<div dir="ltr">Kedves Tagok!<div><br><div>Fenn vagyok (teljesen feleslegesen:) ) egy listán, ahol általában levelezési problémákkal kapcsolatos kérdések - és néha megoldások - olvashatók, most felmerült egy Shibboleth-Office 365 probléma.</div><div>Ha valakinek ebben tapasztalata van, talán tud hozzászólni.</div><div>üdv Magyar Zsuzsa </div><div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Tim Ross</b> <span dir="ltr"><<a href="mailto:tross@calpoly.edu">tross@calpoly.edu</a>></span><br>Date: 2016-11-30 1:26 GMT+01:00<br>Subject: Office 365 and Shibboleth<br>To: <a href="mailto:HIED-EMAILADMIN@listserv.nd.edu">HIED-EMAILADMIN@listserv.nd.edu</a><br><br><br>I have a question for a small portion of those on the list. Those who are on Office 365 and use Shibboleth as their IDP.<br>
<br>
<br>
We recently attempted to upgrade from Shibboleth v2 to v3. It was just a DNS cutover between servers on the old version and servers on the new version. Since we currently only have a single Prod instance of Office 365, we can't test one piece of Shibboleth in Dev and Test. That is the ECP (SAML-P) piece that allows IMAP/POP clients to authenticate. We found that after a user's Shibboleth response times out (Microsoft servers cache that info for about 6 hours), IMAP/POP clients would start failing to connect/authenticate. From our Shibboleth logs the connections appeared to be successful, but apparently the Microsoft side didn't like something about the new Shibboleth Response. Unfortunately, unless we had captured Fiddler traces of the attempts, Microsoft Support won't sift through all their log data looking for the connections on their side.<br>
<br>
<br>
We thought we had found the answer through the Shibboleth forums regarding the change of one of the default settings within the ECP section from False to True. We tried changing this setting back to match the v2 setting, although Microsoft Support didn't think it would matter. Microsoft Support was right. We had the same issue and had to roll back again. Unfortunately, due to an error on my part, I also failed to get a Fiddler trace this time as well.<br>
<br>
<br>
Is anyone on the list on Shib version 3 and on Office 365? Any issues you ran into?<br>
<br>
<br>
Our Shib guy was able to generate the following error in our Dev Shib v3 environment using a little ECP tester tool he found:<br>
<br>
<br>
2016-11-28 13:47:50,682 - ERROR [org.opensaml.profile.action.<wbr>impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request<br>
org.opensaml.messaging.<wbr>decoder.<wbr>MessageDecodingException: Error unmarshalling message from input stream<br>
at org.opensaml.messaging.<wbr>decoder.servlet.<wbr>BaseHttpServletRequestXMLMessa<wbr>geDecoder.unmarshallMessage(<wbr>BaseHttpServletRequestXMLMessa<wbr>geDecoder.java:152)<br>
Caused by: net.shibboleth.utilities.java.<wbr>support.xml.<wbr>XMLParserException: Unable to parse inputstream, it contained invalid XML<br>
at net.shibboleth.utilities.java.<wbr>support.xml.BasicParserPool.<wbr>parse(BasicParserPool.java:<wbr>248)<br>
Caused by: org.xml.sax.SAXParseException: Premature end of file.<br>
<br>
<br>
<br>
Any help or thoughts would be appreciated.<br>
<br>
<br>
Thanks,<br>
<br>
<br>
Tim Ross<br>
<br>
Service Lead - Collaboration Applications<br>
<br>
Enterprise Applications Group<br>
<br>
Cal Poly State University, San Luis Obispo<br>
<br>
<br>
------------------------------<wbr>------------------------------<br>
To view or search the list archives, join or leave the list,<br>
or change your subscription options, see the web page at<br>
<<a href="http://listserv.nd.edu/archives/hied-emailadmin.html" rel="noreferrer" target="_blank">http://listserv.nd.edu/<wbr>archives/hied-emailadmin.html</a>><wbr>.<br>
</div><br></div></div></div>