ApplicationOverride problem,

Joe Edwards joee at uw.edu
Wed Apr 6 13:35:27 EDT 2016


Hi again,

I'm stuck.....

We have multiple SPs on our application servers.
Each SP is hosted by its own apache server.
I am adding another SP.

Red Hat Enterprise Linux Server release 6.7 (Santiago)
shibboleth-2.5.5-3.1.el6.x86_64
shibboleth-idp.3.1.2

I am using ApplicationOverride successfully on our dev and test servers, with the emr SP.
And for multiple SPs on our release server.

I cannot see why the same shibboleth2.xml configuration does not work on our release servers for the emr SP.

If I configure the release server shibboleth2.xml to only serve 1 SP, emr.uwmc.org, the login works as expected.

If I use ApplicationOverride for emr.uwmc.org, the login fails.
The IDP logs in the user and when I am redirected to emr.uwmc.org, login.uwmc.org cannot be identified.

The info SP works using the default IDP.
And including or removing the info SP makes no difference in how the emr SP works.

<ApplicationOverride id="emr" entityID="emr.uwmc.org">
     <Sessions relayState="ss:mem" handlerSSL="true" cookieProps="https">
         <SSO id="idp" isDefault="true" entityID="login.uwmc.org">
             SAML2 SAML1
         </SSO>
     </Sessions>

     <MetadataProvider type="XML" uri="https://login.uwmc.org/idp/shibboleth" backingFilePath="/etc/shibboleth/idp-login-metadata.xml" reloadInterval="7200">
         <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
         <MetadataFilter type="Signature" certificate="idp-login-signing.crt"/>
     </MetadataProvider>
</ApplicationOverride>

<ApplicationOverride id="info" entityID="info.uwmc.org" />


opensaml::FatalProfileException at (https://login.uwmc.org/Shibboleth.sso/SAML2/POST)
A valid authentication statement was not found in the incoming message.

2016-04-06 10:01:54 WARN OpenSAML.MessageDecoder.SAML2 [2]: no metadata found, can't establish identity of issuer (login.uwmc.org)
2016-04-06 10:01:54 ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt assertion: Unable to locate an encrypted key.


---------------------------------------
Joe Edwards
University of Washington Medical Center
---------------------------------------
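An added example, not part of the original post: a small Python checker that takes a shibboleth2.xml excerpt and shibd log lines, pulls the issuer out of each "no metadata found, can't establish identity of issuer" warning, and reports which applications (default and each ApplicationOverride) name that issuer as their SSO IdP together with the MetadataProvider URIs in scope for each. It assumes the Shibboleth SP inheritance rule that an override inherits any element it omits, while a MetadataProvider it does define replaces the default's; the sample config and its example.invalid hosts are constructed, modelled on the fragment in the post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed shibboleth2.xml excerpt modelled on the post; the default
# application's IdP and metadata URI are placeholders, not real hosts.
CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
 <ApplicationDefaults entityID="default.example.invalid">
  <Sessions handlerSSL="true">
   <SSO entityID="idp.example.invalid">SAML2 SAML1</SSO>
  </Sessions>
  <MetadataProvider type="XML" uri="https://idp.example.invalid/metadata.xml"/>
  <ApplicationOverride id="emr" entityID="emr.uwmc.org">
   <Sessions><SSO entityID="login.uwmc.org">SAML2 SAML1</SSO></Sessions>
   <MetadataProvider type="XML" uri="https://login.uwmc.org/idp/shibboleth"/>
  </ApplicationOverride>
  <ApplicationOverride id="info" entityID="info.uwmc.org"/>
 </ApplicationDefaults>
</SPConfig>"""

# Constructed log excerpt, copied from the two lines quoted in the post.
LOG = """2016-04-06 10:01:54 WARN OpenSAML.MessageDecoder.SAML2 [2]: no metadata found, can't establish identity of issuer (login.uwmc.org)
2016-04-06 10:01:54 ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt assertion: Unable to locate an encrypted key."""

ISSUER_RE = re.compile(r"no metadata found, can't establish identity of issuer \(([^)]+)\)")

def app_scopes(config_xml):
    """Return {app_id: (sso_entity_id, [metadata uris])} for the default
    application and every override. Assumption: an override that omits an
    element inherits the default's; a MetadataProvider it defines replaces
    the default's rather than adding to it."""
    root = ET.fromstring(config_xml)
    defaults = root.find("sp:ApplicationDefaults", NS)

    def scope(elem, parent=None):
        sso = elem.find("sp:Sessions/sp:SSO", NS)
        providers = elem.findall("sp:MetadataProvider", NS)
        idp = sso.get("entityID") if sso is not None else (parent[0] if parent else None)
        uris = [p.get("uri") for p in providers] if providers else (parent[1] if parent else [])
        return idp, uris

    result = {"default": scope(defaults)}
    for ov in defaults.findall("sp:ApplicationOverride", NS):
        result[ov.get("id")] = scope(ov, result["default"])
    return result

def unresolved_issuers(log_text, config_xml):
    """For each 'no metadata found' warning, map the issuer to the applications
    whose SSO element names it, with the metadata URIs in scope for each."""
    scopes = app_scopes(config_xml)
    return [(issuer, {a: uris for a, (idp, uris) in scopes.items() if idp == issuer})
            for issuer in ISSUER_RE.findall(log_text)]
```

Running it on the constructed input shows that only the emr application has login.uwmc.org as its SSO IdP, with the override's own metadata URI in scope, while the default application and the info override point at the placeholder IdP; that tells an operator which application's metadata scope a response must land in for the issuer to resolve.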


