No Peer Endpoint...

Dominic Forrest dom.forrest at gmail.com
Fri Apr 5 08:54:07 EDT 2013


Thank you for the quick reply


My current metadata from the IdP is below.

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.zzz.com/idp/profile/SAML2/POST/SSO"/>

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.zzz.com/idp/profile/SAML2/POST-SimpleSign/SSO"/>


Apologies for the newbie questions...



Dom



dom at idp:/opt/shibboleth-idp/metadata$ cat idp-metadata.xml 
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://idp.zzz.com/idp/shibboleth">

    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

        <Extensions>
            <shibmd:Scope regexp="false">zzz.com</shibmd:Scope>
        </Extensions>

        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
MIIDOzCCAiOgAwIBAgIUBJFYt0SJkdNm5+t/4JFT40NJX+IwDQYJKoZIhvcNAQEF
.
.
.
skMWnczUWJDlEabiGEmH

                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.zzz.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>

        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.zzz.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
                                   
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.zzz.com/idp/profile/Shibboleth/SSO"/>
        
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.zzz.com/idp/profile/SAML2/POST/SSO"/>

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.zzz.com/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.zzz.com/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>

    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

        <Extensions>
            <shibmd:Scope regexp="false">zzz.com</shibmd:Scope>
        </Extensions>

        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
MIIDOzCCAiOgAwIBAgIUBJFYt0SJkdNm5+t/4JFT40NJX+IwDQYJKoZIhvcNAQE
.
.
.
skMWnczUWJDlEabiGEmH

                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>

        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.zzz.com:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
        
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.zzz.com:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
        
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        
    </AttributeAuthorityDescriptor>
    
</EntityDescriptor>
On 5 Apr 2013, at 13:39, Paul Hethmon <paul.hethmon at clareitysecurity.com> wrote:

> Look at the SP metadata file you load at the IdP. You will find it does
> not have that endpoint in it. Also note that the ACS endpoints have to
> match on both binding and URL. So you need one in the file with:
> 
> binding:  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> acs url:  https://sp.zzz.com/Shibboleth.sso/SAML2/POST
> 
> Paul
> 
> On 4/5/13 8:35 AM, "Dominic Forrest" <dom.forrest at gmail.com> wrote:
> 
>> ==> idp-process.log <==
>> 23:45:05.995 - INFO [Shibboleth-Access:74] -
>> 20130404T224505Z|192.168.3.12|idp.zzz.com:443|/profile/SAML2/Redirect/SSO|
>> 23:45:05.996 - WARN
>> [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying
>> party 'https://sp.zzz.com' requested the response to be returned to
>> endpoint with ACS URL 'https://sp.zzz.com/Shibboleth.sso/SAML2/POST'  and
>> binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no
>> endpoint, with that URL and using a supported binding,  can be found in
>> the relying party's metadata
>> 23:45:05.997 - ERROR
>> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandle
>> r:429] - No return endpoint available for relying party https://sp.zzz.com
>> 
>> so it is clear I have a metadata error which I believe to be on the SP?
>> 
> 
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
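To make Paul's point concrete, here is an added Python check (not code from this thread or from Shibboleth) that does what the IdP's response endpoint selector does: it looks in the SP metadata loaded at the IdP for an AssertionConsumerService whose Binding and Location both match what the SP asked for. The SP metadata below is constructed for the example, using the hostnames from the thread, and deliberately lists the requested URL only under a different binding so the miss reported in the log can be reproduced and explained.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata for the example: the URL the SP asked for is only
# advertised with the Artifact binding, and the POST binding sits on a
# different path.  Neither ACS matches the request on both fields.
SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.zzz.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{ARTIFACT}"
        Location="https://sp.zzz.com/Shibboleth.sso/SAML2/POST" index="1"/>
    <AssertionConsumerService Binding="{POST}"
        Location="https://sp.zzz.com/Shibboleth.sso/SAML2/POST-Old" index="2"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

def acs_endpoints(metadata_xml):
    """Return (binding, location) for every ACS element in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]

def find_acs(metadata_xml, binding, location):
    """Mirror the IdP's selection rule: the binding and the URL requested by
    the SP must both appear on one ACS element.  None is the situation the
    'No return endpoint available' error reports."""
    for b, loc in acs_endpoints(metadata_xml):
        if b == binding and loc == location:
            return (b, loc)
    return None

def diagnose(metadata_xml, binding, location):
    """Explain a miss the way an operator would want to read it."""
    if find_acs(metadata_xml, binding, location):
        return "ok"
    eps = acs_endpoints(metadata_xml)
    if any(loc == location for _, loc in eps):
        return "url present but with a different binding"
    if any(b == binding for b, _ in eps):
        return "binding present but at a different url"
    return "no matching endpoint at all"

if __name__ == "__main__":
    want = (POST, "https://sp.zzz.com/Shibboleth.sso/SAML2/POST")
    print(find_acs(SP_METADATA, *want))  # None: the failing case from the log
    print(diagnose(SP_METADATA, *want))
```

Run it against the real SP metadata file the IdP loads, with the binding and ACS URL taken from the WARN line, and the diagnosis tells you which side of the pair needs fixing.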


