shibboleth-dev - shibd not parsing XML metadata

Subject: Shibboleth Developers

  • From: "E. Stuart Hicks" <>
  • To:
  • Subject: shibd not parsing XML metadata
  • Date: Wed, 11 Jun 2008 15:41:54 -0400
  • Openpgp: id=FCC71252
  • Organization: OhioLINK

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, I've hacked away at ShibSP enough now that it's compiled and
running on the Tru64 machine. The Apache module seems fine but when I
try and access the /secure section and return from the IdP, it returns
this error:

- ----------------------

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized
for use with this service or does not support the necessary capabilities.

To report this problem, please contact the site administrator at
.

Please include the following error message in any email:

Identity provider lookup failed at
(http://journals.ohiolink.edu/Shibboleth.sso/SAML/POST)

opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST
response not established.

- ---------------------

The output from shibd.log (with OpenSAML.MessageDecoder=DEBUG) is below
as well. This IdP works fine on the other SPs so I'm guessing that the
XML libraries aren't parsing the Metadata properly. shibd.log shows it
being properly downloaded and passing the signature test. The files in
/usr/local/var/run/shibboleth look fine. I've tried with the other IdP
I have running and the result is the same even though it is also
included in the metadata.

Considering the platform, my guess is that one of the supporting
packages (probably something XML-related) isn't compiling and/or
functioning properly. I really don't know where to start looking,
though. Any ideas?


- ----------------------
E. Stuart Hicks
Access Manager / Systems Engineer
OhioLINK





shibd.log:

- ---------------------
2008-06-11 15:34:07 DEBUG OpenSAML.MessageDecoder.SAML1POST [1]:
validating input
2008-06-11 15:34:07 DEBUG OpenSAML.MessageDecoder.SAML1POST [1]: decoded
SAML response:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2008-06-11T19:33:18.424Z" MajorVersion="1"
MinorVersion="1"
Recipient="http://journals.ohiolink.edu/Shibboleth.sso/SAML/POST"
ResponseID="_3abe154442fe79a280ed48c8af5706e8"><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_3abe154442fe79a280ed48c8af5706e8">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds
kind rw saml samlp typens #default xsd
xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>hgytHUw7SFHk+q5JxSxNVpRfOQw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LYE2jjt7SEGZvMo2sPULSKuObyTZpRyFtmfGndPqOQymuzHrHhqqVbExHtqpbm5ke5GrG2CJ4GHR
wsmfBNprilrMDVZzgQvVNPtehNwVsPk+TAF7HWZ7nADtaw2pdxqHOQvSVYjX2GCtZD4hGD4/bQu5
a0BM/57CtGfigUlFVtQ=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode
Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_88b9295c52f43dd20b9ceb3d4c301c31"
IssueInstant="2008-06-11T19:33:18.424Z"
Issuer="urn:mace:incommon:ohiolink.edu" MajorVersion="1"
MinorVersion="1"><Conditions NotBefore="2008-06-11T19:33:18.424Z"
NotOnOrAfter="2008-06-11T19:38:18.424Z"><AudienceRestrictionCondition><Audience>https://journals.ohiolink.edu/shibboleth</Audience><Audience>urn:mace:shibboleth:examples</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2008-06-11T19:33:18.424Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier
Format="urn:mace:shibboleth:1.0:nameIdentifier"
NameQualifier="urn:mace:incommon:ohiolink.edu">_d5290468d20a01275b48ca66e4c9b2b5</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
IPAddress="192.153.30.31"></SubjectLocality></AuthenticationStatement></Assertion></Response>
2008-06-11 15:34:07 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: extracting
issuer from SAML 1.x Response
2008-06-11 15:34:07 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: response
from (urn:mace:incommon:ohiolink.edu)
2008-06-11 15:34:07 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: searching
metadata for response issuer...
2008-06-11 15:34:07 WARN OpenSAML.MessageDecoder.SAML1 [1]: no metadata
found, can't establish identity of issuer (urn:mace:incommon:ohiolink.edu)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhQKoIACgkQqmBbivzHElLmgACg2zAonMSDSdP0gYJ2y7yQ9/0j
N18An0gDp3ja47hMvzyIFKtHS089Q/9G
=tBsy
-----END PGP SIGNATURE-----
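
The log above ends with the SP failing to find the response issuer in its metadata. As an added example (not part of the original message and not Shibboleth code), the following checks with an independent XML parser whether an issuer's entityID appears in a metadata document as an IdP role that lists SAML 1.1. The function name `check_issuer` is hypothetical and the sample metadata is constructed and trimmed.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML11 = "urn:oasis:names:tc:SAML:1.1:protocol"

# Constructed sample metadata, not the federation's real file.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="urn:mace:incommon:ohiolink.edu">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def check_issuer(metadata_xml, issuer):
    """Report whether `issuer` is listed as an IdP that supports SAML 1.1."""
    root = ET.fromstring(metadata_xml)
    result = {"found": False, "idp_role": False, "saml11": False, "near_misses": []}
    # iter() also yields the root, so a bare EntityDescriptor file works too.
    for entity in root.iter(MD + "EntityDescriptor"):
        entity_id = entity.get("entityID", "")
        if entity_id == issuer:
            result["found"] = True
            for role in entity.findall(MD + "IDPSSODescriptor"):
                result["idp_role"] = True
                protocols = role.get("protocolSupportEnumeration", "").split()
                result["saml11"] = result["saml11"] or SAML11 in protocols
        elif entity_id.strip().lower() == issuer.strip().lower():
            # entityID lookup is an exact string match, so case or
            # whitespace drift is reported separately as a near miss.
            result["near_misses"].append(entity_id)
    return result


if __name__ == "__main__":
    print(check_issuer(SAMPLE_METADATA, "urn:mace:incommon:ohiolink.edu"))
```

Run against the copy of the metadata cached under /usr/local/var/run/shibboleth, a positive result here alongside "no metadata found" in shibd.log points at the SP's own parsing or configuration rather than at the metadata content.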



