Unknown or Unusable Identity Provider

Conroy Baltzell baltzell at umich.edu
Tue Dec 3 13:55:41 EST 2019

Thanks for the quick responses. I'm running shibboleth 3.0.4. I was
accidentally on the SP2 support pages, but in this case there doesn't seem
to be much of a difference to V3
https://wiki.shibboleth.net/confluence/display/SP3/LinuxRH6. I can try
updating shibboleth, but I just installed it on a new server less than
a month ago so I don't think that's the issue (and I'm hesitant to update
anything on the production server without testing it on the dev server). I
didn't realize the SP uses cached metadata so that seems to be the most
likely suspect. I don't think the problem is
https://shibboleth.umich.edu/md/umich-prod-idps.xml  because a lot of sites
use that and none of them seem to be down. How would I tell if it was an
expired validUntil?

On Tue, Dec 3, 2019 at 1:43 PM Peter Schober <peter.schober at univie.ac.at>

> * conroy <baltzell at umich.edu> [2019-12-03 19:17]:
> > I know this topic has been discussed a few times in a few different
> ways, but
> > none of it fixed my problem, so hopefully I'm not repeating,
> > but...Everything was working fine yesterday and today all of my servers
> that
> > are running Shibboleth are giving an error page saying: "Unknown or
> Unusable
> > Identity Provider." To my knowledge there was no patches or changes to
> any
> > of the servers.
> So what version of the SP are you running (or quoting the logs from)?
> If yesterday "Everything was working fine yesterday" and today none
> your Shib SPs can connect to
> https://shibboleth.umich.edu/md/umich-prod-idps.xml then I'd say
> either that server has seen a change or all your SP servers -- *but*
> if that is related to an expired validUntil (there's no sign of that
> in your logs, but that doesn't mean that didn't happen as well) this
> may have happened a few days ago. The SP locally caches and continue
> to use metadata as long as it's valid, so all SPs not knowing an IDP
> at the same point in time could well be indicative of such a problem.
> > I'm running RHEL 7.7 so I looked at
> > https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRH6
> but:
> Not that it matters for your question but SP v2 is out of support. Has
> been for quite a while. Of course you may be looking at the SP docs by
> mistake?
> > 1. I don't have a /etc/sysconfig/shibd or
> > /etc/systemd/system/multi-user.target.wants/shibd.service file. There are
> > other related files, but not those 2.
> I don't have a running RHEL/CentOS 7 system atm so can't check.
> > 2. The current libcurl in /opt/shibboleth/ is libcurl.so.4.5.0 which
> > is not the most recent, but I'm hesitant to update it without
> > knowing more because that might be the "correct" version for my
> > setup.
> Configuring the correct yum repository and simply 'yum install'ing and
> occasionally 'yum update'ing the software should be all that it takes,
> without ever having to ask yourself the above question ("what libcurl
> version should I be running").
> > 3. I don't see how either of those problems could change overnight.
> See my take on that above.
> -peter
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20191203/80a5afe7/attachment.html>

More information about the users mailing list