"Unable to locate metadata" error

Peter Schober peter.schober at univie.ac.at
Tue Jul 10 18:58:16 EDT 2018


* Tony Ennis <tennis at eagle6.com> [2018-07-11 00:36]:
> blah metadataException: Unable to locate metadata for identity
> provider (https://my.idp/idp/shibboleth)

OK, so no metadata for that IDP available.

> If I browse directly to the idp, it returns metadata.

That doesn't mean the SP processed it correctly.
The SP's logs would tell you:

$ fgrep OpenSAML.Metadata.XML /var/log/shibboleth/shibd.log

and the SP would create a cached copy in (by default)
/var/cache/shibboleth/

> The entityID is again set as the idp (https://my.idp/idp/shibboleth) in the SSO section and SAML2 is supported.

Well, ApplicationDefaults/@entityID is your own entityID.

Sessions/SSO/@entityID would be the IDP's, and you certainly have that
set, because accessing /Shibboleth.so/Login tries to send you off to
the provided IDP immediately.

> In the MetadataProvider section, the entityID is again set to the
> idp (https://my.idp/idp/shibboleth) correctly.

Not "correctly" -- the MetadataProvider section has no use for
entityIDs: It may have a "url" XML attribute from where to load the
metadata. (And if your IDP's entityID is a URL and serves up its own
metadata at the value of its own entityID, well it would work. But
entityIDs are not locations and the MetadataProvider does not care
about entityIDs.)

A correct MetadataProvider would look like the examples in the
distributed shibboleth2.xml or example-shibboleth2.xml. Or like in the
documentation. Without specifics the only thing that seems clear is
that your SP is not loading that metadata.

> I cannot really paste the config as it is inside our secure area.

You'll need to check the SP's logs.
Also try connecting to the metadata URL from the server, using curl,
just to make sure you don't need to configure a forward proxy in order
to connect to the other server.

Also be aware that loading remote metadata that's unsigned is
completely insecure (or signed metadata where you're not checking the
signature): Metadata is XML and XML is plain text, but in this case
plain text that contains key material (e.g. a cert with the IDP's
signing key) that the software trusts implicitly, so you're
effectively blindly downloading something like CA trust anchors from a
plain text file over the network. (Read: Don't do that.)

-peter
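
An added example, not part of the message above and not Shibboleth project code: a Python check to run against the SP's cached metadata copy. It shows whether the IdP's entityID is present in the document (exact string match, independent of the URL the file was fetched from) and whether the document carries a signature element at all. The function name `inspect_metadata` and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not from the thread): a single, unsigned IdP entity.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://my.idp/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my.idp/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_metadata(xml_text, idp_entity_id):
    """Report whether idp_entity_id can be resolved from this metadata document."""
    root = ET.fromstring(xml_text)
    # Root is either one EntityDescriptor or an EntitiesDescriptor aggregate;
    # iter() covers both because it also yields the root element itself.
    entities = list(root.iter(f"{{{MD}}}EntityDescriptor"))
    # entityIDs are opaque names compared as exact strings, not URLs to normalize.
    match = next((e for e in entities if e.get("entityID") == idp_entity_id), None)
    has_role = (match is not None
                and match.find(f"{{{MD}}}IDPSSODescriptor") is not None)
    return {
        "entity_ids": [e.get("entityID") for e in entities],
        "found": match is not None,
        "has_idp_role": has_role,
        # Presence only. This does NOT verify the signature; verification
        # against a key obtained out of band is the SP's job.
        "root_signed": root.find(f"{{{DS}}}Signature") is not None,
        "valid_until": root.get("validUntil"),
    }


if __name__ == "__main__":
    # Usage: python3 check_md.py <path-to-cached-metadata> <idp-entityID>
    with open(sys.argv[1], encoding="utf-8") as fh:
        report = inspect_metadata(fh.read(), sys.argv[2])
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["root_signed"]:
        print("warning: no signature on the metadata document")
```

If `found` is false while the file exists, the SP loaded metadata that does not describe the entityID set in Sessions/SSO/@entityID, which produces the same "Unable to locate metadata" error as not loading any metadata at all.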

