TESTSHIB: unable to locate metadata for provider

Nate Klingenstein ndk at internet2.edu
Sun Jan 6 13:54:00 EST 2013


Mauro,

> Actually, I followed this guide http://www.microsoft.com/en-us/download/details.aspx?id=35464 that on page 47 says

Fascinating.  This guide looks like it overlaps a lot with, but is completely distinct from:

http://technet.microsoft.com/en-us/library/jj205456

> c. Leave What scope will the IdP assert ? empty
> 

This will usually cause issues and I'm surprised it's in the documentation.  Jean-Marie, one of the authors, knows his stuff, so I'll be curious to find out why this was written.

> I will inform the authors, however I left an empty scope because I didn’t want some users to be filtered out.

I'm not sure what you mean by users being filtered out.  The scope entered in that dialog is used to automagically append domains to some attributes in a default configuration (e.g. using uid to build an EPPN) and is also used to generate the example metadata.

My suspicion is that they never planned on using the metadata generated by the IdP and they were going to store attributes with a scope in the upstream data source.  I still don't think that entering a scope would hurt anything, though.

> In fact, even though my AD domain name is “shibbo-domain.local”, I defined AD users like john.smith at eduteamit.net  and paul.brown at otherdomain.com and so I didn’t know what to write there, during Shibboleth installation. I probably misunderstood the point, but I supposed that my users’ domain should match the scope I write there, shouldn’t it?

Yes, it should, and I think you understand.  The scope validation is used to ensure that the IdP is authoritative over the attribute values it asserts.  This prevents, for example, idp.osu.edu from asserting ndk at internet2.edu.

> Another QQ: where could I find the error you reported (Scope must have TextContent)? I could find only the other generic error “unable to locate metadata for provider”.

It will register complaints about metadata validation failures during startup of the SP.  At runtime, it has no way of knowing that this entityID was defined in an unparseable file, so it just reports that it can't locate metadata for that provider.

> Thank you so much,

Glad to help.
Nate.
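
The two behaviours described in this message, as an added example that is not part of the original post and is not Shibboleth's own code: a simplified model of rejecting metadata with an empty Scope element at load time (so a later lookup by entityID finds nothing) and of checking a scoped attribute value against the scopes an IdP declares. The function names, entityIDs and metadata documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed sample metadata: one IdP with a usable scope, and a second one with
# an empty Scope element, as assumed to result from leaving the scope prompt blank.
GOOD_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
EMPTY_SCOPE_MD = GOOD_MD.replace(">example.edu<", "><").replace("//idp.", "//idp2.")


def load_scopes(metadata_xml):
    """Return (entityID, [(scope, is_regexp)]); reject metadata with an empty Scope."""
    root = ET.fromstring(metadata_xml)
    scopes = []
    for el in root.iterfind(".//shibmd:Scope", NS):
        text = (el.text or "").strip()
        if not text:
            # The document is rejected as a whole, so its entityID is never registered.
            raise ValueError("Scope must have TextContent")
        scopes.append((text, el.get("regexp", "false") in ("true", "1")))
    return root.get("entityID"), scopes


def scope_accepted(value, scopes):
    """True if the part after '@' in a scoped value matches a scope the IdP declares."""
    _, sep, scope = value.rpartition("@")
    if not sep or not scope:
        return False
    return any(re.fullmatch(pat, scope) if is_re else pat == scope
               for pat, is_re in scopes)


def metadata_store(documents):
    """Build entityID -> scopes from the documents that load; skip rejected ones."""
    store = {}
    for doc in documents:
        try:
            entity_id, scopes = load_scopes(doc)
        except ValueError:
            continue  # reported once at load time; a later lookup simply misses
        store[entity_id] = scopes
    return store
```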