Invalid Metadata on different versions of IdP
Michael Dahlberg
olgamirth at gmail.com
Wed Aug 29 21:25:07 EDT 2018
I just upgraded our IdP from v. 3.2.1 to v. 3.3.3 and one of my SPs is
giving me problems. When accessing the site using v.3.2.1, access is
permitted. When using v.3.3.3 I get an error page that states
"Unsupported Request". Metadata and config files are the same across
versions. Looking at the v.3.3.3, I get a debug log with the following
entries:
20:19:16.117 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:162] - Metadata Resolver FilesystemMetadataResolver PageUpMD: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://admin.dc4.pageuppeople.com/]
20:19:16.118 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:590] - Metadata Resolver FilesystemMetadataResolver PageUpMD: Attempting to filter candidate EntityDescriptors via resolved Predicates
20:19:16.118 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:612] - Metadata Resolver FilesystemMetadataResolver PageUpMD: After predicate filtering 1 EntityDescriptors remain
20:19:16.119 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:264] - Resolved 1 source EntityDescriptors
20:19:16.119 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:275] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering
20:19:16.120 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:372] - Candidates iteration was empty, nothing to filter via predicates
20:19:16.120 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://admin.dc4.pageuppeople.com/ in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
20:19:16.122 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
20:19:16.122 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
20:19:16.122 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:110] - Message Handler: No metadata context found, nothing to do
20:19:16.123 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://admin.dc4.pageuppeople.com/
20:19:16.123 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
20:19:16.124 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:299] - Profile request is unverified, returning configuration shibboleth.UnverifiedRelyingParty
20:19:16.124 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.UnverifiedRelyingParty for request
20:19:16.125 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID https://admin.dc4.pageuppeople.com/)
20:19:16.143 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
20:19:16.144 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:154] - No SAMLBindingContext or binding URI available, error must be handled locally
Obviously, the metadata is found but the RP is "Unverified" because the
profile "http://shibboleth.net/ns/profiles/saml2/sso/browser" is not
available. Is this profile available for v.3.2.1 but not for v.3.3.3? If
that is the case, is it possible to make it available?
Any suggestions on how to troubleshoot this issue would be greatly
appreciated.
Thanks,
Mike
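
A small triage script for the log above, added here as an example; it is not part of the original message and not Shibboleth code. It joins entries that a mail client has wrapped across lines and reports, per entityID, what the metadata lookup and the profile selection each logged. The function names and report keys are made up for this example.

```python
import re

# Three entries from the log in the post, hard-wrapped the way a mail client wraps them.
SAMPLE_LOG = """\
20:19:16.117 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:162]
- Metadata Resolver FilesystemMetadataResolver PageUpMD: Resolved 1
candidates via EntityIdCriterion: EntityIdCriterion [id=
https://admin.dc4.pageuppeople.com/]
20:19:16.120 - INFO
[org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] -
Message Handler: No metadata returned for
https://admin.dc4.pageuppeople.com/ in role
{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol
urn:oasis:names:tc:SAML:2.0:protocol
20:19:16.125 - WARN
[net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
Action SelectProfileConfiguration: Profile
http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP
configuration shibboleth.UnverifiedRelyingParty (RPID
https://admin.dc4.pageuppeople.com/)
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} - ")  # every entry starts with a timestamp
RESOLVED = re.compile(r"Resolved (\d+) candidates via EntityIdCriterion: EntityIdCriterion \[id=\s*(\S+?)\]")
NO_ROLE = re.compile(r"No metadata returned for (\S+) in role (\S+) with protocol (\S+)")
REFUSED = re.compile(r"Profile (\S+) is not available for RP configuration (\S+) \(RPID (\S+)\)")

def unwrap(text):
    """Join continuation lines (no leading timestamp) onto their log entry."""
    entries = []
    for line in text.splitlines():
        if TS.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Per entityID: entity candidates found, failed role lookup, refused profile."""
    report = {}
    for entry in unwrap(text):
        if m := RESOLVED.search(entry):
            report.setdefault(m.group(2), {})["entity_candidates"] = int(m.group(1))
        elif m := NO_ROLE.search(entry):
            report.setdefault(m.group(1), {})["role_lookup_failed"] = (m.group(2), m.group(3))
        elif m := REFUSED.search(entry):
            report.setdefault(m.group(3), {})["refused"] = (m.group(1), m.group(2))
    return report
```

An entityID that shows `entity_candidates` of 1 together with `role_lookup_failed` and `refused` is one whose EntityDescriptor was resolved but whose role and protocol lookup returned nothing, which is the point at which the log shows the request being handled as shibboleth.UnverifiedRelyingParty.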