No Peer Endpoint - At a loss

Paul Hethmon paul.hethmon at clareitysecurity.com
Thu Nov 1 10:40:37 EDT 2012


The AuthnRequest is SAML 2.0, metadata is 1.1 for the ACS endpoint.

Paul

From: Etan Weintraub <eweintra at jhmi.edu>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Thursday, November 1, 2012 10:36 AM
To: Shibboleth Users <users at shibboleth.net>
Subject: No Peer Endpoint - At a loss

Hi All,

So I’m at a bit of a loss here. I’m working on integrating a system that has its own SAML SP built in, and am getting the “No peer endpoint available to which to send SAML response” message. I added protocol debug to my logs and have this:

10:32:27.031 - DEBUG [PROTOCOL_MESSAGE:91] -
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx" ID="mleklaicbkmclacdhegikepebmbaadbojljdondj" IsPassive="false" IssueInstant="2012-11-01T14:32:25Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ProviderName="NetPartner" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">NetPartner</saml:Issuer>
   <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>

10:32:41.010 - INFO [Shibboleth-Access:73] - 20121101T143241Z|10.186.64.218|shibpep.johnshopkins.edu:443|/profile/SAML2/Redirect/SSO|
10:32:41.014 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:397] - No return endpoint available for relying party NetPartner


Here’s what I have for the metadata for that SP:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="NetPartner">
        <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
                <md:AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx" />
        </md:SPSSODescriptor>
</md:EntityDescriptor>


As you can see, the ACS in the metadata and the one in the SAML request appear to match (at least to me). Anyone have any ideas what I missed/fat-fingered?


-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: eweintra at jhmi.edu
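
The comparison described in the message above, done mechanically, as an added example that is not part of the thread and not the Shibboleth IdP's own code: it checks the request's ACS URL and ProtocolBinding against the SP metadata, then against the bindings that can carry a SAML 2.0 Response. The `select_acs` helper and its selection order are a simplified assumption, and the usable-binding set is taken from the SAML 2.0 Web Browser SSO profile (HTTP-POST or HTTP-Artifact), not from the IdP configuration in the thread.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Assumption: bindings an IdP may use to deliver a SAML 2.0 Response.
# The Web Browser SSO profile allows HTTP-POST or HTTP-Artifact only.
RESPONSE_BINDINGS = {B + "HTTP-POST", B + "HTTP-Artifact"}

# Sample input trimmed from the request and metadata quoted in the thread.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx"
  ID="mleklaicbkmclacdhegikepebmbaadbojljdondj" Version="2.0"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>"""
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="NetPartner">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
  <md:AssertionConsumerService index="1" isDefault="true"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

def select_acs(request_xml, metadata_xml, usable=RESPONSE_BINDINGS):
    """Return (endpoint, reason); endpoint is None when nothing is usable."""
    # Diagnostic use on your own logs; use a hardened parser for untrusted XML.
    req = ET.fromstring(request_xml)
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    acs = ET.fromstring(metadata_xml).findall(
        ".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    # The request's URL is never trusted alone: it must be registered in metadata.
    registered = [e for e in acs if url is None or e.get("Location") == url]
    if not registered:
        return None, "ACS URL in request is not registered in metadata"
    if binding:
        registered = [e for e in registered if e.get("Binding") == binding]
        if not registered:
            return None, "no registered endpoint has the requested ProtocolBinding"
    deliverable = [e for e in registered if e.get("Binding") in usable]
    if not deliverable:
        return None, "matching endpoints use a binding that cannot carry a Response"
    best = next((e for e in deliverable if e.get("isDefault") == "true"), deliverable[0])
    return (best.get("Location"), best.get("Binding")), "ok"

if __name__ == "__main__":
    print(select_acs(AUTHN_REQUEST, METADATA))
```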
