Error 400 on /mellon/postResponse
alextremblay opened this issue · 2 comments
Hello,
I apologize if the title of this issue seems non-descript, but it's all I've got to work with.
I'm trying to set up mellon as a service provider for a Shibboleth IdP that encrypts SAML Assertions before sending them back, and I'm experiencing an issue where, on POSTing the SAML assertion to /mellon/postResponse, I get a 400 Bad Request error. No additional information, no mellon entry in any of the apache logs.
I thought I could find more information by setting the MellonDiagnostics directives, but I guess that requires an additional feature to be compiled in.
I've looked through open and closed issues, as well as the documentation, and have not been able to find any information on this, or how to troubleshoot further. At this point, I'm at a loss.
I saw a mention in a closed issue that you can encounter 400 Bad Request errors on /mellon/postResponse if your configured entityID doesn't match the "audience" configured for your IdP. I don't know what "audience" means in this context, but can confirm that the entityID configured in my IdP's metadata file for my service provider matches the entityID that I have configured in my Service Provider's configuration.
At this point I'm at a loss for how to troubleshoot this further.
Any help you could provide would be greatly appreciated!
Unfortunately this is very difficult to troubleshoot without anything in the logs. mod_auth_mellon should always log something when returning a "400 Bad Request" error, so I am at a loss about what happens in your case. Have you tried to turn the log level of Apache up to debug and verified that you at least get something from mod_auth_mellon in that case?
Well now I feel like a fool. I forgot all about apache's LogLevel directive!
Mine was set to `info`. Setting it to `debug` allowed me to see the problem:
[auth_mellon:error] [pid 17] [client 10.200.0.1:57690] Wrong Address in SubjectConfirmationData. Current address is "[Docker Container IP]", but should have been "[Authenticating User's IP]"
I was able to solve this issue by setting the following directive in my apache block:
MellonSubjectConfirmationDataAddressCheck "Off"
Thanks for your help @olavmrk!
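Added example (Python, not mod_auth_mellon's or lasso's code) of what the failing check in the log above compares: the Address the IdP wrote into SubjectConfirmationData against the client address the SP observes. Behind Docker NAT the observed address is the container gateway, so the comparison fails; resolving the client address from X-Forwarded-For only when the TCP peer is a trusted proxy (what mod_remoteip does for Apache) keeps the check rather than turning it off. The SAML response, addresses and proxy range are constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal response: the IdP recorded the user's real address.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Address="203.0.113.10"
            Recipient="https://sp.example.org/mellon/postResponse"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def confirmation_address(xml_text):
    """Return the Address attribute of the first SubjectConfirmationData, or None."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    return scd.get("Address") if scd is not None else None


def effective_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """Client address as the SP should see it: honour X-Forwarded-For only when
    the TCP peer is inside a trusted proxy range; otherwise use the peer itself."""
    peer = ipaddress.ip_address(peer_ip)
    if x_forwarded_for and any(peer in ipaddress.ip_network(p) for p in trusted_proxies):
        # Rightmost entry is the one appended by our own (trusted) proxy.
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


def address_check(xml_text, peer_ip, x_forwarded_for=None, trusted_proxies=()):
    """True when the asserted Address matches the client address we observe.
    A missing Address attribute is optional in SAML, so it passes the check."""
    asserted = confirmation_address(xml_text)
    if asserted is None:
        return True
    return asserted == effective_client_ip(peer_ip, x_forwarded_for, trusted_proxies)
```

With no proxy configuration the Docker gateway address is what gets compared, which reproduces the log message in the thread; with the proxy range trusted, the same request passes without disabling the check.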