SP not working in prod


Herriott, Cascade

Hi all,

We’re trying to implement Shibboleth and have successfully done so with our dev IdP (which is on V3), but when we try to perform the same action with our production IdP (currently on V2) we run into errors (see below).

I am wondering if the different versioning is causing the issue? If so, we do plan on upgrading our production IdP to V3 in the next couple of weeks. If it’s something outside of that I’m up for suggestions.

When targeting our production IdP we can authenticate against it, but then we run into issues and Shibboleth errors out.

I see two possible issue points.

1) In the Shibd.log I noticed that the key algorithms don’t match up.

XMLTooling.CredentialCriteria [2]: key algorithm didn't match ('AES' != 'RSA')

I dug around that for a bit and it looks like we’re still getting attributes passed back to us so I think this issue is resolving itself.

2) What looks more likely to be the culprit is this error I found in the native.log file:

ERROR Shibboleth.Listener [15288] isapi_shib_extension: socket call (unknown) resulted in error (10054): Unknown error

I’ve compared this against our dev IdP and we do not get this error in there.

Can anyone point me in the right direction?

Thanks,

-Cascade


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: SP not working in prod

Nate Klingenstein-2
Cascade,

The first message probably indicates that your IdP is using a certificate that doesn't match the certificate in its metadata as loaded by the SP.

The second message indicates that the two halves of your SP -- the ISAPI filter and the shibd process -- can't talk to each other.  That's fully self-contained in the SP and a Windows error code.  It'll be very hard for anyone to diagnose that remotely, but something on that server is breaking things.

Hope this helps,
Nate.


Re: SP not working in prod

Cantor, Scott E.
On 4/27/18, 4:19 PM, "users on behalf of Nate Klingenstein" <[hidden email] on behalf of [hidden email]> wrote:

> The first message probably indicates that your IdP is using a certificate that doesn't match the certificate in its metadata
> as loaded by the SP.

No, it means nothing (which is why it's on DEBUG), it's an internal implementation detail.

> The second message indicates that the two halves of your SP -- the ISAPI filter and the shibd process -- can't talk to each
> other.

Just means shibd was restarted, that's incredibly unlikely to be a problem of any sort.

There was no "problem" in the message at all. By all indications it could be working fine.

-- Scott


