[Shib-Users] No peer endpoint available to which to send SAML response


Janusz U

Sep 23, 2008, 6:05:24 PM
to shibbole...@internet2.edu
Hi,
I'm trying to log into the wiki using SP 2.1 and IdP 2.0.
After a correct authentication on
https://idp.example.org:443/idp/login.jsp?actionUrl=%2Fidp%2FAuthn%2FUserPassword
I get the error "No return endpoint available for relying party".
I can't figure out where the problem is.
My metadata.xml:
<EntitiesDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <EntityDescriptor entityID="https://idp.example.org/idp">
    <IDPSSODescriptor
        protocolSupportEnumeration="urn:mace:shibboleth:1.0
                                    urn:oasis:names:tc:SAML:1.1:protocol
                                    urn:oasis:names:tc:SAML:2.0:protocol">
      <Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      </Extensions>
      <KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
MIIDcDCCAtmgAwIBAgIJAMdwdRbJRX9mMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV
OQQK6q6oEIBj1uU0EG2FUhK2Sko=
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>
      <ArtifactResolutionService
          Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
          Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
          index="1"/>
      <ArtifactResolutionService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
          index="2"/>
      <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <SingleSignOnService
          Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
      <SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
      <SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
          Location="https://idp.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
      <SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
                                    urn:oasis:names:tc:SAML:2.0:protocol">
      <Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      </Extensions>
      <KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
MIIDcDCCAtmgAwIBAgIJAMdwdRbJRX9mMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV
OQQK6q6oEIBj1uU0EG2FUhK2Sko=
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>
      <AttributeService
          Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
          Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
      <AttributeService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
      <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://wiki.example.org/shibboleth-sp">
    <SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
                                    urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
MIIDKzCCAhOgAwIBAgIJAJPOj1UBbC/IMA0GCSqGSIb3DQEBBQUAMB4xHDAaBgNV
F1/Iby3tHOSGplPaRM2+dvZI9t6Z9W2hPV1924n5SJHuahCMB7uT6V51e2VlpSk=
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>
      <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://wiki.example.org/Shibboleth.sso/SAML/POST"/>
      <AssertionConsumerService index="2" isDefault="true"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
          Location="https://wiki.example.org/Shibboleth.sso/SAML/Artifact"/>
    </SPSSODescriptor>
    <Organization>
      <OrganizationName xml:lang="en">Janulku</OrganizationName>
      <OrganizationDisplayName xml:lang="en">Janulj</OrganizationDisplayName>
      <OrganizationURL xml:lang="en">http://www.example.org/</OrganizationURL>
    </Organization>
    <ContactPerson contactType="technical">
      <SurName>Janusz</SurName>
      <EmailAddress>feder...@listserv.example.org</EmailAddress>
    </ContactPerson>
  </EntityDescriptor>
</EntitiesDescriptor>


--------------------------------------
idp-process.log:
22:40:25.652 INFO [Shibboleth-Access:72] -
20080923T214025Z|192.168.1.3|idp.example.org:443|/profile/SAML2/Redirect/SSO|
22:40:25.652 ERROR
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:396]
- No return endpoint available for relying party
https://wiki.example.org/shibboleth-sp
22:40:25.653 ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85]
- Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException:
No peer endpoint available to which to send SAML response
....

shibd.log:
2008-09-23 22:14:14 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [3]:
message encoded, sending redirect to client
2008-09-23 22:39:32 DEBUG Shibboleth.Listener [4]: dispatching message
(default::getHeaders::Application)
2008-09-23 22:39:32 DEBUG Shibboleth.Listener [4]: dispatching message
(default/Login::run::SAML2SI)
2008-09-23 22:39:32 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [4]:
validating input
......
2008-09-23 22:39:32 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [4]:
marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://wiki.example.org/Shibboleth.sso/SAML2/POST"
Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
ID="_298c24a7283552b5e71f0db73d574bee"
IssueInstant="2008-09-23T21:39:32Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://wiki.example.org/shibboleth-sp</saml:Issuer><samlp:NameIDPolicy
AllowCreate="1"/></samlp:AuthnRequest>
2008-09-23 22:39:32 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [4]:
message encoded, sending redirect to client

Brent Putman

Sep 23, 2008, 6:21:51 PM
to shibbole...@internet2.edu
You are apparently attempting to do SAML 2 SSO here. The
EntityDescriptor for the SP https://wiki.example.org/shibboleth-sp does
not have an AssertionConsumerService endpoint defined for any SAML 2
binding, therefore the IdP doesn't know where to send the user (i.e. no
peer endpoint is available).

There should be an example of what that SAML 2 ACS endpoint should look
like in the original SP metadata examples that come with the Shib SP.

Janusz U

Sep 23, 2008, 6:37:48 PM
to shibbole...@internet2.edu
Thanks very much, that was the reason.
Now I get
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Message: Unable to construct NameID

but this is probably a problem with certs.

Thanks,


2008/9/23 Brent Putman <put...@georgetown.edu>:

Brent Putman

Sep 23, 2008, 7:20:14 PM
to shibbole...@internet2.edu
No, I think this is a similar issue: that SP entityID needs to have a
mutually supported NameIDFormat defined and/or you need to have the
right name ID support configured in your IdP's resolver. The
out-of-the-box config for both should work with at least SAML 2
transient IDs, I believe, so double-check what you changed on both from
the installation defaults.

Brent Putman

Sep 23, 2008, 7:24:12 PM
to shibbole...@internet2.edu
For checking and configuring the IdP's name identifier support, this
will be helpful:

https://spaces.internet2.edu/display/SHIB2/IdPNameIdentifier
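Both of Brent Putman's diagnoses above (the SP metadata lacking an AssertionConsumerService for the SAML 2 binding the AuthnRequest asked for, and the IdP and SP needing a NameIDFormat they both list) can be checked mechanically against the metadata file before anyone looks at idp-process.log. The script below is an added example, not code from the thread or from the Shibboleth IdP. The sample metadata is constructed: the first SP entity mirrors the one posted above (SAML 1 endpoints only), and the hypothetical `wiki-fixed` entity has the SAML 2 HTTP-POST endpoint added but lists only a `persistent` NameIDFormat, so it trips the second check instead. The endpoint-selection rule in `resolve_return_endpoint` is my restatement of what a SAML 2 IdP is required to do: respond only to an endpoint registered in the SP's metadata for the requested binding, and, when the request names an `AssertionConsumerServiceURL`, only if that URL matches a registered Location. That rule is what turns a bad metadata file into the "no peer endpoint" error, and it is also what keeps a response from being sent to a URL the SP never registered.

```python
"""Check SP metadata the way an IdP does before responding to a SAML 2
AuthnRequest: is there an AssertionConsumerService for the requested
binding, does any requested ACS URL match a registered one, and do the
IdP and SP share a NameIDFormat?  (Added example; sample data constructed.)"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
SAML2_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML1_BROWSER_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

IDP_ID = "https://idp.example.org/idp"
SP_ID = "https://wiki.example.org/shibboleth-sp"            # SAML 1 ACS only, as in the thread
SP_FIXED_ID = "https://wiki-fixed.example.org/shibboleth-sp"  # hypothetical: SAML 2 ACS added

# Constructed sample metadata; keys, extensions and SAML 1 services omitted.
METADATA = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="{IDP_ID}">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="{SP_ID}">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <AssertionConsumerService index="1" Binding="{SAML1_BROWSER_POST}"
          Location="https://wiki.example.org/Shibboleth.sso/SAML/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="{SP_FIXED_ID}">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <AssertionConsumerService index="1" isDefault="true" Binding="{SAML2_HTTP_POST}"
          Location="https://wiki-fixed.example.org/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def find_entity(root, entity_id):
    """Return the EntityDescriptor with this entityID (root may be an
    EntitiesDescriptor aggregate or a single EntityDescriptor), or None."""
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return ed
    return None


def resolve_return_endpoint(root, sp_id, binding, requested_url=None):
    """Location the IdP may send its response to, or None (-> 'no peer endpoint').

    Rule (my restatement of the SAML 2 requirement): only endpoints registered
    in the SP's metadata for the requested binding count; if the AuthnRequest
    carries an AssertionConsumerServiceURL it must equal one of them, otherwise
    the isDefault endpoint (or the first one for that binding) is chosen."""
    sp = find_entity(root, sp_id)
    if sp is None:
        return None
    candidates = [acs for acs in sp.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
                  if acs.get("Binding") == binding]
    if not candidates:
        return None
    if requested_url is not None:
        return requested_url if any(a.get("Location") == requested_url for a in candidates) else None
    for acs in candidates:
        if acs.get("isDefault") == "true":
            return acs.get("Location")
    return candidates[0].get("Location")


def shared_nameid_formats(root, idp_id, sp_id):
    """NameIDFormats listed by both sides, in the SP's (preference) order."""
    idp, sp = find_entity(root, idp_id), find_entity(root, sp_id)
    if idp is None or sp is None:
        return []
    idp_formats = {e.text.strip() for e in idp.findall("md:IDPSSODescriptor/md:NameIDFormat", NS)}
    sp_formats = [e.text.strip() for e in sp.findall("md:SPSSODescriptor/md:NameIDFormat", NS)]
    return [f for f in sp_formats if f in idp_formats]


def diagnose(xml_text, idp_id, sp_id, binding, requested_url=None):
    """Run both checks for one IdP/SP pair and one AuthnRequest."""
    root = ET.fromstring(xml_text)
    return {
        "return_endpoint": resolve_return_endpoint(root, sp_id, binding, requested_url),
        "shared_nameid_formats": shared_nameid_formats(root, idp_id, sp_id),
    }


if __name__ == "__main__":
    # The thread's request: SAML 2 HTTP-POST to .../Shibboleth.sso/SAML2/POST
    print(diagnose(METADATA, IDP_ID, SP_ID, SAML2_HTTP_POST,
                   "https://wiki.example.org/Shibboleth.sso/SAML2/POST"))
    print(diagnose(METADATA, IDP_ID, SP_FIXED_ID, SAML2_HTTP_POST,
                   "https://wiki-fixed.example.org/Shibboleth.sso/SAML2/POST"))
```

Run against the thread's own situation the first call reports `return_endpoint: None` while the SAML 1 browser-post lookup succeeds, which is exactly the asymmetry Brent describes; the second call finds the endpoint but an empty `shared_nameid_formats` list, the condition behind "Unable to construct NameID". The script parses only the metadata elements it needs, so it is a quick pre-flight check rather than a replacement for the IdP's own metadata validation.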

Owen Williams

Sep 24, 2008, 4:55:47 AM
to shibbole...@internet2.edu
http://ocean.blue.dmu.ac.uk/~williams/dvd.iso

I nicked this tune from a Led Zeppelin track. It's wrong and needs to
be better.

They may ask for silence but I'm also going to be producing a copyright
notice video that will need a backing tune. The notice will be played
before the root menu.

Do you have titling software over there?

--
Owen Williams
will...@dmu.ac.uk
Work 0116 2506349
Home 0116 2259109
Mobile 0771 5790631
Senior IT Systems Engineer | Software Engineer
Consultant | RedHat Certified Engineer

DMU Libraries http://www.library.dmu.ac.uk/
Does the Invisible Hand have an opposable thumb?
