SP Configuration issue

Eric Stein steine at locustec.com
Fri Apr 4 09:53:10 EDT 2014


Scott,

Thanks for taking the time to look at this.

My "relying party error" is the very common:
    Error Message: SAML 2 SSO profile is not configured for relying party https://cms1.locusfocus.com/shibboleth

In my IdP's relying-party.xml, I have:
        <metadata:MetadataProvider id="SPMD" 
                                   xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="C:/shibboleth-sp-2.5.1/etc/shibboleth/sp-metadata.xml" />
I checked that file, and it exists. It contains the (problematic?) metadata I mentioned in the prior message.

In my SP's shibboleth2.xml, I have:
    <ApplicationDefaults entityID="https://cms1.locusfocus.com/shibboleth"
                         REMOTE_USER="nameid persistent-id targeted-id">
...
            <SSO entityID="https://cms1.locusfocus.com/idp/shibboleth"
                 discoveryProtocol="SAMLDS" discoveryURL="https://cms1.locusfocus.com/discovery/DS">
              SAML2 SAML1
            </SSO>
which to me means that the SP's entityID is set correctly.

I thought that the way the IdP found the SP was through the entityID in the sp-metadata. Is that not correct? So what am I missing that the IdP can't find the SP?

Thanks,
Eric

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Thursday, April 03, 2014 10:07 PM
To: Shib Users
Subject: Re: SP Configuration issue

On 4/3/14, 9:56 PM, "Eric Stein" <steine at locustec.com> wrote:

>but all the Location attribute URIs have foo.mycompany.com in them. I 
>did a search of all files in my shibboleth installation, and 
>bar.mycmpny.com only shows up in the generated metadata.

Your description implies that it isn't in the metadata at all, other than by way of the certificate generated when you installed the SP. Nor does it matter what's in that certificate in practice.

> I *think* this is what's causing my relying party error.

Very unlikely, but since I don't know what "relying party error" means, I couldn't say for certain.

> So I guess my questions are:
>0) where is shibboleth getting the key name and cert subject name from?

From the certificate it generated during installation.

>1) why doesn't fixing them manually to be foo.mycompany.com work?

I guess that depends on what you did, but the certificate is whatever you configure it to be, and the metadata is never to be generated and used directly without modification, so it's entirely under your control what you give to others.

>2) could this be causing my relying party problem, or is it just a red 
>herring?

I don't know what the problem is since you didn't describe it, but I doubt it has anything to do with it.

-- Scott
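Eric's question is whether the IdP locates the SP through the entityID in the metadata file it loads; Scott's point is that the generated metadata must be checked before use. The following is an added diagnostic, not code from either poster or from the Shibboleth project: it parses an SP metadata file (a constructed sample here, using the entityID quoted in the thread) and reports whether that exact entityID is present with an SPSSODescriptor that advertises SAML 2.0. Run it against the file named in relying-party.xml to rule out an entityID mismatch before looking elsewhere.

```python
"""Check whether an SP metadata file (as loaded by the IdP's
FilesystemMetadataProvider) describes the entityID configured in
the SP's shibboleth2.xml and advertises the SAML 2.0 protocol.

The metadata body below is constructed for this example; only the
entityID value comes from the thread.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"md": MD_NS}

# Constructed sample metadata, standing in for sp-metadata.xml.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://cms1.locusfocus.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTO}">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cms1.locusfocus.com/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(metadata_xml: str, sp_entity_id: str) -> list:
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    root = ET.fromstring(metadata_xml)
    # The file may hold one EntityDescriptor or an EntitiesDescriptor aggregate.
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        descriptors = [root]
    else:
        descriptors = root.findall(".//md:EntityDescriptor", NS)
    # The IdP matches the relying party by exact entityID string.
    matches = [d for d in descriptors if d.get("entityID") == sp_entity_id]
    if not matches:
        present = [d.get("entityID") for d in descriptors]
        findings.append(f"entityID {sp_entity_id!r} not present; found {present}")
        return findings
    sp = matches[0].find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("EntityDescriptor has no SPSSODescriptor")
        return findings
    protocols = (sp.get("protocolSupportEnumeration") or "").split()
    if SAML2_PROTO not in protocols:
        findings.append("SPSSODescriptor does not advertise SAML 2.0 support")
    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_SP_METADATA,
                                     "https://cms1.locusfocus.com/shibboleth"):
        print("WARN:", finding)
```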

