Shibboleth setup.. So close but can use some help..

Garry Boyce gboyce at
Fri Sep 23 21:12:45 BST 2011

In /opt/shibboleth-idp/

[root at csisupport metadata]# grep "SAML2/POST" *
SO" />
impleSign/SSO" />

Should these match, and if so, what should they match to? The Shibboleth.sso
one or the idp/profile?

Unfortunately I don't have 2 servers right now and that is likely the
situation that most people will have initially.

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On
Behalf Of Cantor, Scott
Sent: Friday, September 23, 2011 4:08 PM
To: users at
Subject: Re: Shibboleth setup.. So close but can use some help..

On 9/23/11 3:58 PM, "Garry Boyce" <gboyce at> wrote:


That is exactly why you don't run them on the same host, particularly to
start with. You should also not use the same entityID for both IdP and SP.
That way lies total confusion.

>Also I see
>            <AssertionConsumerService

Those are the URLs it's validating against, eventually anyway. I don't think
it's getting that far.

>14:31:03.816 - ERROR
>429] - No return endpoint available for relying party 

There's something wrong with the metadata. I would use different names for
the IdP and SP, and try and make more sense of the log output then. You
might also post more of the metadata. Something just isn't right with it.

-- Scott
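
Added example, not part of the original thread and not Shibboleth's own code: a simplified model of the lookup discussed above, in which the IdP resolves a relying party's AssertionConsumerService endpoints from metadata and refuses to return an assertion to a URL that is not registered there. The entityIDs, hostnames, function names and the exact-match rule are assumptions made for illustration; the check also flags an entityID that carries both the IdP and SP roles.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed metadata; every hostname and entityID is a placeholder.
SAMPLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </EntityDescriptor>
</EntitiesDescriptor>"""

def parse_metadata(xml_text):
    """Map entityID -> {'roles': set of role names, 'acs': [(binding, location)]}."""
    entities = {}
    for ent in ET.fromstring(xml_text).iter(MD + "EntityDescriptor"):
        info = entities.setdefault(ent.get("entityID"), {"roles": set(), "acs": []})
        for role in ("IDPSSODescriptor", "SPSSODescriptor"):
            if ent.find(MD + role) is not None:
                info["roles"].add(role)
        for acs in ent.iter(MD + "AssertionConsumerService"):
            info["acs"].append((acs.get("Binding"), acs.get("Location")))
    return entities

def dual_role_entity_ids(entities):
    """entityIDs declared as both IdP and SP, the setup the reply warns against."""
    return sorted(e for e, i in entities.items() if len(i["roles"]) == 2)

def check_return_endpoint(entities, relying_party, acs_url, binding=POST):
    """Simplified model (an assumption, not the IdP's code): exact match on a registered ACS."""
    info = entities.get(relying_party)
    if info is None:
        return "unknown relying party"
    if not info["acs"]:
        return "no AssertionConsumerService in metadata"
    return "ok" if (binding, acs_url) in info["acs"] else "ACS URL not registered"

if __name__ == "__main__":
    print(dual_role_entity_ids(parse_metadata(SAMPLE)))
```

In the constructed sample the AssertionConsumerService location is an SP handler URL under `/Shibboleth.sso/`, while the `idp/profile/.../SSO` URL is the IdP's own SingleSignOnService and is rejected as a return endpoint.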
