Latest SP gives error Unable to Respond

Cantor, Scott cantor.2 at osu.edu
Tue May 30 10:09:11 EDT 2017


> The issue, I think, is that it is still looking for an http:// binding URL, even
> though the metadata for this SP has no traces of http:// in the bindings.

The metadata has nothing to do with what the SP asks for. It's what the IdP uses to compare to what the SP asks for. The SP asked for http, so that's what the metadata has to contain. If the SP shouldn't be asking for http, then the web server on which it's running isn't virtualized properly and it is running on http, so that's what it asks for.

IIS doesn't support virtualization at all, so the SP hacks around that imperfectly with the ability to virtualize the scheme and port in the <Site> element analogously to Apache's ServerName setting.

> One thing I should also mention in shibboleth2.xml is that I put the entity ID
> as the URL of our IdP (https://shibb.srv.hull-college.ac.uk/idp/shibboleth) -
> which is different to its entityID (http://shibb.hull-college...). We were
> advised to keep the old entityID by the UK Federation when migrating to the
> v3 server. But I can't see anything in the documentation for the <SSO> tag of
> <ApplicationDefaults> which explains how to handle this scenario. We only
> want the SP to authenticate against our SP.

The entityID in the SSO element is the name of the IdP to use. It's not the name of the SP, nor does either name represent a location or have any impact on the use of a particular scheme on a vhost.

-- Scott
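
The comparison described in the message above, as an added example that is not part of the original message and not Shibboleth's own code: the ACS URL the SP puts in its request is checked against the endpoints in the SP's metadata, so a request built on http fails against https-only metadata. The host sp.example.org, both XML samples and the function name check_acs are constructed for illustration.

```python
# Added example: mirrors the comparison described above, not Shibboleth's code.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample data; sp.example.org is a placeholder host.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2017-05-30T14:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.org/Shibboleth.sso/SAML2/POST"/>"""


def check_acs(request_xml, metadata_xml):
    """Return (status, detail) for the ACS URL an SP asked for."""
    req = ET.fromstring(request_xml)
    asked = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if asked is None:
        return ("no-acs-url", "request names no ACS URL; nothing to compare")
    md = ET.fromstring(metadata_xml)
    endpoints = [(e.get("Binding"), e.get("Location"))
                 for e in md.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)]
    if any(loc == asked and (binding is None or b == binding) for b, loc in endpoints):
        return ("match", asked)
    a = urlsplit(asked)
    for _, loc in endpoints:
        m = urlsplit(loc)
        # Same host and path, different scheme: the SP thinks it runs on another scheme.
        if (a.hostname, a.path) == (m.hostname, m.path) and a.scheme != m.scheme:
            return ("scheme-mismatch",
                    f"SP asked for {a.scheme}://, metadata lists {m.scheme}://")
    return ("no-match", asked)


if __name__ == "__main__":
    print(check_acs(AUTHN_REQUEST, SP_METADATA))
```

A scheme-mismatch result points at the web server's view of its own scheme and port, not at the metadata.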


