Unknown or Unusable Identity Provider issue...

Christopher Bongaarts cab at umn.edu
Fri Apr 5 15:28:40 EDT 2019


The metadata is incomplete; as the error says, it's missing a 
SingleSignOnService element in the IDPSSODescriptor.  You'll want to get 
updated/fixed metadata from the IdP.

On 4/5/2019 2:23 PM, Dennis Fazekas wrote:
>
> There is another…
>
> 2019-03-11 14:51:02 WARN Shibboleth.SessionInitiator.SAML2 [22]: unable to 
> locate metadata for provider (lly-qa:saml2:idp)
>
> 2019-03-11 14:51:02 *ERROR* OpenSAML.Metadata.XML: metadata instance 
> failed manual validation checking: IDPSSODescriptor must have at least 
> one SingleSignOnService.
>
> *From:*Dennis Fazekas
> *Sent:* Friday, April 05, 2019 3:22 PM
> *To:* 'Christopher Bongaarts' <cab at umn.edu>; Shib Users 
> <users at shibboleth.net>
> *Cc:* Henry Zhou <Henry_Zhou at SHI.com>
> *Subject:* RE: Unknown or Unusable Identity Provider issue...
>
> Thank you again for the help. :)
>
> Here is the line above that I left out by accident.
>
> 2019-03-11 14:51:02 WARN Shibboleth.SessionInitiator.SAML2 [22]: unable to 
> locate metadata for provider (lly-qa:saml2:idp)
>
> *From:*Christopher Bongaarts [mailto:cab at umn.edu]
> *Sent:* Friday, April 05, 2019 2:32 PM
> *To:* Dennis Fazekas <Dennis_Fazekas at SHI.com>; Shib Users 
> <users at shibboleth.net>
> *Cc:* Henry Zhou <Henry_Zhou at SHI.com>
> *Subject:* Re: Unknown or Unusable Identity Provider issue...
>
> There is likely a typo or other syntax error in the metadata file.  
> There might be a hint as to what/where just above the CRIT error in 
> the log.
>
> On 4/5/2019 1:28 PM, Dennis Fazekas wrote:
>
>     Thank you for getting back to me so quickly. Here is what I found
>     in the log file:
>
>     2019-03-11 14:51:02 CRIT OpenSAML.Metadata.XML: maintaining existing
>     configuration, error reloading resource
>     (C:/opt/shibboleth-sp/etc/shibboleth/partnermetadata/lly.xml):
>     Metadata instance failed manual validation checking.
>
>     2019-03-11 14:56:46 WARN Shibboleth.SessionInitiator.SAML2 [22]:
>     unable to locate metadata for provider (lly-qa:saml2:idp)
>
>     2019-03-11 14:56:49 WARN Shibboleth.SessionInitiator.SAML2 [22]:
>     unable to locate metadata for provider (lly-qa:saml2:idp)
>
>     2019-03-11 14:56:58 WARN Shibboleth.SessionInitiator.SAML2 [22]:
>     unable to locate metadata for provider (lly-qa:saml2:idp)
>
>     2019-03-11 14:58:42 WARN Shibboleth.SessionInitiator.SAML2 [22]:
>     unable to locate metadata for provider (lly-qa:saml2:idp)
>
>     2019-03-11 15:01:08 WARN Shibboleth.SessionInitiator.SAML2 [22]:
>     unable to locate metadata for provider (lly-qa:saml2:idp)
>
>     *From:*Christopher Bongaarts [mailto:cab at umn.edu]
>     *Sent:* Friday, April 05, 2019 1:46 PM
>     *To:* Shib Users <users at shibboleth.net>; Dennis Fazekas
>     <Dennis_Fazekas at SHI.com>
>     *Cc:* Henry Zhou <Henry_Zhou at SHI.com>
>     *Subject:* Re: Unknown or Unusable Identity Provider issue...
>
>     Check your shibd.log file for errors trying to load the metadata
>     file.  The messages would most likely be happening at shibd
>     restart time, not the time you access the page.
>
>     On 4/5/2019 12:31 PM, Dennis Fazekas wrote:
>
>         Greetings,
>
>         We have a customer whom we cannot get working. We are seeing
>         the following error from Shibboleth. I’m wondering if the
>         problem is related to the customer’s entityID; since it’s not
>         a valid URI.
>
>         Here is the snippet from the customer’s metadata:
>
>         Snippet from partnermetadata/lly.production.xml
>
>         <md:EntityDescriptor ID="cADhVl_SqndvQACPbar0ae8GkKK"
>         cacheDuration="PT1440M" entityID="*lly-qa:saml2:idp*"
>         xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
>
>>
>         </md:EntityDescriptor>
>
>         In our shibboleth2.xml the *MetadataProviders* has the
>         following entry which is correctly mapped to the customer’s
>         metadata.
>
>         *<MetadataProvider type="XML"
>         file="partnermetadata/lly.production.xml"/>*
>
>
>           Unknown or Unusable Identity Provider
>
>         The identity provider supplying your login credentials is not
>         authorized for use with this service or does not support the
>         necessary capabilities.
>
>         To report this problem, please contact the site administrator
>         at [cut_out].
>
>         Please include the following error message in any email:
>
>         Identity provider lookup failed at
>         (https://sp.shi.com/Shibboleth.sso/Login)
>
>         *EntityID:* lly-qa:saml2:idp
>
>         opensaml::saml2md::MetadataException: Unable to locate
>         metadata for identity provider (lly-qa:saml2:idp)
>
>         Any help would greatly be appreciated. Thank you!
>
>
>
>     -- 
>     %%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
>     %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
>     %%  University of Minnesota    %%  +1 (612) 625-1809    %%
>

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
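
Added example, not part of the original post and not Shibboleth's own code: a pre-flight check that mirrors the one rule reported in the log above (every IDPSSODescriptor needs at least one SingleSignOnService), so a partner's metadata file can be tested before shibd tries to load it. The sample documents, the entityID "example-qa:saml2:idp" and the host idp.example.org are constructed placeholders; this covers only this rule plus a basic endpoint attribute check, not the full OpenSAML validation.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # namespace from the post's snippet
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_idp_metadata(xml_text):
    """Return {entityID: [problems]} for each EntityDescriptor in xml_text."""
    if "<!DOCTYPE" in xml_text:
        # SAML metadata needs no DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE not allowed in metadata")
    root = ET.fromstring(xml_text)  # ParseError here means a syntax error or typo
    report = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        problems = []
        idp_roles = entity.findall(f"{{{MD}}}IDPSSODescriptor")
        if not idp_roles:
            problems.append("no IDPSSODescriptor role")
        for role in idp_roles:
            endpoints = role.findall(f"{{{MD}}}SingleSignOnService")
            if not endpoints:
                # The condition the ERROR line in this thread reports.
                problems.append(
                    "IDPSSODescriptor must have at least one SingleSignOnService")
            for ep in endpoints:
                if not ep.get("Binding") or not ep.get("Location"):
                    problems.append("SingleSignOnService lacks Binding or Location")
        report[entity.get("entityID")] = problems
    return report

# Constructed samples (not the customer's metadata): same entity, without and
# with an SSO endpoint. idp.example.org is a placeholder host.
BROKEN = (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="example-qa:saml2:idp">'
          f'<md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>'
          f'</md:EntityDescriptor>')
FIXED = BROKEN.replace(
    "/></md:EntityDescriptor>",
    f'><md:SingleSignOnService Binding="{REDIRECT}" '
    f'Location="https://idp.example.org/sso"/>'
    f'</md:IDPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_idp_metadata(doc))
```

An empty problem list for the entityID the SP is configured to use means this particular validation failure will not recur; a ParseError instead points at the kind of syntax error suggested earlier in the thread.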
