersonScopedAffiliation
12:50:52.197 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114]
 - Filtered attributes for principal fabrice.pollet.  The following attributes 
remain: [uid, email, transientId]
12:50:52.197 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505]
 - Creating attribute statement in response to SAML request 
'85qrvu7c1kmg1tsc0gqmk4a1u2k60qed' from relying party 
'cloud.etrs.terre.defense.gouv.fr'
12:50:52.197 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247]
 - Encoded attribute uid with encoder of type 
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
12:50:52.197 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247]
 - Encoded attribute email with encoder of type 
edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
12:50:52.198 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263]
 - Attribute transientId was not encoded (filtered by query, or no 
SAML2AttributeEncoder attached).
12:50:52.198 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:527]
 - Filtering out potential name identifier attributes which can not be encoded 
by 
edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.198 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:546]
 - Removing attribute uid, it can not be encoded via 
edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.198 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:546]
 - Removing attribute email, it can not be encoded via 
edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.198 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:541]
 - Retaining attribute transientId which may be encoded to via 
edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.199 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:566]
 - Filtering out potential name identifier attributes which do not support one 
of the following formats: 
[urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, 
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, 
urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
12:50:52.199 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585]
 - Retaining attribute transientId which may be encoded as a name identifier of 
format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
12:50:52.199 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:690]
 - Selecting attribute to be encoded as a name identifier by encoder of type 
edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.199 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:717]
 - Selecting the first attribute that can be encoded in to a name identifier
12:50:52.199 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501]
 - Name identifier for relying party 'cloud.etrs.terre.defense.gouv.fr' will be 
built from attribute 'transientId'
12:50:52.199 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868]
 - Using attribute 'transientId' supporting NameID format 
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for 
relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.200 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:572]
 - Determining if SAML assertion to relying party 
'cloud.etrs.terre.defense.gouv.fr' should be signed
12:50:52.200 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:653]
 - IdP relying party configuration 'default' indicates to sign assertions: true
12:50:52.200 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:583]
 - Determining signing credntial for assertion to relying party 
'cloud.etrs.terre.defense.gouv.fr'
12:50:52.200 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:599]
 - Signing assertion to relying party cloud.etrs.terre.defense.gouv.fr
12:50:52.200 - DEBUG [org.opensaml.common.SAMLObjectHelper:56] - Examing signed 
object for content references with exclusive canonicalization transform
12:50:52.201 - DEBUG [org.opensaml.common.SAMLObjectHelper:70] - Saw exclusive 
transform, declaring non-visible namespaces on signed object
12:50:52.201 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:100] 
- Starting to marshall {http://www.w3.org/2000/09/xmldsig#}Signature
12:50:52.201 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:103] 
- Creating XMLSignature object
12:50:52.202 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:113] 
- Adding content to XMLSignature.
12:50:52.202 - DEBUG [org.opensaml.common.impl.SAMLObjectContentReference:173] 
- Adding list of inclusive namespaces for signature exclusive canonicalization 
transform
12:50:52.202 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:118] 
- Creating Signature DOM element
12:50:52.203 - DEBUG [org.opensaml.xml.signature.Signer:76] - Computing 
signature over XMLSignature object
12:50:52.214 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:274]
 - Attempting to encrypt assertion to relying party 
'cloud.etrs.terre.defense.gouv.fr'
12:50:52.218 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:279]
 - Assertion to be encrypted is:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_3dcfe0e7bc0bd318d70314e0c6b38e0f"
    IssueInstant="2017-05-04T10:50:52.198Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_3dcfe0e7bc0bd318d70314e0c6b38e0f">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>YgpD3KMsgxt8+cXzdw1OP36tOws=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
<ds:SignatureValue>Xs6CVhcA+bKej3xKo145EucCv6yRVbWsFvueVVSxIuYR/vKmdbx92c1f7HOiFrFwQ9wVRodd4OmgrHFoIXZITBPAVPs7k9XInnbBicUPmJoJBnxoY5hraCQdNlVSGr1upplJ3XCDvWWxvamNoDdr4t/Zpw6jkwPriV7fbHvyOt3+2idKhQQGXKvyMmQ921RnLtVaBoP/rlQFZOkZ1LBgHtTWPhdf4Z4CIEBoOuRF/+lPTkSvkl5MnGcHCtV32QCiuu6fy0lfmG3nk0crDjNUjVUP1xTFc7UJtje4wB06DHSj+xgfov5Et6JPx2GhSgxlHMfaLTyn/boCDb9I4HZB2A==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDZTCCAk2gAwIBAgIUJ8+wj9VvvaWkYWc7Lv9ZrozEz5wwDQYJKoZIhvcNAQEFBQAwKTEnMCUG[...]</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            NameQualifier="https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth">_fa7d6de2b4e946248d8f52c948470df6</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData Address="172.16.96.7"
                InResponseTo="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed"
                NotOnOrAfter="2017-05-04T10:55:52.198Z"
                Recipient="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-05-04T10:50:52.198Z" NotOnOrAfter="2017-05-04T10:55:52.198Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>cloud.etrs.terre.defense.gouv.fr</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2017-05-04T10:50:52.155Z" SessionIndex="_a61ad6be527397b4b7bdc9064a0b4957">
        <saml2:SubjectLocality Address="172.16.96.7"/>
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">fabrice.pollet</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

12:50:52.221 - DEBUG [org.opensaml.security.MetadataCredentialResolver:167] - 
Forcing on-demand metadata provider refresh if necessary
12:50:52.221 - DEBUG [org.opensaml.security.MetadataCredentialResolver:215] - 
Attempting to retrieve credentials from cache using index: 
[cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,ENCRYPTION]
12:50:52.222 - DEBUG [org.opensaml.security.MetadataCredentialResolver:223] - 
Retrieved credentials from cache using index: 
[cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,ENCRYPTION]
12:50:52.222 - DEBUG 
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74]
 - Registry located evaluable criteria class 
org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria
 for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
12:50:52.222 - DEBUG 
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74]
 - Registry located evaluable criteria class 
org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria
 for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
12:50:52.222 - DEBUG 
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74]
 - Registry located evaluable criteria class 
org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria 
for criteria class org.opensaml.xml.security.criteria.UsageCriteria
12:50:52.222 - DEBUG 
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105]
 - Registry could not locate evaluable criteria for criteria class 
org.opensaml.security.MetadataCriteria
12:50:52.223 - DEBUG [org.opensaml.xml.security.SecurityHelper:292] - Unable to 
determine length in bits of specified Key instance
12:50:52.223 - DEBUG [org.opensaml.xml.encryption.Encrypter:645] - Generating 
random symmetric data encryption key from algorithm URI: 
http://www.w3.org/2001/04/xmlenc#aes128-cbc
12:50:52.223 - DEBUG [org.opensaml.xml.encryption.Encrypter:429] - Encrypting 
XMLObject using algorithm URI http://www.w3.org/2001/04/xmlenc#aes128-cbc with 
content mode false
12:50:52.225 - DEBUG [org.opensaml.xml.encryption.Encrypter:330] - Encrypting 
encryption key with algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
12:50:52.234 - DEBUG [org.opensaml.xml.encryption.Encrypter:291] - Dynamically 
generating KeyInfo from Credential for EncryptedKey using generator: 
org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator
12:50:52.235 - DEBUG [org.opensaml.saml2.encryption.Encrypter:423] - Placing 
EncryptedKey elements inline inside EncryptedData
12:50:52.235 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:331] - 
secondarily indexing user session by name identifier
12:50:52.237 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:796]
 - Encoding response to SAML request 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed from 
relying party cloud.etrs.terre.defense.gouv.fr
12:50:52.237 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:49] - 
Beginning encode message to outbound transport of type: 
org.opensaml.ws.transport.http.HttpServletResponseAdapter
12:50:52.237 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:124] 
- Invoking Velocity template to create POST body
12:50:52.238 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:158] 
- Encoding action url of 
'https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso' with 
encoded value 
'https&#x3a;&#x2f;&#x2f;cloud.etrs.terre.defense.gouv.fr&#x2f;client&#x2f;api&#x3f;command&#x3d;samlSso'
12:50:52.238 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:162] 
- Marshalling and Base64 encoding SAML message
12:50:52.240 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:97] - 
Marshalling message
12:50:52.260 - DEBUG [PROTOCOL_MESSAGE:74] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    ID="_f554e0c08f61f5c6d18529e5b2f16884"
    InResponseTo="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed"
    IssueInstant="2017-05-04T10:50:52.198Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_3ad94c1af74ab0a0a43cda26ce51a8ff"
            Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey Id="_549b0b744e7bdde94d3f44a410a115c2"
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0[...]</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>[...]</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>[...]</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

12:50:52.262 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:56] - 
Successfully encoded message.
12:50:52.262 - INFO [Shibboleth-Audit:1028] - 
20170504T105052Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|85qrvu7c1kmg1tsc0gqmk4a1u2k60qed|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_f554e0c08f61f5c6d18529e5b2f16884|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_fa7d6de2b4e946248d8f52c948470df6||



At the CloudStack SP the authentication failed:


2017-05-04 15:01:27,164 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) 
(logid:2f838354) ===START===  172.16.96.7 -- POST  command=samlSso
2017-05-04 15:01:27,164 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) 
(logid:2f838354) Session cookie is marked secure!
2017-05-04 15:01:27,219 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] 
(catalina-exec-8:ctx-70e81e62) (logid:2f838354) Received SAMLResponse in 
response to id=vf4gl2406lrritgfmqqif535ssf7f2ns
2017-05-04 15:01:27,222 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) 
(logid:2f838354) Authentication failure: <?xml version="1.0" 
encoding="UTF-8"?><loginresponse 
cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Failed to 
find admin configured username attribute in the SAML Response. Please ask your 
administrator to check SAML user attribute name.</errortext></loginresponse>
2017-05-04 15:01:27,222 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) 
(logid:2f838354) ===END===  172.16.96.7 -- POST  command=samlSso


Thank you again for your help.

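The following Python is an added example, not code from CloudStack or Shibboleth. It parses an assertion built after the one the IdP logged above and shows that a configured username attribute of "uid" matches only the FriendlyName, while the attribute's Name is urn:oid:0.9.2342.19200300.100.1.1; it then applies the audience, validity-window and InResponseTo checks an SP has to make after decryption, with an explicit clock-skew allowance. The sample assertion, the issuer and audience names, the request id, and the choice to compare by Name unless told otherwise are assumptions.

```python
"""Inspect a decrypted SAML 2.0 assertion before mapping it to a local account.

Added example, not CloudStack or Shibboleth code: which attribute identifier a
configured username attribute really matches (Name versus FriendlyName), and
whether Conditions and SubjectConfirmationData allow accepting the assertion.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample shaped like the logged assertion (signature and key material
# left out); issuer, audience, ids, timestamps and attribute values are made up.
SAMPLE_ASSERTION = """<saml2:Assertion ID="_a1b2c3" IssueInstant="2017-05-04T10:50:52.198Z"
    Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.test/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_f0f0f0</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="req-123" NotOnOrAfter="2017-05-04T10:55:52.198Z"
          Recipient="https://sp.example.test/client/api?command=samlSso"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2017-05-04T10:50:52.198Z" NotOnOrAfter="2017-05-04T10:55:52.198Z">
    <saml2:AudienceRestriction><saml2:Audience>sp.example.test</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe@example.test</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def list_attributes(assertion_xml):
    """Return (Name, FriendlyName, values) for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        found.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return found


def find_username(assertion_xml, configured_attribute, also_friendly_name=False):
    """Resolve the username from a configured attribute identifier.

    The setting is compared with each Attribute's Name; FriendlyName counts only
    when also_friendly_name is set (assumption, check the SP's own behaviour).
    None means nothing matched, the situation behind an SP error such as
    "username attribute not found in the SAML response".
    """
    for name, friendly, values in list_attributes(assertion_xml):
        if name == configured_attribute or (also_friendly_name and friendly == configured_attribute):
            return values[0] if values else None
    return None


def parse_time(value):
    """Parse an xsd:dateTime in UTC as Shibboleth emits it (fraction optional)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, expected_audience, expected_request_id, now, skew_seconds=0):
    """Return the reasons to reject the assertion; an empty list means accept.

    Checks left after signature verification and decryption: audience, the
    NotBefore/NotOnOrAfter windows with an explicit clock-skew allowance
    (IdP and SP clocks rarely agree exactly), and InResponseTo.
    """
    root = ET.fromstring(assertion_xml)
    now = parse_time(now) if isinstance(now, str) else now
    skew = timedelta(seconds=skew_seconds)
    problems = []
    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("Conditions missing")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_time(not_before):
            problems.append("NotBefore %s is still in the future" % not_before)
        if not_on_or_after and now - skew >= parse_time(not_on_or_after):
            problems.append("NotOnOrAfter %s has passed" % not_on_or_after)
        audiences = [a.text for a in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience not in audiences:  # require a restriction naming this SP
            problems.append("Audience %s does not name %s" % (audiences, expected_audience))
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("SubjectConfirmationData missing")
    else:
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo %s does not match request %s"
                            % (scd.get("InResponseTo"), expected_request_id))
        expiry = scd.get("NotOnOrAfter")
        if expiry and now - skew >= parse_time(expiry):
            problems.append("SubjectConfirmationData NotOnOrAfter %s has passed" % expiry)
    return problems
```

Run find_username with the setting the SP is configured with and compare its result against list_attributes: if the configured string appears only as a FriendlyName, the SP setting needs the Name (here the OID) instead.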

On 03/05/2017 11:17, Rohit Yadav wrote:

Hi Fabrice,


Ensure that both SP and IdP server hosts have the same timezone/time settings. 
Consider setting up NTP on them etc.


Next, another reason it failed to log into CloudStack (even though I can see 
successful authentication at the IdP side) is that SP (cloudstack mgmt server) 
has incorrect IdP metadata or certificates to verify and decrypt the encrypted 
tokens in the saml2 response. Please verify this as well.


Regards.

[email protected]
www.shapeblue.com
@shapeblue




________________________________
From: Fabrice Pollet <[email protected]>
Sent: 02 May 2017 17:44:58
To: Rohit Yadav; [email protected]; [email protected]
Subject: Re: Shibboleth and CloudStack

Hello,

Thank you very much for your answer.

Maybe I misunderstood because in my current configuration, CloudStack refers to 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword without any 
modification and that corresponds to the native authentication of my IdP.

I wanted CloudStack to return to 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser which corresponds 
to my SSO-CAS.

So I followed your hack, but by replacing, in 
/etc/cloudstack/management/idp-metadata.xml, 
https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO with 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.

This time CloudStack redirects correctly to my SSO-CAS, which is progress. 
Unfortunately, authentication does not succeed.

Here are the logs of the IdP at the time of the connection:


11:09:55.290 - INFO [Shibboleth-Access:73] - 
20170502T090955Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
11:09:55.378 - DEBUG [PROTOCOL_MESSAGE:74] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    ID="_3b1e03d6935882d3eb5d3f9242fb1426"
    InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2"
    IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_61daeafb4f216c1e291b2130c8b56a35"
            Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey Id="_bae1f2d4c0b08c4fa70aa7169117c880"
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0[...]</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>BwCwEsRgA3OFiHNpd3bfHAo5Q3zt6YlqbKlg9HRpL6U2ID2Hm7KI9FojAPS5JpSh14mreSNylN2myr9jUOJ+OpeCfRdjtSNuck3O/k42g/Eu5nNmzn9cFOSbFqSQXvsdYVzsbMeGID1J9cq5FfVeu6RcebZr7Ebo5tOTdJqmKi2BScB/fz8Yy/2p6xh/JWYhsVCeSwvHuHKrDYCFf5eg0XcoP/tgrA65U7P7utrKrjMgSq5Dn5XkaXc9L9+wov9VnpdKrRU2TENFdZIW5RO1PKc5nwP3/ivEkuYs2ax+lvvkYpNqEiAQyQmt1T1VvctyLC0MplMDX8YEMRIfhNAyJskYbp5rP1ZHGhfu76cVTzdt4AouCNvxRYPZ5uhy47jeEy0ZewEz65ImqGgKNoZ4FwH5UwTTHGZak5MJ3LmTd9bfwfz7sUK3TGsISdbFCVxkthQvGBmOHNHb8BbKaNUV8Px8DH0IV1jvCiXUBlzwFpnRjG06hSpmmllyu3WaQixPqZ1BjgjAOXrUdhxLrBRyXEbKeFdGxidJYcqQaBpn4H83ZNPBriQ3Ya39NJGkfkVlU8tvpif3tH1fNWJ0SBNDZWIUjyu4OKFxjiebsP2QF6miep9YscNffQdPt9k0h2siTQJCpH/DM2RMQOna/AKARUeyD39jsutvhpj3TQzplzw=</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";<http://www.w3.org/2001/04/xmlenc#>>
                
<xenc:CipherValue>KXBwY7UOS1KcHaNefUMtdK/6Jlmm78KYhs62nxNAectfTT5Sw3l289hLgeaIZ0RRsO1XqQk+ew43mMm6QaWjvcEDGij2C+TEGl2maIkhxpW71ZeeMyP6dAW78/TDJBJfLUEbTR1jb+q7hfJDKgMdyGfQ9ErEdvQjbz8vRMYiq7fdkNzqVTpXzcc7KXbpGtSQqyJYetAGFPx2wsJreeHsQPvIJrI42ER8LOLyv/FnXi+w4YXrzL14e0Qhmyry07Z8B6gC3DA+C8pmDs9xn99nEfAC6xZctDeIzC0+KpGav9NfACfvqs+X2DleZGckzsSomDxssiv4ArAbTSV/dRlbBUWfIGBgwALVhrBDyuCkBXrYNYqm7QF6bKSmAOlKVYC+lqFdI8CLHH7QiEO2S1UHYNRSIjUPXtef1CXGWM2jhmPYc51VBxsrcoY0ei0/nx9WVLcN5OHxnb8dz5Lm5yJJRa16k+7/rYDi8KvGTQj6jTEkQFjoxr7VeDHHAEdt5D8/Xm0PuvAXGTEvOntlaLbXkMqFxBe9usAkFqf6CRm3Qin2O7dUuipWJVZE1f7gnZyGCV0woVgnSQ2vo5quz5ABveXzlsuypMkD/bwavgLYNQR9c4eIJDqcUlPC2zm5XM18mgdxxQpp90E3Kb29j1OGfDh6F35x2rYg3k1/jJeMlDlbANprwyw1eM+qGijDcdYNoJEMRF9Utpt1ePDSOhBBPyPiTg7lgBo0m/gBnHR26TTTDGMruCm7SSNrYJIf1KR6HFalEaUZn7kpSBINkyoCOOyW78L8pqy0+m1ZcCfsYBzHsSd8kXyavYESCGIB58oIzPFB7VK1SiKrWvZCRkXw0AZllfy3cntpGopCBopjivUxycsNHPTIp0sZDpkpRC9it3vGcJDIueuPoco1cdoM05gTLg2rNU7StPukDAwKZSRJ2RY0kN
C5t9COUSU88UubAzXX+DjFtRL/e0E94/nfpKiFDsRlWJJwKIFybBqezGksdmU21VEh/Z7vzNRvlmAAsz6vepof4cNL4PkHOhn8BSnFI6wDZahPj9WzIZ7ePeUkz5NpTdYfqX6VcHzANAgiygeLx8EaT9dCaOPj3PEGU/QkCcFKFcY1l8LGGUUW8Rudje0MRarcRh+ms51nwuoCAB5Gr+73GYb+2Ir3DYQme3ym0zGfsqTl8gR707/lvdxgVP3ShqSwvD6tr0rgd1r5pG8BESQbak9bFdq6cNZpTLVQ3/AsOd7FBdlWlPCE6I9eU70NNQy3iKxJljVb//5xrcjEDa9ulQc=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

11:09:55.379 - INFO [Shibboleth-Audit:1028] - 
20170502T090955Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ni2j9u3i4d749ask9434jsgon0i9g7u2|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3b1e03d6935882d3eb5d3f9242fb1426|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_9d5c99cfc524cd833e5e19406c95538e||


Here are the CloudStack logs:


2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] 
(catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===START===  172.16.96.7 -- 
GET  
command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json
2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] 
(catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Session cookie is marked 
secure!
2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] 
(catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Sending SAMLRequest 
id=mdp1ikdn2elvck5uilfbs266ahop200v
2017-05-02 10:10:10,903 DEBUG [c.c.a.ApiServlet] 
(catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===END===  172.16.96.7  -- GET 
 
command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json

Here is the error in the browser: 
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso :


<loginresponse 
cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Received 
SAML response for a SSO request that we may not have made or has expired, 
please try logging in again</errortext></loginresponse>

Thank you again for your time.
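As an added illustration, not part of this thread and not the CloudStack SAML2 plugin's own code: the 531 error text above describes the service provider's check that a SAML Response answers an AuthnRequest the SP itself issued and that has not yet expired (the InResponseTo correlation), and the earlier reply in the thread describes the 'saml2.user.attribute' lookup that maps the assertion to a CloudStack account. The Python below models both checks on a constructed, unencrypted Response; a real SP verifies the signature and decrypts the EncryptedAssertion first. The request lifetime, the sample XML, the "req-expired" id and the example.invalid e-mail address are assumptions; the SSO URL, IdP entity ID, attribute name and request id come from the configuration and logs quoted in the thread.

```python
import time
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the thread's CloudStack settings and logs.
SP_SSO_URL = "https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
IDP_ENTITY_ID = "https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth"
USER_ATTRIBUTE = "uid"          # saml2.user.attribute
REQUEST_TTL_SECONDS = 300       # assumed lifetime of an outstanding AuthnRequest


class SamlRequestStore:
    """Remembers AuthnRequest IDs the SP issued (with issue time) so that a
    Response can be tied to a request we actually made."""

    def __init__(self, ttl=REQUEST_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.pending = {}   # request id -> issue timestamp

    def issue(self, request_id):
        self.pending[request_id] = self.clock()

    def consume(self, request_id):
        """True once for a known, unexpired id; False otherwise.  The id is
        removed either way, so the same Response cannot be presented twice."""
        issued = self.pending.pop(request_id, None)
        if issued is None:
            return False
        return self.clock() - issued <= self.ttl


def validate_response(xml_text, store):
    """Return the login name from the assertion, or raise ValueError (the
    InResponseTo failure mirrors the CloudStack 531 message)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("not a SAML2 Response")
    if root.get("Destination") != SP_SSO_URL:
        raise ValueError("Destination does not match our SSO URL")
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer %r" % issuer)
    if not store.consume(root.get("InResponseTo")):
        raise ValueError("Received SAML response for a SSO request that we may "
                         "not have made or has expired")
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP reported a non-success status")
    # Map the assertion to a CloudStack user via the configured attribute.
    for attr in root.iterfind("saml2:Assertion/saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == USER_ATTRIBUTE:
            value = attr.findtext("saml2:AttributeValue", namespaces=NS)
            if value:
                return value
    raise ValueError("assertion carries no %r attribute to map to a user" % USER_ATTRIBUTE)


def sample_response(in_response_to, uid="fabrice.pollet"):
    """Constructed, unencrypted Response for demonstration only."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_resp1" Version="2.0" Destination="{SP_SSO_URL}" InResponseTo="{in_response_to}">
  <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{USER_ATTRIBUTE}"><saml2:AttributeValue>{uid}</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="email"><saml2:AttributeValue>{uid}@example.invalid</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def outcome(xml_text, store):
    """Run validation and report either the login name or the rejection reason."""
    try:
        return validate_response(xml_text, store)
    except ValueError as exc:
        return "rejected: " + str(exc)


def demo():
    """Matching, unknown and expired request ids; returns the three outcomes."""
    now = [1_000_000.0]                                   # controllable clock
    store = SamlRequestStore(clock=lambda: now[0])
    store.issue("mdp1ikdn2elvck5uilfbs266ahop200v")       # id from the CloudStack log
    results = {"matching": outcome(sample_response("mdp1ikdn2elvck5uilfbs266ahop200v"), store)}
    # a Response answering an id this SP never issued
    results["unknown"] = outcome(sample_response("ni2j9u3i4d749ask9434jsgon0i9g7u2"), store)
    store.issue("req-expired")                            # assumed id
    now[0] += REQUEST_TTL_SECONDS + 1                     # let the request age out
    results["expired"] = outcome(sample_response("req-expired"), store)
    return results
```

Running demo() accepts the first Response and rejects the other two with the InResponseTo message; a Response whose assertion lacks the configured attribute is rejected separately, which is the case the HEAD reply addresses by changing 'saml2.user.attribute'.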


On 28/04/2017 11:23, Rohit Yadav wrote:

Hi Fabrice,


I looked at the IdP XML. With the SAML2 plugin enabled/configured in CloudStack, 
when users click on login they will be redirected to 
https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with a 
SAML token). After this, I'm not sure how your setup/IdP should behave on 
handling the redirection or use of the REMOTE_USER environment variable.


A sort of a hack you can try is to replace the SSO URL in your xml file (saved 
in /etc/cloudstack/management/) to 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and see if that 
works for you.


Regards.

[email protected]<mailto:[email protected]>
www.shapeblue.com<http://www.shapeblue.com>
@shapeblue




________________________________
From: Fabrice Pollet 
<[email protected]><mailto:[email protected]>
Sent: 27 April 2017 14:30:53
To: Rohit Yadav; 
[email protected]<mailto:[email protected]>; 
[email protected]<mailto:[email protected]>
Subject: Re: Shibboleth and CloudStack

I tried your solution to save the IdP metadata in the file 
/etc/cloudstack/management/idp-metadata.xml and I found my IdP in the selection 
proposed by CloudStack. In any case it shows me the possibility of adding other 
IdPs, and that is very good.

However, I come back to the same situation. My Cloud refers to the native 
authentication of my IdP instead of the SSO-CAS.

I specify that my IdP has been working since 2015 with the Federation RENATER 
and that its external services are well redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?


On 27/04/2017 09:10, Fabrice Pollet wrote:
Hello,

The IdP metadata can also be read at this public URL 
https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS) instead 
of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled automatically).

I will try your workaround.

I would like to inform you and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:

Hi Fabrice,


I could not open the URLs (they are not public) so cannot verify the XML 
metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will 
include a list of supported IdP server endpoints that support HTTP-Redirect 
(binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based 
single sign-on. The current SAML2 plugin only supports and works with the 
HTTP-Redirect binding.


If you can share the xml with me, I can verify the SSO URL. Likely, the URL 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of 
the allowed SSO http-redirect based endpoints.


You may try this workaround -- assuming your IdP server has the SP metadata 
(i.e. the xml that you get from 
"http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata") 
added/enabled: download and save the IdP metadata (make any URL 
modification that you want) to a file such as 'idp-metadata.xml' in 
/etc/cloudstack/management on the management server(s), and then in the global 
settings set 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' 
(without the quotes). Then restart the mgmt server(s); they will read the 
metadata from this file location instead of the URL.


The SAML2 plugin also allows multiple IdPs to be defined (for example, in the 
case of a federation it will retrieve and list all the available SSO sites; for 
example, search for the CAFe SAML federation).


Regards.

________________________________
From: Fabrice Pollet 
<[email protected]><mailto:[email protected]>
Sent: 26 April 2017 17:31:46
To: [email protected]<mailto:[email protected]>
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =
http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo

saml2.sp.sso.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the URL SSO-SAML2
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
returns me to the native authentication URL of our IdP
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The meta data of my SP are listed in my IdP (from the configuration file
relying-party.xml):

<!-- ETRS CloudStack metadata -->

<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
xsi:type="metadata:FileBackedHTTPMetadataProvider"

metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"

backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">

</metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
[email protected]<mailto:[email protected]> (Internet)
[email protected]<mailto:[email protected]> 
(Intradef)

