Shibboleth IDP Issues while performing Single Sign On

Peter Schober peter.schober at
Thu Nov 27 09:19:02 EST 2014

* issacv <b35740 at> [2014-11-27 15:04]:
> Now he clicks on Login again, but it does not take him to our SSO
> Login page. It Logs the user in and shows him his profile. It looks
> like on clicking Login again after logout, it directly got user
> credentials from Shibboleth IDP User cache and didn’t went to SSO,
> to check if user is logged in or not. In our handler.xml the Login
> Handler being used are *
> urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession

If you don't want to use the SSO session from the Shibboleth IDP you'l
have to remove/comment our the PreviousSession handler in handler.xml,
like it says in the comment above that:
"Removal of this login handler will disable SSO support"
Then each request to the Shib IDP will also go to your CAS system.

> 23:52:41.516 - WARN
> []
> - SPSSODescriptor role metadata for entityID
> '' could not be resolved

That means just that, the IDP doesn't have metadata for that exact
entityID that features an SPSSODescriptor element.

> 23:52:41.562 - WARN
> []
> - Simple signature validation (with no request-derived credentials)
> failed
> 23:52:41.563 - WARN
> []
> - Validation of request simple signature failed for context issuer:
> 23:52:41.572 - WARN
> [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:377]
> - Message did not meet security
> Validation of
> request simple signature failed for context issuer

Looks like the SP signed the authtication request and the IDP couldn't
validate the signature, likely as a consequence of the IDP not having
proper metadata for the SP (as per the WARN-level message above).

More information about the users mailing list