[HREF-admin] Fwd: Office 365 and Shibboleth
Zsuzsanna Magyar
magyarzsuzsa44 at gmail.com
Thu, Dec 1, 2016, 06:57:50 CET
Dear Members!
I am on a list (completely needlessly :) ) where you can usually read
questions, and sometimes solutions, about e-mail problems; a
Shibboleth-Office 365 problem has now come up there.
If anyone has experience with this, perhaps they can comment.
Regards, Magyar Zsuzsa
---------- Forwarded message ----------
From: Tim Ross <tross at calpoly.edu>
Date: 2016-11-30 1:26 GMT+01:00
Subject: Office 365 and Shibboleth
To: HIED-EMAILADMIN at listserv.nd.edu
I have a question for a small portion of those on the list. Those who are
on Office 365 and use Shibboleth as their IDP.
We recently attempted to upgrade from Shibboleth v2 to v3. It was just a
DNS cutover between servers on the old version and servers on the new
version. Since we currently only have a single Prod instance of Office
365, we can't test one piece of Shibboleth in Dev and Test. That is the
ECP (SAML-P) piece that allows IMAP/POP clients to authenticate. We found
that after a user's Shibboleth response times out (Microsoft servers cache
that info for about 6 hours), IMAP/POP clients would start failing to
connect/authenticate. From our Shibboleth logs the connections appeared to
be successful, but apparently the Microsoft side didn't like something
about the new Shibboleth Response. Unfortunately, unless we had captured
Fiddler traces of the attempts, Microsoft Support won't sift through all
their log data looking for the connections on their side.
We thought we had found the answer through the Shibboleth forums regarding
the change of one of the default settings within the ECP section from False
to True. We tried changing this setting back to match the v2 setting,
although Microsoft Support didn't think it would matter. Microsoft Support
was right. We had the same issue and had to roll back again.
Unfortunately, due to an error on my part, I also failed to get a Fiddler
trace this time as well.
Is anyone on the list on Shib version 3 and on Office 365? Any issues you
ran into?
Our Shib guy was able to generate the following error in our Dev Shib v3
environment using a little ECP tester tool he found:
2016-11-28 13:47:50,682 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: Error unmarshalling message from input stream
    at org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder.unmarshallMessage(BaseHttpServletRequestXMLMessageDecoder.java:152)
Caused by: net.shibboleth.utilities.java.support.xml.XMLParserException: Unable to parse inputstream, it contained invalid XML
    at net.shibboleth.utilities.java.support.xml.BasicParserPool.parse(BasicParserPool.java:248)
Caused by: org.xml.sax.SAXParseException: Premature end of file.
Any help or thoughts would be appreciated.
Thanks,
Tim Ross
Service Lead - Collaboration Applications
Enterprise Applications Group
Cal Poly State University, San Luis Obispo