Metadata resolver is looking at ID instead of entityID

Brent Putman putmanb at
Mon Aug 6 16:15:11 EDT 2018

On 8/6/18 3:27 PM, Cody Carmichael wrote:
> Yes I did post last week about the logs showing different values for
> the expected and actual digest values. The logs are no longer showing
> messages about that. Right now the logs spit out the decoded SAML
> message that contains stuff for the AuthnRequest like the
> DigestMethod, DigestValue, SignatureValue, KeyInfo, etc...

Errors about the signature validation would occur well before that. 
Since this is the Filesystem- provider, errors there would occur at IdP
startup and/or at metadata refresh time.  I'd wager a hefty sum that if
you restart your IdP, and then look the logs since that startup
(without even attempting any SP login activity) you will see errors
there from the SignatureValidation filter and the components it calls.

> There is also this message at the end of the log:
>     Profile Action SelectProfileConfiguration: Profile
> is not
>     available for RP configuration shibboleth.UnverifiedRelyingParty
>     (RPID
> But I figured that was because it's calling my SP unverified because
> it's not finding the metadata, and it's not finding the metadata for
> reasons I haven't figured out.

Correct, exactly.  In the IdP "unverified" means "no metadata" for that

> If the signature validation check is still failing, the logs are not
> giving any indication of it. 

Look earlier in the logs.  The errors with the Filesystem- provider
will happen at IdP start time, not when you are attempting to log in to
your SP.  (The latter would be true as you were doing before with the
dynamic HTTP provider, since there it's going to resolve the metadata
at runtime when it first needs to be looked up.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list