errors from our SP

Spencer Thomas Spencer.Thomas at
Fri Feb 21 10:19:17 EST 2020

I first posted this to InCommon users list, where I was reminded that the Shib mailing list would be a better place.

Background: An increasing number of users, from many different organizations and countries, are reporting that they get an error “Unable to locate metadata for identity provider (”

Investigation involved looking at error logs, access logs, and taking tcpdump data from the shibd instance.

Users are not sending SAMLResponse packets containing the “testshib” IDP – they have the correct IdP for the user – so the problem is not external – no phishing, no bad links, etc.

When the error occurs, I see the following sequence:

  1.  User hits the /Shibboleth.sso/SAML2/POST endpoint with a proper SAMLResponse, issued and signed by their IDP, encrypted with our public key, with proper assertions, etc.
  2.  That endpoint redirects to our protected URL, which is wrapped with “mod_shib”, in the same instance. In the redirection, it sets a _shibsession_xxxx cookie.
  3.  Coming back to the protected URL, the same cookie value is received.
  4.  Mod_shib issues the error “Unable to locate metadata for identity provider (”

We are currently using the shibboleth 2.6.0 “debian” package that was created by SWITCHaai. It appears that the problem is in the interaction between mod_shib and shibd, or completely within one of them.

I think our best option is to upgrade to the SP version 3. Has anyone else seen this symptom? Any ideas for work-arounds in the meantime?


Spencer Thomas
Technical Architect / JSTOR and Artstor
ITHAKA / 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
Email: Spencer.Thomas at
Voicemail: 734-887-7004
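
An added example, not part of the original post: one way to confirm from a captured POST body which IdP issued a SAMLResponse, as in the tcpdump check described above. The entityID, URLs and sample XML are constructed placeholders, and the function names are hypothetical.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: entityID and URLs are placeholders, not values from the post.
SAMPLE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    b'Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
    b'<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
    b'<saml:EncryptedAssertion/></samlp:Response>')

def encode_post(xml_bytes):
    """Build the urlencoded form body a browser would POST (HTTP-POST binding)."""
    return urllib.parse.urlencode({"SAMLResponse": base64.b64encode(xml_bytes).decode()})

def summarize_saml_post(form_body):
    """Return the readable outer fields of the SAMLResponse in a captured POST body."""
    fields = urllib.parse.parse_qs(form_body)
    if "SAMLResponse" not in fields:
        raise ValueError("no SAMLResponse field in POST body")
    xml_bytes = base64.b64decode(fields["SAMLResponse"][0], validate=True)
    # Captured traffic is untrusted input: refuse DTDs and entities before parsing.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD in SAMLResponse, refusing to parse")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # With an encrypted assertion, only the Response-level Issuer is readable.
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "plain_assertions": len(root.findall("saml:Assertion", NS)),
    }

def issuer_matches(summary, expected_entity_id):
    """Exact string match on entityID; this does not verify any signature."""
    return summary["issuer"] == expected_entity_id

if __name__ == "__main__":
    print(summarize_saml_post(encode_post(SAMPLE_XML)))
```

If the issuer seen on the wire matches the user's IdP while the SP still reports a different one, the mismatch arises after the POST endpoint, which is consistent with the sequence described in the post.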

