Metadata resolver is looking at ID instead of entityID

Cody Carmichael ccarmichael at voalte.com
Mon Aug 6 12:47:17 EDT 2018


Here is my metadata provider, currently the only configured provider:

<MetadataProvider id="LocalEntityMetadataCRC"
                  xsi:type="FilesystemMetadataProvider"
                  metadataFile="/opt/shibboleth-idp/metadata/meta-cert2.xml">
        <MetadataFilter xsi:type="Predicate" direction="include"
                        removeEmptyEntitiesDescriptors="true">
            <Entity>https://mySP/rest/v2/sso/message/shibboleth/metadata</Entity>
        </MetadataFilter>
</MetadataProvider>

The metadata contains the following:

entityID="https://mySP.net/rest/v2/sso/message/shibboleth/metadata"
ID="_ef844bd930b2aed9154854a0cb80ae78"

When I try to access the IdP's login page, the logs say:

Metadata Resolver FilesystemMetadataResolver LocalEntityMetadataCRC:
Metadata backing store does not contain any EntityDescriptors with the ID:
https://mySP.net/rest/v2/sso/message/shibboleth/metadata


From which I understand that it appears to be looking at the ID instead of
the entityID.

Here is my relying party:

<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://mySP.net/rest/v2/sso/message/shibboleth/metadata">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:postAuthenticationFlows="attribute-release"
                  p:encryptAssertions="false" />
        </list>
    </property>
</bean>


Even when I edited the metadata file so that
ID="https://mySP.net/rest/v2/sso/message/shibboleth/metadata", restarted
Shibboleth and tried accessing the login screen again, the logs still had the
same message about the backing store not containing any EntityDescriptors
with the provided ID. I have double and triple checked that the entityID and
the ID are "https://mySP.net/rest/v2/sso/message/shibboleth/metadata". I have
also double and triple checked that the metadata file is where it is supposed
to be. So my two questions are:

1. Why would the IdP be looking at the ID instead of the entityID in the
metadata? Where is this configured?
2. Even after I change the ID to be what the IdP is looking for, why would
it not be recognizing the change?
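As an added check, not part of the post or of the Shibboleth project's own code: a Python script that parses the SP metadata and the metadata-provider configuration and reports whether every <Entity> in an include-direction Predicate filter, and the relying-party id, match an entityID in the metadata character for character. The metadata resolver matches on entityID, and that is the value the "with the ID:" log line prints, so the XML ID attribute plays no part in the lookup; the check therefore compares the filter and relying-party strings against entityID only. The entityID, ID attribute, filter value and provider attributes are the ones quoted in the post; the SPSSODescriptor body and the namespace declarations on the wrapped fragment are constructed.

```python
"""Cross-check a Shibboleth IdP Predicate metadata filter and a relying-party id
against the SP metadata they refer to.  Added example, not code from the post or
from the Shibboleth project; the descriptor body below is constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"        # SAML 2.0 metadata
SHIB_MD_NS = "urn:mace:shibboleth:2.0:metadata"       # IdP metadata-providers.xml
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed SP metadata using the entityID and ID quoted in the post.  The
# entityID is the SAML identifier; ID is only an XML document identifier.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mySP.net/rest/v2/sso/message/shibboleth/metadata"
    ID="_ef844bd930b2aed9154854a0cb80ae78">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mySP.net/acs" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# The provider from the post, wrapped with the namespace declarations that the
# root of metadata-providers.xml carries (constructed).  Note the <Entity>
# value lacks the ".net" present in the entityID, and wraps onto a second line.
POSTED_PROVIDER = """\
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="LocalEntityMetadataCRC" xsi:type="FilesystemMetadataProvider"
    metadataFile="/opt/shibboleth-idp/metadata/meta-cert2.xml">
  <MetadataFilter xsi:type="Predicate" direction="include"
      removeEmptyEntitiesDescriptors="true">
    <Entity>https://mySP/rest/v2/sso/message/shibboleth/metadata
    </Entity>
  </MetadataFilter>
</MetadataProvider>
"""

# Same provider with the <Entity> value spelled exactly like the entityID.
CORRECTED_PROVIDER = POSTED_PROVIDER.replace(
    "https://mySP/rest", "https://mySP.net/rest")

RELYING_PARTY_ID = "https://mySP.net/rest/v2/sso/message/shibboleth/metadata"


def entity_ids(metadata_xml):
    """entityID of every EntityDescriptor, however deeply nested in EntitiesDescriptor."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for desc in root.iter("{%s}EntityDescriptor" % MD_NS):
        eid = desc.get("entityID")
        if eid:
            found.add(eid.strip())
    return found


def predicate_include_entities(provider_xml):
    """Entity values listed by include-direction Predicate filters in the provider."""
    root = ET.fromstring(provider_xml)
    wanted = set()
    for flt in root.iter("{%s}MetadataFilter" % SHIB_MD_NS):
        if flt.get("{%s}type" % XSI_NS) != "Predicate":
            continue
        if flt.get("direction") != "include":
            continue
        for ent in flt.iter("{%s}Entity" % SHIB_MD_NS):
            if ent.text:
                # Stripped so a wrapped element does not hide a real mismatch.
                wanted.add(ent.text.strip())
    return wanted


def check_consistency(metadata_xml, provider_xml, relying_party_ids):
    """Report filter values and relying-party ids that match no entityID,
    plus the entities that would survive an include filter."""
    ids = entity_ids(metadata_xml)
    included = predicate_include_entities(provider_xml)
    surviving = (ids & included) if included else ids
    return {
        "entity_ids": sorted(ids),
        "filter_misses": sorted(included - ids),
        "surviving": sorted(surviving),
        "relying_party_misses": sorted(
            rp for rp in relying_party_ids if rp not in surviving),
    }


if __name__ == "__main__":
    for label, provider in (("posted", POSTED_PROVIDER),
                            ("corrected", CORRECTED_PROVIDER)):
        print(label, check_consistency(SAMPLE_METADATA, provider, [RELYING_PARTY_ID]))
```

Run against the posted provider, the filter value is reported as matching no entityID, so nothing survives the include filter and the relying-party id has nothing to resolve against; with the corrected filter value the single entity survives and the relying-party id resolves. The same script can be pointed at a real metadata file and provider fragment by substituting the two strings.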