
shibboleth-dev - RE: metadata lookup failed, unable to process assertion

Subject: Shibboleth Developers

  • From: "Vitaliy A. Shipitsyn" <>
  • To: Scott Cantor <>,
  • Cc: "'David Alexander'" <>, "'Alexander Fedyukin'" <>, "'Todd Acheson'" <>
  • Subject: RE: metadata lookup failed, unable to process assertion
  • Date: Tue, 12 Jul 2005 18:03:57 -0400



--On Tuesday, July 12, 2005 4:20 PM -0400 Scott Cantor wrote:

> > We are using the exact same configuration from a working
> > Linux target, so we don't believe it is a configuration issue.
>
> Does that target successfully find metadata about a urn:mace:incommon IdP
> when you interact with the IdP in question?

Yes.

Here is the last part of the SAML response to the Linux target:

<Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="a2111452f14aa7a215d9839349ad7355"
IssueInstant="2005-07-12T21:46:58.928Z" Issuer="urn:mace:incommon:ohio.edu"
MajorVersion="1" MinorVersion="1"><Conditions
NotBefore="2005-07-12T21:46:58.928Z"
NotOnOrAfter="2005-07-12T21:51:58.928Z"><AudienceRestrictionCondition><Audience>https://www-test.cns.ohiou.edu/shibboleth</Audience><Audience>urn:mace:incommon</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2005-07-12T21:46:58.928Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier
Format="urn:mace:shibboleth:1.0:nameIdentifier"
NameQualifier="urn:mace:incommon:ohio.edu">heYv1QTpAo5y5E9ZU4PjCBDvQkOcJ36b6RitTm2F6B/Uo4iHOO6NNqK3QXJNmpopHm6DefmCxxVtN1ItnY+jTfKrV4n1a61VIgRXeRmxuxX/SuXxZ7i0YT9BKP5z9TPpRESy2WWM8ug8BGNEjKHPnsIlRzMSaWc37lIixmkhOA+eCKnxYZREnnbnSFNNpUzOhETHhvXi2SHNAzuqG56kzf93STnpDfFNPTpNh4ywDzvCV0LgMZzFhHKhOAtQpB/YatAC1KWbaCZI+eYecyzo4/+D/duRfy7IeCgp+ghH1reN+yO0wksOcu4LCgpkN/DxikEyd5zbVOTEDVggEbgoUzzQmp/KjZnCh4+cBoFEiP4VnmIvOWEgsj7zwbhCZd8OTiebjxq1rbI=</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn
:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
IPAddress="132.235.79.58"></SubjectLocality></AuthenticationStatement></Assertion>

>
> > A valid-looking SAML response gets written to shibd.log before we see
> > the errors above. We suspect that the XML data from the metadata file
> > are not read correctly or corrupt, and the lookups of the issuer
> > urn:mace:incommon:ohio.edu consequently fail.
>
> So you have a metadata file supplied with an EntityDescriptor with
> entityID="urn:mace:incommon:ohio.edu"?

Yes.

This is what we have (copied & pasted from XML):
<EntityDescriptor entityID="urn:mace:incommon:ohio.edu">

The last part of the SAML response to the Tru64 target:

<Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="a0bcb37051edcb03e43bb5e45d4d612a"
IssueInstant="2005-07-12T21:55:55.119Z" Issuer="urn:mace:incommon:ohio.edu"
MajorVersion="1" MinorVersion="1"><Conditions
NotBefore="2005-07-12T21:55:55.119Z"
NotOnOrAfter="2005-07-12T22:00:55.119Z"><AudienceRestrictionCondition><Audience>https://toddtest4.cats.ohiou.edu/shibboleth</Audience><Audience>urn:mace:incommon</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2005-07-12T21:55:55.119Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier
Format="urn:mace:shibboleth:1.0:nameIdentifier"
NameQualifier="urn:mace:incommon:ohio.edu">zjuGMocLKc9CSlADjVPpfn2pg9tVBj7qTOVUVOjtxRF7Jnooe4qIcXT+YPY6tg6H8UCHxW3zyWaTn3wfgncHVcnP4g38ALAz6DaATnK/ft9yQNhtVvy11HEGCP1OwdJKiz/oRDvTAbShsTTMsyuWBLVlalLeVaFjiOPiOS7g+yyyQPjQabzlwH+To4ySw2llD+yjQPsEbkahjpqxu7NC2Yz19oxhIrCZu0DSbfX2Wo9v4omFxTsnq7tyIiN8E2sBL0m+REhv6OrZxK1M8Teqq2V9wZg5T8IMFWQR3zaEatdTEKQPpgw8zEPOpIWXskxFTMS9dqP5Zbij7lOAWmtUXj3GSV0+UddDMbv6pCyF4f6edWlYIMcLIbyq2ragBFtuNQ2Axq4QoGI=</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn
:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
IPAddress="132.235.79.58"></SubjectLocality></AuthenticationStatement></Assertion>

>
> > Questions:
> > - could there be incompatibilities related to 64bit vs. 32bit
> > compilation modes?
>
> I have no experience with 64 bit anything.
>
> > - are there class methods that dump the parsed metadata?
>
> No, but you could add log messages to the code that's loading the entities
> and storing them in the site map.

We are involved in this right now.

>
> > - does metadata lookup take place in mod_shib or in shibd? We
> > would like to debug the code spanning from Metadata.cpp.
>
> Both, but shibd is responsible initially.
>
> -- Scott

Thank you for the quick response, Scott.

Vitaliy


----
Vitaliy A Shipitsyn
Ohio University, http://edirectory.ohio.edu/?$search?uid=vshipits
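
Added example, not part of the original message or of Shibboleth's code: a Python script that indexes `EntityDescriptor` elements by `entityID` exactly as an XML parser returns them and resolves an assertion's `Issuer` against that index, flagging near misses. The two sample documents, the `example.edu` entry and all function names are constructed for illustration, and the metadata namespace is an assumption.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace of the posted assertion

# Constructed sample metadata (not the real federation file). The namespace is an
# assumption; elements are matched by local name so it does not matter here.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="urn:mace:incommon:ohio.edu"/>
  <EntityDescriptor entityID="urn:mace:incommon:example.edu "/>
</EntitiesDescriptor>"""

# Constructed sample, reduced from the assertion quoted in the message.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
      AssertionID="_constructed" Issuer="urn:mace:incommon:ohio.edu"
      MajorVersion="1" MinorVersion="1"/>
</Response>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def index_entities(metadata_xml):
    """Map each entityID, exactly as parsed, to its EntityDescriptor element."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): e for e in root.iter()
            if local(e.tag) == "EntityDescriptor" and e.get("entityID") is not None}

def issuers(response_xml):
    """Return the Issuer attribute of every SAML 1.x Assertion in the response."""
    root = ET.fromstring(response_xml)
    return [a.get("Issuer") for a in root.iter("{%s}Assertion" % SAML1_NS)]

def lookup(issuer, index):
    """Return ('exact'|'near'|'missing', matched key). 'near' means the strings
    differ only in surrounding whitespace or case, which an exact-match map rejects."""
    if issuer in index:
        return "exact", issuer
    norm = issuer.strip().lower()
    for key in index:
        if key.strip().lower() == norm:
            return "near", key
    return "missing", None

if __name__ == "__main__":
    idx = index_entities(SAMPLE_METADATA)
    for key in idx:                      # repr() exposes stray whitespace
        print("parsed entityID:", repr(key))
    for iss in issuers(SAMPLE_RESPONSE):
        print(repr(iss), "->", lookup(iss, idx))
```

Running the same functions over the real metadata file and a logged response on both hosts gives a reference result to compare against whatever log messages are added around the site map.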


