[Shib-Users] Error:No peer endpoint available to which to send SAML response


Reason

Oct 13, 2008, 9:36:54 AM10/13/08
to shibbole...@internet2.edu
Hi all,
I used the mechanism Username/Password for configuring user authentication in IdP 2.0 and chose the LDAP Login Module.
After I entered the username and password, an error occurred: No peer endpoint available to which to send SAML response
The log said "No return endpoint available for relying party https://sp.example.org/shibboleth"

I searched it on Google; it said the EntityDescriptor for the SP does not have an AssertionConsumerService endpoint defined for any SAML 2 binding.

I want to know where to configure the AssertionConsumerService endpoint? In the SP's metadata file? And how do I configure this?

Nate Klingenstein

Oct 13, 2008, 10:13:32 AM10/13/08
to shibbole...@internet2.edu
Reason,

Yes, what you found in Google is correct.  However, your problem is more basic.  Your SP didn't modify the entityID in shibboleth2.xml.  It's using the default, and there is no metadata for the default.  If you change that to the right value, then you need to make sure the IdP loads matching, accurate metadata.  Then, this problem should stop.

Thanks,
Nate.

Reason

Oct 13, 2008, 8:30:08 PM10/13/08
to shibbole...@internet2.edu
Thank you:)
I changed the entityID for SP in metadata and added the AssertionConsumerService endpoint for SAML 2 binding
Problem is solved

 

bil...@edu.physics.uoc.gr

Oct 16, 2008, 4:48:19 AM10/16/08
to shibbole...@internet2.edu
Hi,

I'm using IdP 2 and I'm having the same error while I'm trying to configure
my IdP 2.0 with Microsoft's DreamSpark SP

11:03:18.672 DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:46] - Unable to select endpoint, no entity role metadata available.
11:03:18.673 ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:396] - No return endpoint available for relying party https://staging.dreamspark.com/shibboleth-sp
11:03:18.674 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: No peer endpoint available to which to send SAML response


This is some relevant part of the metadata I load from my federation:

<EntityDescriptor entityID="https://staging.dreamspark.com/shibboleth-sp">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<KeyDescriptor>
<ds:KeyInfo>
<ds:KeyName>staging.dreamspark.com</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>
MIIFGTCCBAGgAwIBAgICAb4wDQYJKoZIhvcNAQEFBQAwVjELMAkGA1UEBhMCVVMx
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://staging.dreamspark.com/Shibboleth.sso/SAML/POST" index="1"/>
</SPSSODescriptor>
<Organization>
<OrganizationName xml:lang="en">Microsoft</OrganizationName>
<OrganizationDisplayName xml:lang="en">Microsoft</OrganizationDisplayName>
<OrganizationURL xml:lang="en">http://www.microsoft.com/en/us/default.aspx</OrganizationURL>
</Organization>
</EntityDescriptor>

According to the previous post, "EntityDescriptor for the SP does not have an AssertionConsumerService endpoint defined for any SAML 2 binding"

In our metadata there isn't any AssertionConsumerService defined for any SAML 2 binding. However, my IdP works with those SPs. What should be added?

Thanks in advance

Giannis

Reason

Oct 16, 2008, 4:53:18 AM10/16/08
to shibbole...@internet2.edu

Kapetanakis Giannis

Oct 16, 2008, 5:47:06 AM10/16/08
to shibbole...@internet2.edu, Apostolos Papagiannakis

I've added those in my local metadata copy (and made sure that they were
not updated on reload):

<SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol

urn:oasis:names:tc:SAML:1.1:protocol">

<Extensions>
<idpdisc:DiscoveryResponse
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
index="1"
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="http://staging.dreamspark.com/Shibboleth.sso/DS"/>
<idpdisc:DiscoveryResponse
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
index="2"
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="https://staging.dreamspark.com/Shibboleth.sso/DS"/>
</Extensions>

<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>



<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="https://staging.dreamspark.com/Shibboleth.sso/SAML/POST"
index="1"/>

<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://staging.dreamspark.com/Shibboleth.sso/SAML2/POST"
index="2" />

Now it passes the endpoint binding:
12:38:29.656 DEBUG
[org.opensaml.saml2.binding.AuthnResponseEndpointSelector:95] -
Filtering peer endpoints. Supported peer endpoint bindings:
[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign,
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST,
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact]

but gives an error later on:

12:38:30.098 DEBUG
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:75]
- Registry located evaluable criteria class
org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria
for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
12:38:30.099 DEBUG
[org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:106]
- Registry could not locate evaluable criteria for criteria class
org.opensaml.security.MetadataCriteria
12:38:30.104 DEBUG [org.opensaml.xml.security.SecurityHelper:264] -
Unable to determine length in bits of specified Key instance
12:38:30.121 DEBUG [org.opensaml.xml.encryption.Encrypter:642] -
Generating random symmetric data encryption key from algorithm URI:
http://www.w3.org/2001/04/xmlenc#aes128-cbc
12:38:30.125 DEBUG [org.opensaml.xml.encryption.Encrypter:427] -
Encrypting XMLObject using algorithm URI
http://www.w3.org/2001/04/xmlenc#aes128-cbc with content mode false
12:38:30.136 ERROR

[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85]
- Error processing profile request

java.lang.NoClassDefFoundError:
org/apache/xml/utils/URI$MalformedURIException
at
org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:440)


Thanks

Giannis


> On 16/10/2008, bil...@edu.physics.uoc.gr wrote:
>
> Hi,
>
> I'm using idp 2 and I'm having the same error while I'm trying to
> configure
> my to idp2.0 with microsoft's dreamspak SP
>
> 11:03:18.672 DEBUG
> [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:46] -
> Unable to select endpoint, no entity role metadata available.
> 11:03:18.673 ERROR
> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:396]
> - No return endpoint available for relying party
> https://staging.dreamspark.com/shibboleth-sp
> 11:03:18.674 ERROR
> [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85]
> - Error processing profile request
> edu.internet2.middleware.shibboleth.common.profile.ProfileException:
> No peer endpoint available to which to send SAML response
>
>
> This is some relevant part of the metadata I load from my federation:
>
> <EntityDescriptor
> entityID="https://staging.dreamspark.com/shibboleth-sp">
> <SPSSODescriptor
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
> <ds:KeyName>staging.dreamspark.com</ds:KeyName>
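The two failures in this thread (an IdP that finds no SP role metadata or no SAML 2 return endpoint, and an endpoint URI that fails to parse) can be caught before metadata is loaded into the IdP. The following is an added Python example written for this thread, not Shibboleth project code: it walks an SP EntityDescriptor and reports a SAML 1.1-only protocolSupportEnumeration, a missing AssertionConsumerService for any of the response bindings the IdP above logged as supported, an entityID that differs from what the SP is configured with, and a Location that is not an absolute https URI. The sample descriptors, the entityID values and the check names are constructed for the example; the binding list is taken from the AuthnResponseEndpointSelector debug line in the thread.

```python
"""Pre-load sanity check for an SP's SAML metadata (added example, not Shibboleth code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Response bindings the IdP in this thread logged as supported
# ("Filtering peer endpoints. Supported peer endpoint bindings: [...]").
IDP_RESPONSE_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}


def _local(tag):
    """Strip a namespace prefix such as '{urn:oasis:names:tc:SAML:2.0:metadata}' from a tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct child elements with the given local name (comments are skipped)."""
    return [c for c in elem if isinstance(c.tag, str) and _local(c.tag) == name]


def describe_uri_problem(location):
    """Return None if location is an absolute https URI, else a short description."""
    if not location:
        return "empty Location"
    if any(ch.isspace() for ch in location):
        return f"Location {location!r} contains whitespace (malformed URI)"
    parts = urlsplit(location)
    if not parts.scheme or not parts.netloc:
        return f"Location {location!r} is not an absolute URI"
    if parts.scheme != "https":
        return f"Location {location!r} is not https; the response would travel in clear"
    return None


def check_sp_metadata(xml_text, expected_entity_id=None):
    """Return the problems that would stop an IdP from returning a SAML 2
    response to this SP; an empty list means the descriptor looks usable."""
    problems = []
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "EntityDescriptor":
        return [f"root element is {_local(root.tag)}, expected EntityDescriptor"]
    entity_id = root.get("entityID", "")
    if expected_entity_id is not None and entity_id != expected_entity_id:
        problems.append(f"metadata entityID {entity_id!r} differs from the SP's configured "
                        f"entityID {expected_entity_id!r}; the IdP will find no metadata for it")
    roles = _children(root, "SPSSODescriptor")
    if not roles:
        problems.append("no SPSSODescriptor: the IdP has no SP role metadata for this entity")
        return problems
    sp = roles[0]
    protocols = set(sp.get("protocolSupportEnumeration", "").split())
    if SAML2_PROTOCOL not in protocols:
        # The IdP looks the role up by protocol, so a SAML 1.1-only role is invisible to it.
        problems.append(f"protocolSupportEnumeration lacks {SAML2_PROTOCOL}")
    usable = 0
    for acs in _children(sp, "AssertionConsumerService"):
        uri_problem = describe_uri_problem(acs.get("Location", ""))
        if uri_problem:
            problems.append(f"AssertionConsumerService index={acs.get('index')}: {uri_problem}")
        elif acs.get("Binding") in IDP_RESPONSE_BINDINGS:
            usable += 1
    if usable == 0:
        problems.append("no AssertionConsumerService with a SAML 2 binding the IdP supports")
    return problems


# Constructed sample descriptors (not real federation metadata).
SP_BEFORE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth-sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/Shibboleth.sso/SAML/POST" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

SP_AFTER = SP_BEFORE.replace(
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"',
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol '
    'urn:oasis:names:tc:SAML:1.1:protocol"',
).replace(
    "</SPSSODescriptor>",
    '<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
    '        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="2"/>\n'
    "  </SPSSODescriptor>",
)

# Same as SP_AFTER but with a space inside the SAML 2 endpoint URI.
SP_BAD_URI = SP_AFTER.replace("SAML2/POST\"", "SAML2/POST extra\"")

if __name__ == "__main__":
    for name, md in (("before", SP_BEFORE), ("after", SP_AFTER), ("bad uri", SP_BAD_URI)):
        print(name, check_sp_metadata(md) or "OK")
    # Nate's point about the unchanged default entityID in shibboleth2.xml:
    print("mismatch", check_sp_metadata(SP_AFTER, "https://sp.example.org/shibboleth"))
```

Run against the "before" descriptor it reports the SAML 1.1-only protocol list and the missing SAML 2 endpoint; against the corrected one it reports nothing; passed the SP's configured entityID it also flags the mismatch Nate describes. The https check is stricter than what the IdP enforces: an http Location is accepted by the IdP, but it is the kind of thing you want to see before a federation file goes live.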

Nate Klingenstein

Oct 16, 2008, 10:23:07 AM10/16/08
to shibbole...@internet2.edu
Giannis,

That probably means what it says: you have a malformed URI somewhere in the metadata.  Could you send me a copy so I can look at it?

Also, Microsoft should have a copy they maintain.  If they do, you should ask for it, and then you can just load that instead.

Take care,
Nate.

Kapetanakis Giannis

Oct 16, 2008, 12:38:50 PM10/16/08
to shibbole...@internet2.edu, Nate Klingenstein, ap...@ccf.auth.gr
Nate Klingenstein wrote:
> Giannis,
>
> Aha. Think I found it. Check your xalan version, particularly the
> one endorsed by Tomcat.
>
> https://mail.internet2.edu/wws/arc/shibboleth-users/2008-05/msg00547.html
>
> Yugh,
> Nate.
>

Indeed it needed the xalan and xerces that ship with the IdP copied in
/var/lib/tomcat5/common/endorsed/

Greetings, you are successfully verified...!
Click here
<javascript:__doPostBack('ctl00$ContentPlaceHolder1$lnkClickHere','')>
to continue...

:))

thanks for all the help Nate
my best regards,

Giannis

Kapetanakis Giannis

Oct 16, 2008, 12:41:41 PM10/16/08
to shibbole...@internet2.edu
Nate Klingenstein wrote:
> Giannis,
>
> That probably means what it says: you have a malformed URI somewhere
> in the metadata. Could you send me a copy so I can look at it?
>
> Also, Microsoft should have a copy they maintain. If they do, you
> should ask for it, and then you can just load that instead.
>
> Take care,
> Nate.
>
> On 16 Oct 2008, at 09:47, Kapetanakis Giannis wrote:

case closed :)
https://mail.internet2.edu/wws/arc/shibboleth-users/2008-05/msg00547.html

tomcat needs xalan and xerces that ship with the IdP.

regards
Giannis

