"Unable to locate metadata" error


"Unable to locate metadata" error

Tony Ennis

hey gang, when we browse https://my.sp/Shibboleth.so/Login

we get an error that says, "Identity provider lookup failed at (https://my.sp/Shibboleth.so/Login)

EntityID: https://my.idp/idp/shibboleth

blah metadataException: Unable to locate metadata for identity provider (https://my.idp/idp/shibboleth)


If I browse directly to the idp, it returns metadata. But Login is having an issue with it. We have a simple shibboleth2.xml config file.
The entityID is again set as the idp (https://my.idp/idp/shibboleth) in the SSO section and SAML2 is supported.

In the MetadataProvider section, the entityID is again set to the idp (https://my.idp/idp/shibboleth) correctly.

I cannot really paste the config as it is inside our secure area. Copy/paste does not work.

We're at a loss and don't know how to proceed. What might the error be?


Rivera Group    
Tony Ennis
Chief Architect
[hidden email] | Rivera Group
O: 812.246.4055

Confidentiality Notice: This message and any attachments are for the sole use of the intended recipient(s), and may contain information considered confidential or privileged by the sending organization or trade secrets of the sending organization. This message does not authorize the intended recipient to disclose this information to any other party. Use, disclosure, or retention of any information in this message by anyone other than the intended user is strictly prohibited, unless otherwise authorized in writing. If you are not the intended recipient, please destroy all copies of this message.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: "Unable to locate metadata" error

Tony Ennis

Omission - the actual error being displayed in Postman is "Unknown or Unusable Identity Provider" if that helps.

From: users <[hidden email]> on behalf of Tony Ennis <[hidden email]>
Sent: Tuesday, July 10, 2018 6:36:15 PM
To: [hidden email]
Subject: "Unable to locate metadata" error
Re: "Unable to locate metadata" error

Peter Schober
In reply to this post by Tony Ennis
* Tony Ennis <[hidden email]> [2018-07-11 00:36]:
> blah metadataException: Unable to locate metadata for identity
> provider (https://my.idp/idp/shibboleth)

OK, so no metadata for that IDP available.

> If I browse directly to the idp, it returns metadata.

That doesn't mean the SP processed it correctly.
The SP's logs would tell you:

$ fgrep OpenSAML.Metadata.XML /var/log/shibboleth/shibd.log

and the SP would create a cached copy in (by default)
/var/cache/shibboleth/

> The entityID is again set as the idp (https://my.idp/idp/shibboleth) in the SSO section and SAML2 is supported.

Well, ApplicationDefaults/@entityID is your own entityID.

Sessions/SSO/@entityID would be the IDP's, and you certainly have that
set, because accessing /Shibboleth.so/Login tries to send you off to
the provided IDP immediately.

> In the MetadataProvider section, the entityID is again set to the
> idp (https://my.idp/idp/shibboleth) correctly.

Not "correctly" -- the MetadataProvider section has no use for
entityIDs: It may have a "url" XML attribute from where to load the
metadata. (And if your IDP's entityID is a URL and serves up its own
metadata at the value of its own entityID, well it would work. But
entityIDs are not locations and the MetadataProvider does not care
about entityIDs.)

A correct MetadataProvider would look like the examples in the
distributed shibboleth2.xml or example-shibboleth2.xml. Or like in the
documentation. Without specifics the only thing that seems clear is
that your SP is not loading that metadata.

> I cannot really paste the config as it is inside our secure area.

You'll need to check the SP's logs.
Also try connecting to the metadata URL from the server, using curl,
just to make sure you don't need to configure a forward proxy in order
to connect to the other server.

Also be aware that loading remote metadata that's unsigned is
completely insecure (or signed metadata where you're not checking the
signature): Metadata is XML and XML is plain text, but in this case
plain text that contains key material (e.g. a cert with the IDP's
signing key) that the software trusts implicitly, so you're
effectively blindly downloading something like CA trust anchors from a
plain text file over the network. (Read: Don't do that.)

-peter
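A MetadataProvider along the lines Peter describes, as an added example for this page: it is neither the original poster's shibboleth2.xml (which was never shown) nor the example file shipped with the SP. The hostnames are the thread's placeholders; the backing file name, the signing certificate file name and the validity interval are assumptions, and the "weak" fragment is a guess at what the poster's description suggests.

```xml
<!-- Added example, not the poster's actual shibboleth2.xml. -->

<!-- WEAK (assumed to be what the poster has): no url or file is given, and
     the MetadataProvider makes no use of entityID, so the SP has nothing to
     load and reports "Unable to locate metadata" for the IdP at Login time.
     There is also no Signature filter, so even with a url the SP would trust
     whatever key material came back from the network. -->
<MetadataProvider type="XML" entityID="https://my.idp/idp/shibboleth"/>

<!-- CORRECTED: load from a location (url), keep a local backup copy, and
     refuse anything not signed by a metadata signing key obtained out of band. -->
<MetadataProvider type="XML" validate="true"
        url="https://my.idp/idp/shibboleth"
        backingFilePath="my-idp-metadata.xml"
        maxRefreshDelay="7200">
    <!-- Reject metadata with no validUntil, or valid for longer than
         2419200 s (28 days; the interval itself is an assumed value). -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <!-- my-idp-metadata-signer.pem is an assumed file name: the metadata
         signing certificate handed to you by the IdP operator out of band.
         It is not the IdP's SAML signing cert, and it must not be fetched
         from the same URL whose content it is supposed to verify. -->
    <MetadataFilter type="Signature" certificate="my-idp-metadata-signer.pem"/>
</MetadataProvider>
```

After restarting shibd, the fgrep over shibd.log that Peter gives above shows whether the load and signature check succeeded, and the backing file should appear under the cache directory he mentions (/var/cache/shibboleth/ by default). If the signature filter rejects the file, that is the filter doing its job: fix the certificate, do not remove the filter.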