No Peer Endpoint...
Dominic Forrest
dom.forrest at gmail.com
Fri Apr 5 08:54:07 EDT 2013
Thankyou for the quick reply
My current metadata from form the IdP is below.
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.zzz.com/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.zzz.com/idp/profile/SAML2/POST-SimpleSign/SSO"/>
Apologies for the newbie questions…..
Dom
dom at idp:/opt/shibboleth-idp/metadata$ cat idp-metadata.xml
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://idp.zzz.com/idp/shibboleth">
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">zzz.com</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDOzCCAiOgAwIBAgIUBJFYt0SJkdNm5+t/4JFT40NJX+IwDQYJKoZIhvcNAQEF
.
.
.
skMWnczUWJDlEabiGEmH
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.zzz.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.zzz.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.zzz.com/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.zzz.com/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.zzz.com/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.zzz.com/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>
<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">zzz.com</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDOzCCAiOgAwIBAgIUBJFYt0SJkdNm5+t/4JFT40NJX+IwDQYJKoZIhvcNAQE
……
.
.
skMWnczUWJDlEabiGEmH
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.zzz.com:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.zzz.com:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
</AttributeAuthorityDescriptor>
</EntityDescriptor>
On 5 Apr 2013, at 13:39, Paul Hethmon <paul.hethmon at clareitysecurity.com> wrote:
> Look at the SP metadata file you load at the IdP. You will find it does
> not have that endpoint in it. Also note that the ACS endpoints have to
> match on both binding and URL. So you need one in the file with:
>
> binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> acs url: https://sp.zzz.com/Shibboleth.sso/SAML2/POST
>
> Paul
>
> On 4/5/13 8:35 AM, "Dominic Forrest" <dom.forrest at gmail.com> wrote:
>
>> ==> idp-process.log <==
>> 23:45:05.995 - INFO [Shibboleth-Access:74] -
>> 20130404T224505Z|192.168.3.12|idp.zzz.com:443|/profile/SAML2/Redirect/SSO|
>> 23:45:05.996 - WARN
>> [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying
>> party 'https://sp.zzz.com' requested the response to be returned to
>> endpoint with ACS URL 'https://sp.zzz.com/Shibboleth.sso/SAML2/POST' and
>> binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no
>> endpoint, with that URL and using a supported binding, can be found in
>> the relying party's metadata
>> 23:45:05.997 - ERROR
>> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandle
>> r:429] - No return endpoint available for relying party https://sp.zzz.com
>>
>> so it is clear I have a metadata error which I believe to be on the SP?
>>
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list