idp.testshib.org errors from our SP
Spencer.Thomas at ithaka.org
Fri Feb 21 10:19:17 EST 2020
I first posted this to InCommon users list, where I was reminded that the Shib mailing list would be a better place.
Background: An increasing number of users, from many different organizations and countries, are reporting that they get an error “Unable to locate metadata for identity provider (https://idp.testshib.org/idp/shibboleth).”
Investigation involved looking at error logs, access logs, and taking tcpdump data from the shibd instance.
Users are not sending SAMLResponse packets containing the “testshib” IDP – they have the correct IdP for the user – so the problem is not external – no phishing, no bad links, etc.
When the error occurs, I see the following sequence:
1. User hits the /Shibboleth.sso/SAML2/POST endpoint with a proper SAMLResponse, issued and signed by their IDP, encrypted with our public key, with proper assertions, etc.
2. That endpoint redirects to our protected URL, which is wrapped with “mod_shib”, in the same instance. In the redirection, it sets a _shibsession_xxxx cookie.
3. Coming back to the protected URL, the same cookie value is received.
4. Mod_shib issues the error “Unable to locate metadata for identity provider (https://idp.testshib.org/idp/shibboleth)”
We are currently using the shibboleth 2.6.0 “debian” package that was created by SWITCHaai. It appears that the problem is in the interaction between mod_shib and shibd, or completely within one of them.
I think our best option is to upgrade to the SP version 3. Has anyone else seen this symptom? Any ideas for work-arounds in the meantime?
Technical Architect / JSTOR and Artstor
ITHAKA<https://www.ithaka.org/> / 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
Email: Spencer.Thomas at ithaka.org
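Added example, not part of the original post: one way to repeat the check described above, that the SAMLResponse a user posts names their own IdP rather than the entity ID in the mod_shib error. The function names, the sample response and the `idp.example.edu` issuer are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ERROR_RE = re.compile(r"Unable to locate metadata for identity provider \((.+?)\)")

def response_issuers(post_body):
    """Issuer values readable in a SAML2 HTTP-POST form body (captured offline)."""
    fields = parse_qs(post_body)
    if "SAMLResponse" not in fields:
        raise ValueError("no SAMLResponse field in POST body")
    # Captured traffic is untrusted XML: parse it on an analysis host only.
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0]))
    if root.tag != SAMLP + "Response":
        raise ValueError("unexpected root element " + root.tag)
    issuer = root.find(SAML + "Issuer")
    nested = root.findall(SAML + "Assertion/" + SAML + "Issuer")
    return {
        "response": issuer.text.strip() if issuer is not None and issuer.text else None,
        # Cleartext assertions carry their own Issuer; encrypted ones hide it.
        "assertions": [i.text.strip() for i in nested if i.text],
        "encrypted_assertions": len(root.findall(SAML + "EncryptedAssertion")),
    }

def issuer_matches_error(post_body, error_line):
    """True if the entity ID in the SP error is one the posted response names."""
    m = ERROR_RE.search(error_line)
    if m is None:
        raise ValueError("line is not a metadata-lookup error")
    seen = response_issuers(post_body)
    return m.group(1) == seen["response"] or m.group(1) in seen["assertions"]

# Constructed sample: a response from a placeholder IdP with an encrypted assertion.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0">'
    "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
    "<saml:EncryptedAssertion/></samlp:Response>")
SAMPLE_BODY = urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode()})
SAMPLE_ERROR = ("Unable to locate metadata for identity provider "
                "(https://idp.testshib.org/idp/shibboleth)")

if __name__ == "__main__":
    print(response_issuers(SAMPLE_BODY))
    print("error names the posted issuer:", issuer_matches_error(SAMPLE_BODY, SAMPLE_ERROR))
```

A `False` result for a failing login means the entity ID in the error did not come from the posted response, which points at the SP side as the post concludes.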