Metadata Error for identity provider

Metadata Error for identity provider

Lee Foltz
We are getting the following error at the login page.
Any suggestions would help.


opensaml::saml2md::MetadataException at (https://example.org/Shibboleth.sso/Login)

Unable to locate metadata for identity provider (https://example.org:8443/idp/shibboleth)

Re: Metadata Error for identity provider

Nate Klingenstein
Foltz2,

You need to configure the SP before you can use it.  It needs to know where the IdP is located and what its own name is.  If you don't know what to put there and you need a simple testing service, try out TestShib.


Take care,
Nate.

On Feb 4, 2010, at 8:32 PM, [hidden email] wrote:

> We are getting the following error at the login page.
> Any suggestions would help.
>
> opensaml::saml2md::MetadataException at (https://example.org/Shibboleth.sso/Login)
>
> Unable to locate metadata for identity provider (https://example.org:8443/idp/shibboleth)


Re: Metadata Error for identity provider

Lee Foltz
I believe that we have done that.  In what file would we confirm that the SP is configured to point to the IDP?


 
On Thu, Feb 4, 2010 at 3:37 PM, Nate Klingenstein <[hidden email]> wrote:
> Foltz2,
>
> You need to configure the SP before you can use it.  It needs to know where the IdP is located and what its own name is.  If you don't know what to put there and you need a simple testing service, try out TestShib.
>
> Take care,
> Nate.
>
> On Feb 4, 2010, at 8:32 PM, [hidden email] wrote:
>
>> We are getting the following error at the login page.
>> Any suggestions would help.
>>
>> opensaml::saml2md::MetadataException at (https://example.org/Shibboleth.sso/Login)
>>
>> Unable to locate metadata for identity provider (https://example.org:8443/idp/shibboleth)




--
Lee Foltz
Oakland University - UTS
Systems Administrator

248-370-2675

Re: Metadata Error for identity provider

Nate Klingenstein
Lee,

You'll want to look at /etc/shibboleth/shibboleth2.xml.  You'll need  
to configure at a minimum the SessionInitiator, the MetadataProvider,  
and the entityID on the ApplicationsDefaults.

Take care,
Nate.

On Feb 4, 2010, at 8:50 PM, Lee Foltz wrote:

> I believe that we have done that.  In what file would we confirm
> that the SP is configured to point to the IDP?
>


RE: Metadata Error for identity provider

Cantor, Scott E.
In reply to this post by Lee Foltz
Lee Foltz wrote on 2010-02-04:
> I believe that we have done that.  In what file would we confirm that the
> SP is configured to point to the IDP?

You need to start by not making up names and using appropriate entityIDs and
metadata for your testing.

https://spaces.internet2.edu/display/SHIB2/EntityNaming

https://spaces.internet2.edu/display/SHIB2/Metadata

Alternatives would be to utilize a real federation to facilitate your work
or try testshib.org.

There's no "just check this" answer here.
 
-- Scott



Re: Metadata Error for identity provider

Lee Foltz
In reply to this post by Lee Foltz
Would it help if I included our shibboleth2.xml file from /etc/shibboleth and sp-metadata.xml, idp-metadata.xml from /opt/shibboleth-idp/metadata


 
On Thu, Feb 4, 2010 at 5:17 PM, Scott Cantor <[hidden email]> wrote:
> Lee Foltz wrote on 2010-02-04:
>> I believe that we have done that.  In what file would we confirm that the
>> SP is configured to point to the IDP?
>
> You need to start by not making up names and using appropriate entityIDs and
> metadata for your testing.
>
> https://spaces.internet2.edu/display/SHIB2/EntityNaming
>
> https://spaces.internet2.edu/display/SHIB2/Metadata
>
> Alternatives would be to utilize a real federation to facilitate your work
> or try testshib.org.
>
> There's no "just check this" answer here.
>
> -- Scott





--
Lee Foltz
Oakland University - UTS
Systems Administrator

248-370-2675

RE: Metadata Error for identity provider

Cantor, Scott E.
Lee Foltz wrote on 2010-02-05:
> Would it help if I included our shibboleth2.xml file from /etc/shibboleth
> and sp-metadata.xml, idp-metadata.xml from /opt/shibboleth-idp/metadata

If somebody else wants to walk you through the entire process, that's fine,
but you're literally saying "configure it for me", and I won't do that.

If you have specific questions after reading the documentation, including
what I already suggested, I'm happy to answer them.

-- Scott



RE: Metadata Error for identity provider

Cantor, Scott E.
In reply to this post by Lee Foltz
More relevant starting points on each end.

https://spaces.internet2.edu/display/SHIB2/IdPSPCommunicate

https://spaces.internet2.edu/display/SHIB2/NativeSPGettingStarted

If you don't understand what a setting means or is supposed to be set to
after reading the documentation for it, just ask.
 
-- Scott



Re: Metadata Error for identity provider

Lee Foltz
In reply to this post by Lee Foltz
We have it configured.........I am not asking you to do that for us.....
 
This is the error we are getting and don't understand it after we have configured.
 
Unable to locate metadata for identity provider.
Also, if we run the shibd -tc command we get the following error.  We were just looking for some direction on what to try next.
 
shibd -tc /etc/shibboleth/shibboleth2.xml
2010-02-05 14:24:18 CRIT OpenSAML.Metadata.Chaining : failure initializing MetadataProvider: Metadata did not include a validUntil attribute.
overall configuration is loadable, check console for non-fatal problems


On Fri, Feb 5, 2010 at 1:32 PM, Scott Cantor <[hidden email]> wrote:
> Lee Foltz wrote on 2010-02-05:
>> Would it help if I included our shibboleth2.xml file from /etc/shibboleth
>> and sp-metadata.xml, idp-metadata.xml from /opt/shibboleth-idp/metadata
>
> If somebody else wants to walk you through the entire process, that's fine,
> but you're literally saying "configure it for me", and I won't do that.
>
> If you have specific questions after reading the documentation, including
> what I already suggested, I'm happy to answer them.
>
> -- Scott





--
Lee Foltz
Oakland University - UTS
Systems Administrator

248-370-2675

RE: Metadata Error for identity provider

Cantor, Scott E.
Lee Foltz wrote on 2010-02-05:
> Unable to locate metadata for identity provider.
> Also, if we run the shibd -tc command we get the following error.  We were
> just looking for some direction on what to try next.

You need to fix the CRIT error you're getting so that the metadata you gave
it actually loads. If you created the metadata, either put in the validUntil
date or remove the filter from the configuration.

> shibd -tc /etc/shibboleth/shibboleth2.xml
> 2010-02-05 14:24:18 CRIT OpenSAML.Metadata.Chaining : failure initializing
> MetadataProvider: Metadata did not include a validUntil attribute.

Note that it didn't do that by accident, you had to have put a
RequireValidUntil metadata filter into it (which is generally advisable
depending on the trust model in use, but still...)

https://spaces.internet2.edu/display/SHIB2/NativeSPMetadataFilter

-- Scott
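
Added example, not part of the original thread and not Shibboleth's own code: a pre-flight check an administrator could run on a hand-written metadata file to see whether it would trip a RequireValidUntil-style filter. The missing-attribute case mirrors the CRIT message above; the expiry check, the 28-day limit and the names `check_valid_until`, `sample_metadata`, `NOW` and `MAX_VALIDITY` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROOT_TAGS = {f"{{{MD_NS}}}EntityDescriptor", f"{{{MD_NS}}}EntitiesDescriptor"}
NO_VALID_UNTIL = "Metadata did not include a validUntil attribute."


def check_valid_until(metadata_xml, now, max_validity_seconds):
    """Return (ok, reason) for the validUntil attribute on the metadata root."""
    root = ET.fromstring(metadata_xml)
    if root.tag not in ROOT_TAGS:
        return False, "root element is not SAML metadata"
    raw = root.get("validUntil")
    if raw is None:
        return False, NO_VALID_UNTIL
    try:
        valid_until = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        return False, "validUntil is not a parseable xs:dateTime"
    if valid_until.tzinfo is None:  # assumption: treat zone-less values as UTC
        valid_until = valid_until.replace(tzinfo=timezone.utc)
    if valid_until <= now:
        return False, "metadata has expired"
    if valid_until - now > timedelta(seconds=max_validity_seconds):
        return False, "validUntil is further out than the allowed interval"
    return True, "ok"


def sample_metadata(valid_until=None):
    """Constructed one-entity metadata using the IdP entityID from the thread."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    return (f'<EntityDescriptor xmlns="{MD_NS}"'
            f' entityID="https://example.org:8443/idp/shibboleth"{attr}/>')


NOW = datetime(2010, 2, 5, 14, 24, 18, tzinfo=timezone.utc)  # constructed clock
MAX_VALIDITY = 28 * 24 * 3600  # assumed 28-day limit, in seconds

if __name__ == "__main__":
    for stamp in (None, "2010-02-19T00:00:00Z", "2011-02-05T00:00:00Z"):
        print(stamp, check_valid_until(sample_metadata(stamp), NOW, MAX_VALIDITY))
```
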