Shibboleth Users



RE: Shibboleth errors differ on SSL/non-SSL.


  • From: Jim Fox < >
  • To: Scott Cantor < >
  • Subject: RE: Shibboleth errors differ on SSL/non-SSL.
  • Date: Mon, 28 Feb 2005 09:24:40 -0800 (PST)



For starters, you're using the wrong log, the shire log is not generally
useful for anything except very esoteric problems or problems with the
RequestMap process.

The first error is an IdP blocking you because the SP's metadata is wrong.
The assertion consumer service URL has to be published in the metadata
loaded into the IdP, and apparently it's not. Probably only the SSL URL is
published, so it's (correctly) blocking you.

Correct. The origin rejects "http://bob.createhope.com/Shibboleth.shire"
because the consumer service is listed as "https://,,,".


In the SSL case, anything could be happening, but it's a configuration
failure and the shar service is undoubtedly failing to process the new
session, which the log will indicate.


The IdP seems to have no objections to the requests. It shows:

- Remote provider has identified itself as:
(https://www.createhope.com/shibboleth).
- Provider is a member of group (urn:mace:incommon:washington:edu), but no
matching Relying Party was found.
- Could not locate Relying Party configuration for
(https://www.createhope.com/shibboleth). Using default Relying Party:
(urn:mace:incommon).
- Supplied consumer URL validated for this provider.
- User was authenticated via the default method for this relying party
(urn:oasis:names:tc:SAML:1.0:am:password).
- Dumping generated SAML Response:
... etc ...

Which seems to be normal.

Jim
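
The consumer-URL check discussed in this thread, sketched as an added example (not part of the original messages and not Shibboleth's own code): an IdP-side exact match of the supplied consumer URL against the endpoints published in the SP's metadata. It assumes SAML 2.0-style metadata; the sp.example.org names, the metadata document and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata: only the SSL endpoint is published.
SP_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/Shibboleth.shire"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def published_consumer_urls(metadata_xml, provider_id):
    """Return the set of consumer service Locations published for provider_id."""
    root = ET.fromstring(metadata_xml)
    # The document may be a single EntityDescriptor or a group of them.
    entities = [root] if root.tag == f"{{{MD_NS}}}EntityDescriptor" else []
    entities += root.findall(f".//{{{MD_NS}}}EntityDescriptor")
    urls = set()
    for entity in entities:
        if entity.get("entityID") != provider_id:
            continue
        for acs in entity.iter(f"{{{MD_NS}}}AssertionConsumerService"):
            if acs.get("Location"):
                urls.add(acs.get("Location"))
    return urls


def validate_consumer_url(metadata_xml, provider_id, supplied_url):
    """Exact string match: scheme, host, port and path must all agree."""
    published = published_consumer_urls(metadata_xml, provider_id)
    if not published:
        return False, "no consumer URLs published for this provider"
    if supplied_url in published:
        return True, "supplied consumer URL validated for this provider"
    # An http:// request fails when only the https:// endpoint is published.
    return False, "supplied consumer URL is not in the provider's metadata"


if __name__ == "__main__":
    for url in ("https://sp.example.org/Shibboleth.shire",
                "http://sp.example.org/Shibboleth.shire"):
        print(url, validate_consumer_url(
            SP_METADATA, "https://sp.example.org/shibboleth", url))
```
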


