Shibboleth setup.. So close but can use some help..
Garry Boyce
gboyce at cambridgesemantics.com
Fri Sep 23 20:58:48 BST 2011
Which log are you recommending that I look in?
In /opt/shibboleth-idp/metadata/sp-metadata.xml
entityID="https://csisupport.cambridgesemantics.com/idp/shibboleth"
Also I see
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://csisupport.cambridgesemantics.com/Shibboleth.sso/SAML2/POST"
index="1" isDefault="true"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://csisupport.cambridgesemantics.com/Shibboleth.sso/SAML2/POST-SimpleSign"
index="2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://csisupport.cambridgesemantics.com/Shibboleth.sso/SAML2/Artifact"
index="3" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="https://csisupport.cambridgesemantics.com/Shibboleth.sso/SAML/POST"
index="4" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="https://csisupport.cambridgesemantics.com/Shibboleth.sso/SAML/Artifact"
index="5" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
From the point I get authenticated
/var/log/shibboleth/idp-process.log (is that the right log?) reads:
14:31:03.550 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:701] - Recording authentication and service information in Shibboleth session for principal: garry
14:31:03.550 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:552] - User garry authenticated with method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
14:31:03.551 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:161] - Returning control to profile handler
14:31:03.551 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:170] - Redirecting user to profile handler at https://csisupport.cambridgesemantics.com:443/idp/profile/SAML2/Redirect/SSO
14:31:03.811 - INFO [Shibboleth-Access:74] - 20110923T183103Z|192.168.203.27|csisupport.cambridgesemantics.com:443|/profile/SAML2/Redirect/SSO|
14:31:03.811 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
14:31:03.812 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
14:31:03.812 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:163] - Incoming request contains a login context, processing as second leg of request
14:31:03.812 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:572] - Unbinding LoginContext
14:31:03.813 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:598] - Expiring LoginContext cookie
14:31:03.813 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:607] - Removing LoginContext, with key f07672ef-814 -40ea-955e-0199847d8944, from StorageService partition loginContexts
14:31:03.814 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:127] - Looking up relying party configuration for https://csisupport.cambridgesemantics.com/idp/shibboleth
14:31:03.814 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:133] - No custom relying party configuration found for https://csisupport.cambridgesemantics.com/idp/shibboleth, looking up configuration based on metadata groups.
14:31:03.814 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:156] - No custom or group-based relying party configuration found for https://csisupport.cambridgesemantics.com/idp/shibboleth. Using default relying party configuration.
14:31:03.816 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:429] - No return endpoint available for relying party https://csisupport.cambridgesemantics.com/idp/shibboleth
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On
Behalf Of Cantor, Scott
Sent: Friday, September 23, 2011 3:39 PM
To: users at shibboleth.net
Subject: Re: Shibboleth setup.. So close but can use some help..
On 9/23/11 3:01 PM, "Garry Boyce" <gboyce at cambridgesemantics.com> wrote:
>From the log it would appear that
>https://csisupport.cambridgesemantics.com/idp/shibboleth is the URL
That is an entityID, not a URL in the sense of a location. It is not what
I'm talking about, and that refers to the IdP anyway, not the SP.
>In /opt/shibboleth-idp/metadata/idp-metadata.xml
>entityId is https://csisupport.cambridgesemantics.com/idp/shibboleth
>
>There is no <AssertionConsumerService> and I can't find anywhere in
>documentation information about how to add it.
That's because that's IdP metadata and that's not what we're talking about.
The error is with the SP's endpoints and the metadata about it. The URL
causing the problem will be in the log and I don't know what else to say. I
don't know what the specific message in the log is, but it shouldn't be that
obtuse.
-- Scott
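
An added example, not part of the original thread and not Shibboleth's own code: a metadata check for the relying party named in a "No return endpoint available" error, reporting whether that entityID has an SP role and which AssertionConsumerService locations it lists. The example.org hosts, the sample metadata and the function names are constructed for illustration, and the checks approximate what to look for rather than reproduce the IdP's endpoint selection.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample metadata (hypothetical hosts): one IdP entity, one SP entity.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1" isDefault="true"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def acs_endpoints(metadata_xml, entity_id):
    """Return (roles, [(index, binding, location)]) for entity_id, or None if absent."""
    root = ET.fromstring(metadata_xml)  # intended for a local, trusted metadata file
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") != entity_id:
            continue
        # Role descriptors are the direct children named *Descriptor.
        roles = [c.tag.split("}")[1] for c in ent if c.tag.endswith("Descriptor")]
        acs = [(a.get("index"), a.get("Binding"), a.get("Location"))
               for a in ent.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)]
        return roles, acs
    return None

def diagnose(metadata_xml, relying_party, acs_url=None):
    """Explain why a return endpoint might be missing for relying_party."""
    found = acs_endpoints(metadata_xml, relying_party)
    if found is None:
        return "no metadata for this entityID"
    roles, acs = found
    if "SPSSODescriptor" not in roles:
        return "entity has no SP role (roles: %s)" % ", ".join(roles)
    if not acs:
        return "SP role has no AssertionConsumerService"
    if acs_url and acs_url not in [loc for _, _, loc in acs]:
        return "requested ACS URL not listed in metadata"
    return "ok"
```

Pass the entityID from the ERROR line as `relying_party`, and the ACS URL the SP put in its request (if known) as `acs_url`.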