Trouble getting TestShib2 to recognize my metadata
Paul Raccuglia
praccu at gmail.com
Tue Nov 29 22:39:55 GMT 2011
Hi.
I'm trying to test my IdP against testshib2, but I am having trouble
getting testshib2 to recognize my metadata.
After going through the registration process with testshib, and
registering my IdP, I go to https://sp.testshib.org/, and put my
entity id as https://165.82.120.62/idp/shibboleth , and encounter the
error
"Unable to locate metadata for provider (https://165.82.120.62/idp/shibboleth)"
As far as I can tell, my metadata is okay (I have the idp in question
working with a SP running on the same machine, but to test that SP I
used /etc/hosts to avoid using IP addresses; I've changed my idp
metadata to reflect the entityId I'm giving testshib.)
When I look at testshib's shibd.log, I see the following:
2011-11-29 16:49:29 DEBUG Shibboleth.Listener [33]: dispatching
message (default/TestShib::run::SAML2SI)
2011-11-29 16:49:29 DEBUG OpenSAML.MetadataProvider.XML [33]:
timestamp of local resource changed, elevating to a write lock
2011-11-29 16:49:29 INFO OpenSAML.MetadataProvider.XML [33]: change
detected, reloading local resource...
2011-11-29 16:49:29 DEBUG OpenSAML.MetadataProvider.XML [33]: loading
configuration from external resource...
2011-11-29 16:49:31 INFO OpenSAML.MetadataProvider.XML [33]: loaded
XML resource (/var/www/html/metadata/testshib-two-metadata.xml)
2011-11-29 16:49:36 CRIT OpenSAML.MetadataProvider.XML [33]:
maintaining existing configuration, error reloading resource
(/var/www/html/metadata/testshib-two-metadata.xml): Invalid child
element: md:RequestedAttribute
2011-11-29 16:49:36 DEBUG OpenSAML.MetadataProvider.XML [33]: attempt
to update resource complete, relocking
2011-11-29 16:49:36 WARN Shibboleth.SessionInitiator.SAML2 [33]:
unable to locate metadata for provider
(https://165.82.120.62/idp/shibboleth)
It seems to me that either (a) I've done something dumb without
realizing it (much more likely), or (b) some other problem with
testshib's providers' metadata is preventing my metadata from being
loaded.
In either case, I'm not sure what to do. Can anyone point me in the
direction of what I am doing wrong?
Thanks,
Paul
For completeness, here is the metadata that I gave to testshib:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
entityID="https://165.82.120.62/idp/shibboleth">
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0
urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">165.82.120.62</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://165.82.120.62:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
index="1"/>
<ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://165.82.120.62:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
index="2"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat>
<SingleSignOnService
Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://165.82.120.62/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://165.82.120.62/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://165.82.120.62/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://165.82.120.62/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>
<AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">165.82.120.62</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDIDCCAgigAwIBAgIVAPLDMQuiqyHLS6UY9Z5vGPbx6lggMA0GCSqGSIb3DQEB
BQUAMBgxFjAUBgNVBAMTDTE2NS44Mi4xMjAuNjIwHhcNMTExMTI5MjA1MjQyWhcN
MzExMTI5MjA1MjQyWjAYMRYwFAYDVQQDEw0xNjUuODIuMTIwLjYyMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmr2242HEzVLMfE5sIX5opqwiy6bM1zPm
y0LSdcAUucoC7khsE+A298dT9drR6AAZLr9CViNYG9q4NhTmnkZyfFuuP5JaasbT
HnI7wFBZApz4iH0TIMmIqLhcibXanLCtWkyQ/x44dYjXMU7DNubQn+iTFqEyle4Y
h5YyWOYy6Ap0HXTSoD2tV1vUoeHDPXiwa6sV2kKaNyMbCFB+u+lMew6Js34kurPf
OIVb6rXj1dyXLcshxIdyuAYGBYMnoIJ8T2EA/CJFYkvdhavZwUN2VQYZ0ap2YlSX
qLo/z+D2awDqhhiE/bA5WCtdPBsJy19IHFKuTmzZub4TxPPmYdtmpwIDAQABo2Ew
XzA+BgNVHREENzA1gg0xNjUuODIuMTIwLjYyhiRodHRwczovLzE2NS44Mi4xMjAu
NjIvaWRwL3NoaWJib2xldGgwHQYDVR0OBBYEFD4bL5/HFL1/62JyL3FrgTS9sh/B
MA0GCSqGSIb3DQEBBQUAA4IBAQB5uylEc8Xs1cOPBdjMILttCzIeNNJDU1mgoqAh
VU9QXvDJxFvmTHqRvPfKk9O75pbow8lkuQWwhNEG5PKfpPEYDhs7j+h98o4oxZ1u
u1YT5wcHaOh+AWO9+LOZxOEyZ+sFQOp48l/VNjkM1kAPGdnEOahFuahwsTlDJkDO
dSaD8ry9txR+m205mPRvVr0WXnNA5rygjlPC0W0h4MJNL0W4EpVVsUTgxsaZ+8of
McmYMNoBIXGYhh0q9l6brRUvMOi7lAgVzuHZWdSiWiZBYtJBobMftzkKcXbPtgFF
kPu4M63HBFGKttgTkonBGxWzxTjGFzCSnHcMsOA53QFmOisG
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AttributeService
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://165.82.120.62:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://165.82.120.62:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat>
</AttributeAuthorityDescriptor>
</EntityDescriptor>
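The shibd.log excerpt in the post shows the reload of testshib-two-metadata.xml being rejected with "Invalid child element: md:RequestedAttribute". As an added example (not part of the original post or of TestShib), this Python script reports which entity in a metadata aggregate carries an md:RequestedAttribute outside md:AttributeConsumingService, the only parent the SAML 2.0 metadata schema allows for it; the sample aggregate and its example.org entity IDs are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted metadata, parse with defusedxml instead

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = f"{{{MD}}}EntityDescriptor"
REQ_ATTR = f"{{{MD}}}RequestedAttribute"
ALLOWED_PARENT = f"{{{MD}}}AttributeConsumingService"

# Constructed sample aggregate: one IdP, one valid SP, one SP with a misplaced element.
SAMPLE_AGGREGATE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-good.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AttributeConsumingService index="1">
        <ServiceName xml:lang="en">Good SP</ServiceName>
        <RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
      </AttributeConsumingService>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-bad.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def misplaced_requested_attributes(xml_text):
    """Return (entityID, parent element name) for every RequestedAttribute
    whose parent is not AttributeConsumingService."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() includes the root itself, so a lone EntityDescriptor also works.
    for entity in root.iter(ENTITY):
        # ElementTree has no parent pointers; build a child -> parent map.
        parent_of = {child: parent for parent in entity.iter() for child in parent}
        for element in entity.iter(REQ_ATTR):
            parent = parent_of[element]
            if parent.tag != ALLOWED_PARENT:
                findings.append((entity.get("entityID"), parent.tag.split("}")[-1]))
    return findings


if __name__ == "__main__":
    for entity_id, parent_name in misplaced_requested_attributes(SAMPLE_AGGREGATE):
        print(f"{entity_id}: RequestedAttribute directly under {parent_name}")
```

Because the log shows the provider "maintaining existing configuration" after the failed reload, any entity flagged this way keeps newly registered entities in the same file from being loaded until it is corrected.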