configuring shibboleth on AWS using ELB

Deirdre Kirmis Deirdre.Kirmis at
Tue Nov 26 16:31:02 EST 2019

I figured out the certs issue…do you mind if I ask if I have set this up correctly? I have an application load balancer, listening on ports 80 and 443, directing to a target group (with currently only 1 EC2 instance registered). I set up the ELB using our AWS wildcard certificate in ACM, and did not configure anything specifically on the EC2 to enforce https and regarding certs (ssl.conf is pointing to the localhost.key and .crt files).  I guess the “wired together properly” part is where I’m stuck. I installed shib, added the Location section for it in ssl.conf, configured shibboleth2.xml with servername and to point to my metadata file, which I got from my host provider (my organization is an IDP). Added shib as an authentication provider.

I see my provider on the login page of my app, but when I try to login I get an error “The login service was unable to identify a compatible way to respond to the requested application. This is generally due to a misconfiguration on the part of the application and should be reported to the application's support team or owner.”

Any ideas what I missed? Thank you!

Deirdre Kirmis
Technology Services
Arizona State University Library

From: users <users-bounces at> On Behalf Of Nate Klingenstein
Sent: Monday, November 25, 2019 5:54 PM
To: Shib Users <users at>
Subject: RE: configuring shibboleth on AWS using ELB


For what it's worth, we've configured a lot of IdP's and SP's in AWS, including SAMLtest.  It's pretty straightforward: ELB, target groups, and instances, just wired together properly.  There's really nothing special about it.

I often do it for single instances just because I like having ELB in between the world and me.  It doesn't really provide anything that security groups wouldn't other than IP address obfuscation, so it's more of a security blanket than a necessary piece of infrastructure, but hey.

Take care,



[Image removed by sender.]

The Art of Access ®

Nate Klingenstein | Principal<>

-----Original message-----
From: Deirdre Kirmis
Sent: Monday, November 25 2019, 4:30 pm
To: users at
Subject: configuring shibboleth on AWS using ELB

Hi all…prefacing this to say that I am new to AWS and new to configuring shibboleth. I was wondering if anyone has successfully configured shibboleth on an AWS instance that is running https via a load balancer. I installed and configured shib, send/received metadata from my IDP, but when I generate my metadata file, the certs are not included, and the sp-cert.pem and sp-key.pem files did not get created. Do I still need to “configure” https locally on the server, and if so, how, and how do I fix my shib config?

Thanks for any help!


For Consortium Member technical support, see

To unsubscribe from this list send an email to users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ~WRD000.jpg
Type: image/jpeg
Size: 823 bytes
Desc: ~WRD000.jpg
URL: <>

More information about the users mailing list