StatusResponseType must have Status. / xmltooling::ValidationException at (https://idefix.worldtalk.de/sp/Shibboleth.sso/SAML2/POST)

Stefan König s.koenig at uni-tuebingen.de
Tue Feb 21 18:04:00 GMT 2012


What I wonder is.... Does the IdP really need the metadata and relying 
party definition for handling this kind of request?

The SP issues the following AuthnRequest (or equivalent):
—
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://idefix.worldtalk.de/sp/Shibboleth.sso/SAML2/POST"
Destination="https://idefix.worldtalk.de/idp/profile/SAML2/Redirect/SSO"
ID="_3e3e35716f396695533a686a8d8e370e" IssueInstant="2012-02-21T16:04:47Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idefix.worldtalk.de/sp</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>
—

It gets an 
AssertionConsumerServiceURL="https://idefix.worldtalk.de/sp/Shibboleth.sso/SAML2/POST", 
that's where to send the response to.
It gets a 
Destination="https://idefix.worldtalk.de/idp/profile/SAML2/Redirect/SSO", so 
it knows the Profile Binding to be used for reception (from its own 
metadata, as defined in C:/opt/shibboleth-idp/metadata/idp-metadata.xml):
—
[...]
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
entityID="https://idefix.worldtalk.de/idp">

<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 
urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

<Extensions>
<shibmd:Scope regexp="false">idefix.worldtalk.de</shibmd:Scope>
</Extensions>

[...]

<SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
Location="https://idefix.worldtalk.de/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>

[...]
—

It even gets the 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", so it 
knows how to communicate with the Service at the 
"AssertionConsumerServiceURL" to send back the Response.

While just reading again the IdPRelyingParty-Page of the Wiki 
(https://wiki.shibboleth.net/confluence/display/SHIB2/IdPRelyingParty) I 
found:
 >> Before attempting to change relying party configurations be sure you 
understand the concept of a relying party. Also, note, changing these 
configuration is an intermediate-level configuration task, is not 
generally needed in most deployments, and should only by done by 
deployers with a good understanding of how shibboleth and federated 
identity management works.

So the question is, whether I should (or better: need) to change 
something in the relying-party.xml at all.

The problem: When I comment out everything I added to the 
relying-party.xml I'm getting the error message:
—
Error Message: SAML 2 SSO profile is not configured for relying party 
https://idefix.worldtalk.de/sp
—

Details from the idp-processing.log:

The following is according to what the wiki states... It's using the 
default relying party configuration. That's what we want...
—
18:18:10.124 - DEBUG 
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] 
- No custom or group-based relying party configuration found for 
https://idefix.worldtalk.de/sp. Using default relying party configuration.
—

But later there are those warnings:
—
18:18:10.126 - WARN 
[org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:81] - 
SPSSODescriptor role metadata for entityID 
'https://idefix.worldtalk.de/sp' could not be resolved

18:18:10.128 - WARN 
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:287] 
- No metadata for relying party https://idefix.worldtalk.de/sp, treating 
party as anonymous
18:18:10.129 - WARN 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:199] 
- SAML 2 SSO profile is not configured for relying party 
https://idefix.worldtalk.de/sp
—

This at least states, that the IdP wants to access the service 
provider's metadata. The only way to give it that metadata reference was 
for me to add the definitions in relying-party.xml. Or I could try to 
add the SAML 2 SSO profile to the anonymous relying party definition 
(which seems not to make so much sense to me).
Just adding the Service Provider Metadata-Definition to the 
idp-metadata.xml doesn't work, since the XML's root node 
<EntityDescriptor> has entityID="https://idefix.worldtalk.de/idp"; this 
one seems to be the relevant one for the IdP when looking for a matching 
<SPSSODescriptor>-Definition. As two root nodes are not permitted in 
XML, I can't add another EntityDescriptor...

BUT: It's always interesting to find the solution myself while 
explaining the problem.... I just remembered there is a 
<EntitiesDescriptor>-Tag, which can have multiple 
<EntityDescriptor>-Tags as child nodes. Let me try this...

Scott Cantor's answer to this was:
 >> No, it never did, which I have said repeatedly.
 >> Please take questions to the list, it's not really on topic here.

So I posted it here instead....

Ok, the test result is that the IdP implementation doesn't seem to 
support the <EntitiesDescriptor>-Tag; at least it doesn't like the new 
XML structure.

--------- CUT HERE -----
18:55:39.796 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:260] 
- Processing new metadata from 
'C:\opt\shibboleth-idp\metadata\idp-metadata.xml'
18:55:39.796 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:344] 
- Unmarshalling metadata from 
'C:\opt\shibboleth-idp\metadata\idp-metadata.xml'
18:55:39.797 - ERROR 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:465] - No 
unmarshaller registered for document element EntitiesDescriptor
18:55:39.802 - ERROR 
[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:307] 
- Unable to unmarshall metadata
org.opensaml.xml.io.UnmarshallingException: 
org.opensaml.xml.io.UnmarshallingException: No unmarshaller registered 
for document element EntitiesDescriptor
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.unmarshallMetadata(AbstractMetadataProvider.java:471) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.unmarshallMetadata(AbstractReloadingMetadataProvider.java:304) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNewMetadata(AbstractReloadingMetadataProvider.java:345) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:261) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) 
[opensaml-2.5.2.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
~[na:1.6.0_30]
[...]
Caused by: org.opensaml.xml.io.UnmarshallingException: No unmarshaller 
registered for document element EntitiesDescriptor
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.unmarshallMetadata(AbstractMetadataProvider.java:466) 
[opensaml-2.5.2.jar:na]
... 72 common frames omitted
18:55:39.804 - DEBUG 
[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:264] 
- Error occurred while attempting to refresh metadata from '{}'
org.opensaml.saml2.metadata.provider.MetadataProviderException: Unable 
to unmarshall metadata
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.unmarshallMetadata(AbstractReloadingMetadataProvider.java:308) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNewMetadata(AbstractReloadingMetadataProvider.java:345) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:261) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) 
[opensaml-2.5.2.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
~[na:1.6.0_30]
[...]
Caused by: org.opensaml.xml.io.UnmarshallingException: 
org.opensaml.xml.io.UnmarshallingException: No unmarshaller registered 
for document element EntitiesDescriptor
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.unmarshallMetadata(AbstractMetadataProvider.java:471) 
[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.unmarshallMetadata(AbstractReloadingMetadataProvider.java:304) 
[opensaml-2.5.2.jar:na]
... 71 common frames omitted
Caused by: org.opensaml.xml.io.UnmarshallingException: No unmarshaller 
registered for document element EntitiesDescriptor
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.unmarshallMetadata(AbstractMetadataProvider.java:466) 
[opensaml-2.5.2.jar:na]
... 72 common frames omitted
18:55:39.805 - INFO 
[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:271] 
- Next refresh cycle for metadata provider 
'C:\opt\shibboleth-idp\metadata\idp-metadata.xml' will occur on 
'2012-02-21T18:00:39.804Z' ('2012-02-21T19:00:39.804+01:00' local time)
18:55:39.807 - ERROR 
[org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:411] - 
Metadata provider failed to properly initializing, halting
org.opensaml.saml2.metadata.provider.MetadataProviderException: 
org.opensaml.saml2.metadata.provider.MetadataProviderException: Unable 
to unmarshall metadata
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:266) 
~[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) 
~[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) 
~[opensaml-2.5.2.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
~[na:1.6.0_30]
[...]
Caused by: 
org.opensaml.saml2.metadata.provider.MetadataProviderException: Unable 
to unmarshall metadata
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.unmarshallMetadata(AbstractReloadingMetadataProvider.java:308) 
~[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNewMetadata(AbstractReloadingMetadataProvider.java:345) 
~[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:261) 
~[opensaml-2.5.2.jar:na]
... 69 common frames omitted
Caused by: org.opensaml.xml.io.UnmarshallingException: 
org.opensaml.xml.io.UnmarshallingException: No unmarshaller registered 
for document element EntitiesDescriptor
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.unmarshallMetadata(AbstractMetadataProvider.java:471) 
~[opensaml-2.5.2.jar:na]
at 
org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.unmarshallMetadata(AbstractReloadingMetadataProvider.java:304) 
~[opensaml-2.5.2.jar:na]
... 71 common frames omitted
Caused by: org.opensaml.xml.io.UnmarshallingException: No unmarshaller 
registered for document element EntitiesDescriptor
at 
org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.unmarshallMetadata(AbstractMetadataProvider.java:466) 
~[opensaml-2.5.2.jar:na]
... 72 common frames omitted
18:55:39.808 - ERROR 
[edu.internet2.middleware.shibboleth.common.config.BaseService:188] - 
Configuration was not loaded for 
shibboleth.RelyingPartyConfigurationManager service, error creating 
components. The root cause of this error was: 
org.opensaml.xml.io.UnmarshallingException: No unmarshaller registered 
for document element EntitiesDescriptor
--------- CUT HERE -----
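
As an added example (not code from the post, and not Shibboleth's own), here is the check the IdP is effectively performing against its metadata when the AuthnRequest quoted above arrives, written with Python's standard library: the document root must be a namespaced EntitiesDescriptor or EntityDescriptor, and the request's Issuer must resolve to an SPSSODescriptor that lists the requested AssertionConsumerServiceURL and ProtocolBinding, because a URL that is not in trusted metadata must never receive an assertion. The SP entry in the sample metadata is assumed (the post never shows the SP's metadata), and the missing-namespace explanation for the unmarshaller error is an assumption the post does not confirm.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # Clark-notation prefix
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: one <EntitiesDescriptor> holding the IdP and the
# SP. entityIDs and URLs are those quoted in the post; the SP entry is assumed,
# because the post never shows the SP's own metadata.
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idefix.worldtalk.de/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idefix.worldtalk.de/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idefix.worldtalk.de/sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idefix.worldtalk.de/sp/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def root_element_ok(xml_text):
    """True if the document element is a *namespaced* EntitiesDescriptor or
    EntityDescriptor. A bare <EntitiesDescriptor> with no xmlns is an assumed
    (unconfirmed) cause of the post's 'No unmarshaller registered' error."""
    return ET.fromstring(xml_text).tag in (MD + "EntitiesDescriptor", MD + "EntityDescriptor")


def check_sp_acs(xml_text, issuer, acs_url, binding):
    """What the IdP must do before sending a Response anywhere: resolve the
    AuthnRequest's Issuer to an SPSSODescriptor and confirm the requested
    AssertionConsumerServiceURL + ProtocolBinding are registered for it.
    Returns 'ok', 'no-metadata' (cf. 'treating party as anonymous' in the post),
    'no-sp-role' (cf. 'SPSSODescriptor ... could not be resolved') or
    'acs-not-registered' (an unlisted URL must never receive an assertion)."""
    for ed in ET.fromstring(xml_text).iter(MD + "EntityDescriptor"):
        if ed.get("entityID") != issuer:
            continue
        sp = ed.find(MD + "SPSSODescriptor")
        if sp is None:
            return "no-sp-role"
        for acs in sp.iter(MD + "AssertionConsumerService"):
            if acs.get("Location") == acs_url and acs.get("Binding") == binding:
                return "ok"
        return "acs-not-registered"
    return "no-metadata"
```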

