ApplicationOverride problem,

Joe Edwards joee at
Wed Apr 6 13:35:27 EDT 2016

Hi again,

I'm stuck.....

We have multiple SPs on our application servers.
Each SP is hosted by its own apache server.
I am adding another SP.

Red Hat Enterprise Linux Server release 6.7 (Santiago)

I am using ApplicationOverride successfully on our dev and test servers, with the emr SP.
And for multiple SPs on our release server.

I cannot see why the same shibboleth2.xml configuration does not work on our release servers for the emr SP.

If I configure the release server shibboleth2.xml to only serve 1 SP,, the login works as expected.

If I use ApplicationOverride for, the login fails.
The IDP logs in the user and when I am redirected to, cannot be identified.

The info SP works using the default IDP.
And including or removing the info SP makes no difference in how the emr SP works.

<ApplicationOverride id="emr" entityID="">
     <Sessions relayState="ss:mem" handlerSSL="true" cookieProps="https">
         <SSO id="idp" isDefault="true" entityID="">
             SAML2 SAML1
         </SSO>
     </Sessions>

     <MetadataProvider type="XML" uri="" backingFilePath="/etc/shibboleth/idp-login-metadata.xml">
         <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
         <MetadataFilter type="Signature" certificate="idp-login-signing.crt"/>
     </MetadataProvider>
</ApplicationOverride>

<ApplicationOverride id="info" entityID="" />

opensaml::FatalProfileException at (
A valid authentication statement was not found in the incoming message.

2016-04-06 10:01:54 WARN OpenSAML.MessageDecoder.SAML2 [2]: no metadata found, can't establish identity of issuer (
2016-04-06 10:01:54 ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt assertion: Unable to locate an encrypted key.

Joe Edwards
University of Washington Medical Center
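
Added example (not part of the original post, and not Shibboleth project code): the "no metadata found" warning quoted above is logged when the SP cannot find the assertion issuer's entityID in the metadata available to the application handling the request. This Python script checks, for each ApplicationOverride that declares its own MetadataProvider, that its SSO entityID appears in the provider's backing file. The entityIDs, the sample configuration and the helper names (check_overrides, metadata_entity_ids) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _named(elem, name):
    """All descendants (and elem itself) with this local tag name, ignoring namespaces."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def metadata_entity_ids(metadata_xml):
    """entityIDs of every EntityDescriptor in a SAML metadata document."""
    return {e.get("entityID") for e in _named(ET.fromstring(metadata_xml), "EntityDescriptor")}

def check_overrides(config_xml, metadata_files):
    """Map each ApplicationOverride id to a list of problems.
    metadata_files maps a backingFilePath to that file's XML text."""
    report = {}
    for app in _named(ET.fromstring(config_xml), "ApplicationOverride"):
        problems, known = [], set()
        providers = [p for p in _named(app, "MetadataProvider") if p.get("backingFilePath")]
        for mp in providers:
            path = mp.get("backingFilePath")
            if path in metadata_files:
                known |= metadata_entity_ids(metadata_files[path])
            else:
                problems.append(f"backing file missing: {path}")
        # An override with no MetadataProvider of its own inherits the default
        # application's providers, so only overrides that declare one are checked.
        for sso in _named(app, "SSO"):
            if providers and sso.get("entityID") not in known:
                problems.append(f"SSO entityID {sso.get('entityID')} not in override metadata")
        report[app.get("id")] = problems
    return report

# Constructed sample input (hypothetical entityIDs; not the poster's configuration).
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
 <ApplicationDefaults entityID="https://sp.example.org/default">
  <ApplicationOverride id="emr" entityID="https://sp.example.org/emr">
   <Sessions><SSO entityID="https://login.example.org/idp">SAML2 SAML1</SSO></Sessions>
   <MetadataProvider type="XML" backingFilePath="/etc/shibboleth/idp-login-metadata.xml"/>
  </ApplicationOverride>
  <ApplicationOverride id="info" entityID="https://sp.example.org/info"/>
 </ApplicationDefaults></SPConfig>"""
SAMPLE_METADATA = {"/etc/shibboleth/idp-login-metadata.xml":
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://idp.example.org/other"/>'}

if __name__ == "__main__":
    for app_id, problems in check_overrides(SAMPLE_CONFIG, SAMPLE_METADATA).items():
        print(app_id, problems or "ok")
```

To run it against a real host, pass the text of shibboleth2.xml and a dict built by reading each backingFilePath from disk.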

