Metadata resolver is looking at ID instead of entityID

Brent Putman putmanb at georgetown.edu
Mon Aug 6 16:15:11 EDT 2018



On 8/6/18 3:27 PM, Cody Carmichael wrote:
> Yes I did post last week about the logs showing different values for
> the expected and actual digest values. The logs are no longer showing
> messages about that. Right now the logs spit out the decoded SAML
> message that contains stuff for the AuthnRequest like the
> DigestMethod, DigestValue, SignatureValue, KeyInfo, etc...

Errors about the signature validation would occur well before that.
Since this is the Filesystem- provider, errors there would occur at IdP
startup and/or at metadata refresh time.  I'd wager a hefty sum that if
you restart your IdP, and then look at the logs since that startup
(without even attempting any SP login activity) you will see errors
there from the SignatureValidation filter and the components it calls.

>
> There is also this message at the end of the log:
>
>     Profile Action SelectProfileConfiguration: Profile
>     http://shibboleth.net/ns/profiles/saml2/sso/browser is not
>     available for RP configuration shibboleth.UnverifiedRelyingParty
>     (RPID https://mySP.net/rest/v2/sso/message/shibboleth/metadata)
>
>
> But I figured that was because it's calling my SP unverified because
> it's not finding the metadata, and it's not finding the metadata for
> reasons I haven't figured out.

Correct, exactly.  In the IdP "unverified" means "no metadata" for that
entity.


> If the signature validation check is still failing, the logs are not
> giving any indication of it. 
>

Look earlier in the logs.  The errors with the Filesystem- provider
will happen at IdP start time, not when you are attempting to log in to
your SP.  (The latter would be true as you were doing before with the
dynamic HTTP provider, since there it's going to resolve the metadata
at runtime when it first needs to be looked up.)

--Brent
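A quick diagnostic for the "unverified" case discussed above, added here as an example and not part of the thread or of the Shibboleth IdP itself: it parses a metadata file by entityID (not the XML ID attribute), reports whether the RPID from the UnverifiedRelyingParty log line matches any descriptor exactly, and notes whether each descriptor carries a Signature for the filter to validate. The metadata document and the log line below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata: the XML ID attribute is only a document-local
# identifier; the IdP keys the relying party on entityID, which here differs
# from the RPID in the log line by a trailing slash.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_8f3a0e2c"
    entityID="https://mySP.net/rest/v2/sso/message/shibboleth/metadata/">
  <ds:Signature><ds:SignatureValue>c29tZQ==</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed copy of the log line quoted in the thread.
SAMPLE_LOG_LINE = ("Profile Action SelectProfileConfiguration: Profile "
                   "http://shibboleth.net/ns/profiles/saml2/sso/browser is not available "
                   "for RP configuration shibboleth.UnverifiedRelyingParty "
                   "(RPID https://mySP.net/rest/v2/sso/message/shibboleth/metadata)")

RPID_RE = re.compile(r"UnverifiedRelyingParty \(RPID (\S+)\)")

def rpid_from_log(line):
    """Return the RPID the IdP could not find metadata for, or None."""
    m = RPID_RE.search(line)
    return m.group(1) if m else None

def describe_metadata(xml_text):
    """List ID, entityID and signed-ness for every EntityDescriptor (aggregates too)."""
    root = ET.fromstring(xml_text)
    tag = f"{{{MD_NS}}}EntityDescriptor"
    found = [root] if root.tag == tag else list(root.iter(tag))
    return [{"ID": ed.get("ID"), "entityID": ed.get("entityID"),
             "signed": ed.find(f"{{{DS_NS}}}Signature") is not None} for ed in found]

def diagnose(xml_text, log_line):
    """Exact match means the resolver can find the RP; a near match (trailing slash
    only) is still a different entityID, since the comparison is an exact string match."""
    rpid = rpid_from_log(log_line) or ""      # "" never equals a real entityID
    entries = describe_metadata(xml_text)
    exact = any(e["entityID"] == rpid for e in entries)
    near = not exact and any(e["entityID"] and e["entityID"].rstrip("/") == rpid.rstrip("/")
                             for e in entries)
    return {"rpid": rpid, "exact_match": exact, "near_match": near, "entities": entries}
```

Run `diagnose()` against the real metadata file and the RPID line from idp-process.log; a near match or a descriptor with `signed` False points at the cause before any SignatureValidation filter output is even reached.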