Shibboleth IdP Web Login Service - Unsupported Request

Nate Klingenstein ndk at sudonym.me
Fri Sep 7 12:53:14 EDT 2018


Fazla,

You need to make sure that your IdP downloaded SAMLtest's metadata
successfully.  The configuration:

<MetadataProvider id="SAMLtest"
        xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/SAMLtest.xml"
        metadataURL="https://samltest.id/saml/sp">

</MetadataProvider>

needs to be active in your IdP and working successfully.  It should go next
to the other MetadataProvider elements in metadata-providers.xml, and make
sure it's not commented out. You will see an error message in the logs when
you start up your IdP if the configuration is wrong, and you will see a
success message if it does work, and nothing at all if the configuration is
missing or really broken.  Here's the example on my testing machine.

2018-09-07 16:34:30,448 - INFO
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:504]
- Metadata Resolver FileBackedHTTPMetadataResolver SAMLtest: New metadata
successfully loaded for 'https://samltest.id/saml/sp'
2018-09-07 16:34:30,455 - INFO
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:324]
- Metadata Resolver FileBackedHTTPMetadataResolver SAMLtest: Next refresh
cycle for metadata provider 'https://samltest.id/saml/sp' will occur on
'2018-09-07T19:34:30.230Z' ('2018-09-07T19:34:30.230Z' local time

And this is what the last part of my metadata-providers.xml looks like:

    <!--
    Example file metadata provider.  Use this if you want to load metadata
    from a local file.  You might use this if you have some local SPs
    which are not "federated" but you wish to offer a service to.

    If you do not provide a SignatureValidation filter, then you have the
    responsibility to ensure that the contents on disk are trustworthy.
    -->

    <!--
    <MetadataProvider id="LocalMetadata"
        xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
    -->

    <!-- SAMLtest SP metadata -->
    <MetadataProvider id="SAMLtest"
        xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/SAMLtest.xml"
        metadataURL="https://samltest.id/saml/sp">
        <!-- You should always check the signature and freshness of remote
             metadata.  It's commented out until you get the basics working.
            <MetadataFilter xsi:type="SignatureValidation"
                certificateFile="%{idp.home}/credentials/signet.crt" />
            <MetadataFilter xsi:type="RequiredValidUntil"
                maxValidityInterval="P30D"/>
        -->
    </MetadataProvider>

</MetadataProvider>

The metadata configuration is a list of the SPs that your IdP trusts.
Each one is named by a MetadataProvider.  They are all wrapped in one big
<MetadataProvider id="ShibbolethMetadata"
xsi:type="ChainingMetadataProvider" element at the beginning of the
configuration file, and the last line with the closing </MetadataProvider>
tag in my example closes the chain.

If you put the <?xml version="1.0" encoding="UTF-8"?> declaration in the
middle of the file, I would expect parsing to fail, and your IdP probably
doesn't trust any SPs.  Look for an ERROR when you start the IdP.  When I
tried this configuration:

<?xml version="1.0" encoding="UTF-8"?>
<MetadataProvider id="SAMLtest"
        xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/SAMLtest.xml"
        metadataURL="https://samltest.id/saml/sp">

</MetadataProvider>

I got:

018-09-07 16:47:12,749 - ERROR
[net.shibboleth.utilities.java.support.service.AbstractReloadableService:181]
- Service 'shibboleth.MetadataResolverService': Initial load failed
net.shibboleth.utilities.java.support.service.ServiceException:
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line
62 in XML document from file
[/opt/shibboleth-idp/conf/metadata-providers.xml] is invalid; nested
exception is org.xml.sax.SAXParseException; lineNumber: 62; columnNumber:
6; The processing instruction target matching "[xX][mM][lL]" is not allowed.
        at
net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:336)
Caused by:
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line
62 in XML document from file
[/opt/shibboleth-idp/conf/metadata-providers.xml] is invalid; nested
exception is org.xml.sax.SAXParseException; lineNumber: 62; columnNumber:
6; The processing instruction target matching "[xX][mM][lL]" is not allowed.
        at
org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:399)
Caused by: org.xml.sax.SAXParseException: The processing instruction target
matching "[xX][mM][lL]" is not allowed.
        at
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)

When I delete the XML line 62, the logs change and I see success:

2018-09-07 16:50:31,211 - INFO
[net.shibboleth.utilities.java.support.service.AbstractReloadableService:172]
- Service 'shibboleth.MetadataResolverService': Performing initial load
2018-09-07 16:50:31,211 - INFO
[net.shibboleth.utilities.java.support.service.AbstractReloadableService:258]
- Service 'shibboleth.MetadataResolverService': Reloading service
configuration
2018-09-07 16:50:31,213 - INFO
[net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317]
- Loading XML bean definitions from file
[/opt/shibboleth-idp/conf/metadata-providers.xml]
2018-09-07 16:50:31,263 - INFO
[net.shibboleth.ext.spring.util.SchemaTypeAwareXMLBeanDefinitionReader:317]
- Loading XML bean definitions from file
[/opt/shibboleth-idp/system/conf/metadata-providers-system.xml]
2018-09-07 16:50:31,268 - INFO
[net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:583]
- Refreshing ApplicationContext:shibboleth.MetadataResolverService: startup
date [Fri Sep 07 16:50:31 UTC 2018]; parent: Root WebApplicationContext
2018-09-07 16:50:31,571 - INFO
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:504]
- Metadata Resolver FileBackedHTTPMetadataResolver SAMLtest: New metadata
successfully loaded for 'https://samltest.id/saml/sp'
2018-09-07 16:50:31,573 - INFO
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:324]
- Metadata Resolver FileBackedHTTPMetadataResolver SAMLtest: Next refresh
cycle for metadata provider 'https://samltest.id/saml/sp' will occur on
'2018-09-07T16:50:36.571Z' ('2018-09-07T16:50:36.571Z' local time)
2018-09-07 16:50:31,584 - INFO
[net.shibboleth.ext.spring.service.ReloadableSpringService:380] - Service
'shibboleth.MetadataResolverService': Completed reload and swapped in
latest configuration for service 'shibboleth.MetadataResolverService'
2018-09-07 16:50:31,589 - INFO
[net.shibboleth.ext.spring.service.ReloadableSpringService:387] - Service
'shibboleth.MetadataResolverService': Reload complete

So, if you just delete that one line, it might be enough.

Take care,
Nate.
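As an added example (not part of Nate's reply or of the Shibboleth project), here is a small Python lint for metadata-providers.xml that catches the two problems discussed above before the IdP is restarted: an XML declaration pasted into the middle of the file, which fails parsing just as the IdP's ERROR shows, and a remote provider whose SignatureValidation and RequiredValidUntil filters are still commented out. The two sample configurations are constructed; the default namespace on the root element is assumed to be the one the IdP distribution uses.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Provider types that fetch metadata over the network and therefore need filters.
REMOTE_TYPES = {"FileBackedHTTPMetadataProvider", "HTTPMetadataProvider",
                "DynamicHTTPMetadataProvider"}


def local(tag):
    """Strip the namespace so matching works whether or not a default ns is declared."""
    return tag.rsplit("}", 1)[-1]


def lint_metadata_providers(xml_text):
    """Return {'parse_error': str|None, 'providers': [ids], 'warnings': [str]}."""
    result = {"parse_error": None, "providers": [], "warnings": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A second <?xml ...?> declaration mid-file lands here, like the IdP ERROR log.
        result["parse_error"] = str(exc)
        return result
    if local(root.tag) != "MetadataProvider" or root.get(XSI_TYPE) != "ChainingMetadataProvider":
        result["warnings"].append("root element is not a ChainingMetadataProvider")
    for prov in root:
        if local(prov.tag) != "MetadataProvider":
            continue
        pid = prov.get("id", "<no id>")
        result["providers"].append(pid)
        # Commented-out filters are not elements, so they are correctly reported as missing.
        filters = {f.get(XSI_TYPE) for f in prov if local(f.tag) == "MetadataFilter"}
        if prov.get(XSI_TYPE) in REMOTE_TYPES:
            if not prov.get("metadataURL", "").startswith("https://"):
                result["warnings"].append(f"{pid}: metadataURL is not https")
            for needed in ("SignatureValidation", "RequiredValidUntil"):
                if needed not in filters:
                    result["warnings"].append(f"{pid}: remote metadata without {needed} filter")
    return result


# Constructed sample: the chain with the SAMLtest provider, filters still commented out.
GOOD = """<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <MetadataProvider id="SAMLtest" xsi:type="FileBackedHTTPMetadataProvider"
      backingFile="%{idp.home}/metadata/SAMLtest.xml"
      metadataURL="https://samltest.id/saml/sp">
    <!-- <MetadataFilter xsi:type="SignatureValidation" certificateFile="..."/> -->
  </MetadataProvider>
</MetadataProvider>"""
# Constructed sample: the same file with an XML declaration pasted into the middle.
BAD = GOOD.replace('  <MetadataProvider id="SAMLtest"',
                   '  <?xml version="1.0" encoding="UTF-8"?>\n  <MetadataProvider id="SAMLtest"')
```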



On Fri, Sep 7, 2018 at 8:04 AM, fazla <fazlarabby043264 at gmail.com> wrote:

> This is the SAMLtest.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <MetadataProvider id="SAMLtest"
>         xsi:type="FileBackedHTTPMetadataProvider"
>         backingFile="%{idp.home}/metadata/SAMLtest.xml"
>         metadataURL="https://samltest.id/saml/sp">
>
> </MetadataProvider>
>
>
>
> this is the server log
>
> 2018-09-07 07:29:42,300 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for
> RP
> configuration shibboleth.UnverifiedRelyingParty (RPID
> https://samltest.id/saml/sp)
> 2018-09-07 07:29:42,300 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
> 2018-09-07 07:30:28,893 - INFO
> [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] -
> Message Handler:  No metadata returned for https://samltest.id/saml/sp in
> role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol
> urn:oasis:names:tc:SAML:2.0:protocol
> 2018-09-07 07:30:28,893 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for
> RP
> configuration shibboleth.UnverifiedRelyingParty (RPID
> https://samltest.id/saml/sp)
> 2018-09-07 07:30:28,893 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
> 2018-09-07 07:30:34,565 - INFO
> [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] -
> Message Handler:  No metadata returned for https://samltest.id/saml/sp in
> role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol
> urn:oasis:names:tc:SAML:2.0:protocol
> 2018-09-07 07:30:34,565 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for
> RP
> configuration shibboleth.UnverifiedRelyingParty (RPID
> https://samltest.id/saml/sp)
> 2018-09-07 07:30:34,565 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
> 2018-09-07 07:34:23,860 - INFO
> [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] -
> Message Handler:  No metadata returned for https://samltest.id/saml/sp in
> role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol
> urn:oasis:names:tc:SAML:2.0:protocol
> 2018-09-07 07:34:23,860 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for
> RP
> configuration shibboleth.UnverifiedRelyingParty (RPID
> https://samltest.id/saml/sp)
> 2018-09-07 07:34:23,860 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
> 2018-09-07 07:34:25,547 - INFO
> [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] -
> Message Handler:  No metadata returned for https://samltest.id/saml/sp in
> role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol
> urn:oasis:names:tc:SAML:2.0:protocol
> 2018-09-07 07:34:25,579 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for
> RP
> configuration shibboleth.UnverifiedRelyingParty (RPID
> https://samltest.id/saml/sp)
> 2018-09-07 07:34:25,594 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
> 2018-09-07 07:34:42,813 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: ServiceNotSpecified
> 2018-09-07 07:34:42,829 - INFO [Shibboleth-Audit.SSO:275] -
> 20180907T073442Z||||https://www.apereo.org/cas/protocol/login|||||||||
> 2018-09-07 07:34:47,578 - INFO
> [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] -
> Message Handler:  No metadata returned for https://samltest.id/saml/sp in
> role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol
> urn:oasis:names:tc:SAML:2.0:protocol
> 2018-09-07 07:34:47,578 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for
> RP
> configuration shibboleth.UnverifiedRelyingParty (RPID
> https://samltest.id/saml/sp)
> 2018-09-07 07:34:47,578 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
> 2018-09-07 07:35:14,828 - INFO
> [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] -
> Message Handler:  No metadata returned for https://samltest.id/saml/sp in
> role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol
> urn:oasis:names:tc:SAML:2.0:protocol
> 2018-09-07 07:35:14,828 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for
> RP
> configuration shibboleth.UnverifiedRelyingParty (RPID
> https://samltest.id/saml/sp)
> 2018-09-07 07:35:14,828 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration
> 2018-09-07 07:45:13,152 - INFO
> [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] -
> Message Handler:  No metadata returned for https://samltest.id/saml/sp in
> role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol
> urn:oasis:names:tc:SAML:2.0:protocol
> 2018-09-07 07:45:13,168 - WARN
> [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile
> Action SelectProfileConfiguration: Profile
> http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for
> RP
> configuration shibboleth.UnverifiedRelyingParty (RPID
> https://samltest.id/saml/sp)
> 2018-09-07 07:45:13,168 - WARN
> [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
> occurred while processing the request: InvalidProfileConfiguration