idp.testshib.org errors from our SP

Spencer Thomas Spencer.Thomas at ithaka.org
Fri Feb 21 10:19:17 EST 2020


I first posted this to InCommon users list, where I was reminded that the Shib mailing list would be a better place.

Background: An increasing number of users, from many different organizations and countries, reporting that they get an error “Unable to locate metadata for identity provider (https://idp.testshib.org/idp/shibboleth).”

Investigation involved looking at error logs, access logs, and taking tcpdump data from the shibd instance.

Users are not sending SAMLResponse packets containing the “testshib” IDP – they have the correct IdP for the user – so the problem is not external – no phishing, no bad links, etc.

When the error occurs, I see the following sequence:

  1.  User hits the /Shibboleth.sso/SAML2/POST endpoint with a proper SAMLResponse, issued and signed by their IDP, encrypted with our public key, with proper assertions, etc.
  2.  That endpoint redirects to our protected URL, which is wrapped with “mod_shib”, in the same instance. In the redirection, it sets a _shibsession_xxxx cookie.
  3.  Coming back to the protected URL, the same cookie value is received.
  4.  Mod_shib issues the error “Unable to locate metadata for identity provider (https://idp.testshib.org/idp/shibboleth)”.

We are currently using the shibboleth 2.6.0 “debian” package that was created by SWITCHaai. It appears that the problem is in the interaction between mod_shib and shibd, or completely within one of them.

I think our best option is to upgrade to the SP version 3. Has anyone else seen this symptom? Any ideas for work-arounds in the meantime?

Thanks.

--
Spencer Thomas
Technical Architect / JSTOR and Artstor
ITHAKA (https://www.ithaka.org/) / 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
Email: Spencer.Thomas at ithaka.org
Voicemail: 734-887-7004
