Shibboleth: SAML 2 SSO profile is not configured for relying party google.com


Chris_D

Jun 27, 2011, 4:59:40 AM
to google-app...@googlegroups.com

Hello all,

I’m really struggling to get Google Apps SSO working with Shibboleth.

The problem is, when I go to http://partnerpage.google.com/student.mydomain.ac.com I get the following error message:

Error Message: SAML 2 SSO profile is not configured for relying party google.com

I don’t really know what else to do. I used this guide to set this up (http://code.google.com/apis/apps/articles/shibboleth2.0.html) – hopefully you will see something straight away and if you do it will be a huge help. Many thanks.

Chris.

The log file, idp-process.log, states this:

09:42:08.824 - INFO [Shibboleth-Access:73] - 20110627T084208Z|212.219.90.124|shibidp.mydomain.ac.com:443|/profile/SAML2/Redirect/SSO|
09:42:08.824 - WARN [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:80] - SPSSODescriptor role metadata for entityID 'google.com' could not be resolved
09:42:08.824 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:274] - No metadata for relying party google.com, treating party as anonymous
09:42:08.824 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:194] - SAML 2 SSO profile is not configured for relying party google.com

The google-metadata.xml file:

<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>

        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/student.mydomain.ac.com/acs" />
    </SPSSODescriptor>
</EntityDescriptor>

The relying-party.xml:

<?xml version="1.0" encoding="UTF-8"?>

<!--
    This file is an EXAMPLE configuration file.

    This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
    particular relying party should be signed.  It also includes metadata provider and credential definitions used
    when answering requests to a relying party.
-->

<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
                   xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                   xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                   xmlns:resource="urn:mace:shibboleth:2.0:resource"
                   xmlns:security="urn:mace:shibboleth:2.0:security"
                   xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
                   xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                       urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
                                       urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
                                       urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
                                       urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
                                       urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
                                       urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
                                      
    <!-- ========================================== -->
    <!--      Relying Party Configurations          -->
    <!-- ========================================== -->
    <AnonymousRelyingParty provider="https://shibidp.mydomain.ac.com/shibboleth" />
   
    <DefaultRelyingParty provider="https://shibidp.mydomain.ac.com/shibboleth"
                         defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
                         defaultSigningCredentialRef="IdPCredential">
        <!--
            Each attribute in these profiles configuration is set to its default value,
            that is, the values that would be in effect if those attributes were not present.
            We list them here so that people are aware of them (since they seem reluctant to
            read the documentation).
        -->
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
                              includeAttributeStatement="false"
                              assertionLifetime="300000"
                              signResponses="conditional"
                              signAssertions="never" />
                             
        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
                              assertionLifetime="300000"
                              signResponses="conditional"
                              signAssertions="never" />
       
        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
                              signResponses="conditional"
                              signAssertions="never" />
       
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                              includeAttributeStatement="true"
                              assertionLifetime="300000"
                              assertionProxyCount="0"
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="never" />
       
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
                              assertionLifetime="300000"
                              assertionProxyCount="0"
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="never" />
       
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="never"/>
       
    </DefaultRelyingParty>

    <RelyingParty id="google.com"
                  provider="https://shibidp.mydomain.ac.com/shibboleth"
                  defaultSigningCredentialRef="IdPCredential">
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
    </RelyingParty>
       
   
    <!-- ========================================== -->
    <!--      Metadata Configuration                -->
    <!-- ========================================== -->
    <!-- MetadataProvider the combining other MetadataProviders -->
    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
   
     <!-- Load the IdP's own metadata.  This is necessary for artifact support. -->
        <MetadataProvider id="IdPMD" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" >
            <MetadataResource xsi:type="resource:FilesystemResource" file="C:\Program Files\Internet2\Shib2Idp/metadata/idp-metadata.xml" />
        </MetadataProvider>
       
        <!-- Download the metadata.
             This is the point where the post-install program will add new metadata. -->
        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
                          backingFile="C:\Program Files\Internet2\Shib2Idp/metadata/ukfederation-metadata.xml">
            <MetadataFilter xsi:type="ChainingFilter">
                <MetadataFilter xsi:type="SchemaValidation"/>
                <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
                <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true"/>
                <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
                    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
            </MetadataFilter>
        </MetadataProvider>

        <!-- Local metadata for the Google Apps SP; each provider is a direct child of the chaining provider above. -->
        <MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" metadataFile="C:\Program Files\Internet2\Shib2Idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />

        <MetadataProvider id="TestShib" xsi:type="FileBackedHTTPMetadataProvider"
                          xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://www.testshib.org/metadata/testshib-providers.xml"
                          backingFile="C:\Program Files\Internet2\Shib2Idp/metadata/Downloaded-Metadata.xml"
                          />
    </MetadataProvider>

   
    <!-- ========================================== -->
    <!--     Security Configurations                -->
    <!-- ========================================== -->
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>C:\Program Files\Internet2\Shib2Idp/credentials/shibidp.key</security:PrivateKey>
        <security:Certificate>C:\Program Files\Internet2\Shib2Idp/credentials/shibidp.crt</security:Certificate>
    </security:Credential>
   
    <!-- This is where to put the engine used to evaluate the signature on loaded metadata. -->

    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="FederationCredentials" xsi:type="security:X509Filesystem">
            <security:Certificate>C:\Program Files\Internet2\Shib2Idp/credentials/ukfederation.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
    
    <!-- DO NOT EDIT BELOW THIS POINT -->
    <!--
        The following trust engines and rules control every aspect of security related to incoming messages.
        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the
        security policies establish a set of checks that an incoming message must pass in order to be considered
        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust
        engines and so you'll see some rules that reference the declared trust engines.
    -->
    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
                              metadataProviderRef="ShibbolethMetadata" />                             
        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
                              metadataProviderRef="ShibbolethMetadata" />
    </security:TrustEngine>
   
    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
                              metadataProviderRef="ShibbolethMetadata" />
        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
                              metadataProviderRef="ShibbolethMetadata" />
    </security:TrustEngine>
    
    <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>
   
    <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
   
    <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
   
    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
   
    <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
   
</RelyingPartyGroup>
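The failure path in the log is that the IdP could not resolve metadata for entityID google.com, fell back to the anonymous relying party, and found no SAML2SSOProfile configured there. The lint below, added as an example and not part of this thread or of Shibboleth, checks a relying-party.xml for the two things that produce exactly that outcome: a MetadataProvider that is not a direct child of the ChainingMetadataProvider (so its file is never loaded) and a RelyingParty id that no loaded metadata file can resolve; it also flags any non-HTTPS AssertionConsumerService, since that is where the IdP will post the assertion. The sample config and metadata are constructed, trimmed copies of the ones above, and metadata.example is a placeholder URL.

```python
import xml.etree.ElementTree as ET

RP_NS = "urn:mace:shibboleth:2.0:relying-party"
MD_NS = "urn:mace:shibboleth:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
MP = f"{{{MD_NS}}}MetadataProvider"
ED = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"
ACS = "{urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService"

def config(google_inside_urlmd):
    """Constructed, trimmed relying-party.xml; True nests GoogleMD inside the URLMD provider."""
    google = ('<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" '
              'metadataFile="google-metadata.xml"/>')
    urlmd = ('<MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" '
             'metadataURL="http://metadata.example/md.xml">')  # placeholder URL
    chain = (urlmd + google + "</MetadataProvider>") if google_inside_urlmd else (urlmd + "</MetadataProvider>" + google)
    return (f'<RelyingPartyGroup xmlns="{RP_NS}" xmlns:xsi="{XSI}">'
            '<RelyingParty id="google.com" provider="https://shibidp.mydomain.ac.com/shibboleth"/>'
            f'<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" '
            f'xmlns="{MD_NS}">{chain}</MetadataProvider></RelyingPartyGroup>')

# Constructed copy of the google-metadata.xml shown in the post.
GOOGLE_MD = """<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/student.mydomain.ac.com/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def lint(relying_party_xml, metadata_files):
    """Return findings: mis-nested providers, RelyingParty ids without metadata, non-HTTPS ACS URLs.
    metadata_files maps each metadataFile attribute value to that file's XML text."""
    root = ET.fromstring(relying_party_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings, known = [], set()
    for mp in root.iter(MP):
        parent = parents[mp]
        ptype = parent.get(f"{{{XSI}}}type", "")
        # Only a ChainingMetadataProvider (or the group itself) takes child providers;
        # a provider nested inside any other provider never contributes metadata.
        well_placed = parent.tag != MP or ptype == "ChainingMetadataProvider"
        if not well_placed:
            findings.append(f"{mp.get('id')} is nested inside {parent.get('id')} ({ptype})")
        path = mp.get("metadataFile")
        if well_placed and path in metadata_files:
            for ed in ET.fromstring(metadata_files[path]).iter(ED):
                known.add(ed.get("entityID"))
                for acs in ed.iter(ACS):
                    if not acs.get("Location", "").startswith("https://"):
                        findings.append(f"{ed.get('entityID')}: non-HTTPS ACS {acs.get('Location')}")
    for rp in root.findall(f"{{{RP_NS}}}RelyingParty"):
        if rp.get("id") not in known:
            findings.append(f"RelyingParty '{rp.get('id')}' has no metadata; the IdP treats it as anonymous")
    return findings
```

Run `lint(config(True), {"google-metadata.xml": GOOGLE_MD})` to see both findings, and `config(False)` for the clean layout.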

Michael Manoochehri

Jun 28, 2011, 5:24:34 PM
to google-app...@googlegroups.com
Hi Chris:

This looks like an error in your metadata files. Are you sure that your metadataFile path is correct? I am not a Windows guy, but can you make sure your path names are correct? (i.e. C:\Program Files\Internet2\Shib2Idp\metadata\google-metadata.xml?)

<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" metadataFile="C:\Program Files\Internet2\Shib2Idp/metadata/google-metadata.xml" maintainExpiredMetadata="true">

Michael