IdP 3.1 - metadata config not working

Dave Perry Dave.Perry at hull-college.ac.uk
Fri Mar 13 07:48:06 EDT 2015


I've started my new IdP install again based on the 3.1 release from earlier this week. Attribute-resolver and -filter.xml have been copied in from our old (2.3.8) IdP, and there are no complaints in the logs (hurrah).

However, when I'm trying to specify the file-backed metadata for the UK federation, I get this error:

2015-03-13 11:42:20,358 - ERROR [org.springframework.web.context.ContextLoader:331] - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.MetadataResolverService' defined in file [/opt/shibboleth-idp/system/conf/services-system.xml]: Invocation of init method failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ShibbolethMetadata': Cannot create inner bean '(inner bean)#51dba25c' of type [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#51dba25c': Cannot create inner bean '(inner bean)#7bd00986' of type [org.opensaml.saml.metadata.resolver.impl.FileBackedHTTPMetadataResolver] while setting bean property 'resolvers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#7bd00986': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Error refreshing metadata during init
                at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1566)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ShibbolethMetadata': Cannot create inner bean '(inner bean)#51dba25c' of type [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#51dba25c': Cannot create inner bean '(inner bean)#7bd00986' of type [org.opensaml.saml.metadata.resolver.impl.FileBackedHTTPMetadataResolver] while setting bean property 'resolvers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#7bd00986': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Error refreshing metadata during init
                at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#51dba25c': Cannot create inner bean '(inner bean)#7bd00986' of type [org.opensaml.saml.metadata.resolver.impl.FileBackedHTTPMetadataResolver] while setting bean property 'resolvers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#7bd00986': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Error refreshing metadata during init
                at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#7bd00986': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Error refreshing metadata during init
                at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1566)
Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Error refreshing metadata during init
                at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.initMetadataResolver(AbstractReloadingMetadataResolver.java:264)
Caused by: net.shibboleth.utilities.java.support.resolver.ResolverException: net.shibboleth.utilities.java.support.resolver.ResolverException: Error filtering metadata from http://metadata.ukfederation.org.uk/ukfederation-metadata.xml
                at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.refresh(AbstractReloadingMetadataResolver.java:297)
Caused by: net.shibboleth.utilities.java.support.resolver.ResolverException: Error filtering metadata from http://metadata.ukfederation.org.uk/ukfederation-metadata.xml
                at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.processNonExpiredMetadata(AbstractReloadingMetadataResolver.java:430)
Caused by: org.opensaml.saml.metadata.resolver.filter.FilterException: Metadata's validity interval, 1753369669ms, is larger than is allowed, 604800ms.
                at org.opensaml.saml.metadata.resolver.filter.impl.RequiredValidUntilFilter.filter(RequiredValidUntilFilter.java:102)

The metadata-providers entry is based on the wiki example, but I turned off the signing (which someone may tell me is wrong here):
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file is an EXAMPLE metadata configuration file. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:resource="urn:mace:shibboleth:2.0:resource"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">

    <!-- ========================================================================================== -->
    <!--                             Metadata Configuration                                         -->
    <!--                                                                                            -->
    <!--  Below you place the mechanisms which define how to load the metadata for the SP you will  -->
    <!--  provide a service to.                                                                     -->
    <!--                                                                                            -->
    <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
    <!--  provides more details.                                                                    -->
    <!--                                                                                            -->
    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
    <!--                                                                                            -->
    <!-- ========================================================================================== -->


    <!-- Load the UK metadata -->
    <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata"
                      metadataURL="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
                      backingFile="/opt/shibboleth-idp/metadata/ukfederation-metadata.xml">

        <!-- Using chaining filter to allow us multiple filters to be added -->
        <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">

            <!-- Ensure the metadata has a reasonable (1 week) validity period. -->
            <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
                            maxValidityInterval="604800" />

            <!--
                Ensure metadata is signed and use the 'shibboleth.MetadataTrustEngine'
                to determine its trustworthiness
            -->
<!--
            <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                            trustEngineRef="shibboleth.MetadataTrustEngine"
                            requireSignedMetadata="true" />
-->

        </MetadataFilter>

    </MetadataProvider>

</MetadataProvider>


Thanks in advance for any pointers,
Dave

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at hull-college.ac.uk<mailto:elearning at hull-college.ac.uk> *

Rate our service with the Library & eLearning Survey
For Students: http://library.hull-college.ac.uk/survey
For Staff: http://library.hull-college.ac.uk/staffsurvey
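
The check that fails in the log above, as an added example that is not part of the original post and is not Shibboleth's own code: it reads `validUntil` from a metadata root element and compares the remaining interval with a configured limit. The sample metadata, the function names, and the ISO 8601 duration forms (`P7D`, `P30D`) are assumptions of this example; a bare number is treated as milliseconds because the log reports the configured `604800` as `604800ms`.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal EntitiesDescriptor, not real federation metadata.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://federation.example.org" validUntil="2015-04-02T18:00:00Z"/>"""

# Subset of ISO 8601 durations (days, hours, minutes, seconds); an assumption of this example.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")

def parse_limit(value):
    """Return the limit as a timedelta. A bare number is taken as milliseconds,
    matching the '604800ms' the log prints for maxValidityInterval="604800"."""
    if value.isdigit():
        return timedelta(milliseconds=int(value))
    m = _DURATION.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (float(g) if g else 0.0 for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def validity_interval(metadata_xml, now):
    """Time from 'now' until the root element's validUntil; None if absent."""
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return None
    # Older Pythons' fromisoformat does not accept a trailing 'Z'.
    expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    return expires - now

def check(metadata_xml, limit, now):
    """Return (accepted, reason) for a required-validUntil style check."""
    interval = validity_interval(metadata_xml, now)
    if interval is None:
        return False, "no validUntil on root element"
    if interval <= timedelta(0):
        return False, "metadata already expired"
    allowed = parse_limit(limit)
    if interval > allowed:
        return False, f"interval {interval} exceeds allowed {allowed}"
    return True, f"interval {interval} within allowed {allowed}"

if __name__ == "__main__":
    now = datetime(2015, 3, 13, 11, 42, 20, tzinfo=timezone.utc)
    for limit in ("604800", "P7D", "P30D"):
        print(limit, check(SAMPLE_METADATA, limit, now))
```

With the constructed sample, a validity interval of about 20 days is rejected both by `604800` read as milliseconds (about ten minutes) and by a true seven-day limit, so the unit and the size of the limit need checking separately.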

