REFEDS R&S SP reports intermittent failures

Baron Fujimoto baron at
Tue Apr 26 20:02:14 EDT 2016

On Sat, Apr 23, 2016 at 11:04:04AM -0400, Tom Scavo wrote:
>On Sat, Apr 23, 2016 at 12:48 AM, Baron Fujimoto <baron at> wrote:
>> ===== IdP logs
>> failure:
>> 2016-04-14 13:53:45.970 - INFO [Shibboleth-Audit:1028] - 20160414T235345Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_474802ddb0cfa6f17916ba05bc934eac||urn:mace:shibboleth:2.0:profiles:saml2:sso||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_04653d4b3b8fcb473f1f152ffb195dd8|FAILED_USER|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||_cc955f74f9f861d8ac71e79d435d5c82||
>Is the IdP returning a SAML error to the SP?

Not that I have been able to identify. There are no errors or warnings logged
that I've been able to correlate with the entry above using any of its tokens.

There are numerous warnings like the following in the logs, but they seem
pretty common (sorting out what they actually mean and their possible
implications is on my long TODO list).

2016-04-14 13:42:49.258 - WARN [org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder:134] - Relay state exceeds 80 bytes, some application may not support this.

Is there something I should be looking for in particular or a way to
better correlate these logs?

>> success:
>> 2016-04-15 05:50:36.482 - INFO [Shibboleth-Audit:1028] - 20160415T155036Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_e904d92459abc4062c8bbff65f974158||urn:mace:shibboleth:2.0:profiles:saml2:sso||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_7bf0cf790d13445237d85df6a26f475e|SUCCESS_USER|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|surname,eduPersonPrincipalName,email,transientId,givenName,|_53b7fea682b761382175445789dde9e7||
>> =====
>> I note the attributes being returned for the success.
>> Since I am logging at the INFO level, I don't think I have more details
>> available. I don't think changing the log level to DEBUG is feasible due
>> to the increased logging volume, and afaict, it would be difficult to
>> disentangle the DEBUG logs on a busy server.
>> I have also tried testing this with aacli on a spare IdP host with the
>> same config where I can log at DEBUG level.
>Have you tried using /etc/hosts on a client machine to do a full test
>with your test IdP?

No... but I don't think I quite understand what you're asking. By client
machine, do you mean the SP? I have no access to or control over that.


Baron Fujimoto <baron at> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

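The question raised above, how to correlate an audit line with the rest of the IdP logs at INFO level, comes down to splitting the pipe-delimited audit record into named fields and grepping the other logs for its opaque identifiers (request ID, response ID, NameID). The following is an added example, not code from this thread or from the Shibboleth project. It assumes the IdP 2.x default audit layout (`%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|`); the sample log excerpt reuses the two audit lines and the relay-state warning quoted in the thread, plus one constructed process-log line that mentions the failing request ID.

```python
"""Parse Shibboleth IdP 2.x audit log lines and correlate them with other logs."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Assumption: the IdP 2.x default audit layout
#   %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|
FIELDS = [
    "event_time", "request_binding", "request_id", "relying_party",
    "profile", "asserting_party", "response_binding", "response_id",
    "principal", "authn_context", "attributes", "name_id", "assertion_ids",
]

# Fields that differ between any two events and carry no diagnostic signal.
VOLATILE = {"event_time", "request_id", "response_id", "name_id", "assertion_ids"}

AUDIT_PREFIX = re.compile(r"^(\S+ \S+) - (\w+) \[Shibboleth-Audit:\d+\] - (.*)$")


@dataclass
class AuditEvent:
    log_time: str
    fields: Dict[str, str]
    attributes: List[str]

    def tokens(self) -> Set[str]:
        """Opaque identifiers worth searching for in the other IdP logs."""
        return {self.fields[k] for k in ("request_id", "response_id", "name_id")
                if self.fields[k]}


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent, or None for lines that are not audit records."""
    m = AUDIT_PREFIX.match(line.strip())
    if not m:
        return None
    log_time, _level, payload = m.groups()
    parts = payload.split("|")
    if parts and parts[-1] == "":   # layout ends with a trailing '|'
        parts.pop()
    if len(parts) != len(FIELDS):
        return None                 # unexpected layout; do not guess
    fields = dict(zip(FIELDS, parts))
    attrs = [a for a in fields["attributes"].split(",") if a]
    return AuditEvent(log_time, fields, attrs)


def parse_log(lines: Iterable[str]) -> List[AuditEvent]:
    return [e for e in (parse_audit_line(l) for l in lines) if e is not None]


def find_no_attribute_events(events: Iterable[AuditEvent]) -> List[AuditEvent]:
    """Events where the IdP released no attributes at all (the visible
    difference between the failure and success lines in the thread)."""
    return [e for e in events if not e.attributes]


def diff_events(a: AuditEvent, b: AuditEvent) -> Dict[str, tuple]:
    """Non-volatile fields that differ between two audit events."""
    return {k: (a.fields[k], b.fields[k]) for k in FIELDS
            if k not in VOLATILE and a.fields[k] != b.fields[k]}


def correlate(events: Iterable[AuditEvent], other_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each audit event's opaque IDs to other log lines that mention them."""
    other = list(other_lines)
    hits: Dict[str, List[str]] = {}
    for e in events:
        for tok in e.tokens():
            matched = [l for l in other if tok in l]
            if matched:
                hits.setdefault(tok, []).extend(matched)
    return hits


# Sample excerpt: the two audit lines and the warning quoted in the thread.
SAMPLE_LOG = [
    "2016-04-14 13:42:49.258 - WARN [org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder:134] - Relay state exceeds 80 bytes, some application may not support this.",
    "2016-04-14 13:53:45.970 - INFO [Shibboleth-Audit:1028] - 20160414T235345Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_474802ddb0cfa6f17916ba05bc934eac||urn:mace:shibboleth:2.0:profiles:saml2:sso||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_04653d4b3b8fcb473f1f152ffb195dd8|FAILED_USER|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||_cc955f74f9f861d8ac71e79d435d5c82||",
    "2016-04-15 05:50:36.482 - INFO [Shibboleth-Audit:1028] - 20160415T155036Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_e904d92459abc4062c8bbff65f974158||urn:mace:shibboleth:2.0:profiles:saml2:sso||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_7bf0cf790d13445237d85df6a26f475e|SUCCESS_USER|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|surname,eduPersonPrincipalName,email,transientId,givenName,|_53b7fea682b761382175445789dde9e7||",
]

# Constructed process-log line (not from the thread) that carries the failing request ID.
SAMPLE_PROCESS_LOG = [
    "2016-04-14 13:53:45.900 - INFO [example.hypothetical.Logger:1] - processing request _474802ddb0cfa6f17916ba05bc934eac",
]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_no_attribute_events(evs):
        print("no attributes released:", e.log_time, e.fields["principal"], sorted(e.tokens()))
    print("fields differing between failure and success:", diff_events(evs[0], evs[1]))
    print("correlated lines:", correlate(evs, SAMPLE_PROCESS_LOG))
```

Running this over a full day of `idp-audit.log` and `idp-process.log` gives, per failing event, the set of IDs to search for and any process-log lines that mention them; the `diff_events` output shows which non-volatile fields actually differ between a failed and a successful login, which narrows what to look for before resorting to DEBUG logging.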