Unknown or Unusable Identity Provider

Peter Schober peter.schober at univie.ac.at
Tue Dec 3 13:43:39 EST 2019

* conroy <baltzell at umich.edu> [2019-12-03 19:17]:
> I know this topic has been discussed a few times in a few different ways, but
> none of it fixed my problem, so hopefully I'm not repeating,
> but... Everything was working fine yesterday and today all of my servers that
> are running Shibboleth are giving an error page saying: "Unknown or Unusable
> Identity Provider." To my knowledge there were no patches or changes to any
> of the servers.

So what version of the SP are you running (or quoting the logs from)?
If yesterday "Everything was working fine yesterday" and today none
of your Shib SPs can connect to
https://shibboleth.umich.edu/md/umich-prod-idps.xml then I'd say
either that server has seen a change or all your SP servers -- *but*
if that is related to an expired validUntil (there's no sign of that
in your logs, but that doesn't mean that didn't happen as well) this
may have happened a few days ago. The SP locally caches and continues
to use metadata as long as it's valid, so all SPs not knowing an IDP
at the same point in time could well be indicative of such a problem.

> I'm running RHEL 7.7 so I looked at
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRH6 but:

Not that it matters for your question but SP v2 is out of support. Has
been for quite a while. Of course you may be looking at the SP docs by

> 1. I don't have a /etc/sysconfig/shibd or
> /etc/systemd/system/multi-user.target.wants/shibd.service file. There are
> other related files, but not those 2.

I don't have a running RHEL/CentOS 7 system atm so can't check.

> 2. The current libcurl in /opt/shibboleth/ is libcurl.so.4.5.0 which
> is not the most recent, but I'm hesitant to update it without
> knowing more because that might be the "correct" version for my
> setup.

Configuring the correct yum repository and simply 'yum install'ing and
occasionally 'yum update'ing the software should be all that it takes,
without ever having to ask yourself the above question ("what libcurl
version should I be running").

> 3. I don't see how either of those problems could change overnight. 

See my take on that above.
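
The expired validUntil case raised in the reply above, as an added example that is not part of the original post and not Shibboleth code: it reports which entities in a SAML metadata file are past their effective validUntil, where an enclosing EntitiesDescriptor's date also bounds the entities it contains. The sample metadata, entityIDs and function names are constructed for illustration, and the metadata signature is not verified here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: the aggregate expired on 2019-12-01; one entity
# carries its own, later validUntil, which the aggregate's date still bounds.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2019-12-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
  <md:EntityDescriptor entityID="https://idp2.example.org/idp/shibboleth"
      validUntil="2020-06-01T00:00:00Z"/>
</md:EntitiesDescriptor>"""

def parse_ts(value):
    """Parse an xs:dateTime such as 2019-12-01T00:00:00Z into an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def entity_expiry(xml_text):
    """Map entityID -> effective validUntil (earliest of own and ancestors'), or None."""
    result = {}

    def walk(elem, inherited):
        limit = inherited
        own = elem.get("validUntil")
        if own:
            ts = parse_ts(own)
            limit = ts if inherited is None else min(ts, inherited)
        if elem.tag == MD + "EntityDescriptor":
            result[elem.get("entityID")] = limit
        elif elem.tag == MD + "EntitiesDescriptor":
            for child in elem:  # aggregates may nest
                walk(child, limit)

    walk(ET.fromstring(xml_text), None)
    return result

def expired_entities(xml_text, now):
    """Return the entityIDs whose metadata is no longer valid at `now`."""
    return sorted(eid for eid, limit in entity_expiry(xml_text).items()
                  if limit is not None and limit <= now)

if __name__ == "__main__":
    for eid in expired_entities(SAMPLE, datetime.now(timezone.utc)):
        print("expired:", eid)
```

Run against a locally saved copy of the metadata file, this shows whether the expiry date passed some days before the SPs began rejecting the IdP.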


