Unable to locate a SAML 2.0 ACS endpoint to use for response

Mr. Christopher Bland chris at fdu.edu
Fri Jun 16 15:37:41 EDT 2017


Hi Peter,

I realized I forgot to include some info.  I am running Shibboleth SP v2.6 on (3) RHEL 7 boxes which sit behind a load balancer.  I was able to get things up and running using the shibboleth2.xml file with a few customizations for our environment.  Since I am working in a clustered environment, I deviated from my working default in an attempt to implement/configure an ODBC Storage Service.  The documentation for NativeSPODBCStorageService ( https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPODBCStorageService ) required me to set a few things up differently than I would have normally; as such, I looked at the example-shibboleth2.xml file to make sure I placed the OutOfProcess, StorageService, SessionInitiator, and LogoutInitiator in the proper places in the shibboleth2.xml file (I was initially getting errors due to order).  Since my SPs can talk to my IDP with a default config, there has to be something I missed following the documentation.  In someone else's post it was suggested to make sure the metadata matched, so I updated my IDP with new metadata from my SPs just in case something changed, but I'm still receiving the error.  My logs are telling me

native.log
2017-06-15 21:31:38 ERROR Shibboleth.Apache [4181] shib_check_user: Unable to locate a SAML 2.0 ACS endpoint to use for response.

-Chris

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober <peter.schober at univie.ac.at>
Sent: Friday, June 16, 2017 6:56 AM
To: users at shibboleth.net
Subject: Re: Unable to locate a SAML 2.0 ACS endpoint to use for response

* Mr. Christopher Bland <chris at fdu.edu> [2017-06-16 03:50]:
> I am troubleshooting a cluster of SPs behind a load balancer and
> keep getting "Unable to locate a SAML 2.0 ACS endpoint to use for
> response"

All prior warnings and the context for that error message might be
relevant.

> <MetadataProvider type="Chaining">
>   <MetadataProvider type="XML" url="https://identity-provider/idp/profile/Metadata/SAML" backingFilePath="idp-metadata.xml"/>
>   <MetadataProvider type="XML" url="https://dev_identity-provider/idp/profile/Metadata/SAML" backingFilePath="idpdev-metadata.xml"/>
> </MetadataProvider>

Note that the wrapping "Chaining" provider is unnecessary, and more
gravely, that the above is rather insecure (unless you're willing to
bet that TLS alone will be good enough, no matter what kind of
metadata gets served there, with how many entityIDs, etc.)

If the servers/entities you're downloading metadata from are not your
own, you'd better add an entity whitelist filter to those, too,
otherwise these IDPs (or servers, or anyone in between managing to
MITM this connection) could impersonate anything and anyone to your
SP.
If those entities are your own I'd question the need for such
dynamicity and either supply those as local, verified, static files,
or maybe add some config management tooling to distribute those.
Finally, you (or the producer of this metadata) could also sign the
metadata (though you may still want to add a filter, to only let
expected entityIDs pass).

> I believe I made the correct changes based on documentation and
> example-shibboleth2.xml file but it doesn’t work.

If you've literally been changing the file example-shibboleth2.xml
then "it doesn't work" is the expected result of such action:
example-shibboleth2.xml is not used by the software by default (hence
the name), but shibboleth2.xml is.

-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
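As an added illustration of the hardening Peter describes above (this is constructed example configuration, not a fragment from this thread or from the Shibboleth project's default files): the remote provider from the original post, with a signature filter and an entityID whitelist applied, and the static-file alternative for metadata you control. The signer certificate file name and the IdP entityID are assumptions.

```xml
<!-- Option 1: keep fetching remotely, but do not trust TLS alone.
     The filters run in order: the signature check rejects anything not signed
     by the expected key, then the whitelist drops every entity except the one
     this SP is actually meant to trust. -->
<MetadataProvider type="XML"
                  url="https://identity-provider/idp/profile/Metadata/SAML"
                  backingFilePath="idp-metadata.xml">
    <!-- Assumed file: PEM certificate of the party that signs this metadata -->
    <MetadataFilter type="Signature" certificate="idp-metadata-signer.pem"/>
    <!-- Assumed entityID; only listed entityIDs survive the filter -->
    <MetadataFilter type="Whitelist">
        <Include>https://identity-provider/idp/shibboleth</Include>
    </MetadataFilter>
</MetadataProvider>

<!-- Option 2: for an IdP you operate yourself, ship a verified static copy
     instead (e.g. via your config management) and drop the URL entirely.
     No network fetch, so no MITM of the metadata download to worry about. -->
<MetadataProvider type="XML" file="idp-metadata.xml"/>
```

Without one of these, any entity contained in whatever document the URL serves, or is made to serve, is accepted as a trusted IdP by this SP.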