From: Rohit Yadav
To: "users@cloudstack.apache.org", "fabrice.pollet@etrs.fr"
Subject: Re: Shibboleth and CloudStack
Date: Sun, 7 May 2017 13:27:05 +0000

Hi Fabrice,

In the SAML response sent after authentication, the encrypted data should have a unique attribute that should correspond to the user's username of an account in CloudStack. The global setting 'saml2.user.attribute' is by default set to uid (I think, to make it work out of the box with an LDAP-backed IdP server); change this attribute value to something else that is specific to the user attribute in your environment, restart the management server and retry.

Regards.

________________________________
From: Fabrice Pollet
Sent: 05 May 2017 12:13:55
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

Hello,

I made some changes in my configuration. Instead of editing the /etc/cloudstack/management/idp-metadata.xml file from my SP to force SSO-CAS authentication (https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser), I modified the /opt/shibboleth-idp/conf/handler.xml file of my IdP:

urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

This tells the IdP it can use that login mechanism (in this case CAS) when an SP asks for PasswordProtectedTransport.

Both SP and IdP server hosts have the same timezone/time settings. It seems that the IdP and SP servers know their metadata reciprocally, but I don't know how to verify if the SP decrypts those of the IdP.

Logs of the IdP in debug mode show that the authentication succeeded but I noticed some errors in debug mode (in red in the text):

12:50:43.820 - INFO [Shibboleth-Access:73] - 20170504T105043Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
12:50:43.820 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
12:50:43.820 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
12:50:43.821 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request
12:50:43.821 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request
12:50:43.821 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
12:50:43.821 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:76] - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
12:50:43.822 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:90] - Decoded RelayState: null
12:50:43.822 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:127] - Base64 decoding and inflating SAML message
12:50:43.822 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:183] - Parsing message stream into DOM document
12:50:43.823 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:193] - Unmarshalling message DOM
12:50:43.823 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:205] - Message succesfully unmarshalled
12:50:43.823 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:105] - Decoded SAML message
12:50:43.824 - DEBUG [org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder:112] - Extracting ID, issuer and issue instant from request
12:50:43.824 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.824 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.824 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID cloud.etrs.terre.defense.gouv.fr
...
12:50:43.827 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.828 - DEBUG [PROTOCOL_MESSAGE:113] - Destination="https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO" ForceAuthn="false" ID="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed" IsPassive="false" IssueInstant="2017-05-04T10:50:43.719Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="cloud.etrs.terre.defense.gouv.fr" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> cloud.etrs.terre.defense.gouv.fr urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
12:50:43.828 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for cloud.etrs.terre.defense.gouv.fr
12:50:43.828 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for cloud.etrs.terre.defense.gouv.fr, looking up configuration based on metadata groups.
12:50:43.829 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.829 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.829 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID cloud.etrs.terre.defense.gouv.fr
12:50:43.831 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.831 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.831 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for cloud.etrs.terre.defense.gouv.fr. Using default relying party configuration.
12:50:43.831 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:130] - Evaluating security policy of type 'edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy' for decoded message
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:92] - Attempting to acquire lock for replay cache check
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:94] - Lock acquired
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:105] - Message ID 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed was not a replay
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:132] - Writing message ID cloud.etrs.terre.defense.gouv.fr85qrvu7c1kmg1tsc0gqmk4a1u2k60qed to replay cache with expiration time 2017-05-04T12:55:43.832+02:00
12:50:43.832 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:250] - Metadata document did not contain a descriptor for entity cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:317] - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:286] - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity cloud.etrs.terre.defense.gouv.fr
12:50:43.836 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.836 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.836 - INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:100] - SAML protocol message was not signed, skipping XML signature processing
12:50:43.837 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:64] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
12:50:43.837 - DEBUG [org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule:64] - Constructing signed content string from URL query string SAMLRequest=[encoded value omitted]&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=[encoded value omitted]
12:50:43.837 - DEBUG [org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule:71] - Constructed signed content string for HTTP-Redirect DEFLATE SAMLRequest=[encoded value omitted]&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256
12:50:43.837 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:126] - Attempting to validate SAML protocol message simple signature using context issuer: cloud.etrs.terre.defense.gouv.fr
12:50:43.837 - DEBUG [org.opensaml.security.MetadataCredentialResolver:167] - Forcing on-demand metadata provider refresh if necessary
12:50:43.838 - DEBUG [org.opensaml.security.MetadataCredentialResolver:215] - Attempting to retrieve credentials from cache using index: [cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
12:50:43.838 - DEBUG [org.opensaml.security.MetadataCredentialResolver:223] - Retrieved credentials from cache using index: [cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
12:50:43.838 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
12:50:43.839 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
12:50:43.839 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
12:50:43.839 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105] - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
12:50:43.839 - DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:159] - Attempting to verify signature using trusted credentials
12:50:43.839 - DEBUG [org.opensaml.xml.security.SigningUtil:241] - Verifying signature over input using public key of type RSA and JCA algorithm ID SHA256withRSA
12:50:43.842 - DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:164] - Successfully verified signature using resolved trusted credential
12:50:43.842 - DEBUG [org.opensaml.xml.signature.impl.ChainingSignatureTrustEngine:81] - Signature was trusted by chain member: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine
12:50:43.842 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:192] - Simple signature validation (with no request-derived credentials) was successful
12:50:43.842 - INFO [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:130] - Validation of request simple signature succeeded
12:50:43.842 - INFO [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:132] - Authentication via request simple signature succeeded for context issuer entity ID cloud.etrs.terre.defense.gouv.fr
12:50:43.842 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:64] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
12:50:43.843 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:81] - Rule can not handle this request, skipping processing
12:50:43.843 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:85] - Successfully decoded message.
12:50:43.843 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageD= ecoder:191] - Checking SAML message intended destination endpoint against r= eceiver endpoint 12:50:43.843 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageD= ecoder:210] - Intended message destination endpoint: https://idp.etrs.terre= .defense.gouv.fr/idp/profile/SAML2/Redirect/SSO 12:50:43.843 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageD= ecoder:211] - Actual message receiver endpoint: https://idp.etrs.terre.defe= nse.gouv.fr/idp/profile/SAML2/Redirect/SSO 12:50:43.844 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageD= ecoder:219] - SAML message intended destination endpoint matched recipient = endpoint 12:50:43.844 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .SSOProfileHandler:387] - Decoded request from relying party 'cloud.etrs.te= rre.defense.gouv.fr' 12:50:43.844 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadata= Provider:253] - Checking child metadata provider for entity descriptor with= entity ID: cloud.etrs.terre.defense.gouv.fr 12:50:43.844 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadata= Provider:520] - Searching for entity descriptor with an entity ID of cloud.= etrs.terre.defense.gouv.fr 12:50:43.844 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadata= Provider:167] - Metadata document does not contain an EntityDescriptor with= the ID cloud.etrs.terre.defense.gouv.fr 12:50:43.849 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadata= Provider:520] - Searching for entity descriptor with an entity ID of cloud.= etrs.terre.defense.gouv.fr 12:50:43.850 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingpar= ty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or grou= p-based relying party configuration found for cloud.etrs.terre.defense.gouv= .fr. Using default relying party configuration. 
12:50:43.850 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .SSOProfileHandler:226] - Creating login context and transferring control t= o authentication engine 12:50:43.850 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServ= letHelper:181] - Storing LoginContext to StorageService partition loginCont= exts, key 21082a8599b5ba28281416cfd7468ad128b893acaf51f88303c5fadd9ee0f77b 12:50:43.851 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .SSOProfileHandler:240] - Redirecting user to authentication engine at http= s://idp.etrs.terre.defense.gouv.fr:443/idp/AuthnEngine 12:50:43.855 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:209] - Processing incoming request 12:50:43.856 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:240] - Beginning user authentication process. 12:50:43.856 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:283] - Filtering configured LoginHandlers: {urn:oasis:names:t= c:SAML:2.0:ac:classes:PreviousSession=3Dedu.internet2.middleware.shibboleth= .idp.authn.provider.PreviousSessionLoginHandler@4fd79d84, urn:oasis:names:t= c:SAML:2.0:ac:classes:unspecified=3Dedu.internet2.middleware.shibboleth.idp= .authn.provider.RemoteUserLoginHandler@54a66e0f, urn:oasis:names:tc:SAML:2.= 0:ac:classes:PasswordProtectedTransport=3Dedu.internet2.middleware.shibbole= th.idp.authn.provider.RemoteUserLoginHandler@54a66e0f} 12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:288] - Filtering possible login handlers by requested authent= ication methods: [urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedT= ransport] 12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:296] - Filtering out login handler for authentication urn:oas= is:names:tc:SAML:2.0:ac:classes:unspecified, it does not provide a requeste= d authentication method 12:50:43.857 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:332] - Filtering out previous session login handler because t= here is no existing IdP session 12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:464] - Selecting appropriate login handler from filtered set = {urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=3Dedu.in= ternet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@54a= 66e0f} 12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:497] - Authenticating user with login handler of type edu.int= ernet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler 12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provide= r.RemoteUserLoginHandler:66] - Redirecting to https://idp.etrs.terre.defens= e.gouv.fr:443/idp/Authn/RemoteUser 12:50:52.152 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provide= r.RemoteUserAuthServlet:73] - Remote user identified as fabrice.pollet retu= rning control back to authentication engine 12:50:52.153 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:144] - Returning control to authentication engine 12:50:52.153 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:209] - Processing incoming request 12:50:52.153 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:514] - Completing user authentication process 12:50:52.153 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:585] - Validating authentication was performed successfully 12:50:52.154 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:696] - Updating session information for principal fabrice.pol= let 12:50:52.154 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:700] - Creating shibboleth session for principal fabrice.poll= et 12:50:52.154 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:815] - Adding IdP session cookie to HTTP response 12:50:52.155 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:715] - Recording authentication and service information in Sh= ibboleth session for principal: fabrice.pollet 12:50:52.155 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:560] - User fabrice.pollet authenticated with method urn:oasi= s:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport 12:50:52.155 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:161] - Returning control to profile handler 12:50:52.155 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.Authent= icationEngine:177] - Redirecting user to profile handler at https://idp.etr= s.terre.defense.gouv.fr:443/idp/profile/SAML2/Redirect/SSO 12:50:52.160 - INFO [Shibboleth-Access:73] - 20170504T105052Z|172.16.96.7|i= dp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO| 12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPPr= ofileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile han= dler for request path: /SAML2/Redirect/SSO 12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPPr= ofileHandlerManager:97] - shibboleth.HandlerManager: Located profile handle= r of the following type for the request path: edu.internet2.middleware.shib= boleth.idp.profile.saml2.SSOProfileHandler 12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServ= letHelper:588] - Unbinding LoginContext 12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServ= letHelper:614] - Expiring LoginContext cookie 12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServ= letHelper:625] - Removed LoginContext, with key 21082a8599b5ba28281416cfd74= 68ad128b893acaf51f88303c5fadd9ee0f77b, from StorageService partition loginC= ontexts 12:50:52.161 - DEBUG 
[edu.internet2.middleware.shibboleth.idp.profile.saml2= .SSOProfileHandler:172] - Incoming request contains a login context and ind= icates principal was authenticated, processing second leg of request 12:50:52.161 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadata= Provider:253] - Checking child metadata provider for entity descriptor with= entity ID: cloud.etrs.terre.defense.gouv.fr 12:50:52.161 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadata= Provider:520] - Searching for entity descriptor with an entity ID of cloud.= etrs.terre.defense.gouv.fr 12:50:52.161 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadata= Provider:167] - Metadata document does not contain an EntityDescriptor with= the ID cloud.etrs.terre.defense.gouv.fr 12:50:52.161 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadata= Provider:253] - Checking child metadata provider for entity descriptor with= entity ID: cloud.etrs.terre.defense.gouv.fr 12:50:52.169 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingpar= ty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or grou= p-based relying party configuration found for cloud.etrs.terre.defense.gouv= .fr. Using default relying party configuration. 12:50:52.169 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadata= Provider:253] - Checking child metadata provider for entity descriptor with= entity ID: https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth 12:50:52.170 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadata= Provider:520] - Searching for entity descriptor with an entity ID of https:= //idp.etrs.terre.defense.gouv.fr/idp/shibboleth 12:50:52.170 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelec= tor:99] - Filtering peer endpoints. 
Supported peer endpoint bindings: [urn= :oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, urn:oasis:names:tc:= SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Arti= fact] 12:50:52.171 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelec= tor:114] - Removing endpoint https://cloud.etrs.terre.defense.gouv.fr/clien= t/api?command=3DsamlSso because its binding urn:oasis:names:tc:SAML:2.0:bin= dings:HTTP-Redirect is not supported 12:50:52.171 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelec= tor:69] - Selecting endpoint by ACS URL 'https://cloud.etrs.terre.defense.g= ouv.fr/client/api?command=3DsamlSso' and protocol binding 'urn:oasis:names:= tc:SAML:2.0:bindings:HTTP-POST' for request '85qrvu7c1kmg1tsc0gqmk4a1u2k60q= ed' from entity 'cloud.etrs.terre.defense.gouv.fr' 12:50:52.171 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'fab= rice.pollet' for SAML request from relying party 'cloud.etrs.terre.defense.= gouv.fr' 12:50:52.171 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeRe= solver resolving attributes for principal fabrice.pollet 12:50:52.171 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes fo= r principal fabrice.pollet were not requested, resolving all attributes. 
12:50:52.172 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute ui= d for principal fabrice.pollet 12:50:52.172 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connect= or myLDAP for principal fabrice.pollet 12:50:52.173 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (ui= d=3Dfabrice.pollet) 12:50:52.190 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute uid= containing 1 values 12:50:52.190 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute em= ail for principal fabrice.pollet 12:50:52.190 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute ema= il containing 1 values 12:50:52.190 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute tr= ansientId for principal fabrice.pollet 12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97] - = Building transient ID for request 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed; outboun= d message issuer: https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth, in= bound message issuer: cloud.etrs.terre.defense.gouv.fr, principal identifer= : fabrice.pollet 12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115] -= Created transient ID _fa7d6de2b4e946248d8f52c948470df6 for request 85qrvu7= c1kmg1tsc0gqmk4a1u2k60qed 12:50:52.191 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute tra= nsientId containing 1 values 12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute ed= uPersonScopedAffiliation for principal fabrice.pollet 12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute edu= PersonScopedAffiliation containing 1 values 12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:473] - Attribute uid has 1 va= lues after post-processing 12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:473] - Attribute email has 1 = values after post-processing 12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:473] - Attribute transientId = has 1 values after post-processing 12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:473] - Attribute eduPersonSco= pedAffiliation has 1 values after post-processing 12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeRe= solver resolved, for principal fabrice.pollet, the attributes: [uid, email,= transientId, eduPersonScopedAffiliation] 12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.Attr= ibuteFilterEngine filtering 4 attributes for principal fabrice.pollet 12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if = filter policy 
releaseToAllRenaterSps is active for principal fabrice.pollet 12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:77] - Entity = descriptor does not have a parent object, unable to check if entity is in g= roup https://federation.renater.fr/ 12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy = releaseToAllRenaterSps is not active for principal fabrice.pollet 12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if = filter policy releaseToCocoEduGainSp is active for principal fabrice.pollet 12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:77] - Entity = descriptor does not have a parent object, unable to check if entity is in g= roup https://federation.renater.fr/edugain/ 12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.match.saml.AbstractEntityAttributeMatchFunctor:175] - De= scriptor for cloud.etrs.terre.defense.gouv.fr does not contain any EntityAt= tributes 12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy = releaseToCocoEduGainSp is not active for principal fabrice.pollet 12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if = filter policy releaseTransientIdToAnyone is active for principal fabrice.po= llet 12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy = releaseTransientIdToAnyone is active for principal fabrice.pollet 12:50:52.194 - DEBUG 
[edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing per= mit value rule for attribute transientId for principal fabrice.pollet 12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if = filter policy releaseUidAndEmailToAnyone is active for principal fabrice.po= llet 12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy = releaseUidAndEmailToAnyone is active for principal fabrice.pollet 12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing per= mit value rule for attribute uid for principal fabrice.pollet 12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing per= mit value rule for attribute email for principal fabrice.pollet 12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if = filter policy cloud.etrs.terre.defense.gouv.fr is active for principal fabr= ice.pollet 12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy = cloud.etrs.terre.defense.gouv.fr is active for principal fabrice.pollet 12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing per= mit value rule for attribute uid for principal fabrice.pollet 12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if = filter policy e5.onthehub.com is active for principal fabrice.pollet 
12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy = e5.onthehub.com is not active for principal fabrice.pollet 12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute uid = has 1 values after filtering 12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute emai= l has 1 values after filtering 12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute tran= sientId has 1 values after filtering 12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:106] - Removing attri= bute from return set, no more values: eduPersonScopedAffiliation 12:50:52.197 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attri= butes for principal fabrice.pollet. 
The following attributes remain: [uid,= email, transientId] 12:50:52.197 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .AbstractSAML2ProfileHandler:505] - Creating attribute statement in respons= e to SAML request '85qrvu7c1kmg1tsc0gqmk4a1u2k60qed' from relying party 'cl= oud.etrs.terre.defense.gouv.fr' 12:50:52.197 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute uid wit= h encoder of type edu.internet2.middleware.shibboleth.common.attribute.enco= ding.provider.SAML2StringAttributeEncoder 12:50:52.197 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute email w= ith encoder of type edu.internet2.middleware.shibboleth.common.attribute.en= coding.provider.SAML2StringAttributeEncoder 12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.= provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was= not encoded (filtered by query, or no SAML2AttributeEncoder attached). 
12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:527] - Filtering out potential name identifier attrib= utes which can not be encoded by edu.internet2.middleware.shibboleth.common= .attribute.encoding.SAML2NameIDEncoder 12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:546] - Removing attribute uid, it can not be encoded = via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2Name= IDEncoder 12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:546] - Removing attribute email, it can not be encode= d via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2Na= meIDEncoder 12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:541] - Retaining attribute transientId which may be e= ncoded to via edu.internet2.middleware.shibboleth.common.attribute.encoding= .SAML2NameIDEncoder 12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:566] - Filtering out potential name identifier attrib= utes which do not support one of the following formats: [urn:oasis:names:tc= :SAML:2.0:nameid-format:persistent, urn:oasis:names:tc:SAML:1.1:nameid-form= at:emailAddress, urn:oasis:names:tc:SAML:2.0:nameid-format:transient] 12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:585] - Retaining attribute transientId which may be e= ncoded as a name identifier of format urn:oasis:names:tc:SAML:2.0:nameid-fo= rmat:transient 12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:690] - Selecting attribute to be encoded as a name id= entifier by encoder of type edu.internet2.middleware.shibboleth.common.attr= ibute.encoding.SAML2NameIDEncoder 12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:717] - 
Selecting the first attribute that can be enco= ded in to a name identifier 12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.Abstr= actSAMLProfileHandler:501] - Name identifier for relying party 'cloud.etrs.= terre.defense.gouv.fr' will be built from attribute 'transientId' 12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .AbstractSAML2ProfileHandler:868] - Using attribute 'transientId' supportin= g NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to cr= eate the NameID for relying party 'cloud.etrs.terre.defense.gouv.fr' 12:50:52.200 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .AbstractSAML2ProfileHandler:572] - Determining if SAML assertion to relyin= g party 'cloud.etrs.terre.defense.gouv.fr' should be signed 12:50:52.200 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .AbstractSAML2ProfileHandler:653] - IdP relying party configuration 'defaul= t' indicates to sign assertions: true 12:50:52.200 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .AbstractSAML2ProfileHandler:583] - Determining signing credntial for asser= tion to relying party 'cloud.etrs.terre.defense.gouv.fr' 12:50:52.200 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2= .AbstractSAML2ProfileHandler:599] - Signing assertion to relying party clou= d.etrs.terre.defense.gouv.fr 12:50:52.200 - DEBUG [org.opensaml.common.SAMLObjectHelper:56] - Examing si= gned object for content references with exclusive canonicalization transfor= m 12:50:52.201 - DEBUG [org.opensaml.common.SAMLObjectHelper:70] - Saw exclus= ive transform, declaring non-visible namespaces on signed object 12:50:52.201 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:1= 00] - Starting to marshall {http://www.w3.org/2000/09/xmldsig#}Signature 12:50:52.201 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:1= 03] - Creating XMLSignature object 12:50:52.202 - DEBUG 
[org.opensaml.xml.signature.impl.SignatureMarshaller:113] - Adding content to XMLSignature.
12:50:52.202 - DEBUG [org.opensaml.common.impl.SAMLObjectContentReference:173] - Adding list of inclusive namespaces for signature exclusive canonicalization transform
12:50:52.202 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:118] - Creating Signature DOM element
12:50:52.203 - DEBUG [org.opensaml.xml.signature.Signer:76] - Computing signature over XMLSignature object
12:50:52.214 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:274] - Attempting to encrypt assertion to relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.218 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:279] - Assertion to be encrypted is:
https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth
_fa7d6de2b4e946248d8f52c948470df6
cloud.etrs.terre.defense.gouv.fr
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
xsi:type="xs:string">fabrice.pollet
xsi:type="xs:string">fabrice.pollet@etrs.terre.defense.gouv.fr
12:50:52.221 - DEBUG [org.opensaml.security.MetadataCredentialResolver:167] - Forcing on-demand metadata provider refresh if necessary
12:50:52.221 - DEBUG [org.opensaml.security.MetadataCredentialResolver:215] - Attempting to retrieve credentials from cache using index: [cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,ENCRYPTION]
12:50:52.222 - DEBUG [org.opensaml.security.MetadataCredentialResolver:223] - Retrieved credentials from cache using index: [cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,ENCRYPTION]
12:50:52.222 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
12:50:52.222 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
12:50:52.222 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
12:50:52.222 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105] - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
12:50:52.223 - DEBUG [org.opensaml.xml.security.SecurityHelper:292] - Unable to determine length in bits of specified Key instance
12:50:52.223 - DEBUG [org.opensaml.xml.encryption.Encrypter:645] - Generating random symmetric data encryption key from algorithm URI: http://www.w3.org/2001/04/xmlenc#aes128-cbc
12:50:52.223 - DEBUG [org.opensaml.xml.encryption.Encrypter:429] - Encrypting XMLObject using algorithm URI http://www.w3.org/2001/04/xmlenc#aes128-cbc with content mode false
12:50:52.225 - DEBUG [org.opensaml.xml.encryption.Encrypter:330] - Encrypting encryption key with algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
12:50:52.234 - DEBUG [org.opensaml.xml.encryption.Encrypter:291] - Dynamically generating KeyInfo from Credential for EncryptedKey using generator: org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator
12:50:52.235 - DEBUG [org.opensaml.saml2.encryption.Encrypter:423] - Placing EncryptedKey elements inline inside EncryptedData
12:50:52.235 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:331] - secondarily indexing user session by name identifier
12:50:52.237 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:796] - Encoding response to SAML request 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed from relying party cloud.etrs.terre.defense.gouv.fr
12:50:52.237 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:49] - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
12:50:52.237 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:124] - Invoking Velocity template to create POST body
12:50:52.238 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:158] - Encoding action url of 'https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso' with encoded value 'https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso'
12:50:52.238 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:162] - Marshalling and Base64 encoding SAML message
12:50:52.240 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:97] - Marshalling message
12:50:52.260 - DEBUG [PROTOCOL_MESSAGE:74] - ID="_f554e0c08f61f5c6d18529e5b2f16884" InResponseTo="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed" IssueInstant="2017-05-04T10:50:52.198Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth
12:50:52.262 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:56] - Successfully encoded message.
12:50:52.262 - INFO [Shibboleth-Audit:1028] - 20170504T105052Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|85qrvu7c1kmg1tsc0gqmk4a1u2k60qed|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_f554e0c08f61f5c6d18529e5b2f16884|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_fa7d6de2b4e946248d8f52c948470df6||

At the CloudStack SP the authentication failed:

2017-05-04 15:01:27,164 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) ===START=== 172.16.96.7 -- POST command=samlSso
2017-05-04 15:01:27,164 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) Session cookie is marked secure!
2017-05-04 15:01:27,219 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) Received SAMLResponse in response to id=vf4gl2406lrritgfmqqif535ssf7f2ns
2017-05-04 15:01:27,222 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) Authentication failure: 531</errorcode>Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.
2017-05-04 15:01:27,222 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) ===END=== 172.16.96.7 -- POST command=samlSso

Thank you again for your help.

On 03/05/2017 11:17, Rohit Yadav wrote:

Hi Fabrice,

Ensure that both SP and IdP server hosts have the same timezone/time settings. Consider setting up NTP on them etc.

Next, another reason it failed to log into CloudStack (even though I can see successful authentication at the IdP side) is that SP (cloudstack mgmt server) has incorrect IdP metadata or certificates to verify and decrypt the encrypted tokens in the saml2 response. Please verify this as well.

Regards.

rohit.yadav@shapeblue.com www.shapeblue.com @shapeblue

________________________________
From: Fabrice Pollet
Sent: 02 May 2017 17:44:58
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

Hello,

Thank you very much for your answer.

Maybe I misunderstood because in my current configuration, CloudStack refers to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword without any modification and that corresponds to the native authentication of my IdP.

I wanted CloudStack to return to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser which corresponds to my SSO-CAS.

So I followed your hack, but in /etc/cloudstack/management/idp-metadata.xml I replaced https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO with https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.

This time CloudStack redirects correctly to my SSO-CAS, which is progress. Unfortunately, authentication does not succeed.

Here are the logs of the IdP at the time of the connection:

11:09:55.290 - INFO [Shibboleth-Access:73] - 20170502T090955Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
11:09:55.378 - DEBUG [PROTOCOL_MESSAGE:74] - ID="_3b1e03d6935882d3eb5d3f9242fb1426" InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2" IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth
11:09:55.379 - INFO [Shibboleth-Audit:1028] - 20170502T090955Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ni2j9u3i4d749ask9434jsgon0i9g7u2|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3b1e03d6935882d3eb5d3f9242fb1426|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_9d5c99cfc524cd833e5e19406c95538e||

Here are the CloudStack logs:

2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===START=== 172.16.96.7 -- GET command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json
2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Session cookie is marked secure!
2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Sending SAMLRequest id=mdp1ikdn2elvck5uilfbs266ahop200v
2017-05-02 10:10:10,903 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===END=== 172.16.96.7 -- GET command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json

Here is the error in the browser:

https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso : 531Received SAML response for a SSO request that we may not have made or has expired, please try logging in again

Thank you again for your time.

On 28/04/2017 11:23, Rohit Yadav wrote:

Hi Fabrice,

I looked at the IdP XML. With the SAML2 plugin enabled/configured in CloudStack, when users click on login they will be redirected to https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with a saml token). After this, I'm not sure how your setup/IdP should behave on handling the redirection or use of the REMOTE_USER environment variable.

A sort of a hack you can try is to replace the SSO URL in your xml file (saved in /etc/cloudstack/management/) with https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and see if that works for you.

Regards.

rohit.yadav@shapeblue.com www.shapeblue.com @shapeblue

________________________________
From: Fabrice Pollet
Sent: 27 April 2017 14:30:53
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

I tried your solution to save the IdP metadata in file /etc/cloudstack/management/idp-metadata.xml and I found my IdP in the selection proposed by CloudStack. In any case it shows me the possibility of adding other IdPs and that is very good.

However, I come back to the same situation. My Cloud refers to the native authentication of my IdP instead of the SSO-CAS.

I specify that my IdP has been working since 2015 with the Federation RENATER and that its external services are correctly redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?

On 27/04/2017 09:10, Fabrice Pollet wrote:

Hello,

The IdP metadata can also be read at this public URL https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS) instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled automatically).

I will try your workaround.

I would like to inform you and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:

Hi Fabrice,

I could not open the URLs (they are not public) so cannot verify the XML metadata.

The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include a list of supported IdP server endpoints that support http-redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based single sign-on. The current SAML2 plugin supports and works with the Http-Redirect binding only.

If you can share the xml with me, I can verify the SSO URL. Likely, the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of the allowed SSO http-redirect based endpoints.

You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml that you get from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata") added/enabled; you can download and save the IdP metadata (make any URL modification that you want) to a file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management server(s) and then in the global setting set the 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without the quotes). Then, restart the mgmt server(s); it will read the metadata from this file location instead of the URL.

The SAML2 plugin also allows for multiple IdPs to be defined (for example, in case of a federation it will retrieve and list all the available SSO sites, for example search for CAFe saml federation).

Regards.

________________________________
From: Fabrice Pollet
Sent: 26 April 2017 17:31:46
To: users@cloudstack.apache.org
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0 as a service provider (SP) to our own identity provider Shibboleth 2.4.4 (IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false
saml2.default.idpid = néant
saml2.enabled = true
saml2.idp.metadata.url = http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
saml2.sigalg = SHA256
saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
saml2.sp.slo.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
saml2.sp.sso.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
saml2.user.attribute = uid

But the URL SSO-SAML2 https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso returns me to the native authentication URL of our IdP https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword instead of the SSO-CAS delegation URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.

The metadata of my SP are listed in my IdP (from the configuration file relying-party.xml):

Thank you for your help.

--
IEF MINDEF POLLET Fabrice
TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France
821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr (Internet)
fabrice-c.pollet@intradef.gouv.fr (Intradef)

rohit.yadav@shapeblue.com www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue
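
Added example (not part of the thread, and not CloudStack or Shibboleth code): an offline triage script for the failure modes that surface above, namely a response whose InResponseTo matches no request the SP remembers, IdP/SP clock skew, and a configured saml2.user.attribute that matches no released attribute Name. The sample response is constructed; it assumes the IdP releases uid under the OID-style Name urn:oid:0.9.2342.19200300.100.1.1 with FriendlyName uid and that the SP compares the configured value against Name, and the request IDs, hostnames, function names and 5-minute tolerance are likewise assumptions.

```python
"""Offline triage of a decrypted SAML 2.0 Response (added example).
Diagnostic only: it verifies no signature and must not gate logins."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (assumption): uid is released under its OID-style Name,
# with "uid" only as FriendlyName. Hostnames, IDs and values are made up.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response" Version="2.0"
    InResponseTo="req-aaaa" IssueInstant="2017-05-04T10:50:52.198Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0"
      IssueInstant="2017-05-04T10:50:52.198Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_instant(text):
    """Parse a UTC xs:dateTime ('Z' suffix), with or without fraction."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported IssueInstant: %r" % text)


def list_attributes(root):
    """Return (Name, FriendlyName, values) for every released attribute."""
    found = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        found.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return found


def triage(response_xml, configured_attr, pending_request_ids, now,
           max_skew=timedelta(minutes=5)):
    """Return a list of (code, message) findings; an empty list means clean.

    pending_request_ids: AuthnRequest IDs the SP still remembers sending.
    now: timezone-aware SP clock; max_skew: assumed tolerance (5 minutes).
    """
    root = ET.fromstring(response_xml)
    findings = []

    # 1. Correlation: the SP should only accept answers to its own requests.
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        findings.append(("request-id",
                         "InResponseTo=%s matches no pending request"
                         % in_response_to))

    # 2. Clock: compare in UTC so differing host timezones do not matter.
    skew = abs(now - parse_instant(root.get("IssueInstant", "")))
    if skew > max_skew:
        findings.append(("clock-skew", "IdP/SP clocks differ by %s" % skew))

    # 3. Attribute lookup by Name; FriendlyName is only a display hint.
    if root.find(".//saml:Assertion", NS) is None:
        findings.append(("encrypted", "no plaintext Assertion; decrypt first"))
        return findings
    attrs = list_attributes(root)
    if not any(name == configured_attr for name, _, _ in attrs):
        hints = [name for name, friendly, _ in attrs
                 if friendly == configured_attr]
        msg = "no Attribute with Name=%r" % configured_attr
        if hints:
            msg += "; FriendlyName matches on %r" % hints[0]
        findings.append(("attribute-name", msg))
    return findings


if __name__ == "__main__":
    sp_now = datetime(2017, 5, 4, 10, 51, 0, tzinfo=timezone.utc)
    for code, message in triage(SAMPLE_RESPONSE, "uid", {"req-aaaa"}, sp_now):
        print(code, "-", message)
```
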