Initial Setup -- Cannot Get SP and IDP Talking

Sam Agnew saa2012 at qatar-med.cornell.edu
Thu Nov 14 04:30:19 EST 2013


OK, we have now built a new IDP on a separate box. We are again at the point where the login window is displayed and is able to authenticate. On what should be the return path from successful authentication, however, we are still getting this error:

ERROR

An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.

This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again.

Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again.

If you think you were sent here in error, please contact technical support
Error Message: No peer endpoint available to which to send SAML response

In idp-process.log I see:
12:23:24.245 - INFO [Shibboleth-Access:73] - 20131114T092324Z|207.162.245.59|idpt.qatar-med.cornell.edu:443|/profile/SAML2/Redirect/SSO|
12:23:30.802 - INFO [Shibboleth-Access:73] - 20131114T092330Z|207.162.245.59|idpt.qatar-med.cornell.edu:443|/profile/SAML2/Redirect/SSO|
12:23:30.805 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'https://unixadmin.qatar-med.cornell.edu/secure' requested the response to be returned to endpoint with ACS URL 'http://unixadmin.qatar-med.cornell.edu/Shibboleth.sso/SAML2/POST'  and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding,  can be found in the relying party's metadata
12:23:30.806 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447] - No return endpoint available for relying party https://unixadmin.qatar-med.cornell.edu/secure

In shibd_warn.log I see:
2013-11-14 12:15:19 ERROR Shibboleth.ArtifactResolution.SAML2 [1]: error while processing request: Invalid content type for SOAP message.
2013-11-14 12:15:30 WARN OpenSAML.MessageDecoder.SAML2SOAP [2]: ignoring incorrect content type ()
2013-11-14 12:15:38 WARN OpenSAML.MessageDecoder.SAML2SOAP [7]: ignoring incorrect content type ()
2013-11-14 12:19:04 WARN OpenSAML.MessageDecoder.SAML2ECP [8]: ignoring incorrect content type ()

I have an inkling that this probably relates to the SP and IDP not able to agree on how to handshake the success but I'm not able to figure out how to resolve this.

Thanks!

Sam




On Nov 5, 2013, at 3:29 PM, Peter Schober wrote:

* Sam Agnew <saa2012 at qatar-med.cornell.edu> [2013-11-05 13:02]:
When authentication succeeds, however, I now get an error about the return path:

Error Message: No peer endpoint available to which to send SAML response
[...]
Looking in idp-process.log I see:
14:27:58.505 - WARN [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:81] - SPSSODescriptor role metadata for entityID 'https://unixadmin.qatar-med.cornell.edu/idp/shibboleth' could not be resolved

What is the SP's entityID? It cannot share the same entityID as the
IdP (if you want to remain sane), so if it's
"https://unixadmin.qatar-med.cornell.edu/idp/shibboleth" (note the
"idp" hint in the entityID) give the SP its own, separate entityID.

Then give the IdP SAML metadata describing the SP.
-peter


--
Sam Agnew
System Administrator
IT Department
Weill Cornell Medical College in Qatar
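The IdP warning above says the SP asked for an ACS URL and binding that are not in the SP's registered metadata. The following is an added example (not the IdP's or the SP's own code, and the metadata document in it is constructed) that performs the same exact-match lookup over an SPSSODescriptor and reports why a requested endpoint was rejected; the constructed metadata is assumed to list only https ACS URLs, so the http URL from the log does not match it.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (hypothetical contents; it lists only https ACS URLs).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://unixadmin.qatar-med.cornell.edu/secure">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://unixadmin.qatar-med.cornell.edu/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="https://unixadmin.qatar-med.cornell.edu/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """All (Binding, Location) pairs under the SP's SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    path = "md:SPSSODescriptor/md:AssertionConsumerService"
    return [(e.get("Binding"), e.get("Location")) for e in root.iterfind(path, NS)]


def select_endpoint(metadata_xml, requested_url, requested_binding):
    """Exact match on URL *and* binding, or None. The IdP must not relax this:
    honouring an unlisted ACS URL would let a forged AuthnRequest redirect
    a user's assertion to a location the SP never registered."""
    for binding, location in acs_endpoints(metadata_xml):
        if location == requested_url and binding == requested_binding:
            return location
    return None


def diagnose(metadata_xml, requested_url, requested_binding):
    """Turn a failed match into an actionable reason for the admin."""
    if select_endpoint(metadata_xml, requested_url, requested_binding):
        return "ok"
    want = urlsplit(requested_url)
    for binding, location in acs_endpoints(metadata_xml):
        have = urlsplit(location)
        if location == requested_url:
            return f"binding mismatch: metadata lists {location} with {binding}"
        if have.path == want.path and (have.scheme, have.netloc) != (want.scheme, want.netloc):
            return f"scheme/host mismatch: metadata lists {location}, SP asked for {requested_url}"
    return "ACS URL not present in SP metadata at all"
```

Run `diagnose()` with the ACS URL and binding copied from the IdP's warning line against the metadata file the IdP actually loads for that entityID; the remedy is always to fix the SP's metadata (or the SP's own URL configuration), never to loosen the IdP's check.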


