Shibboleth Developers

["Howard Gilbert" <>]

I propose instructions to change occurrences of "sp.example.org" to the machine on which the SP is installed. This both sets the handlerURL to the right value and establishes an Entity name that is not in the IdP Metadata. The entity name of "sp.example.org" is in its Metadata and produces a shire lookup error if not changed.

 

Using the IQ WAYF

 

<SessionInitiator isDefault="true" id="IQ" Location="/WAYF/InQueue"

      Binding="urn:mace:shibboleth:sp:1.3:SessionInit"

      wayfURL="https://wayf.internet2.edu/InQueue/WAYF"

      wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>

 

Then everything goes as expected and I can login as demo/demo. However, using the checked in Metadata associated with IQ:

 

<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"

uri="$SP_HOME$/etc/IQ-metadata.xml"/>

 

I get some sort of certificate mismatch of Metadata and actual AA certificate:

 

15:16 DEBUG Setting connection properties for connecting to https://wayf.interne

t2.edu:8443/shibboleth-idp/AA

15:16 DEBUG Connection to https://wayf.internet2.edu:8443/shibboleth-idp/AA set

up, running 1 outgoing client-side HTTP hooks.

15:16 DEBUG Connecting to https://wayf.internet2.edu:8443/shibboleth-idp/AA

15:16 DEBUG Inline validation was unsuccessful.  Attmping PKIX...

15:16 ERROR cannot match certificate subject against acceptable key names based

on the metadata entityId or KeyDescriptors

15:16 WARN  X.509 Certificate failed Trust validate

15:16 INFO  ShibHttpHook rejected AA Server Certificate.

15:16 ERROR Unable to query attributes: javax.net.ssl.SSLHandshakeException: jav

a.security.cert.CertificateException: Cannot validate AA Server Certificate in M

etadata

15:16 ERROR AttributeRequestor Query to remote AA returned no response from urn:

mace:inqueue:example.edu

 

I do not believe that this is a code error because the problem does not occur when using the local IdP and the idp/sp.example.org Metadata.