Error resolving principal name

Morris, Andi amorris at cardiffmet.ac.uk
Thu Apr 16 08:00:25 EDT 2015


Or not.....
We're still getting the error from some providers. This time, Ovid:

12:56:43.434 - INFO [Shibboleth-Access:73] - 20150416T115643Z|192.168.219.233|idp.cardiffmet.ac.uk:8443|/profile/SAML1/SOAP/AttributeQuery|
12:56:43.461 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:568] - Error resolving principal name for SAML request from relying party 'https://shibboleth.ovid.com/entity'. Cause: No information associated with transient identifier: _524c0dd6ceeac0d0b24845f038b9ed74
12:56:43.466 - INFO [Shibboleth-Audit:745] - 20150416T115643Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a4cfab5ee978a9376ee3be022fd32b6d|https://shibboleth.ovid.com/entity|urn:mace:shibboleth:2.0:profiles:saml1:query:attribute|https://idp.cardiffmet.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_e3f608b1020583da2a9433590c23ef4d||||_524c0dd6ceeac0d0b24845f038b9ed74||
12:57:49.951 - INFO [Shibboleth-Access:73] - 20150416T115749Z|192.168.219.233|idp.cardiffmet.ac.uk:443|/profile/SAML2/POST/SSO|
12:57:56.615 - INFO [Shibboleth-Access:73] - 20150416T115756Z|192.168.219.233|idp.cardiffmet.ac.uk:8443|/profile/SAML1/SOAP/AttributeQuery|
12:57:56.619 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:568] - Error resolving principal name for SAML request from relying party 'https://shibboleth.ovid.com/entity'. Cause: No information associated with transient identifier: _524c0dd6ceeac0d0b24845f038b9ed74

Any ideas?

Cheers,
Andi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Morris, Andi
Sent: 16 April 2015 12:02
To: 'Shib Users'
Subject: RE: Error resolving principal name

Apologies for dropping the conversation.

After reading Peter's email below I realised that I had not added in the config to support legacy SPs that still use SAML1. I followed the steps at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare and all seems to be ok now.

Cheers for your help,
Andi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 26 February 2015 15:23
To: users at shibboleth.net
Subject: Re: Error resolving principal name

* Morris, Andi <amorris at cardiffmet.ac.uk> [2015-02-26 14:29]:
> 20:33:56.393 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:568] - Error resolving principal name for SAML request from relying party 'https://academic.mintel.com/shibboleth'. Cause: No information associated with transient identifier: _15c9b9b5bd0c3aa11d088549e802a3dd

Note that this SP speaks SAML2 just fine (I just tried to log in at http://academic.mintel.com/ via "Federated Log In"), so there should be no reason to use (a) SAML1, and (b) attribute queries.

While that's no explanation why the attribute query failed (which a Shib IDP supports by default once you have set up the SOAP port correctly, which seems to be the case here) you might still prefer to remove the reason this happens in the first place.

Then you can still try to find out whether your IDP works with Attribute Queries (potentially involving an SP of your own, or one provided by someone else, e.g. the UKfederation or TestShib) or whether you'd like to continue supporting queries in the first place.

E.g. if all you ever send to such SAML1 SPs is an eduPersonAffiliation and/or the common-lib-terms eduPersonEntitlement attribute value you might consider pushing those attributes over the browser, unencrypted.
Then most SPs won't see a need to issue an attribute query, not even via SAML1.
-peter
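
An added example, not part of the original thread or of the Shibboleth code base: a small script that groups the "Error resolving principal name" warnings in an IdP log by relying party and transient identifier and counts the profile endpoints hit, to show which SPs are still sending SAML1 attribute queries. The function name `summarize` is hypothetical, the meaning of the pipe-delimited access fields is inferred from the excerpt above, and the sample input is built from log lines quoted in this thread.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the log excerpt quoted in this thread.
SAMPLE_LOG = """\
12:56:43.434 - INFO [Shibboleth-Access:73] - 20150416T115643Z|192.168.219.233|idp.cardiffmet.ac.uk:8443|/profile/SAML1/SOAP/AttributeQuery|
12:56:43.461 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:568] - Error resolving principal name for SAML request from relying party 'https://shibboleth.ovid.com/entity'. Cause: No information associated with transient identifier: _524c0dd6ceeac0d0b24845f038b9ed74
12:57:49.951 - INFO [Shibboleth-Access:73] - 20150416T115749Z|192.168.219.233|idp.cardiffmet.ac.uk:443|/profile/SAML2/POST/SSO|
12:57:56.615 - INFO [Shibboleth-Access:73] - 20150416T115756Z|192.168.219.233|idp.cardiffmet.ac.uk:8443|/profile/SAML1/SOAP/AttributeQuery|
12:57:56.619 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:568] - Error resolving principal name for SAML request from relying party 'https://shibboleth.ovid.com/entity'. Cause: No information associated with transient identifier: _524c0dd6ceeac0d0b24845f038b9ed74
"""

# WARN line written by the SAML1 profile handler when a transient ID is unknown.
WARN_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) - WARN \[[^\]]+\] - "
    r"Error resolving principal name for SAML request from relying party "
    r"'(?P<sp>[^']+)'\. Cause: No information associated with transient "
    r"identifier: (?P<tid>_[0-9a-f]+)"
)
# Access line; assumed field order: timestamp|client address|host:port|path|
ACCESS_RE = re.compile(
    r"^\S+ - INFO \[Shibboleth-Access:\d+\] - "
    r"[^|]*\|[^|]*\|[^|]*\|(?P<path>[^|]*)\|"
)

def summarize(log_text):
    """Return (failure rows, endpoint hit counts) for an IdP log excerpt."""
    failures = defaultdict(lambda: defaultdict(list))
    endpoints = defaultdict(int)
    for line in log_text.splitlines():
        warn = WARN_RE.match(line)
        if warn:
            failures[warn["sp"]][warn["tid"]].append(warn["time"])
            continue
        access = ACCESS_RE.match(line)
        if access:
            endpoints[access["path"]] += 1
    rows = [(sp, tid, len(times), times[0], times[-1])
            for sp, by_id in sorted(failures.items())
            for tid, times in sorted(by_id.items())]
    return rows, dict(endpoints)

if __name__ == "__main__":
    rows, endpoints = summarize(SAMPLE_LOG)
    for sp, tid, count, first, last in rows:
        print(f"{sp} {tid}: {count} failed lookups, {first} to {last}")
    for path, hits in sorted(endpoints.items()):
        print(f"{path}: {hits} requests")
```

A transient identifier that appears in more than one row entry means the same SP retried the query with an identifier the IdP could not map back to a principal.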