Hi,
I am having an issue with my test IDP
Here are the messages that I see
Browser
Unknown or Unusable Identity Provider
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.
Please include the following error message in any email:
Identity provider lookup failed at (http://dvc7617.lexisnexis.com:25007/SHIRE/SAML/POST)
opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST response not established.
SP logs
11:17:31.711(01/19) DEBUG OpenSAML.MessageDecoder.SAML1 : extracting issuer from SAML 1.x Response
11:17:31.711(01/19) DEBUG OpenSAML.MessageDecoder.SAML1 : response from (https://elsevier.test.federation/test-IdP2)
11:17:31.711(01/19) DEBUG OpenSAML.MessageDecoder.SAML1 : searching metadata for response issuer...
11:17:31.711(01/19) WARN OpenSAML.MessageDecoder.SAML1 : no metadata found, can't establish identity of issuer (https://elsevier.test.federation/test-IdP2)
IDP logs
2010-01-19 16:09:50,369 DEBUG [IdP] -869056097 - Remote provider has identified itself as: (https://sdauth.sciencedirect.com/).
2010-01-19 16:09:50,369 INFO [IdP] -869056097 - Could not locate Relying Party configuration for (https://sdauth.sciencedirect.com/). Using default Relying Party: (https://elsevier.test.federation).
2010-01-19 16:09:50,381 INFO [IdP] -869056097 - No metadata found for provider: (https://sdauth.sciencedirect.com/).
2010-01-19 16:09:50,381 INFO [IdP] -869056097 - Selecting default Relying Party: (https://elsevier.test.federation).
I looked at the SP and IDP metadata and they look fine. There were no changes made to my IDP in the last 2 months. It was working fine till Dec 31. I see these messages only starting this year.
Please let me know if you infer anything from these messages. I would be happy to provide more details if required.
Thanks,
Vijay
Thanks Hari.
Is there any limitation on the validity date? I mean can I give any future date?
Thanks,
Vijay
No. Metadata is either a supplement to a PKI or a replacement for it
depending on how keys are expressed. The latter means that it's exactly like
a CRL in a traditional PKI and you don't just create metadata once and copy
it around. It has to be expired and refreshed on a constant basis. Metadata
is part of a broader trust management strategy, it's not a replacement for
it.
This is why federations exist, so that deployers don't need to understand
this stuff. If you're doing it yourself, you are taking on that
responsibility and if you were affected by this date issue, you should take
that as a sign that you have a problem with your deployment. Possibly a very
serious one.
-- Scott
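Scott's point is that metadata carries a validUntil bound and is rejected wholesale once that bound passes, which is the kind of failure that shows up in the SP and IdP logs above as "no metadata found". The following script is an added example (not code from this thread or from the Shibboleth project) that a deployer could run against a metadata file before loading it: it walks EntitiesDescriptor/EntityDescriptor elements, computes each entity's effective validUntil (the earliest bound on the entity itself or any enclosing element, since an outer expiry invalidates everything inside it), and reports which entities are already expired. The embedded sample metadata, its entityIDs and dates are constructed for illustration.

```python
import datetime as dt
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITIES = "{%s}EntitiesDescriptor" % MD_NS
ENTITY = "{%s}EntityDescriptor" % MD_NS

# Constructed sample: a small federation aggregate whose root validUntil has
# already passed. The inner entity carries a later validUntil of its own, but
# the outer bound still governs it, so both entities are expired after Dec 31.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="example-federation" validUntil="2009-12-31T23:59:59Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
      validUntil="2011-06-30T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_saml_timestamp(value):
    """Parse an xs:dateTime as used in SAML metadata (UTC, optional fraction)."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("validUntil must be expressed in UTC with a trailing Z: %r" % value)
    body = value[:-1].split(".")[0]  # drop fractional seconds if present
    return dt.datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def _walk(elem, inherited_bound, now, report):
    """Recursively compute the effective validUntil for every EntityDescriptor."""
    bound = inherited_bound
    own = elem.get("validUntil")
    if own is not None:
        own_ts = parse_saml_timestamp(own)
        bound = own_ts if bound is None else min(bound, own_ts)
    if elem.tag == ENTITY:
        report[elem.get("entityID")] = {
            "valid_until": bound,
            "expired": bound is not None and bound <= now,
        }
    for child in elem:
        if child.tag in (ENTITIES, ENTITY):
            _walk(child, bound, now, report)


def check_metadata(xml_text, now=None):
    """Return {entityID: {"valid_until": datetime|None, "expired": bool}}.

    `now` defaults to the current UTC time; pass an explicit value to evaluate
    the file as of some other instant.
    """
    if now is None:
        now = dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag not in (ENTITIES, ENTITY):
        raise ValueError("root element is not SAML metadata: %s" % root.tag)
    report = {}
    _walk(root, None, now, report)
    return report


def expired_entities(xml_text, now=None):
    """Convenience: sorted list of entityIDs whose metadata is no longer valid."""
    return sorted(e for e, info in check_metadata(xml_text, now).items() if info["expired"])


if __name__ == "__main__":
    # Usage: python check_metadata.py [metadata.xml]; without an argument the
    # constructed sample is checked as of 2010-01-19, matching the thread's logs.
    if len(sys.argv) > 1:
        text, when = open(sys.argv[1], encoding="utf-8").read(), None
    else:
        text, when = SAMPLE_METADATA, dt.datetime(2010, 1, 19, tzinfo=dt.timezone.utc)
    for entity_id, info in check_metadata(text, when).items():
        state = "EXPIRED" if info["expired"] else "valid"
        print("%-45s validUntil=%s  %s" % (entity_id, info["valid_until"], state))
```

Run against a real federation aggregate this reports every entity the IdP or SP would refuse to recognise because its bound has passed; an entity with a long validUntil of its own is still listed as expired when the enclosing aggregate has expired, which is the case a deployer copying metadata around by hand tends to miss.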