
Shibboleth Unknown or Unusable Identity Provider Error


Shibboleth Unknown or Unusable Identity Provider Error

Sohail Bashadi

Hi


I am getting the following error when I try to authenticate via an IdP that is registered with InCommon:

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

To report this problem, please contact the site administrator at [hidden email].

Please include the following error message in any email:

Identity provider lookup failed at (https://test41.peopleadmin.com/Shibboleth.sso/SAML/POST)

opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST response not established.

I googled the error message, but did not find anything conclusive. Also, I am running a Shibboleth 2.0 Daemon and have another IdP from InCommon that I am able to connect with fine.


Any pointers are greatly appreciated.

Thanks,

Sohail


RE: Shibboleth Unknown or Unusable Identity Provider Error

Cantor, Scott E.
Sohail Bashadi wrote on 2009-05-21:
> I googled the error message, but did not find anything conclusive. Also, I
> am running a Shibboleth 2.0 Daemon and have another IdP from InCommon that I
> am able to connect with fine.

The error in the page is mentioned on the common errors page.

https://spaces.internet2.edu/display/SHIB2/NativeSPTroubleshootingCommonErrors

The explanation it lists as the "usual" cause is the applicable one.

-- Scott



RE: Shibboleth Unknown or Unusable Identity Provider Error

Sohail Bashadi
Thanks for the response! I found the solution there, but this has
resulted in another question. I have a Shibboleth 2 SP set up
authenticating against a Shibboleth 1.3 IdP; I know Shibboleth 2 is
backward compatible, but I did not find any documentation for this.
Currently my Shibboleth2.xml looks like the following:


<!-- Session Initiator -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="false">
  <SessionInitiator type="Chaining" Location="/Login"
                    id="wayf.incommonfederation.org" relayState="cookie"
                    entityID="urn:mace:incommon:jmu.edu">
    <!-- <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/> -->
    <SessionInitiator type="Shib1" defaultACSIndex="4"/>
  </SessionInitiator>

  <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
  <md:AssertionConsumerService Location="/SAML/POST" index="4"
                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />
  <Handler type="MetadataGenerator" Location="/Metadata" signing="false" />
  <Handler type="Status" Location="/Status" acl="127.0.0.1" />
  <Handler type="Session" Location="/Session" />
</Sessions>

<!-- Metadata -->
<MetadataProvider type="Chaining" >
  <MetadataProvider type="XML"
                    uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
                    backingFilePath="InCommon-metadata.xml" reloadInterval="180000" />
  <MetadataProvider type="XML"
                    uri="http://www.testshib.org/metadata/testshib-two-metadata.xml"
                    backingFilePath="testshib-two-metadata.xml" reloadInterval="180000" />
</MetadataProvider>


Any pointers are greatly appreciated.

Thanks,
Sohail


RE: Shibboleth Unknown or Unusable Identity Provider Error

Cantor, Scott E.
Sohail Bashadi wrote on 2009-05-22:
> Thanks! For the response, I found the solution there, but this has
> resulted in another question. I have a Shibboleth2 SP setup
> authenticating against a Shibboleth1.3 IdP; I know Shibboleth2 is
> backward compatible, but I did not find any documentation for this?

Documentation for doing what specifically? It just works, unless you make
changes to things that break its behavior.
 
> Currently my Shibboleth2.xml looks like the following:

You're making unnecessary changes, though it isn't going to hurt anything to
comment out the SAML 2 request plugin. The out of the box settings are fine
for handling SAML 1 and 2 at the same time.

-- Scott



RE: Shibboleth Unknown or Unusable Identity Provider Error

Sohail Bashadi
The issue I have is that when I connect to the 1.3 IdP with my current
setup I get the response that I posted yesterday:

opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST
response not established.

The solution, which is on the FAQ page, is:

The usual cause for this is an incoming SAML assertion/response from an
issuer for which the SP has no metadata loaded. This means either the
metadata is wrong, or the IdP in question is using the wrong entityID in
its configuration, so the URI passed to the SP doesn't match what it
expects.

More specific information is usually available from the shibd.log file.

And my Shibd.log has the following error:

2009-05-22 10:59:24 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable
to locate SAML 2.0 identity provider role for provider
(urn:mace:incommon:jmu.edu)

Is it possible that there is some mis-configuration at the IdP end?

Thanks,
Sohail


RE: Shibboleth Unknown or Unusable Identity Provider Error

Cantor, Scott E.
Sohail Bashadi wrote on 2009-05-22:
> The issue I have is that when I connect to the 1.3IdP with my current
> setup I get a response that I posted yesterday:

That has nothing to do with compatibility, it just means what the
explanation says, the metadata's probably wrong.

> And my Shibd.log has the following error:
>
> 2009-05-22 10:59:24 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable
                          ^^^
A warning is not an error.

> Is it possible that there is some mis-configuration at the IdP end?

I have no idea, but your log has to be telling you more than that. If it
can't issue a legacy request, then you don't have metadata identifying that
the IdP can support that.

-- Scott



RE: Shibboleth Unknown or Unusable Identity Provider Error

Sohail Bashadi
> I have no idea, but your log has to be telling you more than that.

There isn't that much more interesting information in the logs except
for the normal initialization stuff, here is another warning and an Info
line:

2009-05-22 10:59:24 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable
to locate SAML 2.0 identity provider role for provider
(urn:mace:incommon:jmu.edu)
2009-05-22 11:05:05 WARN OpenSAML.MessageDecoder.SAML1 [1]: no metadata
found, can't establish identity of issuer
(https://idp.example.org/shibboleth)
2009-05-22 11:39:43 INFO XMLTooling.StorageService : purged 1 expired
record(s) from storage

I understood most of what you meant except this:

> If it can't issue a legacy request, then
> you don't have metadata identifying that
> the IdP can support that.

Not sure how I would go about setting up my Shibboleth2.xml to issue a
legacy request?

Thanks,
Sohail


RE: Shibboleth Unknown or Unusable Identity Provider Error

Cantor, Scott E.
Sohail Bashadi wrote on 2009-05-22:
> There isn't that much more interesting information in the logs except
> for the normal initialization stuff, here is another warning and an Info
> line:
>
> 2009-05-22 10:59:24 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable
> to locate SAML 2.0 identity provider role for provider
> (urn:mace:incommon:jmu.edu) 2009-05-22 11:05:05
> WARN OpenSAML.MessageDecoder.SAML1 [1]: no metadata found, can't establish
> identity of issuer (https://idp.example.org/shibboleth)

Those are two different ends of the process. You have to be issuing a
request in between because the second one is an indicator that you don't
have metadata for the IdP in question (which is identifying itself as a
dummy IdP, apparently).

For it to send a request in the first place, you either have metadata, which
makes no sense here, or you're pointing at a WAYF or something like that.
 
> Not sure, how I would go about setting up my Shibboleth2.xml to issue a
> legacy request?

It already did, because it's failing processing a response.

-- Scott
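
The two warnings Scott is separating above come from two different metadata lookups inside the SP. The following is an added example, not code from the thread or from the Shibboleth project: it models both lookups in simplified form against a constructed metadata aggregate (the jmu.edu entityID and the idp.example.org issuer are taken from the thread; the SSO location is a placeholder), so the reader can see which warning fires when the requested IdP only advertises a SAML 1.x role and which fires when the response's issuer is not in the metadata at all. The real SP also checks endpoints and bindings, which this sketch omits.

```python
"""Simplified model of the metadata lookups behind the shibd warnings quoted
above (added example, not Shibboleth code): the SAML2 SessionInitiator needs
an IdP role supporting SAML 2.0, the SAML1 decoder needs the issuer to exist."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML11 = "urn:oasis:names:tc:SAML:1.1:protocol"

# Constructed metadata: the jmu.edu IdP is present but only advertises a
# SAML 1.1 role; the SingleSignOnService Location is a placeholder.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="urn:mace:incommon:jmu.edu">
    <IDPSSODescriptor protocolSupportEnumeration="{SAML11}">
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                           Location="https://idp.placeholder.example/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def idp_protocols(metadata_xml, entity_id):
    """Protocols advertised by the entity's IdP roles, or None when the
    entityID is not in the loaded metadata (the decoder's failure case)."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            protos = set()
            for role in ed.findall(f"{{{MD}}}IDPSSODescriptor"):
                protos.update(role.get("protocolSupportEnumeration", "").split())
            return protos
    return None


def diagnose(metadata_xml, requested_idp, response_issuer):
    """Return the shibd-style warnings the SP would log for this exchange."""
    warnings = []
    protos = idp_protocols(metadata_xml, requested_idp)
    if protos is None:
        warnings.append(f"no metadata for requested IdP ({requested_idp})")
    elif SAML2 not in protos:
        # Benign when a SAML 1.x role exists: the chain falls through to Shib1.
        warnings.append("unable to locate SAML 2.0 identity provider role "
                        f"for provider ({requested_idp})")
    if idp_protocols(metadata_xml, response_issuer) is None:
        # The thread's actual problem: the response's issuer is not in metadata.
        warnings.append("no metadata found, can't establish identity of issuer "
                        f"({response_issuer})")
    return warnings
```

Run with the thread's values, `diagnose(SAMPLE_METADATA, "urn:mace:incommon:jmu.edu", "https://idp.example.org/shibboleth")` yields both warnings; with the issuer equal to the requested entityID only the benign SAML 2.0 one remains.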



RE: Shibboleth Unknown or Unusable Identity Provider Error

Cantor, Scott E.
In reply to this post by Sohail Bashadi
In combination with the config snippet you posted, I think what's probably
happening is you're routing the request directly to an IdP that's in the
InCommon metadata, and it's sending you a bogus response with an invalid
entityID in it. So it's an IdP issue, as you suggested.

-- Scott



RE: Shibboleth Unknown or Unusable Identity Provider Error

Sohail Bashadi
Thank you! I had a strong feeling that my setup was accurate because I
have another Shibboleth1.3 IdP that I am connecting to in this file, I
was just not absolutely sure and hence all the posts.

-Sohail