Error "SAML response reported an IdP error" after Login
Krinetzki, Stephan
Krinetzki at itc.rwth-aachen.de
Fri Jun 9 13:45:15 UTC 2023
Hi Scott and Hi Ulf,
The time settings on the servers (Shibboleth SP and Shibboleth IdP) are identical and have no deviation.
According to the log, the login also went through successfully, or am I missing something here?
IDP_PROCESS|2023-06-08 16:28:27,461|INFO|[net.shibboleth.idp.authn.impl.LDAPCredentialValidator:163]|XXX.XXX.XXX.XXX|JSESSIONID|Credential Validator ldap: Login by 'USER' succeeded
IDP_PROCESS|2023-06-08 16:28:27,462|INFO|[net.shibboleth.idp.authn.impl.FinalizeAuthentication:196]|XXX.XXX.XXX.XXX|JSESSIONID|Profile Action FinalizeAuthentication: Principal USER authenticated
IDP_PROCESS|2023-06-08 16:28:27,619|INFO|[Shibboleth-Audit.SSO:338]|XXX.XXX.XXX.XXX|JSESSIONID|XXX.XXX.XXX.XXX|2023-06-08T14:27:52.625420Z|2023-06-08T14:28:27.619125Z|USER|SP|_608ee17ec4b811d1772d11ba3cf00ed0|password|2023-06-08T14:28:27.462712Z|eduPersonEntitlement,rwthSystemIDs_LMS,organizationName,eduPersonScopedAffiliation,mail,surname,schacHomeOrganization,rwthRufname|AAdzZWNyZXQxVn5AgkKyPxAvRkVX3hT0dQRFpjEcrv3+VG02R5YJ3hAoSuTxFgeqmGVg9neSgFS8cgWauZn19P9QKN6qrG/0iyMZITzE+YTpuxxRlhNBrzgynaxkPuZS+4lOMhWl1q5BxE1t9dipjls=|transient|false|false|AES128-GCM|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||Success||85d35935d0dc7a84f69ec4b0c2c5ecd3055a07708c2bcbff061b579615ca363e|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.41
IDP_PROCESS|2023-06-08 16:32:23,488|ERROR|[org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91]|XXX.XXX.XXX.XXX|JSESSIONID|
The error in the last line should have nothing to do with the login (notice the 4 minutes time difference).
The Shibboleth Service Provider, however, displays the following error to the user:
Please include the following message in any email:
opensaml::FatalProfileException at (SP)
SAML response reported an IdP error.
Error from identity provider:
*Status:* urn:oasis:names:tc:SAML:2.0:status:Responder
*Message:* An error occurred.
In the shibd.log of the SP:
2023-06-08 16:27:52 INFO Shibboleth.SessionCache [5104] [APP]: new session created: ID (_d590d2ddeb8ede18f5eccefd38145c47) IdP (IDP) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (XXX.XXX.XXX.XXX)
The transaction.log:
2023-06-08 16:27:52|Shibboleth-TRANSACTION.Login||_d590d2ddeb8ede18f5eccefd38145c47|IDP|_864e6684a60caf42066a1d09dc3c19ea|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2023-06-08T16:27:51|RONID(1),affiliation(1),entitlement(1),rwthSystemIDs(1)|AAdzZWNyZXQxqfxy0PgmwVCahfqsts+nl6PyHY+fIHrQIuaJWLspKrbxqrGVEjBxtaElUSx5V1/gBDqi+iSspMPtDl6Cp99+RpNidSXfSuMaDMoK4S7CSvIk1fkgbk6j2Hsi3JIFspN6IW+4iqcXUMd9/WTN8I+E2tbu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0|XXX.XXX.XXX.XXX
Seems to be pretty normal.
Any ideas where I can debug further?
Regards
Stephan
--
Stephan Krinetzki
IT Center
Group: Anwendungsbetrieb und Cloud
Department: Systeme und Betrieb
RWTH Aachen University
Seffenter Weg 23
52074 Aachen
Tel: +49 241 80-24866
Fax: +49 241 80-22134
krinetzki at itc.rwth-aachen.de
www.itc.rwth-aachen.de
Social media channels of the IT Center:
https://blog.rwth-aachen.de/itc/
https://www.facebook.com/itcenterrwth
https://www.linkedin.com/company/itcenterrwth
https://twitter.com/ITCenterRWTH
https://www.youtube.com/channel/UCKKDJJukeRwO0LP-ac8x8rQ
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott via users
Sent: Tuesday, June 6, 2023 2:22 PM
To: Shib Users <users at shibboleth.net>
Cc: Cantor, Scott <cantor.2 at osu.edu>
Subject: Re: Error "SAML response reported an IdP error" after Login
> I already looked into the IdP logs and I don't see any error there.
If it's not a bad error message, there is, without any doubt, something in the log about it. That doesn't make it an "ERROR" from a logging perspective, as logging categories have a very specific meaning.
If the IdP is returning a SAML error, it has a reason and it will say so, not to mention it being audited if configured to record the relevant field.
Of course, the SP could also simply be broken and not reporting the issue accurately.
-- Scott
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
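One way to follow Scott's advice and check the IdP's audit trail against the SP's transaction.log mechanically, as an added example that is not code from the thread or from the Shibboleth project: it joins the IdP's Shibboleth-Audit.SSO records with the SP's Shibboleth-TRANSACTION.Login records on the IdP-issued message ID and reports non-Success statuses and records that exist on only one side. The column positions are assumptions read off the two log lines quoted above, and the sample lines are constructed.

```python
# Added example, not code from the thread or the Shibboleth project: join the IdP's
# Shibboleth-Audit.SSO records with the SP's transaction.log on the IdP-issued
# message ID and report anything that is not a clean Success on both sides.
# Column positions are ASSUMED from the two log lines quoted in the thread.

def parse_idp_audit(line):
    """IDP_PROCESS line carrying an SSO audit record -> dict, else None."""
    f = line.rstrip("\n").split("|")
    if len(f) < 27 or "Shibboleth-Audit.SSO" not in f[3]:
        return None  # e.g. the LDAP validator or Spring Webflow lines
    # ASSUMED: 8 = response time, 9 = principal, 11 = outbound message ID,
    # 23 = SAML status, 26 = user agent
    return {"time": f[8], "who": f[9], "msg": f[11], "status": f[23], "ua": f[26]}

def parse_sp_transaction(line):
    """Shibboleth-TRANSACTION.Login line from the SP -> dict, else None."""
    f = line.rstrip("\n").split("|")
    if len(f) < 17 or f[1] != "Shibboleth-TRANSACTION.Login":
        return None
    # ASSUMED: 0 = time, 3 = SP session ID, 5 = IdP message ID,
    # 12 = SAML status URI, 15 = user agent
    return {"time": f[0], "who": f[3], "msg": f[5],
            "status": f[12].rsplit(":", 1)[-1], "ua": f[15]}

def correlate(idp_lines, sp_lines):
    """Return (kind, msg_id) findings: IdP errors and records unmatched on either side."""
    idp = {r["msg"]: r for r in map(parse_idp_audit, idp_lines) if r}
    sp = {r["msg"]: r for r in map(parse_sp_transaction, sp_lines) if r}
    findings = []
    for mid, r in idp.items():
        if r["status"] != "Success":
            findings.append(("idp_error", mid))      # SP will show Responder/Requester
        elif mid not in sp:
            findings.append(("no_sp_session", mid))  # IdP said yes, SP never logged a login
    for mid in sp:
        if mid not in idp:
            findings.append(("no_idp_record", mid))  # SP session from some other IdP response
    return findings

# Constructed sample lines modelled on the formats quoted above (all values made up).
IDP_SAMPLE = [
    "IDP_PROCESS|2023-06-08 16:28:27,619|INFO|[Shibboleth-Audit.SSO:338]|10.0.0.1|JSESSIONID|10.0.0.1|2023-06-08T14:27:52Z|2023-06-08T14:28:27Z|alice|SP|_aaa1|password|2023-06-08T14:28:27Z|mail|nid1|transient|false|false|AES128-GCM|Redirect|POST||Success||h1|UA-Chrome",
    "IDP_PROCESS|2023-06-08 16:31:00,000|INFO|[Shibboleth-Audit.SSO:338]|10.0.0.2|JSESSIONID|10.0.0.2|2023-06-08T14:30:58Z|2023-06-08T14:31:00Z|bob|SP|_bbb2|password|2023-06-08T14:31:00Z|mail|nid2|transient|false|false|AES128-GCM|Redirect|POST||Responder||h2|UA-Firefox",
    "IDP_PROCESS|2023-06-08 16:32:23,488|ERROR|[org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91]|10.0.0.2|JSESSIONID|",
]
SP_SAMPLE = [
    "2023-06-08 16:27:52|Shibboleth-TRANSACTION.Login||_d590|IDP|_aaa1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2023-06-08T16:27:51|mail(1)|nid1|POST||urn:oasis:names:tc:SAML:2.0:status:Success|||UA-Chrome|10.0.0.1",
    "2023-06-08 16:29:10|Shibboleth-TRANSACTION.Login||_e7f1|IDP|_ccc3|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2023-06-08T16:29:09|mail(1)|nid3|POST||urn:oasis:names:tc:SAML:2.0:status:Success|||UA-Firefox|10.0.0.3",
]

if __name__ == "__main__":
    for kind, mid in correlate(IDP_SAMPLE, SP_SAMPLE):
        print(kind, mid)
```

Run it over the real idp-process.log and transaction.log (one line per list entry); an "idp_error" finding is the IdP-side reason behind the SP's Responder status, while "no_idp_record" means the SP session was created from a response the IdP audit does not show.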