SP - Trying to test copy of server - should this work?

Michael White michael.white at stir.ac.uk
Tue May 3 10:34:08 EDT 2016


Hi,

We are working on an upgrade to our Research Management System (RMS), which is a locally run (proprietary) application that is protected with a shib SP. We've taken a copy of the RMS Production server to provide a sandbox where we can test the upgrade procedure (and the upgraded system) and my system and network colleagues have made this appear as "rms-new" to the outside world, whilst changing very little under the hood (including no changes to the SP config or metadata) . . .

As everything here is SAML 2 (i.e. no back channel stuff), I had hoped that I would then be able to test shibboleth authentication on "rms-new" just by setting the host file on my laptop to resolve "rms" and "rms-new" to the IP Address of "rms-new" - in my head I thought I would then be able to go to "rms" on my laptop and behind the scenes it would actually be talking to "rms-new" (which is the case) and I hoped/presumed that our (shib) IdP would be OK with this as, as far as it was concerned, it would be authenticating for the existing "rms" system's SP . . . (?)

However, when I try this, it doesn't work, and I'm not sure whether it actually should/could/might or not?

When I try it, I get the following error in the browser:

"No peer endpoint available to which to send SAML response"

Looking at the IdP logs, I can see that happening:

13:45:10.250 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'https://rms.stir.ac.uk/shibboleth' requested the response to be returned to endpoint with ACS URL 'http://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST'  and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding,  can be found in the relying party's metadata 
13:45:10.251 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447] - No return endpoint available for relying party https://rms.stir.ac.uk/shibboleth

I've also had a go at doing this using our DEV IdP (where I can turn up the logging) with the same result:

09:11:30.966 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for https://rms.stir.ac.uk/shibboleth
09:11:30.966 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for https://rms.stir.ac.uk/shibboleth, looking up configuration based on metadata groups.
09:11:30.967 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for https://rms.stir.ac.uk/shibboleth. Using default relying party configuration.
09:11:30.968 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'https://rms.stir.ac.uk/shibboleth' requested the response to be returned to endpoint with ACS URL 'http://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST'  and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding,  can be found in the relying party's metadata 
09:11:30.969 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447] - No return endpoint available for relying party https://rms.stir.ac.uk/shibboleth

- which seems to be saying that it can't find the relying party configuration for "https://rms.stir.ac.uk/shibboleth" - however, when restarting the IdP, I can see it loading the metadata in question, and I can still authenticate against plain old "rms" from my desktop (that has no host file shenanigans), so the metadata must be there:

08:52:15.887 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.BaseMetadataProviderBeanDefinitionParser:42] - Parsing configuration for 'FilesystemMetadataProvider' metadata provider with ID: rmsprodSPURLMD
08:52:15.888 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.BaseMetadataProviderBeanDefinitionParser:46] - Metadata provider requires valid metadata: true
08:52:15.888 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractMetadataProviderBeanDefinitionParser:41] - Metadata provider using parser pool: shibboleth.ParserPool
08:52:15.888 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractMetadataProviderBeanDefinitionParser:45] - Metadata provider fail fast initialization enabled: true
08:52:15.889 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser:44] - Metadata provider using task timer: shibboleth.TaskTimer
08:52:15.889 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser:48] - Metadata provider refresh delay factor: 0.75
08:52:15.890 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser:52] - Metadata provider min refresh delay: 300000ms
08:52:15.890 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser:56] - Metadata provider max refresh delay: 14400000ms
08:52:15.890 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.FilesystemMetadataProviderBeanDefinitionParser:52] - Metadata provider 'rmsprodSPURLMD' reading metadata from: /opt/shibboleth-idp/metadata/rmsprod-sp-metadata.xml

And, the key bits from rmsprod-sp-metadata.xml:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://rms.stir.ac.uk/shibboleth">

&

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST" index="1"/>

So, it looks to me like there is something pretty fundamental stopping this from working and I guess my question is, would folk expect this approach to actually work? If so, any thoughts on what I might be doing wrong? 

Everything is running on Debian Linux - the SP is version 2.4.3 and our IdP is 2.4.2 (yes, we will be moving to v3 in the very near future!).

So, assuming you aren't too busy hooting with laughter that I even thought this might work, if anyone has any insights, they'd be more than welcome!

Cheers,

Mike

Michael White
Developer
Information Services

T: (01786) 466877
E: michael.white at stir.ac.uk
A: S8, Library, University of Stirling, Stirling, FK9 4LA 
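As an added example for this thread (not code from the post, from the poster's site, or from the Shibboleth project), the Python below reproduces the comparison behind the quoted "No peer endpoint available" warning: the IdP returns a SAML response only to an AssertionConsumerService URL and binding that appear in the relying party's registered metadata, so which IP address the client's hosts file resolves the name to never enters into the decision. In the quoted log lines the ACS URL the SP asked for begins with http:// while the metadata entry uses https://, and the script reports that kind of component-level difference. The metadata string is constructed from the fragment quoted in the post; the function names are my own.

```python
"""Check a requested SAML 2.0 ACS endpoint against SP metadata.

Added example for the mailing-list thread above; not Shibboleth code.
The IdP accepts a response endpoint only if its URL and binding appear
in the relying party's metadata, which is why a client-side hostname
override cannot redirect a response to an unregistered location.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed metadata, modelled on the rmsprod-sp-metadata.xml fragment
# quoted in the post (entityID and ACS Location are taken from there).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://rms.stir.ac.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_endpoints(metadata_xml):
    """Return the (Binding, Location) pairs listed as ACS endpoints."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]


def select_response_endpoint(metadata_xml, requested_url, requested_binding):
    """Mirror the IdP's selection: the requested URL and binding must both
    match a metadata endpoint exactly, otherwise no endpoint is returned."""
    for binding, location in acs_endpoints(metadata_xml):
        if binding == requested_binding and location == requested_url:
            return location
    return None


def explain_mismatch(metadata_xml, requested_url, requested_binding):
    """Troubleshooting aid: list which URL component (scheme, host, path)
    or binding differs between the request and each metadata endpoint.
    An empty list means at least one endpoint matched exactly."""
    req = urlsplit(requested_url)
    differences = []
    for binding, location in acs_endpoints(metadata_xml):
        if binding != requested_binding:
            differences.append(
                f"binding differs: metadata {binding!r}, request {requested_binding!r}")
            continue
        md = urlsplit(location)
        for part in ("scheme", "netloc", "path"):
            if getattr(md, part) != getattr(req, part):
                differences.append(
                    f"{part} differs: metadata {getattr(md, part)!r}, "
                    f"request {getattr(req, part)!r}")
    return differences


if __name__ == "__main__":
    # The ACS URL shown in the quoted IdP warning (http, not https).
    requested = "http://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST"
    chosen = select_response_endpoint(SP_METADATA, requested, HTTP_POST)
    print("selected endpoint:", chosen)
    for line in explain_mismatch(SP_METADATA, requested, HTTP_POST):
        print("  ", line)
```

Run stand-alone, it reports no selected endpoint and a single scheme difference for the URL from the log; swap the requested URL for the https form and the metadata endpoint is selected. The same routine is a cheap pre-flight check to run whenever a cloned or renamed SP host is introduced, before looking at the IdP logs.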


