idp.testshib.org errors from our SP

Spencer Thomas Spencer.Thomas at ithaka.org
Tue Mar 3 09:01:32 EST 2020


Follow up on this weirdness.  I never did track down a “root cause”. My suspicion lands on the fact that our shibboleth2.xml file did try to load metadata from the testshib.org IDP.

We upgraded to the Shib 3 SP, and the symptom has gone away. As an added benefit, we are now able to use the MDQ feed from the UK Federation, which has significantly reduced startup time.


--
Spencer Thomas
Technical Architect / JSTOR and Artstor
ITHAKA<https://www.ithaka.org/> / 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
Email: Spencer.Thomas at ithaka.org<mailto:Spencer.Thomas at ithaka.org>
Voicemail: 734-887-7004



From: users <users-bounces at shibboleth.net> on behalf of Spencer Thomas <Spencer.Thomas at ithaka.org>
Reply-To: Shib Users <users at shibboleth.net>
Date: Friday, February 21, 2020 at 10:19 AM
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: idp.testshib.org errors from our SP


I first posted this to InCommon users list, where I was reminded that the Shib mailing list would be a better place.

Background: An increasing number of users, from many different organizations and countries, are reporting that they get an error “Unable to locate metadata for identity provider (https://idp.testshib.org/idp/shibboleth).”

Investigation involved looking at error logs, access logs, and taking tcpdump data from the shibd instance.

Users are not sending SAMLResponse packets containing the “testshib” IDP – they have the correct IdP for the user – so the problem is not external – no phishing, no bad links, etc.

When the error occurs, I see the following sequence:

  1.  User hits the /Shibboleth.sso/SAML2/POST endpoint with a proper SAMLResponse, issued and signed by their IDP, encrypted with our public key, with proper assertions, etc.
  2.  That endpoint redirects to our protected URL, which is wrapped with “mod_shib”, in the same instance. In the redirection, it sets a _shibsession_xxxx cookie.
  3.  Coming back to the protected URL, the same cookie value is received.
  4.  Mod_shib issues the error “Unable to locate metadata for identity provider (https://idp.testshib.org/idp/shibboleth)”.

We are currently using the shibboleth 2.6.0 “debian” package that was created by SWITCHaai. It appears that the problem is in the interaction between mod_shib and shibd, or completely within one of them.

I think our best option is to upgrade to the SP version 3. Has anyone else seen this symptom? Any ideas for work-arounds in the meantime?

Thanks.

--
Spencer Thomas
Technical Architect / JSTOR and Artstor
ITHAKA<https://www.ithaka.org/> / 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
Email: Spencer.Thomas at ithaka.org<mailto:Spencer.Thomas at ithaka.org>
Voicemail: 734-887-7004
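The sequence in the original post comes down to one SP-side decision: the IdP entityID tied to the session must resolve to an entity loaded by one of the configured MetadataProvider sources, otherwise the SP reports “Unable to locate metadata for identity provider (…)”. The follow-up adds the suspected contributing factor, a shibboleth2.xml that still pulled metadata from testshib.org. The script below is an added example written for this archive page; it is not code from the thread, from ITHAKA, or from the Shibboleth project, and it models that lookup rather than reproducing shibd's implementation. It does two things a defender would want when triaging this symptom: lint a config for MetadataProvider URLs on a retired host, and check a SAML Response's Issuer against the entityIDs actually loaded. The MetadataProvider `type`/`url`/`backingFilePath` attributes mirror the SP's documented syntax, but every URL, entityID and XML fragment other than the idp.testshib.org entityID quoted in the thread is constructed for the example; signatures and encryption are omitted because only the Issuer matters for this check.

```python
# Added example (not from the mailing-list thread or the Shibboleth project).
# Models the SP-side metadata lookup behind "Unable to locate metadata for
# identity provider (...)" and lints a shibboleth2.xml for metadata sources
# hosted on a retired domain. All XML below is constructed for the example.
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP config fragment. The testshib URL is a placeholder path on the
# retired host; the federation URL and the SP entityID are invented.
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <MetadataProvider type="Chaining">
      <!-- retired test IdP still configured: nothing will ever load from here -->
      <MetadataProvider type="XML" url="https://www.testshib.org/EXAMPLE-metadata.xml"
                        backingFilePath="testshib-providers.xml"/>
      <MetadataProvider type="XML" url="https://federation.example.org/metadata.xml"
                        backingFilePath="federation.xml"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed federation metadata that the SP has actually loaded (no testshib entity).
FEDERATION_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"/>
  <EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth"/>
</EntitiesDescriptor>"""


def saml_response(issuer: str) -> str:
    """Constructed minimal SAML 2.0 Response; signature and encryption omitted."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:Response>"
    )


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag so config version does not matter."""
    return tag.rsplit("}", 1)[-1]


def metadata_provider_urls(config_xml: str) -> list:
    """Every MetadataProvider url= in the config, at any nesting depth."""
    root = ET.fromstring(config_xml)
    return [el.get("url") for el in root.iter()
            if _local(el.tag) == "MetadataProvider" and el.get("url")]


def stale_metadata_sources(config_xml: str, retired_hosts=("testshib.org",)) -> list:
    """MetadataProvider URLs whose host is, or sits under, a retired host."""
    stale = []
    for url in metadata_provider_urls(config_xml):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in retired_hosts):
            stale.append(url)
    return stale


def loaded_entity_ids(metadata_xml: str) -> set:
    """entityIDs the SP knows about after loading an EntitiesDescriptor."""
    root = ET.fromstring(metadata_xml)
    return {el.get("entityID") for el in root.iter(f"{{{MD_NS}}}EntityDescriptor")}


def issuer_entity_id(response_xml: str) -> str:
    """The IdP entityID asserted in the Response's top-level Issuer element."""
    root = ET.fromstring(response_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("SAML Response carries no Issuer")
    return issuer.text.strip()


def metadata_lookup_error(entity_id: str, known: set) -> Optional[str]:
    """None when the IdP is in loaded metadata, else the SP-style error text."""
    if entity_id in known:
        return None
    return f"Unable to locate metadata for identity provider ({entity_id})"


if __name__ == "__main__":
    for url in stale_metadata_sources(SHIBBOLETH2_XML):
        print(f"stale MetadataProvider source: {url}")
    known = loaded_entity_ids(FEDERATION_METADATA)
    for issuer in ("https://idp.example.edu/idp/shibboleth",
                   "https://idp.testshib.org/idp/shibboleth"):
        err = metadata_lookup_error(issuer_entity_id(saml_response(issuer)), known)
        print(f"{issuer}: {err or 'metadata found'}")
```

Run as a script it prints the stale source and one failed lookup; the lookup helper is deliberately a pure function over a set of entityIDs so the same check can be pointed at a real federation aggregate or an MDQ cache directory listing. When the Issuer in the posted Response is a legitimate federation IdP yet the error still names testshib, as in the thread, the mismatch is between the session and the Response rather than in this lookup, which is why the original poster traced mod_shib/shibd interaction rather than the wire traffic.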




