
Comments (13)

jtgasper3 commented on August 24, 2024

Two things to check.

  1. The general-authn.xml file. Is the authn/Shibcas block defined there?
  2. Is Shibcas specified in the idp.properties as:
     idp.authn.flows = Shibcas

from shib-cas-authn3.

crdaudt commented on August 24, 2024

Yes to both of your questions. I am attaching both files in this post (with keys/passwords masked).
two_files.zip


crdaudt commented on August 24, 2024

Thanks, jtgasper3, for your suggestions. I am still struggling with this issue, so any other ideas? I have included the following for tomcat 8.0 CATALINA_OPTS:

-Didp.home=e:\shibboleth3\idp
(I tried both with and without the trailing '')

I also tried gleaning more information by setting idp.loglevel.idp to "DEBUG" in logback.xml, but that did not seem to provide any more relevant log information from what I already provided above.

Any ideas? Can anyone see any issues with my configuration of general-authn.xml or idp.properties (see uploaded zip file in my previous post)?


crdaudt commented on August 24, 2024

Here are a few more lines from my idp-process.log (with DEBUG lines included):

--BEGIN--
2016-09-16 09:06:05,194 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:257] - Profile Action SelectAuthenticationFlow: No specific Principals requested
2016-09-16 09:06:05,210 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:292] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
2016-09-16 09:06:05,210 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:334] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/Shibcas
2016-09-16 09:06:05,304 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'authn/Shibcas' found
at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinitionHolder(FlowDefinitionRegistryImpl.java:123)
2016-09-16 09:06:05,491 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: RuntimeException
--END--


mmoayyed commented on August 24, 2024

Is this a typo: shibcs-authn-beans.xml? or an actual name of the file?


mmoayyed commented on August 24, 2024

Also, what does your web.xml look like, if any?


crdaudt commented on August 24, 2024

Yes, I had misspelled shibcas-authn-bean.xml in my original post. I have corrected the spelling. I am attaching a copy of our web.xml file.
path_to_web.xml_file.zip


crdaudt commented on August 24, 2024

OK, we have solved our issue by doing the following two changes:

  1. We added the following three lines to webapp\WEB-INF\web.xml before the ShibCas Auth Servlet settings (not sure if the order is important):
    BEGIN
    <context-param>
        <param-name>idp.home</param-name>
        <param-value>E:/shibboleth3/idp</param-value>
    </context-param>
    END
    I had not thought that this web.xml setting would be necessary in our shibboleth container, because I already had appended the setting "-Didp.home=E:\shibboleth3\idp" to CATALINA_OPTS (since our implementation is on an MS Windows platform, I had used "tomcat8w.exe //ES//<name_of_apache_service>" to set this). However, for login flows to work, it appears that idp.home needs to be set as described above. This might be useful to include in Shibboleth documentation for those who use anything other than the default C:\opt\shibboleth-idp\ path for idp.home.
  2. We also discovered that our metadata file generated by the Shibboleth installer MSI (located in metadata\idp-metadata.xml) was created with ':8443' appended to the host name in every line where the Location URL was set. Our tomcat instance was set to use port 443 for web traffic, but I had failed to catch the port 8443 setting in the metadata file when I customized it for our site. In our case, replacing every occurrence of 'Location="https://shib3pre.taylor.edu:8443/idp/..."' with 'Location="https://shib3pre.taylor.edu/idp/..."' fixed this.

Thanks, mmoayyed, for prompting me to look at our shibboleth container's web.xml file. I am curious as to why the global definition within CATALINA_OPTS was not sufficient. Also, did I miss some documentation about where to define idp.home? In any case, we are now able to move forward.

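A check for the two misconfigurations described in the comment above, as an added example that is not part of the original thread or of shib-cas-authn3. It reads the idp.home context-param from a web.xml and lists metadata Location URLs whose port differs from the port the container serves; the function names, the idp.example.org host and both XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the thread; not the poster's real files.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>idp.home</param-name>
    <param-value>E:/shibboleth3/idp</param-value>
  </context-param>
</web-app>"""

METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org:8443/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def context_param(web_xml, name):
    """Return the <param-value> of the named <context-param>, or None if absent."""
    for el in ET.fromstring(web_xml).iter():
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if local(el.tag) == "context-param" and fields.get("param-name") == name:
            return fields.get("param-value")
    return None

def mismatched_locations(metadata_xml, served_port=443):
    """List Location URLs whose effective port differs from the port actually served."""
    default = {"https": 443, "http": 80}
    bad = []
    for el in ET.fromstring(metadata_xml).iter():
        loc = el.get("Location")
        if loc:
            u = urlsplit(loc)
            if (u.port or default.get(u.scheme)) != served_port:
                bad.append(loc)
    return bad

if __name__ == "__main__":
    print("idp.home in web.xml:", context_param(WEB_XML, "idp.home"))
    for loc in mismatched_locations(METADATA):
        print("port mismatch:", loc)
```

A `None` result from `context_param` corresponds to the state the poster was in before adding the context-param to web.xml.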

mmoayyed commented on August 24, 2024

Pleasure.

You should be able to do the same with -Didp.home=xyz but I admit I have never done that sort of thing on Windows. The debacle of "Backslash vs forward-slash" should really be reported to the U.N. :)

What was your global definition like? If I remember correctly, I think I set that value directly in startup.bat or catalina.bat.


mmoayyed commented on August 24, 2024

Neglected to mention that you're welcome to play around with those 2 batch files, and if you were able to work it out, please submit a PR to clarify this in the docs.


crdaudt commented on August 24, 2024

Sorry for the delayed response. And thanks again for your assistance in resolving my issue with my setting for idp.home not being recognized in my Windows installation of Shibboleth v3 IdP.

You asked what my tomcat global definition was like. My \conf\context.xml, \bin\catalina.bat, and \bin\startup.bat files are the original files from when I installed tomcat, so perhaps I could have set the value of idp.home in one of those files. However, since setting the value of idp.home in <shibboleth_idp>\webapp\WEB-INF\web.xml seems to work just fine, I have not bothered with testing with the tomcat files you mentioned.

You also asked that I submit a PR to clarify the additional requirement for setting idp.home for Windows installations in the docs. I believe the Shibboleth IdP docs that need to be updated are located at https://wiki.shibboleth.net/confluence/display/IDP30/ApacheTomcat8 and https://wiki.shibboleth.net/confluence/display/IDP30/WindowsInstallation. Also, in the shib-cas-authn3 download (https://github.com/Unicon/shib-cas-authn3), the same clarification might be helpful in the Readme.md file. I am not sure how to submit a PR for these docs.

In conclusion, the solution to my issue with setting idp.home in my Windows installation was to also set it in <shibboleth_idp>\webapp\WEB-INF\web.xml (see my post two weeks ago).


mmoayyed commented on August 24, 2024

Gotcha. web.xml change is fine, and thinking more about this, you probably should update the shibboleth wiki to include that option as well, if needed. Don't think we need a PR here; for the wiki, you should just be able to log in with your IdP and edit away.

Thanks for the follow-up.


mapgrady commented on August 24, 2024

If one reads carefully, the Shib wiki already documents the need to set idp.home for Tomcat or Jetty, if not using the standard path and/or not using the "installed by the Shib IdP MSI version of Jetty". If you search for 'idp.home' on the wiki, you'll see that. Now the Tomcat doc really only highlights the standard path for a Linux install (although /opt/shibboleth-idp was also the standard path for an IdPv2 Windows install using Tomcat), so one could argue that the docs could use further clarification. But the basic idea is already mentioned.

> On Oct 3, 2016, at 2:56 PM, Misagh Moayyed wrote:
>
> Gotcha. web.xml change is fine, and thinking more about this, you probably should update the shibboleth wiki to include that option as well, if needed. Don't think we need a PR here; for the wiki, you should just be able to log in with your IdP and edit away.
>
> Thanks for the follow-up.



Michael A. Grady
IAM Architect, Unicon, Inc.
