Unknown or Unusable Identity Provider

Peter Schober peter.schober at univie.ac.at
Tue Jul 16 18:29:12 EDT 2019


* shibbbb <d.andrade at campus.fct.unl.pt> [2019-07-16 19:18]:
> when I try to use the SP it has no errors also but when I try to go to the
> login page it says that my Identity Provider is unknown or unusable and
> gives this error:
> 
> opensaml::saml2md::MetadataException: Unable to locate metadata for identity
> provider(with the right EntityID).
[...]
> 2019-07-16 16:50:13 INFO OpenSAML.MetadataProvider.XML : loaded XML resource
> (C:/opt/shibboleth-sp/etc/shibboleth/idp-metadata.xml)
> 
> So it's being loaded but the cache folder is empty.

I wouldn't expect the SP to create a local cache copy of a local file
(what would be the purpose of that?), so that may not mean much.

Anyway, I guess the most likely explanation is that the entityID used
to initiate SSO does not in fact match the entityID within the
metadata the SP is configured to load.
How do you trigger SSO with that IDP, by setting
ApplicationDefaults/Sessions/SSO/@entityID in your shibboleth2.xml
file?
Can you extract and compare those entityID values with a tool?

Your mention of 'netsh' seems to suggest you're using MS-Windows, so
I have no example or suggestion for that but on Unix I'd have used
something like this to get the entityID value from the SSO element:
$ fgrep -A1 '<SSO ' /etc/shibboleth/shibboleth2.xml | fgrep entityID | sed -r 's/.*entityID="(.+)".*$/\1/'
and
$ fgrep entityID /opt/shibboleth-idp/metadata/idp-metadata.xml | sed -r 's/.*entityID="(.+)".*$/\1/'
for the entityID value from the IDP metadata. Redirecting
the output to two separate files a final `diff` command would show
whether they're equal or not.

What does the DiscoFeed endpoint report for known IDPs, e.g.
$ curl -k https://localhost/Shibboleth.sso/DiscoFeed

There's really no secret mechanism involved here, you "just add
metadata" and it should work.

-peter
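The comparison Peter describes above, as an added example that is not part of the original thread: a small POSIX shell script that pulls the entityID from the SP's SSO element and from the IdP metadata's EntityDescriptor and reports whether they agree. The sample shibboleth2.xml and idp-metadata.xml excerpts are constructed here (the entityIDs, hostnames and the temporary directory are hypothetical), and the second metadata file deliberately differs by a trailing slash to show the kind of mismatch that produces the "unknown or unusable" error. It folds each file onto one line before matching, so the attribute is found even when it sits on a different line than the element name, and it picks the SSO element's entityID rather than the SP's own ApplicationDefaults entityID.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Compares the IdP entityID the SP uses to start SSO with the entityID
# declared in the IdP metadata the SP loads. All paths/values are constructed.

# entityID attribute of the <SSO ...> element in shibboleth2.xml.
# tr joins the file into one line so <SSO and entityID= may span lines.
sp_sso_entityid() {
    tr '\n' ' ' < "$1" | sed -n 's/.*<SSO[^>]*entityID="\([^"]*\)".*/\1/p'
}

# entityID attribute of <EntityDescriptor ...> (with or without a namespace
# prefix such as md:) in the IdP metadata file.
idp_metadata_entityid() {
    tr '\n' ' ' < "$1" | sed -n 's/.*<[^ >]*EntityDescriptor[^>]*entityID="\([^"]*\)".*/\1/p'
}

# Exit 0 on match, 1 on mismatch, 2 if either value could not be extracted.
compare_entityids() {
    sp=$(sp_sso_entityid "$1")
    idp=$(idp_metadata_entityid "$2")
    if [ -z "$sp" ] || [ -z "$idp" ]; then
        echo "could not extract entityID (sp='$sp' idp='$idp')" >&2
        return 2
    fi
    if [ "$sp" = "$idp" ]; then
        echo "MATCH: $sp"
        return 0
    fi
    echo "MISMATCH: SP initiates SSO with '$sp' but IdP metadata declares '$idp'" >&2
    return 1
}

# Writes constructed sample files into the given directory.
make_sample_files() {
    dir=$1
    # Constructed SP configuration excerpt: note the SP's own entityID on
    # ApplicationDefaults and the IdP's entityID on the SSO element.
    cat > "$dir/shibboleth2.xml" <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerSSL="true">
      <SSO entityID="https://idp.example.org/idp/shibboleth">
        SAML2
      </SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
EOF
    # Constructed IdP metadata whose entityID matches the SSO element.
    cat > "$dir/idp-metadata.xml" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
EOF
    # Constructed variant with a trailing slash: a typical easy-to-miss mismatch.
    sed 's#/idp/shibboleth"#/idp/shibboleth/"#' "$dir/idp-metadata.xml" \
        > "$dir/idp-metadata-trailing-slash.xml"
}

# Demo run against the constructed samples (temporary directory is left in place).
SAMPLE_DIR=$(mktemp -d)
make_sample_files "$SAMPLE_DIR"
compare_entityids "$SAMPLE_DIR/shibboleth2.xml" "$SAMPLE_DIR/idp-metadata.xml" || :
compare_entityids "$SAMPLE_DIR/shibboleth2.xml" "$SAMPLE_DIR/idp-metadata-trailing-slash.xml" || :
```

To use it on a real installation, call `compare_entityids /etc/shibboleth/shibboleth2.xml /path/to/idp-metadata.xml` (or the corresponding Windows paths under C:/opt/shibboleth-sp/etc/shibboleth/); a non-zero exit with the MISMATCH line tells you exactly which of the two values to correct.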

