No Peer Endpoint - At a loss

Etan Weintraub eweintra at jhmi.edu
Thu Nov 1 11:16:12 EDT 2012


OK, so I made some changes and found some more info. New metadata looks like this:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="NetPartner">
        <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
                <md:AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx" /> 
        </md:SPSSODescriptor>
</md:EntityDescriptor>


And now I'm getting the following errors:

11:10:38.326 - INFO [Shibboleth-Access:73] - 20121101T151038Z|10.186.64.218|shibpep.johnshopkins.edu:443|/profile/SAML2/Redirect/SSO|
11:10:38.328 - DEBUG [PROTOCOL_MESSAGE:91] - 
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx" ID="djhajabijoidjimcppcifgablfoeaekpmcmniopj" IsPassive="false" IssueInstant="2012-11-01T15:10:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ProviderName="NetPartner" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">NetPartner</saml:Issuer>
   <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>

11:10:51.733 - INFO [Shibboleth-Access:73] - 20121101T151051Z|10.186.64.218|shibpep.johnshopkins.edu:443|/profile/SAML2/Redirect/SSO|
11:10:51.737 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:202] - Relying party 'NetPartner' requested the response to be returned to endpoint with ACS URL 'https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx'  and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' however no endpoint, with that URL and using a supported binding,  can be found in the relying party's metadata 
11:10:51.737 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:397] - No return endpoint available for relying party NetPartner


More detail from when I had DEBUG turned all the way up:
11:08:14.022 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://shibpep.johnshopkins.edu/idp/shibboleth
11:08:14.026 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:100] - Filtering peer endpoints.  Supported peer endpoint bindings: [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact]
11:08:14.026 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:69] - Selecting endpoint by ACS URL 'https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx' and protocol binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' for request 'bcainnblepgcaoepaambjclnoicbiebedpfnenco' from entity 'NetPartner'
11:08:14.026 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:185] - Endpoint 'https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx' with binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' discarded because it does not meet protocol binding selection criteria
11:08:14.027 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:202] - Relying party 'NetPartner' requested the response to be returned to endpoint with ACS URL 'https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx'  and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' however no endpoint, with that URL and using a supported binding,  can be found in the relying party's metadata
11:08:14.027 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:397] - No return endpoint available for relying party NetPartner

So I'm not sure what to do here now... if I try to do Post from their side I get the following errors:
10:58:17.558 - INFO [Shibboleth-Access:73] - 20121101T145817Z|10.186.64.218|shibpep.johnshopkins.edu:443|/profile/SAML2/POST/SSO|
10:58:17.568 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:314] - Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: This message deocoder only supports the HTTP POST method
        at org.opensaml.saml2.binding.decoding.HTTPPostDecoder.doDecode(HTTPPostDecoder.java:82) [opensaml-2.3.0.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:75) [openws-1.3.0.jar:na]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:69) [opensaml-2.3.0.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:302) [shibboleth-identityprovider-2.1.3.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:166) [shibboleth-identityprovider-2.1.3.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:143) [shibboleth-identityprovider-2.1.3.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:80) [shibboleth-identityprovider-2.1.3.jar:na]
        at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.1.3.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.3.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:na]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:na]
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:na]
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:na]
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote.jar:na]
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote.jar:na]
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote.jar:na]
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:na]
        at java.lang.Thread.run(Thread.java:679) [na:1.6.0_22]

Which I think may have to do with me not having a certificate for their metadata, though I could be wrong, and have no idea where to get a cert for their metadata from...

-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: eweintra at jhmi.edu

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Tom Scavo
Sent: Thursday, November 01, 2012 11:06 AM
To: Shib Users
Subject: Re: No Peer Endpoint - At a loss

On Thu, Nov 1, 2012 at 10:50 AM, Paul Hethmon
<paul.hethmon at clareitysecurity.com> wrote:
>
> Just a guess here, I always use the HTTP-POST binding to send the SAML
> Response back to the SP, could there be an issue with the size of the
> response XML causing Shib to fail?

That's a good guess. I'll bet on it in fact :-)

HTTP-Redirect inbound to the SP is not sufficient. Try adding an
endpoint with the HTTP-POST binding (as Paul suggests). In fact, you
may as well just replace HTTP-Redirect with HTTP-POST.

Tom
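The endpoint-selection rule behind the WARN line in the log, as an added example that is not part of the thread or of the Shibboleth/OpenSAML code: a simplified Python model of the IdP's AuthnResponseEndpointSelector, run against the SP metadata posted above and a constructed AuthnRequest. The function names (select_acs, check_authn_request, authn_request) and the request ID are mine; it assumes only the three response bindings the DEBUG line lists and shows why a request carrying ProtocolBinding HTTP-Redirect can never match a POST-only ACS, while HTTP-POST (or no ProtocolBinding) does.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"
ACS_URL = "https://pfdev.isis.jhu.edu/NPStudent_PFSandbox/Logon.aspx"

# Bindings the IdP can return a Response on, per the "Supported peer
# endpoint bindings" DEBUG line in the thread. HTTP-Redirect is not one.
SUPPORTED_RESPONSE_BINDINGS = {
    BIND + "HTTP-POST-SimpleSign", BIND + "HTTP-POST", BIND + "HTTP-Artifact"}

# The SP metadata posted in the thread (copied inline so this runs offline).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="NetPartner">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="{BIND}HTTP-POST" Location="{ACS_URL}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def authn_request(binding):
    """Constructed minimal AuthnRequest like the logged one; binding=None omits
    ProtocolBinding, which lets the IdP pick any supported ACS for that URL."""
    pb = f' ProtocolBinding="{BIND}{binding}"' if binding else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_example" Version="2.0"'
            f' IssueInstant="2012-11-01T15:10:38Z"'
            f' AssertionConsumerServiceURL="{ACS_URL}"{pb}/>')

def select_acs(metadata_xml, requested_url, requested_binding=None):
    """Simplified model of the IdP's endpoint selection. The requested ACS URL
    must match an endpoint in the SP's registered metadata (so a tampered
    request cannot redirect the Response to an unregistered URL), and the
    endpoint's binding must be one the IdP can return a Response on.
    Returns the matching (Location, Binding) tuple, or None."""
    root = ET.fromstring(metadata_xml)
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        loc, binding = acs.get("Location"), acs.get("Binding")
        if loc != requested_url or binding not in SUPPORTED_RESPONSE_BINDINGS:
            continue
        if requested_binding is None or binding == requested_binding:
            return loc, binding
    return None

def check_authn_request(authn_request_xml, metadata_xml):
    """Pull ACS URL and ProtocolBinding out of an AuthnRequest and select."""
    req = ET.fromstring(authn_request_xml)
    return select_acs(metadata_xml, req.get("AssertionConsumerServiceURL"),
                      req.get("ProtocolBinding"))
```

The model deliberately keeps the IdP's URL-must-be-in-metadata rule: adding an HTTP-Redirect ACS to the metadata would not help, because Redirect is not a binding the IdP returns Responses on; the request's ProtocolBinding is what has to change.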