[Shib-Users] Error Message: SAML 2 SSO profile is not configured for relying party


Reason

Oct 8, 2008, 10:47:06 PM
to shibbole...@internet2.edu
Hi All,
For Help
When I accessed the page protected by SP, it redirected to the IdP but an error occurred
Error Message: SAML 2 SSO profile is not configured for relying party https://sp.example.org/shibboleth
I have added this relying-party in the relying-party.xml, details are as follows
 
<RelyingParty id="https://sp.example.org/shibboleth"
              provider="https://idp.2288.org:8080/idp/profile"
              defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</RelyingParty>
 
What's wrong with my configuration?
 
P.S. I use 2.0 IdP

Chad La Joie

Oct 9, 2008, 12:07:58 AM
to shibbole...@internet2.edu
When asking questions like this you pretty much always need to attach
the log file with DEBUG logging on for the IdP. My guess is that either
the SP isn't authenticated or the IdP isn't finding the metadata for it.

Reason wrote:
> Hi All,
> For Help
> When I accessed the page protected by SP, it redirected to the IdP but an
> error occurred
> *Error Message: SAML 2 SSO profile is not configured for relying party*
> *https://sp.example.org/shibboleth*
> I have added this relying-party in the *relying-party.xml*, details are as
> follows
>
> <RelyingParty id="https://sp.example.org/shibboleth"
> provider="https://idp.2288.org:8080/idp/profile"
> defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
> <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
> <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
> <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
> <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
> <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
> <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
> </RelyingParty>
>
> What's wrong with my configuration?
>
> P.S. I use 2.0 IdP
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Reason

Oct 9, 2008, 1:05:45 AM
to shibbole...@internet2.edu
I see the log as follows:
WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No metadata for relying party https://sp.example.org/shibboleth, treating party as anonymous
 
Where should I make configuration for this? Thank you
 

Reason

Oct 9, 2008, 1:18:06 AM
to shibbole...@internet2.edu
Sorry, I commented the <MetadataProvider> in relying-party.xml....
Now the log said:
 
WARN [org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider:98] - Unable to read metadata from remote server, attempting to read it from local backup
java.net.SocketTimeoutException: Read timed out

 

Chad La Joie

Oct 9, 2008, 1:35:00 AM
to shibbole...@internet2.edu
Please refer to the documentation for adding new metadata sources.

Chad La Joie

Oct 9, 2008, 1:36:00 AM
to shibbole...@internet2.edu
Well, that error should be pretty self-explanatory. It can't read it
from the URL that you gave it.

Reason wrote:
> Sorry, I commented the <MetadataProvider> in *relying-party.xml....*

Reason

Oct 9, 2008, 2:34:45 AM
to shibbole...@internet2.edu
Thank you very much
Seeing log file is a good habit!!!

 

Reason

Oct 9, 2008, 2:46:06 AM
to shibbole...@internet2.edu
I have a question, maybe very simple
in SP's configuration file: shibboleth2.xml, it has an item <MetaDataProvider>
in IdP's configuration file: relying-party.xml, it also has an item <MetaDataProvider>

Are these two Metadata the same?

 

Chad La Joie

Oct 9, 2008, 3:17:42 AM
to shibbole...@internet2.edu
Anytime you see like named configuration options between the two
components they are meant to refer to the same concept. Sometimes the
functionality is not identical because of language differences, but the
general idea is the same.

Reason wrote:
> I have a question, maybe very simple
> in SP's configuration file: *shibboleth2.xml*, it has an item
> <MetaDataProvider>
> in IdP's configuration file: *relying-party.xml*, it also has an item

Scott Cantor

Oct 9, 2008, 11:44:18 AM
to shibbole...@internet2.edu
> > Are these two Metadata the same?

The concept is, and the underlying metadata profile(s) are the same, but not the configuration element itself.

-- Scott
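
The "No metadata for relying party" warning earlier in the thread means the IdP found no metadata entry matching the SP's entityID. The following is an added example, not code from the thread or from the Shibboleth project: it checks a local copy of SAML metadata for an exact entityID match and for an SP role that advertises SAML 2.0. The sample metadata, the function name `check_relying_party` and its status strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample metadata (not from the thread): one SP that advertises
# SAML 2.0 and one that advertises only SAML 1.1.
SAMPLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
   <AssertionConsumerService index="1"
     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://legacy.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <AssertionConsumerService index="1"
     Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
     Location="https://legacy.example.org/Shibboleth.sso/SAML/POST"/>
  </SPSSODescriptor>
 </EntityDescriptor>
</EntitiesDescriptor>"""


def check_relying_party(metadata_xml, entity_id):
    """Return 'ok', 'missing', 'no-sp-role', 'no-saml2' or 'no-acs'."""
    # Parse only a trusted local copy; this does not verify a metadata
    # signature, and untrusted XML should go through a hardened parser.
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(MD + "EntityDescriptor"):  # includes root itself
        # entityID is compared as an exact string: a trailing slash or a
        # different scheme is a different entity.
        if entity.get("entityID") != entity_id:
            continue
        roles = entity.findall(MD + "SPSSODescriptor")
        if not roles:
            return "no-sp-role"
        saml2_roles = [r for r in roles
                       if SAML2 in r.get("protocolSupportEnumeration", "").split()]
        if not saml2_roles:
            return "no-saml2"
        has_acs = any(r.findall(MD + "AssertionConsumerService") for r in saml2_roles)
        return "ok" if has_acs else "no-acs"
    return "missing"  # the case behind "No metadata for relying party ..."

if __name__ == "__main__":
    print(check_relying_party(SAMPLE, "https://sp.example.org/shibboleth"))
```

Run it against the file the metadata provider actually loads (for a file-backed HTTP provider, the local backup copy), using the entityID exactly as it appears in the IdP log line.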

