Shib 2.2: EndpointType must have Binding?

Shib 2.2: EndpointType must have Binding?

Nathan Dors
I used shibboleth-sp-2.1-win32.msi to uninstall a working SP, and then
installed shibboleth-sp-2.2-win32.msi. Having left everything else the
same, I now get two WARNs, an ERROR, and one colossal CRIT in shibd.log:

[...]
2009-06-21 14:43:04 INFO Shibboleth.Config [1]: change detected, reloading local resource...
2009-06-21 14:43:04 WARN XMLTooling.ParserPool [1]: warning on line 0, column 0, message: unable to open primary document entity 'C:\opt\shibboleth-sp\share\xml\opensaml\sstc-metadata-attr.xsd'
2009-06-21 14:43:04 INFO Shibboleth.Config [1]: loaded XML resource (C:/opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml)
2009-06-21 14:43:04 INFO Shibboleth.Config [1]: Library versions: Xerces-C 3.0.1, XML-Security-C 1.5.0, XMLTooling-C 1.2.0, OpenSAML-C 2.2.0, Shibboleth 1.2.0
2009-06-21 14:43:04 WARN Shibboleth.Config [1]: detected legacy Policy configuration, please convert to new PolicyRule syntax
2009-06-21 14:43:04 INFO Shibboleth.Config [1]: installing a default Conditions rule in policy (default) for compatibility with legacy configuration
2009-06-21 14:43:04 INFO OpenSAML.SecurityPolicyRule.Conditions [1]: building SecurityPolicyRule of type Audience
2009-06-21 14:43:04 INFO OpenSAML.SecurityPolicyRule.Conditions [1]: building SecurityPolicyRule of type Ignore
2009-06-21 14:43:04 INFO OpenSAML.SecurityPolicyRule.Conditions [1]: building SecurityPolicyRule of type Ignore
2009-06-21 14:43:04 INFO OpenSAML.SecurityPolicyRule.Conditions [1]: building SecurityPolicyRule of type Ignore
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (run::AssertionLookup)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/Login::run::SAML2SI)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/Login::run::Shib1SI)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/WAYF::run::SAML2SI)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/WAYF::run::Shib1SI)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/DS::run::SAML2SI)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/DS::run::Shib1SI)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SAML2/POST)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SAML2/POST-SimpleSign)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SAML2/Artifact)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SAML2/ECP)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SAML/POST)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SAML/Artifact)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/Logout::run::SAML2LI)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/Logout::run::LocalLI)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SLO/SOAP)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SLO/Redirect)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SLO/POST)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/SLO/Artifact)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/NIM/SOAP)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/NIM/Redirect)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/NIM/POST)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/NIM/Artifact)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/Metadata)
2009-06-21 14:43:04 INFO Shibboleth.Listener [1]: registered remoted message endpoint (default/Status)
2009-06-21 14:43:04 INFO Shibboleth.Application [1]: building MetadataProvider of type Chaining...
2009-06-21 14:43:04 INFO OpenSAML.Metadata.Chaining [1]: building MetadataProvider of type XML
2009-06-21 14:43:04 INFO OpenSAML.Metadata [1]: building MetadataFilter of type Signature
2009-06-21 14:43:04 INFO XMLTooling.SecurityHelper [1]: loading certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/incommon.pem)
2009-06-21 14:43:06 INFO OpenSAML.MetadataProvider.XML [1]: loaded XML resource (http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml)
2009-06-21 14:43:06 ERROR OpenSAML.MetadataProvider.XML [1]: metadata intance failed manual schema validation checking: EndpointType must have Binding.
2009-06-21 14:43:06 CRIT OpenSAML.Metadata.Chaining [1]: failure initializing MetadataProvider: Metadata instance failed manual schema validation checking.

Anyone else run into this with InCommon-metadata.xml and SP 2.2?

Here's my MetadataProvider configuration:

<MetadataProvider type="XML" uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml" backingFilePath="federation-metadata.xml" reloadInterval="7200">
   <SignatureMetadataFilter certificate="incommon.pem"/>
</MetadataProvider>

Thanks for the advice,

-Nathan

RE: Shib 2.2: EndpointType must have Binding?

Cantor, Scott E.
Nathan Dors wrote on 2009-06-21:
> I used shibboleth-sp-2.1-win32.msi to uninstall a working SP, and then
> installed shibboleth-sp-2.2-win32.msi. Having left everything else the
> same, I now get two WARNs, an ERROR, and one colossal CRIT in shibd.log:

The first warning seems to be a packaging bug I'll have to correct, the
schema itself won't matter much. The second is documented on the "change"
page I created in the wiki and is a deprecation change that can be addressed
at leisure.

The error is an indication the metadata is in fact bad. I mentioned a while
ago that there were code fixes that tightened up syntax checking. I get the
same result.

There's a bug in one of Washington's AA endpoints, an empty Binding. I
suspect it's a bug in the SAML 2.0 rollout. I'll forward the issue, as
should you probably.

I'll correct the Windows package as soon as I can, but that's a minor issue.
 
-- Scott
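
A pre-flight check for the condition described above (an endpoint whose Binding is empty), as an added example that is not part of the original thread or of the Shibboleth code. The sample metadata, its entityIDs and the function name are constructed for illustration, and the check also flags a Binding attribute that is absent altogether, which goes one step beyond the empty case reported here.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Elements typed EndpointType / IndexedEndpointType in the SAML 2.0 metadata schema.
ENDPOINT_TAGS = {f"{{{MD}}}{name}" for name in (
    "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
    "SingleSignOnService", "NameIDMappingService", "AssertionIDRequestService",
    "AssertionConsumerService", "AttributeService", "AuthzService",
)}

# Constructed sample: one well-formed AA endpoint, one empty Binding, one missing Binding.
SAMPLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example.edu/good">
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.edu/good/AA"/>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.edu/bad">
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AttributeService Binding="" Location="https://idp.example.edu/bad/AA"/>
      <AttributeService Location="https://idp.example.edu/bad/AA2"/>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def find_bad_bindings(xml_text):
    """Return (entityID, role, endpoint, problem) for each endpoint without a usable Binding."""
    # Federation metadata is remote input; this check complements signature
    # verification (the SignatureMetadataFilter in the post), it does not replace it.
    root = ET.fromstring(xml_text)
    findings = []
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = entity.get("entityID", "<no entityID>")
        for role in entity:          # IDPSSODescriptor, AttributeAuthorityDescriptor, ...
            for ep in role:          # endpoints are direct children of a role descriptor
                if ep.tag not in ENDPOINT_TAGS:
                    continue
                binding = ep.get("Binding")
                if binding is not None and binding.strip():
                    continue
                problem = "missing" if binding is None else "empty"
                findings.append((entity_id, role.tag.rpartition("}")[2],
                                 ep.tag.rpartition("}")[2], problem))
    return findings
```

Running this over the backing file (`federation-metadata.xml` in the configuration above) names the entity to report to the federation operator, which the SP's log message alone does not.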



RE: Shib 2.2: EndpointType must have Binding?

Cantor, Scott E.
In reply to this post by Nathan Dors
Scott Cantor wrote on 2009-06-21:
> The first warning seems to be a packaging bug I'll have to correct, the
> schema itself won't matter much. The second is documented on the "change"
> page I created in the wiki and is a deprecation change that can be addressed
> at leisure.

Neglected to post the link:
https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationChanges

The missing schema is now corrected in the Win32 installer, thanks. (If
you're concerned about adding it, it's in the postinstall ZIP.)

I reported the metadata issue. Whoever has admin access to UW's IdP metadata
might be able to correct the problem if it's an actual data entry bug, but I
figured it was more likely to be a bug in the generation process.

-- Scott



RE: Shib 2.2: EndpointType must have Binding?

Nathan Dors
Thanks for spotting that. We'd submitted a metadata update to InCommon
that got snagged or zapped by other changes. We're back to normal now.

With regard to the postinstall ZIP, what's the difference between the
"sdk" and non-"sdk" filenames?

http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/win32/

Seems like shibboleth-sp-2.2-win32-postinstall.zip is the current
postinstall file, but it hasn't been updated as recently as the "sdk"
version.

-Nathan

On Sun, 21 Jun 2009, Scott Cantor wrote:

> Scott Cantor wrote on 2009-06-21:
>> The first warning seems to be a packaging bug I'll have to correct, the
>> schema itself won't matter much. The second is documented on the "change"
>> page I created in the wiki and is a deprecation change that can be addressed
>> at leisure.
>
> Neglected to post the link:
> https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationChanges
>
> The missing schema is now corrected in the Win32 installer, thanks. (If
> you're concerned about adding it, it's in the postinstall ZIP.)
>
> I reported the metadata issue. Whoever has admin access to UW's IdP metadata
> might be able to correct the problem if it's an actual data entry bug, but I
> figured it was more likely to be a bug in the generation process.
>
> -- Scott
>
>
>

RE: Shib 2.2: EndpointType must have Binding?

Cantor, Scott E.
Nathan Dors wrote on 2009-06-22:
> Thanks for spotting that. We'd submitted a metadata update to InCommon
> that got snagged or zapped by other changes. We're back to normal now.

IJ thinks he worked out what happened, so hopefully it will get plugged.

> With regard to the postinstall ZIP, what's the difference between the
> "sdk" and non-"sdk" filenames?

The SDK is an unrelated thing. That's just headers and import libraries for
people doing extensions on Windows.

I guess I'll add something to the HEADER.html for the directory so people
don't get lost.

-- Scott