Looking for some troubleshooting advice for setting up a SP that isn't working.

Mak, Steve makst at upenn.edu
Fri May 15 18:59:48 UTC 2020



From: users <users-bounces at shibboleth.net> on behalf of Dan Oachs <doachs at gac.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Friday, May 15, 2020 at 14:52
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: Looking for some troubleshooting advice for setting up a SP that isn't working.

So over the years I have successfully added quite a few SPs to our IDP, but this past week I have run into one that I am having trouble getting working.  I believe there is some mismatch with their metadata vs. what they are requesting.

Here is the error log a user sees when trying to access the SP:
Login - Unable to Respond
The login service was unable to identify a compatible way to respond to the requested application. This is generally to due to a misconfiguration on the part of the application and should be reported to the application's support team or owner.

On the IDP side (3.3.1 - I know, we need to upgrade to 4), I see these errors:
idp-process.log:2020-05-15 13:13:02,959 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:126] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'https://saml-live.scenariolearning.com/saml/acs?dest=gustavus-mn.safecolleges.com' nor response location 'null' matched 'https://saml-live.scenariolearning.com/saml/acs?dest=gustavus.mn.safecolleges.com'  (ipv6 ip address removed)

idp-process.log:2020-05-15 13:13:02,959 - WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'saml-live.scenariolearning.com': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, Location=https://saml-live.scenariolearning.com/saml/acs?dest=gustavus.mn.safecolleges.com, trusted=false] (ipv6 ip address removed)

Am I correct that the error message says that the endpoint location does not match, however they look identical?  Is there an issue with a question mark in there?  Hopefully I am just overlooking something obvious and you all can point it out for me :)

The SP claims they have this working with other customers using Shibboleth.  Wondering if anyone has any idea what might be wrong on my end, or what I should tell the SP they need to fix?
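
Added example (not part of the original message and not Shibboleth code): a small Python script that pulls the two quoted locations out of the DefaultEndpointResolver DEBUG line above and reports the first character and the URL component where they differ. The function names are illustrative; the sample line is the one quoted in the message, with the timestamp prefix trimmed.

```python
import re
from urllib.parse import urlsplit

# DEBUG line from the message above (log prefix and trailing note trimmed).
SAMPLE = (
    "Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: "
    "Neither candidate endpoint location "
    "'https://saml-live.scenariolearning.com/saml/acs?dest=gustavus-mn.safecolleges.com' "
    "nor response location 'null' matched "
    "'https://saml-live.scenariolearning.com/saml/acs?dest=gustavus.mn.safecolleges.com'"
)

PATTERN = re.compile(
    r"Neither candidate endpoint location '(?P<candidate>[^']*)' "
    r"nor response location '(?P<response>[^']*)' matched '(?P<wanted>[^']*)'"
)
COMPONENTS = ("scheme", "netloc", "path", "query", "fragment")


def first_diff(a, b):
    """Index of the first differing character, or None if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_endpoints(line):
    """Parse one resolver log line; return where the two locations diverge."""
    m = PATTERN.search(line)
    if m is None:
        return None  # not a DefaultEndpointResolver mismatch line
    cand, wanted = m.group("candidate"), m.group("wanted")
    idx = first_diff(cand, wanted)
    c, w = urlsplit(cand), urlsplit(wanted)
    return {
        "candidate": cand,
        "wanted": wanted,
        "index": idx,
        "chars": None if idx is None else (cand[idx:idx + 1], wanted[idx:idx + 1]),
        "components": [n for n in COMPONENTS if getattr(c, n) != getattr(w, n)],
    }


if __name__ == "__main__":
    r = compare_endpoints(SAMPLE)
    print(r["candidate"])
    print(r["wanted"])
    if r["index"] is not None:
        print(" " * r["index"] + "^ differs here:", r["chars"], "in", r["components"])
```
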

