[Shib-Users] getting opensaml:: FatalProfileException error for IdP


Ray Cavanaugh

Oct 19, 2010, 4:49:40 PM
to shibbole...@internet2.edu, Mark C Young

Hello all:

We're getting closer, but yet not quite there. We know there is something possibly incorrect with our relying-party.xml file, yet we are unable to determine what it is. Also we are using Tomcat for the IdP and not httpd apache, but do not believe this is the issue. I'm going to idp-processing.log to give you further information. I've tried to send a copy of my relying-party.xml file, but it's too large to send, so if you'd like a copy of that in a separate email, I can do that too.

idp-processing.log

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.28]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.28]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.5.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.28]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.28]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.28]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.28]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.28]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.28]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.28]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.28]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) [tomcat-coyote.jar:6.0.28]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) [tomcat-coyote.jar:6.0.28]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.28]
        at java.lang.Thread.run(Thread.java:619) [na:1.6.0_20]
13:25:44.897 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:160] - Returning control to profile handler
13:25:44.897 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:296] - LoginContext not bound to HTTP request, retrieving it from storage service
13:25:44.897 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:307] - LoginContext key is 'eb0ee8bc-4fb2-44ff-8e60-fc6fe81926fc'
13:25:44.897 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:310] - parition: loginContexts
13:25:44.897 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:170] - Returning control to profile handler at: /profile/SAML2/Redirect/SSO
13:25:44.898 - INFO [Shibboleth-Access:73] - 20101019T202544Z|10.51.0.112|union.pugetsound.edu:443|/profile/SAML2/Redirect/SSO|
13:25:44.898 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
13:25:44.898 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
13:25:44.898 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:145] - Incoming request contains a login context, processing as second leg of request
13:25:44.898 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193] - Checking child metadata provider for entity descriptor with entity ID: https://sp.testshib.org/shibboleth-sp
13:25:44.899 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://sp.testshib.org/shibboleth-sp
13:25:44.899 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:95] - Metadata document does not contain an EntityDescriptor with the ID https://sp.testshib.org/shibboleth-sp
13:25:44.899 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193] - Checking child metadata provider for entity descriptor with entity ID: https://sp.testshib.org/shibboleth-sp
13:25:44.899 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://sp.testshib.org/shibboleth-sp
13:25:44.899 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193] - Checking child metadata provider for entity descriptor with entity ID: https://sp.testshib.org/shibboleth-sp
13:25:44.899 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://sp.testshib.org/shibboleth-sp
13:25:44.900 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:95] - Metadata document does not contain an EntityDescriptor with the ID https://sp.testshib.org/shibboleth-sp
13:25:44.900 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193] - Checking child metadata provider for entity descriptor with entity ID: https://sp.testshib.org/shibboleth-sp
13:25:44.900 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://sp.testshib.org/shibboleth-sp
13:25:44.900 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://sp.testshib.org/shibboleth-sp
13:25:44.900 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for https://sp.testshib.org/shibboleth-sp, looking up configuration based on metadata groups.
13:25:44.901 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193] - Checking child metadata provider for entity descriptor with entity ID: https://sp.testshib.org/shibboleth-sp
13:25:44.901 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://sp.testshib.org/shibboleth-sp
13:25:44.901 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:95] - Metadata document does not contain an EntityDescriptor with the ID https://sp.testshib.org/shibboleth-sp
13:25:44.901 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193] - Checking child metadata provider for entity descriptor with entity ID: https://sp.testshib.org/shibboleth-sp
13:25:44.901 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://sp.testshib.org/shibboleth-sp
13:25:44.901 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://sp.testshib.org/shibboleth-sp. Using default relying party configuration.
13:25:44.902 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:193] - Checking child metadata provider for entity descriptor with entity ID: https://union.pugetsound.edu/idp/shibboleth
13:25:44.902 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:237] - Searching for entity descriptor with an entity ID of https://union.pugetsound.edu/idp/shibboleth
13:25:44.903 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:100] - Filtering peer endpoints.  Supported peer endpoint bindings: [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact]
13:25:44.903 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:115] - Removing endpoint https://sp.testshib.org/Shibboleth.sso/SAML/POST because its binding urn:oasis:names:tc:SAML:1.0:profiles:browser-post is not supported
13:25:44.903 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:115] - Removing endpoint https://sp.testshib.org/Shibboleth.sso/SAML/Artifact because its binding urn:oasis:names:tc:SAML:1.0:profiles:artifact-01 is not supported
13:25:44.904 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:115] - Removing endpoint https://sp.testshib.org/Shibboleth.sso/ADFS because its binding http://schemas.xmlsoap.org/ws/2003/07/secext is not supported
13:25:44.904 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:115] - Removing endpoint https://www.testshib.org/Shibboleth.sso/SAML/POST because its binding urn:oasis:names:tc:SAML:1.0:profiles:browser-post is not supported
13:25:44.904 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:70] - Selecting endpoint by ACS URL 'https://sp.testshib.org/Shibboleth.sso/SAML2/POST' and protocol binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' for request '_f9dd0c7f691c4de8646951c93f177fd0' from entity 'https://sp.testshib.org/shibboleth-sp'
13:25:44.904 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:524] - Encoding response to SAML request _f9dd0c7f691c4de8646951c93f177fd0 from relying party https://sp.testshib.org/shibboleth-sp
13:25:44.904 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:47] - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
13:25:44.906 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:99] - Starting to marshall {http://www.w3.org/2000/09/xmldsig#}Signature
13:25:44.907 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:102] - Creating XMLSignature object
13:25:44.907 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:112] - Adding content to XMLSignature.
13:25:44.907 - DEBUG [org.opensaml.common.impl.SAMLObjectContentReference:172] - Adding list of inclusive namespaces for signature exclusive canonicalization transform
13:25:44.908 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:117] - Creating Signature DOM element
13:25:44.908 - DEBUG [org.opensaml.xml.signature.Signer:77] - Computing signature over XMLSignature object
13:25:44.923 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:121] - Invoking Velocity template to create POST body
13:25:44.924 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:152] - Encoding action url of: https://sp.testshib.org/Shibboleth.sso/SAML2/POST
13:25:44.924 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:155] - Marshalling and Base64 encoding SAML message
13:25:44.934 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:54] - Successfully encoded message.
13:25:44.935 - INFO [Shibboleth-Audit:1019] - 20101019T202544Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_f9dd0c7f691c4de8646951c93f177fd0|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://union.pugetsound.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3dc2a4bc5c23baeee434cf143fe913b1||||||

ray

Scott Cantor

Oct 19, 2010, 4:54:06 PM
to shibbole...@internet2.edu, Mark C Young
> We're getting closer, but yet not quite there. We know
> there is something possibly incorrect with our relying-party.xml file, yet
> we are unable to determine what it is.


The IdP isn't the one reporting the error, so you're going to need to
determine why the SP is unhappy.

-- Scott

Ray Cavanaugh

Oct 19, 2010, 4:57:12 PM
to shibbole...@internet2.edu, Mark C Young
Well interesting, because our SP is running on a separate server, should it not be accessing the SP if we're running this on the testshib.org link to test the IdP? This is the error message we're getting.

opensaml::FatalProfileException

The system encountered an error at Tue Oct 19 16:25:45 2010

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (https://sp.testshib.org/Shibboleth.sso/SAML2/POST)

SAML response contained an error.

Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

Scott Cantor

Oct 19, 2010, 11:00:29 PM
to shibbole...@internet2.edu, shibbole...@internet2.edu, Mark C Young
On Oct 19, 2010, at 4:57 PM, Ray Cavanaugh <rcava...@pugetsound.edu> wrote:
> Well interesting, because our SP is running on a separate server, should it not be accessing the SP if we're running this on the testshib.org link to test the idp? This is the error message we're getting.

You hadn't posted that, so I assumed the error was in the SP log, but that's an IDP error, and was not in the log you posted earlier that I could see.

-- Scott

Ray Cavanaugh

Oct 20, 2010, 12:34:58 PM
to shibbole...@internet2.edu
Yeah sorry about that. I tried to put a copy of the error, as well as our relying-party.xml file into the message but it was all too long. We're going to try something else that might fix the problem today.

ray


Chad La Joie

Oct 20, 2010, 12:37:21 PM
to shibbole...@internet2.edu
The most common reasons for the IdP sending that particular error back
to the SP would be the IdP's inability to meet the authentication
requirements given by the SP, i.e. SP requested a particular authn
method, forced authentication, or passive authentication and the IdP
didn't support it.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered
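As an added triage example (written for this page, not code from the thread or from the Shibboleth project): it reads the Status the SP displayed and, when it is Responder/AuthnFailed, compares the SP's AuthnRequest against what the IdP's login handlers can do, the three mismatches Chad lists. The sample Response, the sample AuthnRequest and the `idp_contexts` / `supports_force` / `supports_passive` inputs describing the IdP are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the Status the SP in this thread reported (Responder/AuthnFailed).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_resp1" Version="2.0" IssueInstant="2010-10-19T20:25:44Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample AuthnRequest: exact X.509 context, forced and passive authentication.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2010-10-19T20:25:40Z" ForceAuthn="true" IsPassive="true">
  <saml:Issuer>https://sp.example.org/shibboleth-sp</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def response_status(response_xml):
    """Return (top-level StatusCode, nested sub-StatusCode or None) from a SAML Response."""
    code = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    sub = code.find("samlp:StatusCode", NS)
    return code.get("Value"), (sub.get("Value") if sub is not None else None)

def unmet_requirements(request_xml, idp_contexts, supports_force=True, supports_passive=False):
    """List the SP's authn requirements the IdP cannot meet (empty list = all met).
    idp_contexts and supports_* are hypothetical inputs describing the IdP's login handlers."""
    root = ET.fromstring(request_xml)
    problems = []
    if root.get("ForceAuthn", "false") in ("true", "1") and not supports_force:
        problems.append("ForceAuthn requested but no login handler can force re-authentication")
    if root.get("IsPassive", "false") in ("true", "1") and not supports_passive:
        problems.append("IsPassive requested but no login handler supports passive login")
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is not None:
        refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
        comparison = rac.get("Comparison", "exact")
        if comparison == "exact" and not any(r in idp_contexts for r in refs):
            problems.append("no login handler offers an exact match for %s" % refs)
        elif comparison != "exact":  # minimum/better/maximum need a context ordering
            problems.append("Comparison=%s not evaluated here; check handler ordering" % comparison)
    return problems
```

Run `unmet_requirements(SAMPLE_REQUEST, {...})` with the set of AuthnContextClassRef values the IdP's handlers actually issue; each returned string is one requirement the SP sent that the IdP turned into Responder/AuthnFailed.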
