Error in SAML2/POST while Login

Peter Schober peter.schober at
Mon May 9 19:47:31 EDT 2016

* Ram, Budh <budh.ram at> [2016-05-09 12:56]:
> I am getting below error while browsing this URL
> changes to
> ( )

That ("URL changes") means you've initiated SSO at the SP and are
returned to the SP with a response from the IDP.

> SAML response reported an IdP error.
> Error from identity provider:
> Status: urn:oasis:names:tc:SAML:2.0:status:Requester
> Sub-Status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied
> Message: The digital signature of the received SAML2 message is invalid.

What about that Message is unclear?
The IDP cannot verify your SP's cryptographic signature on the SAML2.0
authentication request you generated (and sent to the IDP) when you
accessed the SP's Login handler. How to fix that:
Shibboleth Wiki -> SHIB2 space -> Troubleshoot -> SP: Signature Issues.

> 2016-05-09 05:43:42 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: unable to connect socket for URL ''

I can connect to that URL without problems so if your SP cannot that's
something you need to debug locally. Maybe you need to use a proxy
server to make outgoing connections from that machine? Maybe verify
with curl on the command line first. If so see
for documentation.

> 2016-05-09 05:43:42 INFO OpenSAML.MetadataProvider.XML : using local backup of remote resource
> 2016-05-09 05:43:42 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (C:/opt/shibboleth-sp/var/cache/shibboleth/metadata.xml)

JFYI, the metadata at
has no expiration date (validUntil) so the software will fall back to
the local copy indefinitely.
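
The missing validUntil pointed out at the end of the message can be checked for before a metadata file is trusted as a backing copy. The following is an added example, not part of the original post or of the Shibboleth code base; the entityID, the sample documents and the 14-day limit are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
ROOTS = {MD + "EntityDescriptor", MD + "EntitiesDescriptor"}

def sample(attrs=""):
    """Constructed metadata document; the entityID is a placeholder."""
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'entityID="https://idp.example.org/idp/shibboleth" {attrs}/>')

def parse_valid_until(value):
    """Parse xs:dateTime; a value without an offset is treated as UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_metadata_expiry(xml_text, now=None, max_validity=timedelta(days=14)):
    """Classify the root element's validUntil attribute.

    Only the expiry is checked here; signature verification of the
    metadata is a separate step and is not performed.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag not in ROOTS:
        return "not-metadata"
    raw = root.get("validUntil")
    if raw is None:
        return "no-expiry"   # a cached copy of this file never goes stale
    valid_until = parse_valid_until(raw)
    if valid_until <= now:
        return "expired"
    if valid_until - now > max_validity:
        return "too-long"    # expiry exists but is further out than allowed
    return "ok"

if __name__ == "__main__":
    now = datetime(2016, 5, 9, tzinfo=timezone.utc)  # constructed reference time
    for attrs in ("", 'validUntil="2016-05-16T00:00:00Z"',
                  'validUntil="2016-05-01T00:00:00Z"',
                  'validUntil="2017-05-09T00:00:00Z"'):
        print(attrs or "(no validUntil)", "->",
              check_metadata_expiry(sample(attrs), now))
```

The Shibboleth SP can enforce the same rule when it loads metadata through its RequireValidUntil metadata filter.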
