ECP Issue with IdP 2.3.3

Mike Wiseman mike.wiseman at utoronto.ca
Thu Sep 1 21:26:27 BST 2011


Hi,

I'm testing IdP v-2.3.3 built-in ECP functionality with an SP. The client access fails with the following IdP error:

...
14:20:50.922 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:101] - Filtering peer endpoints.  Supported peer endpoint bindings: [urn:oasis:names:tc:SAML:2.0:bindings:PAOS]
14:20:50.922 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:116] - Removing endpoint <SP_endpoint_URL> because its binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST is not supported
14:20:50.922 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:116] - Removing endpoint <SP_endpoint_URL> because its binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign is not supported
14:20:50.923 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:429] - No return endpoint available for relying party <SP_entityID>
14:20:50.923 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler:237] - Returning SOAP fault
edu.internet2.middleware.shibboleth.common.profile.ProfileException: No peer endpoint available to which to send SAML response
        at edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler.populateProfileInformation(AbstractSAMLProfileHandler.java:430) ~[shibboleth-identityprovider-2.3.3.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler.populateRequestContext(AbstractSAMLProfileHandler.java:315) ~[shibboleth-identityprovider-2.3.3.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.populateRequestContext(AbstractSAML2ProfileHandler.java:181) ~[shibboleth-identityprovider-2.3.3.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler.decodeRequest(SAML2ECPProfileHandler.java:305) [shibboleth-identityprovider-2.3.3.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler.processRequest(SAML2ECPProfileHandler.java:183) [shibboleth-identityprovider-2.3.3.jar:na]   
...

The two endpoint bindings are listed in the SP metadata. The same functionality works fine with the production IdP v2.2.1 with the ECP plugin and the same SP and metadata. Some equivalent logs from the production IdP:

...
00:00:10.149 - DEBUG [edu.internet2.middleware.shibboleth.idp.ext.ecp.profile.ECPProfileHandler:488] - adding acceptable ep: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
00:00:10.149 - DEBUG [edu.internet2.middleware.shibboleth.idp.ext.ecp.profile.ECPProfileHandler:488] - adding acceptable ep: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
00:00:10.149 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:100] - Filtering peer endpoints.  Supported peer endpoint bindings: [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign]
00:00:10.149 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:64] - Selecting endpoint by ACS index '0' for request '_8045c311-c0df-4fbd-88b1-ba3b507b89df' from entity '<SP_entityID>' 
...


Appreciate any help with this.

Mike



Mike Wiseman
Information + Technology Services
University of Toronto
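
The endpoint filtering visible in the two log excerpts above, modelled as an added example; it is not part of the original post and is not Shibboleth or OpenSAML code. The SP metadata, entityID and Location URLs are constructed placeholders, and the two supported-binding sets are copied from the "Supported peer endpoint bindings" log lines.

```python
import xml.etree.ElementTree as ET  # for untrusted metadata, prefer defusedxml

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed SP metadata: entityID and Location values are placeholders.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" Binding="{POST}"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService index="1" Binding="{SIMPLESIGN}"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """Return sorted (index, binding, location) for each AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    found = []
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        found.append((int(acs.get("index", "0")), acs.get("Binding"), acs.get("Location")))
    return sorted(found)


def filter_endpoints(metadata_xml, supported_bindings):
    """Split endpoints into (kept, removed) by the bindings the handler accepts."""
    kept, removed = [], []
    for ep in acs_endpoints(metadata_xml):
        (kept if ep[1] in supported_bindings else removed).append(ep)
    return kept, removed


def report(label, supported):
    """Print a log-like summary and return the surviving endpoints."""
    kept, removed = filter_endpoints(SP_METADATA, supported)
    print(f"{label}: supported={sorted(supported)}")
    for _, binding, loc in removed:
        print(f"  removed {loc} (binding {binding} not supported)")
    if not kept:
        print("  no return endpoint available")
    for idx, _, loc in kept:
        print(f"  candidate index={idx} {loc}")
    return kept


if __name__ == "__main__":
    report("2.3.3 built-in ECP handler (set from the log)", {PAOS})
    report("2.2.1 with ECP plugin (set from the log)", {POST, SIMPLESIGN})
```

With the PAOS-only set from the 2.3.3 log, an endpoint survives this filter only when the metadata carries an AssertionConsumerService whose Binding is the PAOS URN.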





