Shibboleth IDP Issues while performing Single Sign On
peter.schober at univie.ac.at
Thu Nov 27 09:19:02 EST 2014
* issacv <b35740 at freescale.com> [2014-11-27 15:04]:
> Now he clicks on Login again, but it does not take him to our SSO
> Login page. It logs the user in and shows him his profile. It looks
> like on clicking Login again after logout, it directly got user
> credentials from the Shibboleth IDP user cache and didn't go to SSO
> to check if the user is logged in or not. In our handler.xml the Login
> Handler being used are *
If you don't want to use the SSO session from the Shibboleth IDP you'll
have to remove/comment out the PreviousSession handler in handler.xml,
like it says in the comment above that:
"Removal of this login handler will disable SSO support"
Then each request to the Shib IDP will also go to your CAS system.
> 23:52:41.516 - WARN
> - SPSSODescriptor role metadata for entityID
> 'freescale.staging.e2open.com' could not be resolved
That means just that, the IDP doesn't have metadata for that exact
entityID that features an SPSSODescriptor element.
> 23:52:41.562 - WARN
> - Simple signature validation (with no request-derived credentials)
> 23:52:41.563 - WARN
> - Validation of request simple signature failed for context issuer:
> 23:52:41.572 - WARN
> - Message did not meet security
> requirementsorg.opensaml.ws.security.SecurityPolicyException: Validation of
> request simple signature failed for context issuer
Looks like the SP signed the authentication request and the IDP couldn't
validate the signature, likely as a consequence of the IDP not having
proper metadata for the SP (as per the WARN-level message above).
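As an added check (not part of this thread or of the Shibboleth code base), a short Python script that mirrors what the IDP has to do before it can validate a signed request: resolve the entityID to an SPSSODescriptor and find a signing certificate in that role. The metadata and entityIDs are constructed samples.

```python
# Added example (not from the original thread): check whether an IdP's
# SAML metadata can resolve an SP entityID to an SPSSODescriptor and
# whether that role carries a signing certificate, the two things the
# IdP needs before it can validate a signed AuthnRequest.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata: one SP with a signing key and one entity
# that has only an IdP role (so no SPSSODescriptor to resolve).
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIB...placeholder-cert...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-only.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_sp_metadata(metadata_xml, entity_id):
    """Return (entity_found, has_sp_role, has_signing_key) for entity_id."""
    root = ET.fromstring(metadata_xml)
    # EntitiesDescriptor may nest, so walk every EntityDescriptor.
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is None:
            return (True, False, False)
        # A KeyDescriptor with use="signing", or with no use attribute,
        # may be used to verify the SP's request signatures.
        has_key = any(
            kd.get("use") in (None, "signing")
            and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
            for kd in sp.findall("md:KeyDescriptor", NS)
        )
        return (True, True, has_key)
    return (False, False, False)
```

Run it against the IDP's own metadata file with the entityID from the WARN line; a result of (False, ...) or (True, False, ...) is exactly the "could not be resolved" condition.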