IdP gives Unable to respond error
Dave Perry
Dave.Perry at hull-college.ac.uk
Wed May 31 10:04:54 EDT 2017
Sorry if this echoes, but I sent it yesterday and saw no indication that it had been processed from the mailing list side...
I'm installing the SP on an IIS VM to authenticate against a webapp (not one I maintain). I've done it fine internal-only on a test clone, but the live one is published via a reverse proxy and is secure-only so I need to do the live one slightly differently.
I got the Metadata after installing the SP on the live server, and amended all the bind URLs to be https:// before adding the metadata to my IdP (3.1.1 fwiw - I've pencilled in upgrading to 3.3 over summer).
And now get this error:
'Unable to Respond
The login service was unable to identify a compatible way to respond to the requested resource. This is generally to due to a misconfiguration on the part of the resource and should be reported.'
DEBUG log lines from the failed attempt (IdP side, no warnings in the SP native.log):
2017-05-30 11:36:37,658 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:505] - Profile Action PopulateBindingAndEndpointContexts: Populating template endpoint for resolution from SAML AuthnRequest
2017-05-30 11:36:37,659 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:220] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Returning 6 candidate endpoints of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService
2017-05-30 11:36:37,659 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:126] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Candidate endpoint location did not match http://heritage.srv.hull-college.ac.uk/Shibboleth.sso/SAML2/POST
2017-05-30 11:36:37,659 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:117] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Candidate endpoint binding did not match urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-05-30 11:36:37,660 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:117] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Candidate endpoint binding did not match urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-05-30 11:36:37,660 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:86] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Candidate endpoint binding urn:oasis:names:tc:SAML:2.0:bindings:PAOS not permitted by input criteria
2017-05-30 11:36:37,660 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:86] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Candidate endpoint binding urn:oasis:names:tc:SAML:1.0:profiles:browser-post not permitted by input criteria
2017-05-30 11:36:37,661 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:86] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Candidate endpoint binding urn:oasis:names:tc:SAML:1.0:profiles:artifact-01 not permitted by input criteria
2017-05-30 11:36:37,661 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:130] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: No candidate endpoints met criteria
2017-05-30 11:36:37,661 - WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:402] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint
2017-05-30 11:36:37,664 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:154] - No SAMLBindingContext or binding URI available, error must be handled locally
The issue, I think, is that it is still looking for an http:// binding URL, even though the metadata for this SP has no traces of http:// in the bindings - I've attached the metadata (without the certificate bit).
I've made sure the external DNS name in the SP config is set to be the correct domain that it maps to externally, that it maps to the site ID from IIS and the entityID for the SP matches it in the metadata.
One thing I should also mention in case it matters - in shibboleth2.xml I put the entity ID as the URL of our IdP (https://shibb.srv.hull-college.ac.uk/idp/shibboleth) - which is different to its entityID (http://shibb.hull-college.ac.uk/idp/shibboleth). We were advised to keep the old entityID by the UK Federation when migrating to the v3 server. But I can't see anything in the documentation for the <SSO> tag of <ApplicationDefaults> which explains how to handle this scenario. We only want the SP to authenticate against our IdP.
What am I missing?
Thanks,
Dave
_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group (Monday - Thursday)
Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930
* Need a fast reply? Try elearning at hull-college.ac.uk *
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sp-metadata-heritage0517-nocert.xml
Type: application/xml
Size: 5383 bytes
Desc: sp-metadata-heritage0517-nocert.xml
URL: <http://shibboleth.net/pipermail/users/attachments/20170531/008c7470/attachment-0001.wsdl>
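Added example, not code from the original post or from the Shibboleth project: it reproduces the candidate filtering the DEBUG log above shows the IdP performing (binding permitted, then binding match, then Location match) against a constructed stand-in for the scrubbed SP metadata, and adds a check that flags the http:// versus https:// Location mismatch the poster suspects. The permitted-binding set, the hostname and all URLs are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:bindings:"
SAML1 = "urn:oasis:names:tc:SAML:1.0:profiles:"
HTTP_POST = SAML2 + "HTTP-POST"
# Assumed set of bindings the IdP considers for a SAML 2 browser SSO response;
# the log above rejects PAOS and the SAML 1 profiles as "not permitted".
PERMITTED = {HTTP_POST, SAML2 + "HTTP-POST-SimpleSign", SAML2 + "HTTP-Artifact"}

# Constructed stand-in for the scrubbed attachment: six ACS endpoints, all https://.
HOST = "https://heritage.example/Shibboleth.sso"
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{HOST}">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="{HTTP_POST}" Location="{HOST}/SAML2/POST" index="1"/>
  <md:AssertionConsumerService Binding="{SAML2}HTTP-POST-SimpleSign" Location="{HOST}/SAML2/POST-SimpleSign" index="2"/>
  <md:AssertionConsumerService Binding="{SAML2}HTTP-Artifact" Location="{HOST}/SAML2/Artifact" index="3"/>
  <md:AssertionConsumerService Binding="{SAML2}PAOS" Location="{HOST}/SAML2/ECP" index="4"/>
  <md:AssertionConsumerService Binding="{SAML1}browser-post" Location="{HOST}/SAML/POST" index="5"/>
  <md:AssertionConsumerService Binding="{SAML1}artifact-01" Location="{HOST}/SAML/Artifact" index="6"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def acs_endpoints(metadata_xml):
    """Return (Binding, Location) for every AssertionConsumerService in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]

def resolve_endpoint(endpoints, req_binding, req_location):
    """Filter candidates in the order the DEBUG log shows the IdP doing it.
    Returns (first matching endpoint or None, list of rejection reasons)."""
    reasons = []
    for binding, location in endpoints:
        if binding not in PERMITTED:
            reasons.append(f"binding {binding} not permitted by input criteria")
        elif binding != req_binding:
            reasons.append(f"binding did not match {req_binding}")
        elif location != req_location:
            reasons.append(f"location did not match {req_location}")
        else:
            return (binding, location), reasons
    return None, reasons

def scheme_only_mismatch(endpoints, req_location):
    """True when a metadata Location equals the requested ACS URL except for the
    scheme: the symptom of an SP behind a TLS-terminating reverse proxy that still
    believes it is serving http:// and puts that URL in its AuthnRequest."""
    req = urlsplit(req_location)
    return any(urlsplit(loc)[1:] == req[1:] and urlsplit(loc).scheme != req.scheme
               for _, loc in endpoints)
```

Run `resolve_endpoint(acs_endpoints(SP_METADATA), HTTP_POST, "http://.../SAML2/POST")` to see the same six rejections as the log; `scheme_only_mismatch` then points at the request URL, not the metadata, as the thing to fix.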