<div dir="ltr">Just for the archives...<div><br></div><div>It was/is a LIGO SP. </div><div><br></div><div>Problem was bad permissions on the SP key file (only readable by root and not shibd).</div><div><br></div><div>Running </div><div><br></div><div>LD_LIBRARY_PATH=/opt/shibboleth/lib64 /usr/sbin/shibd -t -u shibd -g shibd</div><div><br></div><div>immediately showed the problem (this is a SL6 box so LD_LIBRARY_PATH necessary to get the Shib distributed curl libraries).</div><div><br></div><div>Scott K<br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 19, 2015 at 8:09 AM, Scott Koranda <span dir="ltr"><<a href="mailto:skoranda@gmail.com" target="_blank">skoranda@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Joe,<div><br></div><div>(Joe is also part of the LIGO project.)<br><div><br></div><div>I don't know why the change is now causing you an error.</div><div><br></div><div>But if this is a LIGO SP please contact me offline and I can help you troubleshoot.</div><div><br></div><div>If this is not a LIGO SP but you copied or evolved the SP configuration from a LIGO SP then also contact me offline and I will help you create a more "vanilla" configuration. I say that because the error indicates the SP is using the artifact resolution protocol, which we do use in LIGO for certain situations, but it is best not to use it with "generic" SPs if you do not have a good reason for it.</div></div><div><br></div><div>Thanks,</div><div><br></div><div>Scott K</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 19, 2015 at 7:26 AM, Joseph Areeda <span dir="ltr"><<a href="mailto:jareeda@exchange.fullerton.edu" target="_blank">jareeda@exchange.fullerton.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
Hi,<br>
<br>
I've swapped server hardware to move our SP to a more capable machine.<br>
The service used to be provided by a VM which became our backup.<br>
<br>
Both were working before the swap which consisted of a DNS change and<br>
swapping certificates and keytabs to match the new URLs.<br>
<br>
Now the VM is working but the new hardware cannot authenticate with<br>
Shibboleth. The web page and log files say:<br>
<br>
2015-08-19 04:11:33 ERROR Shibboleth.Listener [15015] shib_handler:<br>
remoted message returned an error: Unable to resolve artifact(s) into<br>
a SAML response.<br>
2015-08-19 04:11:33 ERROR Shibboleth.Apache [15015] shib_handler:<br>
Unable to resolve artifact(s) into a SAML response.<br>
<br>
I don't understand the message or what part of the SP is<br>
misconfigured. I've compared configurations of the working and non<br>
working systems but I don't see a problem.<br>
<br>
Google and the troubleshooting section of the Shib wiki didn't turn up<br>
anything useful.<br>
<br>
I'd appreciate any help to isolate the problem.<br>
<br>
Thanks,<br>
Joe<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG/MacGPG2 v2<br>
Comment: GPGTools - <a href="https://gpgtools.org" rel="noreferrer" target="_blank">https://gpgtools.org</a><br>
<br>
iQEcBAEBCgAGBQJV1GfyAAoJEGX1ANcKSZvNCUoH/0af7+fStlfKQHDdoGcuifyp<br>
RGIHcOQ0Qs75APBV/dj89leLDQkEGmytv2g0L0+xMvKR4aYIzOMdv7J+hPTGkRdB<br>
Qomd+FfZsBay6x1eTO+KChqwlhLGR1dRPN9DeYHKhh9WDSQmuKDmaSzuf3VZmzDd<br>
IVrZTE2QifWDL45EUxUxg6EdoCCSf1T++h/EYbo8/Qx5WoKS50llxL7RBxolQ8IJ<br>
XxoeNz12YzxLZrnpIaWKdooUTcQlWwIhunO/ZHqk31vSSG+PFos/xJHzV1jihmLZ<br>
D4npPsLsvYsJxIoh1zMGCz6eMcYYLgNPP7GlmTDD6N9vZEamdUoQgK9ZzCZrkGs=<br>
=pcsm<br>
-----END PGP SIGNATURE-----<span class="HOEnZb"><font color="#888888"><br>
<span><font color="#888888">--<br>
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" target="_blank">users-unsubscribe@shibboleth.net</a><br>
</font></span></font></span></blockquote></div><br></div>
</blockquote></div><br></div></div></div>