Using Novell Access Manager's SAML Identity Server (NAM) with a Shibboleth SAML Service Provider (SP) allows your users to use their existing LDAP credentials for single sign-on access to the Shibboleth framework as well as any web applications protected by NAM.
In a previous document Integrating Novell's Access Manager with Shibboleth's IDP Server, a SAML2 SP-initiated SSO exchange between a Novell Access Manager 3.1 SAML2 Service Provider (SP) and a Shibboleth SAML2 Identity Provider (IdP) was described. The roles are reversed in the following document, where Shibboleth acts as the SAML SP, and Access Manager as the IdP server.
This Cool Solution will show you how to add a Shibboleth SP to your NAM implementation using federated authentication via SAML 2.0. By using SAML 2.0, your users authenticate to NAM as they typically do, using their existing LDAP credentials from your corporate directory. The Shibboleth SP consumes the SAML assertion and authenticates users without the need to synchronize passwords with a local user store. Once configured, your users will have SSO access to all your web resources protected by NAM, through either the Access Gateway or federation protocols.
Setup details:
- Novell Access Manager Identity Server set up as a SAML2 Identity Provider (IDP) to send an assertion to a Shibboleth SAML2 Service Provider (SP)
- Apache server with the Shibboleth module acting as the SAML2 Service Provider
- JBOSS server running the required application
The JBOSS application being accessed by users is protected by the Apache Shibboleth module.
When the user hits the protected JBOSS path, Apache detects that it needs to hand the request to the Shibboleth module/process, which in turn uses an HTTP POST binding to send the SAML Authentication Request to the Access Manager SAML2 IDP server.
The Access Manager SAML2 IDP server validates the Authentication Request, presents the user with the appropriate login page, and then validates the user's submitted credentials. Assuming credential validation is successful, an Authentication Response including the assertion is sent back from the IDP server to the Apache-fronted Shibboleth SP.
Apache will use the AJP connector to forward the request to the JBOSS backend to process the response.
Configuration Details:
Novell Access Manager Configuration:
- Define an Attribute Map on the IDP server with the Attributes required by the SP
In our setup, we wanted to send customizable string attributes – most setups would send LDAP attributes. When using such customizable string attributes, an entry must exist for each attribute. In our example, we mapped some LDAP attributes to the customisation strings using the following mapping configuration – note that it is not always required to send attributes to the SP at authentication, but our application required it:
We then created an Attribute Set (called it PX) under the Identity Servers -> Shared Settings -> Attribute Sets field and added the various customisation strings in there as shown below:
- Define the Shibboleth SP configuration at the IDP server
From the SAML2 configuration link in the Access Manager Administration Console, select the option to create a new Service Provider. Add a name for this SP and add the metadata text from the Shibboleth SP. Sample Shibboleth SP metadata is included below:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_330d3f85f3853d942b17c6e67508c6c8" entityID="https://shibsp.lab.novell.com/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://shibsp.lab.novell.com/Shibboleth.sso/DS" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>shibsp.lab.novell.com</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=shibsp.lab.novell.com</ds:X509SubjectName>
          <ds:X509Certificate>MIIDITCCAgmgAwIBAgIJAOURaX1S9TI1MA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV : </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>shibsp.lab.novell.com</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=shibsp.lab.novell.com</ds:X509SubjectName>
          <ds:X509Certificate>MIIDITCCAgmgAwIBAgIJAOURaX1S9TI1MA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV : </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibsp.lab.novell.com/Shibboleth.sso/SLO/POST"/>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibsp.lab.novell.com/Shibboleth.sso/NIM/POST"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Note: Make sure that the trusted root of the Service Provider X509 certificate is added to the IDP truststore (Security -> Trusted roots).
- Define the Attributes to send back to the SP in the SAML2 configuration – go to our newly created SAML2 SP and click the Attributes tab. Select all attributes from the 'Available' table so that they are under the 'Send with Authentication' section.
Shibboleth Service Provider Configuration:
The configuration on the SP side is done by modifying the shibboleth2.xml file (reference at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration). The default file was used as a baseline with the following changes:
- A Session Initiator configures the login behavior for a given Shibboleth SP. Session Initiators are configured in shibboleth2.xml using <SessionInitiator> elements. In our setup, we had to point to the Novell IDP server with the contract we wanted executed on that IDP server:
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://login.lab.novell.com/nidp/saml2/metadata">
  <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html" authnContextComparison="exact">
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextDeclRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">secure/novl/saml2/uri</saml:AuthnContextDeclRef>
      </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>
  </SessionInitiator>
  <SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>
- The Shibboleth version being used (2.3.1) always used "HTTP-Redirect" as the binding, instead of the "HTTP-POST" expected per the default configuration in shibboleth2.xml. One way to enforce the POST binding is to use "outgoingBindings" in the shibboleth2.xml configuration to specify the binding explicitly:
<SessionInitiator type="SAML2" Location="/Login" acsIndex="1" template="bindingTemplate.html" authnContextComparison="exact" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
- The Shibboleth configuration file must also include the IDP metadata, or reference it in another file. For example:
<MetadataProvider type="Chaining">
  <MetadataProvider type="XML" file="novell-saml-metadata.xml"/>
</MetadataProvider>
where novell-saml-metadata.xml is the exported metadata from the Novell Identity Server (from https://login.lab.novell.com/nidp/saml2/metadata in our example), which includes key IDP single sign on and logout URLs, as well as certificate information used to validate signatures.
- The Shibboleth configuration file must define a mapping between the incoming attributes received within the SAML2 IDP assertion's <AttributeStatement> and the local attributes available on the Shibboleth SP. The <AttributeExtractor> element configures the Shibboleth SP to turn the SAML2 AttributeStatement content into local "attributes", the internal representation of information stored with user sessions. These attributes can then be used by the JBOSS application.
By default, shibboleth2.xml includes the following entry pointing to the attribute map file:
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
In our scenario, we needed to map the 6 incoming attributes from the IDP server's assertion to the SP's local attributes. In our attribute-map.xml file, we mapped each of the 6 customization attributes we received.
Using the information from the SAML assertion shown below, we took the remote attribute name "/op:OP/op:CustomizableStrings/op:CustomizableString1" and mapped it to the SP local attribute name "userguid". This "userguid" attribute value is then passed to the JBOSS application. We repeated the same steps for all 6 customizable strings.
To do this, we added the following entries to the attribute-map.xml file:
<Attribute name="/op:OP/op:CustomizableStrings/op:CustomizableString1" id="userguid" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
<Attribute name="/op:OP/op:CustomizableStrings/op:CustomizableString2" id="usermail" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
:
:
<Attribute name="/op:OP/op:CustomizableStrings/op:CustomizableString6" id="usertitle" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
Communication Flow:
- The user hits the SP and is redirected to the Single Sign-On service URL on the IDP server via JavaScript auto-submitting the Authentication Request. The request looks as follows:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST" Destination="https://login.lab.novell.com/nidp/saml2/sso" ID="_7739c0a43ce2b5cfb5918c0871a0d335" IssueInstant="2011-05-19T13:42:51Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://shibsp.lab.novell.com/shibboleth</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_7739c0a43ce2b5cfb5918c0871a0d335">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>S3xLclP3WEis5JKrKk0Im71uB7I=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>s+CxeRaSTTvpqXdGz+tBKjR8lnX20B4iMlV1oqsr7sTX6btRVytzR/OCQQiKqO7F : KJt0OLwhf2cTT8wGn8Bm6A==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>shibsp.lab.novell.com</ds:KeyName>
      <ds:X509Data>
        <ds:X509SubjectName>CN=shibsp.lab.novell.com</ds:X509SubjectName>
        <ds:X509Certificate>MIIDITCCAgmgAwIBAgIJAOURaX1S9TI1MA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV : EL35YECXkF+Cwxt1Jq/5ShIPs/DQIsMDsqAb/jNCN1+RoaWWGA==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy AllowCreate="1"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextDeclRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">secure/novl/saml2/uri</saml:AuthnContextDeclRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
- IDP server processes the authentication request and executes the 'secure/novl/saml2/uri' contract defined in the <saml:AuthnContextDeclRef> statement. The user is presented with the corresponding login page.
- After the user submits their credentials, the IDP server validates them against the back end user store and assuming they are successful, generates the following Authentication Response to the SP:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained" Destination="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST" ID="idkon090dzZ5KpsaEjwIhuSv-tBrE" InResponseTo="_7739c0a43ce2b5cfb5918c0871a0d335" IssueInstant="2011-05-19T13:42:56Z" Version="2.0">
  <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="idpE9Hc78tdOdXju5DyDbYcQRLx.U" IssueInstant="2011-05-19T13:42:56Z" Version="2.0">
    <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#idpE9Hc78tdOdXju5DyDbYcQRLx.U">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">I2WvXWl0R90dbttEFicwFWvwDSA=</DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">x/GkbBzadOFAKrWUh5/8P93rwIWGwaarQ5FZ7goBHFeES/vsaLhTDCaIdvBcc5UGVM0tn0R+r+Ml : QYpa3pKWkVVlKbdtZzlc+37v5d5p4ZkTYhwrCQ==</SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIFNzCCBB+gAwIBAgIkAhwR/6Qt6Yd25+PtUQyZa5OjBeTJOGrxG/ZDk76bAgITTSB9MA0GCSqG : hdfrMpTs/x/BzC9MluTE0sgQdE0Jm7ZTjvvMGg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://login.lab.novell.com/nidp/saml2/metadata" SPNameQualifier="https://shibsp.lab.novell.com/shibboleth">oNgMj2lgmcySxbDmms226ZbAs+CUwLLs5s+49Q==</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_7739c0a43ce2b5cfb5918c0871a0d335" NotOnOrAfter="2011-05-19T14:12:56Z" Recipient="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-05-19T13:37:56Z" NotOnOrAfter="2011-05-19T13:47:56Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://shibsp.lab.novell.com/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-05-19T13:42:56Z" SessionIndex="idpE9Hc78tdOdXju5DyDbYcQRLx.U">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        <saml:AuthnContextDeclRef>secure/novl/saml2/uri</saml:AuthnContextDeclRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/pp:PP/pp:CommonName/pp:AnalyzedName/pp:FN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">Neil</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/pp:PP/pp:CommonName/pp:AnalyzedName/pp:SN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">Cashell</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/op:OP/op:CustomizableStrings/op:CustomizableString5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">active</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/op:OP/op:CustomizableStrings/op:CustomizableString4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">Administrator</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/op:OP/op:CustomizableStrings/op:CustomizableString1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">F328D133-FE36-9E04-F642-436ED932EAC0</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/op:OP/op:CustomizableStrings/op:CustomizableString3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">ncashell@novell.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/op:OP/op:CustomizableStrings/op:CustomizableString2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">08C0408F-02BC-B951-903E-028A7E85671B</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
The Authentication Response above is also POSTed via the browser. Using the same decoding technique as that presented in 1. above, decode the contents of the SAMLResponse POST variable to obtain the assertion shown above.
Troubleshooting SAML issues:
Since we are dealing with the SAML POST binding, troubleshooting is greatly simplified because the required SAML details (Authentication Request and Response) all pass through the browser. With a tool that decodes HTTP requests in the browser (ieHTTPHeaders, or one of the Firefox HTTP header plug-ins), one can decode the request and response to/from the Novell Identity Server. The following diagram shows the SAMLRequest that is POSTed to the Identity Server.
The SAMLResponse includes the assertion details, but is both URL- and base64-encoded. Pasting the SAMLResponse value first into a URL decoder and then into a base64 decoder will output the SAML response in legible form, with all appropriate tags. An example URL decoder is available at http://meyerweb.com/eric/tools/dencoder/, whilst an online base64 decoder is available at http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
Another option to debug the entire authentication process at the Novell IDP server, including the SAML exchange, is to enable verbose logging on the IDP server. After selecting the following IDP logging options, the /var/opt/novell/tomcat5/logs/catalina.out file will include all the details required to troubleshoot SAML issues.
After applying the settings to the IDP server, browse the catalina.out file and make sure that:
- the trusted SAML provider loads successfully. A message should appear in the log file indicating that the trusted provider has loaded with no errors, as shown below:
<amLogEntry> 2011-05-23T15:47:33Z INFO NIDS Application: AM#500105038: AMDEVICEID#E1E240D48F834C12: Loaded trusted provider ShibSP of protocol SAML 2 </amLogEntry>
If errors were detected in the metadata, an error code will be displayed here; the codes are documented under 'Novell Access Manager 3.1 Event Codes' at http://www.novell.com/documentation/novellaccessmanager31/eventcodes/?page=/documentation/novellaccessmanager31/eventcodes/data/bookinfo.html
- the SAML AuthnRequest arrives from the Shibboleth service provider. Assuming the authentication request arrives, the following entry should be visible in catalina.out on the IDP server:
************************* SAML2 POST message ********************************
Type: received
RelayState: cookie:d248a811
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST" Destination="https://login.lab.novell.com.com/nidp/saml2/sso" ID="_21941a5adc029d2291d27554890ae9a3" IssueInstant="2011-05-04T19:26:03Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://shibsp.lab.novell.com/shibboleth</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_21941a5adc029d2291d27554890ae9a3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>uJXDDSa44fMaPb5K++KaAFulzr4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>lIubzCw8pHNbA58/NSD1saNlUyngretDBXqREmVVSSxyP64rpk/S/IdpWZcjj : Lhork0oRmOxAcHZiDoD2Jw==</ds:SignatureValue>
    <ds:X509Data>
      <ds:X509Certificate>MIIDITCCAgmgAwIBAgIJAOURaX1S9TI1MA0GCSqGSIb3DQEBBQUAMCkxJzAl : EL35YECXkF+Cwxt1Jq/5ShIPs/DQIsMDsqAb/jNCN1+RoaWWGA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy AllowCreate="1"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextDeclRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">secure/twc/saml2/uri</saml:AuthnContextDeclRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
:
************************* End SAML2 message ****************************
The most common reasons why the trusted provider will not load are that
- the X509 certificate in the SP metadata is not trusted: Add the trusted root (and intermediates if they exist) to the NIDP trusted root store (Security -> Trusted roots) or
- the X509 certificate or root points to a CRL or OCSP server that the IDP server cannot communicate with. You can confirm this by following the TID at http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7007282&sliceId=1&docTypeID=DT_TID_1_1&dialogID=237562778&stateId=0%200%20237564692
Make sure that the Authentication Response is sent from the IDP server to the Shibboleth SP. The status should always indicate success and not an error. When all works fine, we should see the success status code along with the assertion details, as follows. What is key is the response destination, the subject (including the NameID details) and the certificate used to sign the response – the Shibboleth SP must be set up to match these.
************************* SAML2 POST message ********************************
Type: sent
Sent to: https://shibsp.lab.novell.com/Shibboleth.sso/SAML2...
RelayState:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained" Destination="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST" ID="idkon090dzZ5KpsaEjwIhuSv-tBrE" InResponseTo="_7739c0a43ce2b5cfb5918c0871a0d335" IssueInstant="2011-05-19T13:42:56Z" Version="2.0">
  <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="idpE9Hc78tdOdXju5DyDbYcQRLx.U" IssueInstant="2011-05-19T13:42:56Z" Version="2.0">
    <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
    :
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://login.lab.novell.com/nidp/saml2/metadata" SPNameQualifier="https://shibsp.lab.novell.com/shibboleth">oNgMj2lgmcySxbDmms226ZbAs+CUwLLs5s+49Q==</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_7739c0a43ce2b5cfb5918c0871a0d335" NotOnOrAfter="2011-05-19T14:12:56Z" Recipient="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-05-19T13:37:56Z" NotOnOrAfter="2011-05-19T13:47:56Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://shibsp.lab.novell.com/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-05-19T13:42:56Z" SessionIndex="idpE9Hc78tdOdXju5DyDbYcQRLx.U">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        <saml:AuthnContextDeclRef>secure/novl/saml2/uri</saml:AuthnContextDeclRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/pp:PP/pp:CommonName/pp:AnalyzedName/pp:FN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">Neil</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/pp:PP/pp:CommonName/pp:AnalyzedName/pp:SN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xsd:string">Cashell</saml:AttributeValue>
      </saml:Attribute>
      :
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
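As an added example (not the page's or Novell's code) covering the decoding step above and the fields the SP must match: it reverses the URL-then-base64 encoding of the SAMLResponse POST value, checks Status, Destination, InResponseTo, Issuer, Recipient, Audience and the Conditions window against what this SP expects, and applies an attribute-map.xml style mapping like the one in the Shibboleth section. The sample response, attribute map and request ID are constructed; it does not verify the XML signature, which shibd does against the IdP metadata.

```python
"""Decode a SAMLResponse POST value, check the fields the Shibboleth SP must match,
and apply an attribute-map.xml style mapping. Added example; signature verification
is deliberately out of scope (shibd does that against the IdP metadata)."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample in the shape of the page's response: unsigned and trimmed,
# entity IDs and attribute names as on the page, IDs and values made up here.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  Destination="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST"
  ID="id-constructed-response" InResponseTo="_constructedrequestid">
 <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="id-constructed-assertion" Version="2.0">
  <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">constructedNameId==</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_constructedrequestid" NotOnOrAfter="2011-05-19T14:12:56Z"
     Recipient="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-05-19T13:37:56Z" NotOnOrAfter="2011-05-19T13:47:56Z">
   <saml:AudienceRestriction><saml:Audience>https://shibsp.lab.novell.com/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="/op:OP/op:CustomizableStrings/op:CustomizableString1">
    <saml:AttributeValue>CONSTRUCTED-GUID</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="/op:OP/op:CustomizableStrings/op:CustomizableString2">
    <saml:AttributeValue>user@example.invalid</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="/pp:PP/pp:CommonName/pp:AnalyzedName/pp:FN">
    <saml:AttributeValue>Neil</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Constructed attribute-map.xml entries in the page's format (FN is left unmapped on purpose).
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
 <Attribute name="/op:OP/op:CustomizableStrings/op:CustomizableString1" id="userguid"/>
 <Attribute name="/op:OP/op:CustomizableStrings/op:CustomizableString2" id="usermail"/>
</Attributes>"""

# What the SP side must see (entity IDs and ACS from the page; request_id is the ID
# of the AuthnRequest this SP sent, constructed here).
EXPECTED = {
    "idp": "https://login.lab.novell.com/nidp/saml2/metadata",
    "sp": "https://shibsp.lab.novell.com/shibboleth",
    "acs": "https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST",
    "request_id": "_constructedrequestid",
}
SAMPLE_NOW = datetime(2011, 5, 19, 13, 43, tzinfo=timezone.utc)  # inside the Conditions window

def encode_for_post(xml_text):
    """Build a SAMLResponse form value as the IdP does: base64, then URL-encoding."""
    return urllib.parse.quote(base64.b64encode(xml_text.encode()).decode(), safe="")

def decode_saml_response(post_value):
    """Reverse it in the order the page describes: URL-decode first, then base64-decode."""
    return base64.b64decode(urllib.parse.unquote(post_value)).decode()

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected, now):
    """Return the mismatches an SP would reject on (empty list = all fields line up)."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find(f"{SAMLP}Status/{SAMLP}StatusCode").get("Value")
    if status != SUCCESS:
        problems.append(f"Status: {status}")
    if root.get("Destination") != expected["acs"]:
        problems.append(f"Destination: {root.get('Destination')}")
    if root.get("InResponseTo") != expected["request_id"]:  # unsolicited or replayed response
        problems.append(f"InResponseTo: {root.get('InResponseTo')}")
    assertion = root.find(f"{SAML}Assertion")
    if assertion is None:
        return problems + ["Assertion: missing"]
    issuer = assertion.findtext(f"{SAML}Issuer")
    if issuer != expected["idp"]:
        problems.append(f"Issuer: {issuer}")
    scd = assertion.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != expected["acs"]:
        problems.append(f"Recipient: {None if scd is None else scd.get('Recipient')}")
    cond = assertion.find(f"{SAML}Conditions")
    audience = cond.findtext(f"{SAML}AudienceRestriction/{SAML}Audience")
    if audience != expected["sp"]:  # assertion was issued for a different SP
        problems.append(f"Audience: {audience}")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append(f"Conditions: {cond.get('NotBefore')} .. {cond.get('NotOnOrAfter')}")
    return problems

def map_attributes(xml_text, attribute_map_xml):
    """Turn the AttributeStatement into local attributes the way attribute-map.xml
    does: remote Name -> local id; attributes with no mapping are dropped."""
    remote_to_local = {el.get("name"): el.get("id")
                       for el in ET.fromstring(attribute_map_xml).iter()
                       if el.tag.rsplit("}", 1)[-1] == "Attribute"}
    local = {}
    for attr in ET.fromstring(xml_text).iter(f"{SAML}Attribute"):
        local_id = remote_to_local.get(attr.get("Name"))
        if local_id:
            values = [v.text for v in attr.findall(f"{SAML}AttributeValue")]
            local.setdefault(local_id, []).extend(values)
    return local
```

Running check_response against a real decoded response with the request ID taken from the matching AuthnRequest shows which of the fields the page lists is the one the SP is rejecting.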
Finally, verify that the Shibboleth SP consumes the assertion without problems. The logging configuration file for Shibboleth is /etc/shibboleth/shibd.logger. Raising the level in shibd.logger to DEBUG will give you a lot of information, as shown below.
2011-05-09 13:31:16 DEBUG OpenSAML.MessageDecoder.SAML2 [948]: extracting issuer from SAML 2.0 protocol message
2011-05-09 13:31:16 DEBUG OpenSAML.MessageDecoder.SAML2 [948]: message from (https://login.lab.novell.com/nidp/saml2/metadata)
2011-05-09 13:31:16 DEBUG OpenSAML.MessageDecoder.SAML2 [948]: searching metadata for message issuer...
2011-05-09 13:31:16 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [948]: evaluating message flow policy (replay checking on, expiration 60)
2011-05-09 13:31:16 DEBUG XMLTooling.StorageService [948]: inserted record (idEJaQLk8VZz8O3YjbvkLyDjnJE2Y) in context (MessageFlow)
2011-05-09 13:31:16 DEBUG Shibboleth.SSO.SAML2 [948]: processing message against SAML 2.0 SSO profile
2011-05-09 13:31:16 DEBUG Shibboleth.SSO.SAML2 [948]: extracting issuer from SAML 2.0 assertion
2011-05-09 13:31:16 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [948]: evaluating message flow policy (replay checking on, expiration 60)
2011-05-09 13:31:16 DEBUG XMLTooling.StorageService [948]: inserted record (idriAq9MTIU3ziUZ7Iv.rGwXRiatY) in context (MessageFlow)
2011-05-09 13:31:16 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [948]: validating signature profile
2011-05-09 13:31:16 DEBUG XMLTooling.TrustEngine.ExplicitKey [948]: attempting to validate signature with the peer's credentials
2011-05-09 13:31:16 DEBUG XMLTooling.TrustEngine.ExplicitKey [948]: signature validated with credential
2011-05-09 13:31:16 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [948]: signature verified against message issuer
2011-05-09 13:31:16 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [948]: assertion satisfied bearer confirmation requirements
2011-05-09 13:31:16 DEBUG Shibboleth.SSO.SAML2 [948]: SSO profile processing completed successfully
2011-05-09 13:31:16 DEBUG Shibboleth.SSO.SAML2 [948]: extracting pushed attributes...
2011-05-09 13:31:16 DEBUG Shibboleth.AttributeExtractor.XML [948]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)
2011-05-09 13:31:16 DEBUG Shibboleth.AttributeDecoder.String [948]: decoding SimpleAttribute (userguid) from SAML 2 Attribute (/op:OP/op:CustomizableStrings/op:CustomizableString1) with 1 value(s)
2011-05-09 13:31:16 DEBUG Shibboleth.AttributeFilter [948]: filtering 1 attribute(s) from (https://login.lab.novell.com/nidp/saml2/metadata)
2011-05-09 13:31:16 DEBUG Shibboleth.AttributeFilter [948]: applying filtering rule(s) for attribute (userguid) from (https://login.lab.novell.com/nidp/saml2/metadata)
2011-05-09 13:31:16 DEBUG Shibboleth.SSO.SAML2 [948]: resolving attributes...
2011-05-09 13:31:16 DEBUG Shibboleth.AttributeResolver.Query [948]: found AttributeStatement in input to new session, skipping query
2011-05-09 13:31:16 DEBUG Shibboleth.SessionCache [948]: creating new session
2011-05-09 13:31:16 DEBUG Shibboleth.SessionCache [948]: storing new session...
2011-05-09 13:31:16 DEBUG XMLTooling.StorageService [948]: inserted record (session) in context (_1c6d1d37259d9e298239e3e6312c7c5c)
2011-05-09 13:31:16 DEBUG XMLTooling.StorageService [948]: updated record (yWYRyukCTBTB+47YpPKI06bxjNqu9YHfivHN2A==) in context (NameID)
2011-05-09 13:31:16 DEBUG XMLTooling.StorageService [948]: inserted record (idriAq9MTIU3ziUZ7Iv.rGwXRiatY) in context (_1c6d1d37259d9e298239e3e6312c7c5c)
2011-05-09 13:31:16 INFO Shibboleth.SessionCache [948]: new session created: ID (_1c6d1d37259d9e298239e3e6312c7c5c) IdP (https://login.lab.novell.com/nidp/saml2/metadata) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (68.170.18.123)
2011-05-09 13:31:16 DEBUG Shibboleth.SSO.SAML2 [948]: ACS returning via redirect to: https://login.lab.novell.com/static/refresh2.html
2011-05-09 13:31:24 DEBUG Shibboleth.Listener [946]: dispatching message (find::StorageService::SessionCache)
2011-05-09 13:31:24 DEBUG XMLTooling.StorageService [946]: updated expiration of valid records in context (_1c6d1d37259d9e298239e3e6312c7c5c)
2011-05-09 13:31:31 DEBUG Shibboleth.Listener [940]: dispatching message (find::StorageService::SessionCache)
2011-05-09 13:31:31 DEBUG XMLTooling.StorageService [940]: updated expiration of valid records in context (_1c6d1d37259d9e298239e3e6312c7c5c)
2011-05-09 13:33:14 INFO XMLTooling.StorageService : purged 12 expired record(s) from storage
2011-05-09 13:43:14 DEBUG Shibboleth.Listener [939]: dispatching message (default/Login::run::SAML2SI)
2011-05-09 13:43:14 DEBUG OpenSAML.MessageEncoder.SAML2POST [939]: validating input
2011-05-09 13:43:14 DEBUG OpenSAML.MessageEncoder.SAML2POST [939]: signing and marshalling the message
2011-05-09 13:43:14 DEBUG XMLTooling.Signature [939]: applying signature
2011-05-09 13:43:14 DEBUG XMLTooling.Signature [939]: creating signature reference(s)
2011-05-09 13:43:14 DEBUG XMLTooling.Signature [939]: computing signature
2011-05-09 13:43:14 DEBUG OpenSAML.MessageEncoder.SAML2POST [939]: marshalled message: %0AdENvbÑ#
2011-05-09 13:43:14 DEBUG OpenSAML.MessageEncoder.SAML2POST [939]: message encoded, sending HTML form template to client
2011-05-09 13:43:15 DEBUG Shibboleth.Listener [950]: dispatching message (default/SAML2/POST)
2011-05-09 13:43:15 DEBUG OpenSAML.MessageDecoder.SAML2POST [950]: validating input
2011-05-09 13:43:15 DEBUG OpenSAML.MessageDecoder.SAML2POST [950]: decoded SAML message:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST" ID="idqDqxWd5wDaXAZaq6pAflCdEtqus" InResponseTo="_a9e9090a83f91484534e525392e91b73" IssueInstant="2011-05-09T17:43:14Z" Version="2.0">
  <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="idCrZcUlFZeWvBLZcXAldih3DU.y0" IssueInstant="2011-05-09T17:43:14Z" Version="2.0">
    <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#idCrZcUlFZeWvBLZcXAldih3DU.y0">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>xGDMQMbTK5BUkjlTGEQUHHn5SQA=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>BK18XnxCs53hR7pe61bvmKbrc1EISu/B+iGqhOp+CPYrhMKh1cQbYLi19aaqNH0+0aYU2G+4+cSj : JdN26OdcaYEt27EJdJoFHEKSa+XfkByKRXiOMg==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIFNTCCBB2gAwIBAgIkAhwR/6Rdh3yBhE5s3goa9n/2QBh8JY+sPuRRFwEVAgISoXnKMA0GCSqG : i/shQWGNwRN9ltnqiQlYtxrj4MCO7Hn6fZY=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://login.lab.novell.com/nidp/saml2/metadata" SPNameQualifier="https://shibsp.lab.novell.com/shibboleth">yWYRyukCTBTB+47YpPKI06bxjNqu9YHfivHN2A==</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_a9e9090a83f91484534e525392e91b73" NotOnOrAfter="2011-05-09T18:13:14Z" Recipient="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-05-09T17:38:14Z" NotOnOrAfter="2011-05-09T17:48:14Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://shibsp.lab.novell.com/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-05-09T17:31:13Z" SessionIndex="CAF0592A773758E4838F84D57AA14C88" SessionNotOnOrAfter="2011-05-09T18:13:14Z">
      <saml:AuthnContext>
        <saml:AuthnContextDeclRef>secure/novl/saml2/uri</saml:AuthnContextDeclRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="/op:OP/op:CustomizableStrings/op:CustomizableString1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue type="xs:string">C65A6D34-2633-2132-A4A5-F6CC5E168157</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
2011-05-09 13:43:15 DEBUG OpenSAML.MessageDecoder.SAML2 [950]: extracting issuer from SAML 2.0 protocol message
2011-05-09 13:43:15 DEBUG OpenSAML.MessageDecoder.SAML2 [950]: message from (https://login.lab.novell.com/nidp/saml2/metadata)
2011-05-09 13:43:15 DEBUG OpenSAML.MessageDecoder.SAML2 [950]: searching metadata for message issuer...
2011-05-09 13:43:15 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [950]: evaluating message flow policy (replay checking on, expiration 60) 2011-05-09 13:43:15 DEBUG XMLTooling.StorageService [950]: inserted record (idqDqxWd5wDaXAZaq6pAflCdEtqus) in context (MessageFlow) 2011-05-09 13:43:15 DEBUG Shibboleth.SSO.SAML2 [950]: processing message against SAML 2.0 SSO profile 2011-05-09 13:43:15 DEBUG Shibboleth.SSO.SAML2 [950]: extracting issuer from SAML 2.0 assertion 2011-05-09 13:43:15 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [950]: evaluating message flow policy (replay checking on, expiration 60) 2011-05-09 13:43:15 DEBUG XMLTooling.StorageService [950]: inserted record (idCrZcUlFZeWvBLZcXAldih3DU.y0) in context (MessageFlow) 2011-05-09 13:43:15 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [950]: validating signature profile 2011-05-09 13:43:15 DEBUG XMLTooling.TrustEngine.ExplicitKey [950]: attempting to validate signature with the peer's credentials 2011-05-09 13:43:15 DEBUG XMLTooling.TrustEngine.ExplicitKey [950]: signature validated with credential 2011-05-09 13:43:15 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [950]: signature verified against message issuer 2011-05-09 13:43:15 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [950]: assertion satisfied bearer confirmation requirements 2011-05-09 13:43:15 DEBUG Shibboleth.SSO.SAML2 [950]: SSO profile processing completed successfully 2011-05-09 13:43:15 DEBUG Shibboleth.SSO.SAML2 [950]: extracting pushed attributes... 
2011-05-09 13:43:15 DEBUG Shibboleth.AttributeExtractor.XML [950]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) 2011-05-09 13:43:15 DEBUG Shibboleth.AttributeDecoder.String [950]: decoding SimpleAttribute (userguid) from SAML 2 Attribute (/op:OP/op:CustomizableStrings/op:CustomizableString1) with 1 value(s) 2011-05-09 13:43:15 DEBUG Shibboleth.AttributeFilter [950]: filtering 1 attribute(s) from (https://login.lab.novell.com/nidp/saml2/metadata) 2011-05-09 13:43:15 DEBUG Shibboleth.AttributeFilter [950]: applying filtering rule(s) for attribute (userguid) from (https://login.lab.novell.com/nidp/saml2/metadata) 2011-05-09 13:43:15 DEBUG Shibboleth.SSO.SAML2 [950]: resolving attributes... 2011-05-09 13:43:15 DEBUG Shibboleth.AttributeResolver.Query [950]: found AttributeStatement in input to new session, skipping query011-05-09 13:43:15 DEBUG Shibboleth.SessionCache [950]: creating new session 2011-05-09 13:43:15 DEBUG Shibboleth.SessionCache [950]: storing new session... 2011-05-09 13:43:15 DEBUG XMLTooling.StorageService [950]: inserted record (session) in context (_758f7c9e808f13cb8c1b5dd9259989d1) 2011-05-09 13:43:15 DEBUG XMLTooling.StorageService [950]: updated record (yWYRyukCTBTB+47YpPKI06bxjNqu9YHfivHN2A==) in context (NameID) 2011-05-09 13:43:15 DEBUG XMLTooling.StorageService [950]: inserted record (idCrZcUlFZeWvBLZcXAldih3DU.y0) in context (_758f7c9e808f13cb8c1b5dd9259989d1) 2011-05-09 13:43:15 INFO Shibboleth.SessionCache [950]: new session created: ID (_758f7c9e808f13cb8c1b5dd9259989d1) IdP (https://login.lab.novell.com/nidp/saml2/metadata) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (68.170.18.123) 2011-05-09 13:43:15 DEBUG Shibboleth.SSO.SAML2 [950]: ACS returning via redirect to: https://shibsp.lab.novell.com/static/refresh2.html
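The shibd log above records the profile checks the SP runs on the IdP's Response before it creates a session: the MessageFlow replay check on the Response and Assertion IDs, signature validation against the IdP's metadata certificate, bearer confirmation, and the audience and validity-window conditions. As an added example that is not code from the original article or from Shibboleth, the following Python reproduces those checks (everything except the XML signature verification, which a real SP must perform first) against a constructed copy of the decoded Response from the log with the ds:Signature and AttributeStatement elements stripped. The ACS URL, entity IDs and request ID are the ones in the log; the function names, the 60-second clock skew and the LOG_NOW instant are assumptions.

```python
# Added example: SP-side SAML2 Response checks as shown in the shibd log.
# Signature verification (XMLTooling.TrustEngine.ExplicitKey in the log) is
# deliberately not reimplemented; it must run before any of these checks.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the SP knows: its ACS URL and entity ID, the trusted IdP, and the ID of
# the AuthnRequest it is waiting on (all taken from the log above).
SP_EXPECTATIONS = {
    "acs_url": "https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST",
    "audience": "https://shibsp.lab.novell.com/shibboleth",
    "issuer": "https://login.lab.novell.com/nidp/saml2/metadata",
    "in_response_to": "_a9e9090a83f91484534e525392e91b73",
}

# Constructed sample: the decoded Response from the log, signature and
# attribute statement removed (assumption: only the checked parts are kept).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST"
 ID="idqDqxWd5wDaXAZaq6pAflCdEtqus" InResponseTo="_a9e9090a83f91484534e525392e91b73"
 IssueInstant="2011-05-09T17:43:14Z" Version="2.0">
 <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="idCrZcUlFZeWvBLZcXAldih3DU.y0" IssueInstant="2011-05-09T17:43:14Z" Version="2.0">
  <saml:Issuer>https://login.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">yWYRyukCTBTB+47YpPKI06bxjNqu9YHfivHN2A==</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_a9e9090a83f91484534e525392e91b73"
     NotOnOrAfter="2011-05-09T18:13:14Z" Recipient="https://shibsp.lab.novell.com/Shibboleth.sso/SAML2/POST"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-05-09T17:38:14Z" NotOnOrAfter="2011-05-09T17:48:14Z">
   <saml:AudienceRestriction><saml:Audience>https://shibsp.lab.novell.com/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

# The instant at which the log shows the SP processing the POST (17:43:15Z).
LOG_NOW = datetime(2011, 5, 9, 17, 43, 15, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML UTC timestamp such as 2011-05-09T17:43:14Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expect, now, replay_cache, skew=timedelta(seconds=60)):
    """Return the list of policy failures; an empty list means the SP would accept.
    replay_cache holds the Response/Assertion IDs already consumed and grows on
    acceptance, like the MessageFlow context in the log."""
    resp = ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    checks = [
        (resp.findtext("saml:Issuer", namespaces=NS) == expect["issuer"], "response issuer is not the trusted IdP"),
        (status is not None and status.get("Value") == SUCCESS, "status is not Success"),
        (resp.get("Destination") == expect["acs_url"], "Destination is not this SP's ACS"),
        (resp.get("InResponseTo") == expect["in_response_to"], "InResponseTo does not match the AuthnRequest"),
    ]
    failures = [msg for ok, msg in checks if not ok]
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["no assertion in response"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != expect["issuer"]:
        failures.append("assertion issuer is not the trusted IdP")

    # MessageFlow: both the Response ID and the Assertion ID must be unseen.
    for msg_id in (resp.get("ID"), assertion.get("ID")):
        if msg_id in replay_cache:
            failures.append("replayed message ID " + msg_id)

    # Conditions: validity window (with clock skew) and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        failures.append("assertion carries no Conditions")
    else:
        if now + skew < _ts(cond.get("NotBefore")):
            failures.append("assertion not yet valid")
        if now - skew >= _ts(cond.get("NotOnOrAfter")):
            failures.append("assertion expired")
        if expect["audience"] not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            failures.append("audience restriction does not name this SP")

    # Bearer confirmation: a bearer SubjectConfirmation whose data names this
    # ACS as Recipient, matches the outstanding request and has not expired.
    def bearer_ok(sc):
        d = sc.find("saml:SubjectConfirmationData", NS)
        return (sc.get("Method") == BEARER and d is not None
                and d.get("Recipient") == expect["acs_url"]
                and d.get("InResponseTo") in (None, expect["in_response_to"])
                and (d.get("NotOnOrAfter") is None or now - skew < _ts(d.get("NotOnOrAfter"))))
    if not any(bearer_ok(sc) for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)):
        failures.append("bearer confirmation requirements not satisfied")

    if not failures:
        replay_cache.update({resp.get("ID"), assertion.get("ID")})
    return failures


def demo():
    """The log's flow (accept, then the same POST delivered again) plus two failure cases."""
    cache = set()
    first = validate_response(SAMPLE_RESPONSE, SP_EXPECTATIONS, LOG_NOW, cache)
    replay = validate_response(SAMPLE_RESPONSE, SP_EXPECTATIONS, LOG_NOW, cache)
    expired = validate_response(SAMPLE_RESPONSE, SP_EXPECTATIONS, LOG_NOW + timedelta(minutes=10), set())
    other_sp = dict(SP_EXPECTATIONS, audience="https://other-sp.example/shibboleth")
    wrong_sp = validate_response(SAMPLE_RESPONSE, other_sp, LOG_NOW, set())
    return {"first": first, "replay": replay, "expired": expired, "wrong_sp": wrong_sp}
```

Running demo() accepts the first delivery and rejects the second copy of the same POST with two "replayed message ID" failures, which is what the MessageFlow records in the log protect against; the ten-minute-late case fails only the Conditions window (the SubjectConfirmationData NotOnOrAfter of 18:13:14Z is still open), and a Response addressed to a different SP entity ID fails the audience check even though every other field is right.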