test of idP to idP using testshib.org

Paul Hethmon paul.hethmon at clareitysecurity.com
Tue Sep 18 09:33:14 EDT 2012


It's a bit unclear on what exactly you've done, but comments/questions
inline.

On 9/18/12 9:24 AM, "Bo Lorentsen" <bl at moch.dk> wrote:

>
>My next step was to try out to setup my own idP (I need to join a
>federation (MS AFDS 2) as my next/last step), and then setup
>testshib.org to be able to test it.
>
>The setup seems fine, after learning how to use apache2/tomcat6 and all
>these funny issues.

So, at this point, your Linux SP is working against your copy of
Shibboleth IdP? Normally you would not use Apache2 in combination with the
IdP software, and this can sometimes lead to setup complications. Not that
it cannot work, it is just more complicated.

>
>Now this did not work, when I use my SP and I end up with this error at
>my idP :
>
>00:44:52.358 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:429] - No return endpoint available for relying party https://idp.moch.dk/idp/shibboleth

So this error means that the IdP does not know where to send the SAML
Response to. It could mean that your SAML Authn Request did not contain an
AssertionConsumerService URL, or that the metadata you loaded onto your
IdP for your SP does not have ACS endpoints listed.

>
>I have added the testshib.org to my relay-party.xml file as described at
>the test site, and uploaded the idp-metadata.xml to the test system, but
>I end up here. I expected my idP to relay my auth request to the test
>server, but that seems not to happen. Is there some routing info I
>need to add, that I have not configured properly yet?

So how does testshib.org fit into testing between an IdP and SP on your
systems? Or am I misunderstanding your setup?

Paul
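A small check for the two causes Paul lists, added here as an example and not part of the thread or of the Shibboleth software: it parses SP metadata for AssertionConsumerService endpoints and an AuthnRequest for its AssertionConsumerServiceURL, and also flags a requested URL that is absent from the metadata, which an IdP should likewise refuse to honour rather than send an assertion to an unlisted location. The entityID, URLs and request ID are constructed sample values.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

def acs_endpoints(metadata_xml: str) -> List[Tuple[str, str]]:
    """Return (Binding, Location) for every AssertionConsumerService in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [
        (acs.get("Binding", ""), acs.get("Location", ""))
        for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]

def authn_request_acs(request_xml: str) -> Optional[str]:
    """Return the AssertionConsumerServiceURL attribute of an AuthnRequest, if any."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("AssertionConsumerServiceURL")

def diagnose(metadata_xml: str, request_xml: str) -> str:
    """Classify why an IdP would (or would not) have a return endpoint for this SP."""
    endpoints = acs_endpoints(metadata_xml)
    requested = authn_request_acs(request_xml)
    if not endpoints and requested is None:
        return "no-return-endpoint"        # the situation behind the error in the thread
    if requested is not None and requested not in {loc for _, loc in endpoints}:
        return "acs-not-in-metadata"       # request names a URL the IdP cannot trust
    return "ok"

# Constructed sample inputs (not real deployments).
SP_METADATA_WITH_ACS = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SP_METADATA_NO_ACS = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_c1" Version="2.0" IssueInstant="2012-09-18T13:24:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>"""
AUTHN_REQUEST_NO_ACS = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_c2" Version="2.0" IssueInstant="2012-09-18T13:24:00Z"/>"""

if __name__ == "__main__":
    print(diagnose(SP_METADATA_NO_ACS, AUTHN_REQUEST_NO_ACS))  # no-return-endpoint
```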


