Latest SP gives error Unable to Respond

Dave Perry Dave.Perry at
Wed May 31 11:24:49 EDT 2017

Found this, thanks (newer version of email filter appears to be more aggressive..).

I've got things running via http now, but have a new issue from shibd.log (after successful IdP login)...
2017-05-31 15:54:13 DEBUG OpenSAML.MessageDecoder.SAML2 [4]: searching metadata for message issuer...
2017-05-31 15:54:13 WARN OpenSAML.MessageDecoder.SAML2 [4]: no metadata found, can't establish identity of issuer (

I believe I have loaded the IdP metadata in the SP, but there is no mention of issuer in it. I can't find the URL to generate the IdP metadata again (I know it needs reviewing before being copied to places), which was the first thing I wanted to try.


Dave Perry
eLearning Technologist, Hull College Group (Monday - Thursday)

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at *

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: 30 May 2017 15:09
To: Shib Users
Subject: RE: Latest SP gives error Unable to Respond

> The issue, I think, is that it is still looking for an http:// binding 
> URL, even though the metadata for this SP has no traces of http:// in the bindings.

The metadata has nothing to do with what the SP asks for. It's what the IdP uses to compare to what the SP asks for. The SP asked for http, so that's what the metadata has to contain. If the SP shouldn't be asking for http, then the web server on which it's running isn't virtualized properly and it is running on http, so that's what it asks for.

IIS doesn't support virtualization at all, so the SP hacks around that imperfectly with the ability to virtualize the scheme and port in the <Site> element analagously to Apache's ServerName setting.

> One thing I should also mention in shibboleth2.xml is that I put the 
> entity ID as the URL of our IdP 
> ( - which is 
> different to its entityID (http://shibb.hull-college...). We were 
> advised to keep the old entityID by the UK Federation when migrating 
> to the
> v3 server. But I can't see anything in the documentation for the <SSO> 
> tag of <ApplicationDefaults> which explains how to handle this 
> scenario. We only want the SP to authenticate against our SP.

The entityID in the SSO element is the name of the IdP to use. It's not the name of the SP, nor does either name represent a location or have any impact on the use of a particular scheme on a vhost.

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at

This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission.  Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College.  Nothing in this
message should be construed as creating a contract.

Hull College Group owns the email infrastructure, including the contents.

Hull College Group is committed to sustainability, please reflect before printing this email.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: idp-metadata-nocerts.xml
Type: application/xml
Size: 5927 bytes
Desc: idp-metadata-nocerts.xml
URL: <>

More information about the users mailing list