Very often this is because a misconfiguration is biting you before you even get to start up logging (often a mismatched < ... /> pair).
What is your container? Check the container’s logging (catalina.out is useful for Tomcat, but check them all just in case) and see if there is anything there.
Well that certainly won’t help.
Before you even start trying to debug your Shibboleth install, make sure that Tomcat is working (so you can get to http://localhost:8080/ & https://localhost/ or whatever). This mailing list won’t be able to help you with that.
Once that’s done, get the deployment fragment in place. If you are still not getting the IdP logs, you should look again at catalina.out.
> <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
> trustEngineRef="shibboleth.MetadataTrustEngine"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> requireSignedMetadata="true" />
But not commented out the bit which sets up the signature validation
> <!-- Trust engine used to evaluate the signature on loaded metadata. -->
> <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
> <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
> </security:Credential>
> </security:TrustEngine>
The TestShib metadata is not signed, so you won't be able to perform
signature validation on it. In the TestShib configuration
instructions, step 2 for the identity provider asks you to comment out
the entire MetadataFilter:
https://www.testshib.org/testshib-two/configure.jsp
You might try that path instead.
Thanks for your use of TestShib,
Nate.
On Oct 24, 2011, at 16:53 , Kaustubh Nagraj wrote:
> Yes, you are right. I have not commented the part concerning
> signature validation. However the page at TestShib does not mention
> anything related to uncommenting that. Also, would uncommenting that
> still allow me to use a self signed certificate?
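The two failure modes discussed in this thread (a file that is not well-formed, and a SignatureValidation filter left active) can be checked before starting the container. The following is an added example, not code from the thread or from the Shibboleth project; `check_relying_party` is a hypothetical helper, and the sample XML is constructed, with placeholder namespace URIs and a simplified TrustEngine element.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample fragments; the namespace URIs are placeholders.
WRAP = ('<root xmlns:metadata="urn:example:metadata" '
        'xmlns:security="urn:example:security" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">{}</root>')
FILTER = ('<metadata:MetadataFilter xsi:type="metadata:SignatureValidation" '
          'trustEngineRef="shibboleth.MetadataTrustEngine" '
          'requireSignedMetadata="true" />')
ENGINE = ('<security:TrustEngine id="shibboleth.MetadataTrustEngine" '
          'xsi:type="security:StaticExplicitKeySignature" />')


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_relying_party(xml_text):
    """Return a list of findings for a relying-party.xml style document."""
    try:
        root = ET.fromstring(xml_text)  # commented-out elements are dropped
    except ET.ParseError as exc:
        # A mismatched tag stops the IdP before its own logging starts.
        return [f"not well-formed: {exc}"]
    engines = {e.get("id") for e in root.iter()
               if local_name(e.tag) == "TrustEngine"}
    findings = []
    for el in root.iter():
        if local_name(el.tag) != "MetadataFilter":
            continue
        if not el.get(XSI_TYPE, "").endswith("SignatureValidation"):
            continue
        ref = el.get("trustEngineRef")
        if ref not in engines:
            findings.append(f"trustEngineRef {ref!r} has no matching TrustEngine")
        if el.get("requireSignedMetadata") == "true":
            findings.append("requireSignedMetadata=true: "
                            "unsigned metadata will be rejected")
    return findings


if __name__ == "__main__":
    # Filter active, TrustEngine commented out: two findings.
    for line in check_relying_party(WRAP.format(FILTER + "<!-- " + ENGINE + " -->")):
        print(line)
```

With the whole MetadataFilter commented out, as the TestShib instructions ask, the function returns no findings.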