No peer endpoint available to which to send SAML response

Dave Vernon dvernon at loyalistcollege.com
Wed Oct 1 19:04:17 EDT 2014


Hello Kevin,

Thanks for the specifics. I'm going to run through them here in case I'm missing something:

Item #1:

I think the http / https part is okay -- everything on the web server is running with https, and here is the snip from the SP's XML data that is on the IdP server:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/Artifact" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/ECP" index="4"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML/POST" index="5"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML/Artifact" index="6"/>

Item #2:
"check your entityid matching at the SP and within the MD you give the IdP"...  I think I am understanding the question properly.

In the SP's metadata file on the IdP I have this defined as the entityid
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b319c7699fa297e30adac2631426536fe3332552" entityID="https://explode.lcaat.ca/idp/shibboleth">

In shibboleth2.xml on the SP server I have this:
<ApplicationDefaults entityID="https://explode.lcaat.ca/idp/shibboleth"
and further down
<SSO entityID="https://explode.lcaat.ca/idp/shibboleth"
     discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
    SAML2 SAML1
</SSO>

I want to call out the discovery URL there.  From what I understand, since I am only dealing with 1 IdP I don't need to define that?  Is that correct?

Item #3:
The webserver itself is the part that is most familiar to me, and the documentation on the setup (and manual steps if necessary) are very good.  It's IIS 7.5.  There is a stopped "default" website with an ID of 1, and my actual website ("BBLEARN") as ID 2.  The SP install seemed to go fine, and I do see the Shibboleth ISAPI filter installed as the site level.  I would say the only 'unusual' part that I encountered was that the handler mapping was enabled at the root level, but disabled on the site level.  I changed the site level to grant the 'script' permission.

I am able to browse to https://localhost/Shibboleth.sso/Status on the server itself, but I am forbidden to https://lms.lcaat.ca/Shibboleth.sso/Status  --  I do recall reading somewhere in the docs that SPECIFICALLY said it had to be localhost for testing this though.

Scott - Regarding your comments about properly configuring web servers to allow self-referential links being the entire issue...  Is there something I should look for specifically, or some docs that deal with configuring the web server itself past the install docs?  I have seen reference to setting the http host on Apache properly (i.e. to match) but I'm not aware of a similar IIS setting.

Thanks again all

________________________________________
From: users-bounces at shibboleth.net [users-bounces at shibboleth.net] on behalf of Kevin Foote [kpfoote at uoregon.edu]
Sent: Wednesday, October 01, 2014 5:02 PM
To: Shib Users
Subject: Re: No peer endpoint available to which to send SAML response

On Oct 1, 2014, at 1:55 PM, Dave Vernon <dvernon at loyalistcollege.com> wrote:

> If anyone out there would be willing the spend the time, I would appreciate any tips on how to go about troubleshooting this.  I've read the documentation, especially about SP metadata several times over, but I feel like I am going in circle and not making any progress.
>
> The fact of the matter is, I'm really having troubles identifying what my data should be, and how to go about 'review and adjusting' what's in it.  I have used the SAML tracer plugin to FireFox to capture (and then decode), but again, nothing is clear to me as the problem

Hi Dave,

The list is here to help.

Scott has indicated the issue that you are having. Your metadata that the IdP has for your SP does not align with what your Apache or IIS server thinks it is. The result is that the IdP is receiving a request from some entity it does not know about.

If your MD matches up with what your server is doing things will just work.

Places to look are - in no particular order:
- check your ACS endpoints: http vs https
- check your entityid matching at the SP and within the MD you give the IdP
- check the http server itself

--------
thanks
 kevin.foote

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
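The three checks in Kevin's list (ACS scheme, entityID agreement between the metadata given to the IdP and shibboleth2.xml, and the host the web server actually serves) can be run mechanically. The script below is an added example, not code from this thread or from the Shibboleth project. The two XML fragments are constructed and modelled on the snippets Dave posted; the `http://` Artifact endpoint in the "as posted" metadata is deliberately planted so the scheme check has something to fire on, the corrected SP entityID `https://lms.lcaat.ca/shibboleth` is an assumed placeholder, and the shibboleth2.xml namespace assumes a 2.x SP.

```python
"""Cross-check a Shibboleth SP's metadata against its shibboleth2.xml.

Added example, not from the thread or the Shibboleth project. The XML
fragments are constructed and modelled on the posted snippets; the
SP config namespace assumes a 2.x SP.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"        # SAML 2.0 metadata
SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"    # shibboleth2.xml (assumed 2.x)

# Constructed: mirrors the thread, plus one deliberately http ACS (index 3).
SP_METADATA_AS_POSTED = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://explode.lcaat.ca/idp/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://lms.lcaat.ca/Shibboleth.sso/SAML2/Artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: the ApplicationDefaults / SSO lines as posted, wrapped in SPConfig.
SHIBBOLETH2_AS_POSTED = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://explode.lcaat.ca/idp/shibboleth">
    <Sessions>
      <SSO entityID="https://explode.lcaat.ca/idp/shibboleth"
           discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed "fixed" pair: the SP gets its own (assumed placeholder) entityID,
# used identically in both files; every ACS is https on the served host.
SP_METADATA_FIXED = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://lms.lcaat.ca/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/Artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SHIBBOLETH2_FIXED = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://lms.lcaat.ca/shibboleth">
    <Sessions>
      <SSO entityID="https://explode.lcaat.ca/idp/shibboleth">
        SAML2 SAML1
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


def parse_sp_metadata(xml_text):
    """Return (entityID, [(binding, location, index), ...]) from SP metadata."""
    root = ET.fromstring(xml_text)
    acs = [(e.get("Binding"), e.get("Location"), e.get("index"))
           for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    return root.get("entityID"), acs


def parse_shibboleth2(xml_text):
    """Return (sp_entityID, idp_entityID, discoveryURL or None) from shibboleth2.xml."""
    root = ET.fromstring(xml_text)
    app = root.find(f"{{{SP_NS}}}ApplicationDefaults")
    sso = app.find(f".//{{{SP_NS}}}SSO")
    return app.get("entityID"), sso.get("entityID"), sso.get("discoveryURL")


def check_sp_config(sp_metadata, shibboleth2, served_host):
    """Run the three checks; an empty list means nothing was flagged."""
    findings = []
    md_entity, acs = parse_sp_metadata(sp_metadata)
    sp_entity, idp_entity, disco = parse_shibboleth2(shibboleth2)

    # 1. ACS endpoints: TLS scheme, and the hostname the web server really serves
    if not acs:
        findings.append("acs: no AssertionConsumerService in SP metadata")
    for _binding, location, index in acs:
        url = urlsplit(location)
        if url.scheme != "https":
            findings.append(f"acs {index}: scheme {url.scheme!r}, expected https")
        if url.hostname != served_host:
            findings.append(f"acs {index}: host {url.hostname!r} != served host {served_host!r}")

    # 2. entityID agreement: metadata handed to the IdP vs ApplicationDefaults
    if md_entity != sp_entity:
        findings.append(f"entityid: metadata {md_entity!r} != ApplicationDefaults {sp_entity!r}")
    # An SP and its IdP are distinct SAML entities and must not share one entityID
    if sp_entity == idp_entity:
        findings.append("entityid: ApplicationDefaults entityID equals the IdP entityID in <SSO>")

    # 3. discoveryURL still pointing at the distribution's example.org placeholder
    if disco and (urlsplit(disco).hostname or "").endswith("example.org"):
        findings.append(f"sso: discoveryURL still points at placeholder {disco!r}")
    return findings


if __name__ == "__main__":
    for label, md, conf in (("as posted", SP_METADATA_AS_POSTED, SHIBBOLETH2_AS_POSTED),
                            ("fixed", SP_METADATA_FIXED, SHIBBOLETH2_FIXED)):
        print(f"[{label}]")
        for f in check_sp_config(md, conf, "lms.lcaat.ca") or ["ok"]:
            print("  ", f)
```

Run it against the real files by reading the SP metadata you uploaded to the IdP and the SP's shibboleth2.xml, and pass the hostname users actually reach (here `lms.lcaat.ca`, not `localhost`); the served-host check is the mechanical version of Scott's point about self-referential links, since an ACS Location on a name the web server does not answer for is exactly what makes the IdP see an unknown peer.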
