[Shib-Users] No metadata found for provider in IdP logs

Achugatla, Vijay K. (LNG-CON)

Jan 19, 2010, 5:41:43 PM
to shibbole...@internet2.edu

Hi,

I am having an issue with my test IDP

Here are the messages that I see

Browser

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

Please include the following error message in any email:

Identity provider lookup failed at (http://dvc7617.lexisnexis.com:25007/SHIRE/SAML/POST)

opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST response not established.

SP logs

11:17:31.711(01/19) DEBUG OpenSAML.MessageDecoder.SAML1 : extracting issuer from SAML 1.x Response

11:17:31.711(01/19) DEBUG OpenSAML.MessageDecoder.SAML1 : response from (https://elsevier.test.federation/test-IdP2)

11:17:31.711(01/19) DEBUG OpenSAML.MessageDecoder.SAML1 : searching metadata for response issuer...

11:17:31.711(01/19) WARN  OpenSAML.MessageDecoder.SAML1 : no metadata found, can't establish identity of issuer (https://elsevier.test.federation/test-IdP2)

IDP logs

2010-01-19 16:09:50,369 DEBUG [IdP] -869056097                          - Remote provider has identified itself as: (https://sdauth.sciencedirect.com/).

2010-01-19 16:09:50,369 INFO  [IdP] -869056097                          - Could not locate Relying Party configuration for (https://sdauth.sciencedirect.com/).  Using default Relying Party: (https://elsevier.test.federation).

2010-01-19 16:09:50,381 INFO  [IdP] -869056097                          - No metadata found for provider: (https://sdauth.sciencedirect.com/).

2010-01-19 16:09:50,381 INFO  [IdP] -869056097                          - Selecting default Relying Party: (https://elsevier.test.federation).

I looked at the SP and IDP metadata and they look fine. There were no changes made to my IDP in the last 2 months. It was working fine till Dec 31. I see these messages only starting this year.

Please let me know if you infer anything from these messages. I would be happy to provide more details if required.

Thanks,
Vijay

Mailvaganam, Hari

Jan 19, 2010, 6:04:07 PM
to shibbole...@internet2.edu

Hi:

It is probably the date-related issue described in the attached email.

Regards,

Hari

Re Shib-Users Urgent All Shibboleth SP stopped working with unable to locate metadata for provider.txt

Achugatla, Vijay K. (LNG-CON)

Jan 19, 2010, 8:04:36 PM
to shibbole...@internet2.edu

Thanks Hari.

Is there any limitation on the validity date? I mean can I give any future date?

Thanks,

Vijay

Scott Cantor

Jan 19, 2010, 9:07:35 PM
to shibbole...@internet2.edu
Achugatla, Vijay K. (LNG-CON) wrote on 2010-01-19:
> Is there any limitation on the validity date? I mean can I give any
> future date?

No. Metadata is either a supplement to a PKI or a replacement for it
depending on how keys are expressed. The latter means that it's exactly like
a CRL in a traditional PKI and you don't just create metadata once and copy
it around. It has to be expired and refreshed on a constant basis. Metadata
is part of a broader trust management strategy, it's not a replacement for
it.

This is why federations exist, so that deployers don't need to understand
this stuff. If you're doing it yourself, you are taking on that
responsibility and if you were affected by this date issue, you should take
that as a sign that you have a problem with your deployment. Possibly a very
serious one.

-- Scott


Russell Beall

Jan 21, 2010, 1:35:30 PM
to shibbole...@internet2.edu
This issue occurred for quite a few IdPs on December 31st.

Check your validUntil dates in your metadata files.  They are probably expired.

Russ.
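
A validUntil check of the kind suggested in this thread, as an added example that is not part of the original messages: it walks a metadata file and reports each entity's effective expiry. The XML sample is constructed (the entityIDs come from the logs above, the dates are invented), the function names are this example's own, and it assumes a validUntil on an enclosing EntitiesDescriptor also bounds the entities inside it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: entityIDs are from the thread, the dates are invented,
# and the descriptors are stripped down to the attributes this check reads.
SAMPLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2010-12-31T23:59:59Z">
  <EntityDescriptor entityID="https://elsevier.test.federation/test-IdP2"
      validUntil="2009-12-31T23:59:59Z"/>
  <EntityDescriptor entityID="https://sdauth.sciencedirect.com/"/>
</EntitiesDescriptor>"""

def parse_ts(value):
    """Parse an xs:dateTime such as 2009-12-31T23:59:59Z into an aware datetime."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_expiry(xml_text, now):
    """Map each entityID to (effective validUntil, status) as of `now`."""
    results = {}

    def walk(elem, inherited):
        raw = elem.get("validUntil")
        own = parse_ts(raw) if raw else None
        limits = [t for t in (inherited, own) if t is not None]
        effective = min(limits) if limits else None  # earliest bound wins
        if elem.tag == MD + "EntityDescriptor":
            if effective is None:
                status = "no-validUntil"  # never expires: worth flagging
            else:
                status = "expired" if effective <= now else "valid"
            results[elem.get("entityID")] = (effective, status)
        elif elem.tag == MD + "EntitiesDescriptor":
            for child in elem:
                walk(child, effective)

    walk(ET.fromstring(xml_text), None)
    return results

if __name__ == "__main__":
    as_of = datetime(2010, 1, 19, tzinfo=timezone.utc)
    for entity, (until, status) in check_expiry(SAMPLE, as_of).items():
        print(f"{status:14} {until} {entity}")
```

Running it with a `now` some days in the future shows which entries will lapse before the next scheduled metadata refresh.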