Shibboleth IdP Issuer

Rawlinson, Philip (rawlinpa) RAWLINPA at UCMAIL.UC.EDU
Mon Feb 18 11:37:12 EST 2013

We are having issues with our IdP working with the SP The people at OhioLINK are telling us that we are not sending an Issuer which they require. We do not have any specific settings in our IdP configurations for and we are both members of the InCommon Federation. We are not intentionally not sending the Issuer. We are looking for reasons why we are not sending the Issuer and how to make our IdP send the Issuer to this SP.

A few other things to note is that Shibboleth is using the SAML 1.0 browser post binding below. We use SAML2 with all other non-ohiolink SPs so I am not sure what is causing that to happen. Here are the 4 possibilities from their metadata in the InCommon file:
<md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1"/>
<md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="" index="2"/>
<md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="" index="3"/>
<md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="" index="4"/>

There is an error in the IdP logs:
10:04:19.277 - ERROR [] - Inbound message issuer was not authenticated.
10:04:19.278 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:180] - Message did not meet security requirements Inbound message issuer was not authenticated.

One of the certificates in the InCommon Metadata file for had expired at the end of January, but that has since been updated in the file and we have the latest InCommon Metadata file.

Scott- I know Joseph from OARnet messaged you about part of this last week. He also mentioned that OSU uses SAML1 in their communication with OhioLINK.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list