No Peer Endpoint - At a loss

Paul Hethmon paul.hethmon at clareitysecurity.com
Thu Nov 1 10:58:14 EDT 2012


Does upping to debug level logging yield any other clues? Or even trace?

Paul


From: Etan Weintraub <eweintra at jhmi.edu>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Thursday, November 1, 2012 10:52 AM
To: Shibboleth Users <users at shibboleth.net>
Subject: RE: No Peer Endpoint - At a loss

Unfortunately, HTTP-POST isn’t a viable option in this scenario. HTTP-Redirect is the only one that works. If it was the response XML being too large, I would expect a different issue. This has to be a mismatch somewhere, and I’m just not seeing what that is….

-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: eweintra at jhmi.edu

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Paul Hethmon
Sent: Thursday, November 01, 2012 10:50 AM
To: Shib Users
Subject: Re: No Peer Endpoint - At a loss

Putz. Missed that.

Just a guess here, I always use the HTTP-POST binding to send the SAML Response back to the SP, could there be an issue with the size of the response XML causing Shib to fail?

Paul


From: Etan Weintraub <eweintra at jhmi.edu>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Thursday, November 1, 2012 10:45 AM
To: Shibboleth Users <users at shibboleth.net>
Subject: RE: No Peer Endpoint - At a loss

Paul-
Where do you see 1.1 for the endpoint (aside from in the protocol support enumeration, which has saml 2.0 first, and just supports the others, which I’ve also tried with just the 2.0 in that list).

-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: eweintra at jhmi.edu

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Paul Hethmon
Sent: Thursday, November 01, 2012 10:41 AM
To: Shib Users
Subject: Re: No Peer Endpoint - At a loss

The AuthnRequest is SAML 2.0, metadata is 1.1 for the ACS endpoint.

Paul

From: Etan Weintraub <eweintra at jhmi.edu>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Thursday, November 1, 2012 10:36 AM
To: Shibboleth Users <users at shibboleth.net>
Subject: No Peer Endpoint - At a loss

Hi All,

So I’m at a bit of a loss here. I’m working on integrating a system that has its own SAML SP built in, and am getting the “No peer endpoint available to which to send SAML response” message. I added protocol debug to my logs and have this:

10:32:27.031 - DEBUG [PROTOCOL_MESSAGE:91] -
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx" ID="mleklaicbkmclacdhegikepebmbaadbojljdondj" IsPassive="false" IssueInstant="2012-11-01T14:32:25Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ProviderName="NetPartner" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">NetPartner</saml:Issuer>
   <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>

10:32:41.010 - INFO [Shibboleth-Access:73] - 20121101T143241Z|10.186.64.218|shibpep.johnshopkins.edu:443|/profile/SAML2/Redirect/SSO|
10:32:41.014 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:397] - No return endpoint available for relying party NetPartner


Here’s what I have for the metadata for that SP:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="NetPartner">
        <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
                <md:AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx" />
        </md:SPSSODescriptor>
</md:EntityDescriptor>


As you can see, the ACS in the metadata and the one in the SAML request appear to match (at least to me). Anyone have any ideas what I missed/fat-fingered?


-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: eweintra at jhmi.edu
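An added example (my code, not from the thread or from Shibboleth) that emulates how an IdP selects the return endpoint for an AuthnRequest. It shows why the request and metadata in the post above, which do agree on URL and binding, still produce no endpoint: HTTP-Redirect is a request-side binding, and the SAML 2.0 Web Browser SSO profile forbids it for carrying the Response. The exact set of response bindings an IdP accepts, and the helper names, are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Bindings that may carry a <samlp:Response> to an ACS. SAML 2.0 Profiles (Web Browser SSO)
# forbids HTTP-Redirect for the response; the exact set an IdP accepts is an assumption here.
RESPONSE_BINDINGS = {POST, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
                     "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"}

ACS_URL = "https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx"

def authn_request(binding):
    # Constructed AuthnRequest modelled on the one in the thread; only the attributes
    # that matter for endpoint selection are kept.
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'AssertionConsumerServiceURL="{ACS_URL}" ProtocolBinding="{binding}" '
            'ID="_x" Version="2.0" IssueInstant="2012-11-01T14:32:25Z"/>')

def sp_metadata(binding):
    # Constructed SP metadata modelled on the thread's, with the ACS binding as a parameter.
    return (f'<md:EntityDescriptor xmlns:md="{MD[1:-1]}" entityID="NetPartner">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:AssertionConsumerService index="1" isDefault="true" Binding="{binding}" '
            f'Location="{ACS_URL}"/></md:SPSSODescriptor></md:EntityDescriptor>')

def resolve_return_endpoint(request_xml, metadata_xml):
    """Emulate an IdP's ACS selection: match the request's URL/binding against metadata,
    then keep only endpoints whose binding can deliver a Response. Returns (endpoint, reason)."""
    req = ET.fromstring(request_xml)
    want_url, want_binding = req.get("AssertionConsumerServiceURL"), req.get("ProtocolBinding")
    acs = [{"binding": e.get("Binding"), "location": e.get("Location"),
            "index": int(e.get("index", "0")), "default": e.get("isDefault") == "true"}
           for e in ET.fromstring(metadata_xml).iter(MD + "AssertionConsumerService")]
    if want_url:
        acs = [e for e in acs if e["location"] == want_url]
        if not acs:
            return None, "no ACS in metadata has Location == AssertionConsumerServiceURL"
    if want_binding:
        acs = [e for e in acs if e["binding"] == want_binding]
        if not acs:
            return None, "no ACS at that Location has Binding == ProtocolBinding"
    usable = [e for e in acs if e["binding"] in RESPONSE_BINDINGS]
    if not usable:
        return None, f"matched ACS binding {acs[0]['binding']} cannot carry a SAML Response"
    usable.sort(key=lambda e: (not e["default"], e["index"]))  # prefer isDefault, then index
    return usable[0], "ok"

if __name__ == "__main__":
    for b in (REDIRECT, POST):
        print(b.rsplit(":", 1)[1], "->", resolve_return_endpoint(authn_request(b), sp_metadata(b)))
```

Running it with HTTP-Redirect reproduces the "no return endpoint" outcome even though URL and binding match; switching both sides to HTTP-POST resolves the endpoint.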
