sp can not get metadata from idp
Nate Klingenstein
ndk at signet.id
Mon Jan 11 14:53:44 UTC 2021
Lanxin,
The versions of software that you're using are old. Your IdP version in particular is very unsupported, and I don't know RedHat's complete deprecation schedule immediately or which version you're using.
Anyway, RedHat made the decision between versions 5 and 6 to switch from using OpenSSL as its cryptographic library for libcurl to using NSS. This gave Shibboleth much more limited ability to control the network layer when establishing connections, so the project had to switch to distributing a version of libcurl built against OpenSSL along with the SP, for RHEL 6 and 7. RedHat reverted this change in RHEL 8, so it's no longer necessary with the most recent software.
https://wiki.shibboleth.net/confluence/display/SP3/LinuxRH6
You will need to make sure the SP is built and linked against a libcurl built against OpenSSL, and you should upgrade a lot of software to modern releases.
At that point, the network calls should work. Your configuration looks okay.
Thanks,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
-----Original message-----
> From: MA Lanxin
> Sent: Monday, January 11 2021, 2:47 am
> To: shib users
> Subject: sp can not get metadata from idp
>
> Hello,
>
> My SP cannot get metadata from IDP.
> My SP version is 3.1.0, Apache version is 2.4.6. My IDP version is 2.4.1
>
> rpm -qa | grep shib
> shibboleth-3.1.0-3.1.x86_64
> liblog4shib2-2.0.0-3.1.x86_64
>
> rpm -qa | grep httpd
> httpd-tools-2.4.6-93.el7.centos.x86_64
> httpd-2.4.6-93.el7.centos.x86_64
>
> Here is the error log in /var/log/shibboleth/shibd.log at SP
>
> 2021-01-11 17:21:22 INFO Shibboleth.Application : building MetadataProvider of type XML...
> 2021-01-11 17:21:22 ERROR XMLTooling.libcurl.InputStream : error while fetching https://idp-test.ihep.ac.cn/idp/profile/Metadata/SAML: (59) Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
> 2021-01-11 17:21:22 ERROR XMLTooling.libcurl.InputStream : on Red Hat 6+, make sure libcurl used is built with OpenSSL
> 2021-01-11 17:21:22 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
> 2021-01-11 17:21:22 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://idp-test.ihep.ac.cn/idp/profile/Metadata/SAML): XML error(s) during parsing, check log for specifics
> 2021-01-11 17:21:22 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 600 seconds
> 2021-01-11 17:21:22 WARN OpenSAML.MetadataProvider.XML : trying backup file, exception loading remote resource: XML error(s) during parsing, check log for specifics
>
> Here is my SP config
> cat /etc/shibboleth/shibboleth2.xml
> <ApplicationDefaults entityID="https://a.ihep.ac.cn/shibboleth"
>     REMOTE_USER="eppn subject-id pairwise-id persistent-id"
>     cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"
>     encryption="false">
>
>     <SSO entityID="https://idp-test.ihep.ac.cn/idp/shibboleth">
>         SAML2 SAML1
>     </SSO>
>
>     <MetadataProvider type="XML" validate="true"
>         url="https://idp-test.ihep.ac.cn/idp/profile/Metadata/SAML"
>         backingFilePath="idp-test-metadata.xml" maxRefreshDelay="7200">
>     </MetadataProvider>
>
> I do not understand what causes the problem. Could anybody help?
> Thanks a lot,
>
> Best Regards,
> Lanxin
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
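The condition Nate points at (shibd loading a libcurl built against NSS instead of OpenSSL) can be checked from the dynamic dependencies of the libcurl that shibd actually loads. The script below is an added example and is not part of either message nor of the Shibboleth project's own tooling. It assumes `ldd` is available, that the SP-supplied libcurl lives under /opt/shibboleth/lib64 (adjust to your install), and it classifies `ldd` output by the TLS library it names; the sample `ldd` lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: tell whether a libcurl build is linked
# against OpenSSL or NSS by looking at its `ldd` output.
# Assumptions: `ldd` exists; the SP's own libcurl path below is illustrative.

# classify_backend: reads ldd-style output on stdin and prints one of
# openssl, nss, unknown. OpenSSL's TLS library is libssl.so.<n> while NSS's
# is libssl3.so, so the pattern requires the dot right after "libssl".
# OpenSSL is tested first because other transitive dependencies on RHEL 7
# can pull NSS libraries into the listing even for an OpenSSL-built libcurl.
classify_backend() {
    deps=$(cat)
    case "$deps" in
        *libssl.so*)               echo openssl ;;
        *libnss3.so*|*libssl3.so*) echo nss ;;
        *)                         echo unknown ;;
    esac
}

# backend_of: run ldd on a binary or shared object and classify the result.
backend_of() {
    ldd "$1" 2>/dev/null | classify_backend
}

# Constructed sample resembling the stock NSS-built libcurl on RHEL 7.
SAMPLE_NSS='	libnss3.so => /lib64/libnss3.so (0x00007f0000100000)
	libssl3.so => /lib64/libssl3.so (0x00007f0000200000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f0000300000)'

# Constructed sample resembling an OpenSSL-linked libcurl such as the one
# shipped alongside the SP for RHEL 6/7.
SAMPLE_OPENSSL='	libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000400000)
	libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000500000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f0000600000)'

main() {
    printf 'NSS-style sample:     %s\n' "$(printf '%s\n' "$SAMPLE_NSS" | classify_backend)"
    printf 'OpenSSL-style sample: %s\n' "$(printf '%s\n' "$SAMPLE_OPENSSL" | classify_backend)"
    # Inspect real libraries where present (paths are assumptions).
    for lib in /opt/shibboleth/lib64/libcurl.so.4 /usr/lib64/libcurl.so.4; do
        if [ -e "$lib" ]; then
            printf '%s: %s\n' "$lib" "$(backend_of "$lib")"
        fi
    done
}

main
```

Run it on the SP host; the library that matters is the one resolved for the shibd process, which on RHEL 6/7 depends on the LD_LIBRARY_PATH the shibd service is started with, so checking /usr/sbin/shibd with `backend_of` from within that same environment is the most direct confirmation. A result of `nss` for the libcurl shibd loads matches the "Unknown cipher in list" error in the log, since that cipher string is OpenSSL syntax.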