I have tried many times to configure SP metadata in relying-party.xml for
communication, without a federation, between just one IdP and one SP. I
configured username/password in loging.conf and an LDAP in Handler.xml.
When I try to test with the following URL, https://sp.example.org/secure, the
browser shows me this error: SAML2 SSO profile is not configured for relying
party https://sp.example.org/shibboleth
Here is my current relying-party.xml:
<?xml version="1.0" encoding="UTF-8"?>
<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party
classpath:/schema/shibboleth-2.0-relying-party.xsd
urn:mace:shibboleth:2.0:relying-party:saml
classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
urn:mace:shibboleth:2.0:metadata
classpath:/schema/shibboleth-2.0-metadata.xsd
urn:mace:shibboleth:2.0:resource
classpath:/schema/shibboleth-2.0-resource.xsd
urn:mace:shibboleth:2.0:security
classpath:/schema/shibboleth-2.0-security.xsd
urn:mace:shibboleth:2.0:security:saml
classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
urn:oasis:names:tc:SAML:2.0:metadata
classpath:/schema/saml-schema-metadata-2.0.xsd">
<!-- Bilateral setup: one IdP and one SP, no federation metadata. -->
<!-- ========================================== -->
<!-- Relying Party Configurations -->
<!-- ========================================== -->
<!-- Used for any relying party that is NOT found in metadata. It has no
ProfileConfiguration children, so no SAML profile is available to such a
party. The idp-process log quoted with this file shows exactly that path:
"No metadata for relying party ..., treating party as anonymous" followed by
"SAML 2 SSO profile is not configured". -->
<AnonymousRelyingParty provider="https://idp.example.org/idp/shibboleth"
/>
<!-- Applies to every relying party that IS resolved from metadata. The SP
only reaches this configuration once its metadata loads. Signing uses the
IdPCredential defined in the security section below. -->
<DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
includeAttributeStatement="false"
assertionLifetime="300000"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
assertionLifetime="300000"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
signResponses="conditional"
signAssertions="never" />
<!-- encryptAssertions/encryptNameIds "conditional": encryption needs an SP
encryption key taken from SP metadata. The sp2-metadata.xml quoted with this
file has an empty X509Certificate, so there is presumably no key to encrypt
to; confirm the SP certificate is present before relying on encryption. -->
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />
<ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />
<ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional"/>
</DefaultRelyingParty>
<!-- ========================================== -->
<!-- Metadata Configuration -->
<!-- ========================================== -->
<!-- MetadataProvider the combining other MetadataProviders -->
<MetadataProvider id="ShibbolethMetadata"
xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata">
<!-- Load the IdP's own metadata. This is necessary for artifact
support. -->
<MetadataProvider id="IdPMD"
xsi:type="ResourceBackedMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata" >
<MetadataResource xsi:type="resource:FilesystemResource"
file="/opt/shibboleth-idp/metadata/idp-metadata.xml" />
</MetadataProvider>
<!-- Example metadata provider. -->
<!-- Reads metadata from a URL and store a backup copy on the file
system. -->
<!-- Validates the signature of the metadata and filters out all by
SP entities in order to save memory -->
<!-- To use: fill in 'metadataURL' and 'backingFile' properties on
MetadataResource element -->
<!-- NOTE(review): as pasted, the comment that starts on the next line is
already terminated right after the inner </MetadataFilter> end tag. The
</MetadataProvider> that follows it is therefore live markup (it closes the
ShibbolethMetadata chain early) and the lone terminator on the line after it
is stray text, which leaves one more MetadataProvider end tag than start tag
at the end of the chain, i.e. the file is not well formed. Remove the early
terminator so the whole example stays inside one comment. Also, when this
example is enabled, the two SignatureValidation filters inside it set
requireSignedMetadata to both "false" and "true"; keep only one of them,
and "true" is the safer choice for metadata fetched over the network. -->
<!--
<MetadataProvider id="SpURLMD"
xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
backingFile="/opt/shibboleth-idp/metadata/sp2-metadata.xml">
<MetadataFilter xsi:type="ChainingFilter"
xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="RequiredValidUntil"
xmlns="urn:mace:shibboleth:2.0:metadata"
maxValidityInterval="604800" />
<MetadataFilter
xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
requireSignedMetadata="false" />
<MetadataFilter xsi:type="SignatureValidation"
xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="shibboleth.MetadataTrustEngine"
requireSignedMetadata="true" />
<MetadataFilter xsi:type="EntityRoleWhiteList"
xmlns="urn:mace:shibboleth:2.0:metadata">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter> -->
</MetadataProvider>
-->
<!-- Local copy of the SP metadata. No MetadataFilter is attached, so the
file is trusted as is (no signature or validUntil check). That is acceptable
only while the file is written by the IdP administrator and protected by
filesystem permissions from other local users. -->
<MetadataProvider xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
id="SpMD"
metadataFile="/opt/shibboleth-idp/metadata/sp2-metadata.xml"
>
</MetadataProvider>
</MetadataProvider>
<!-- ========================================== -->
<!-- Security Configurations -->
<!-- ========================================== -->
<!-- IdP signing credential referenced by defaultSigningCredentialRef above.
The private key file should be readable by the IdP service account only. -->
<security:Credential id="IdPCredential"
xsi:type="security:X509Filesystem">
<security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
<security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
</security:Credential>
<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<!-- Commented out, so the shibboleth.MetadataTrustEngine referenced by the
SignatureValidation filter in the commented example above does not exist. It
must be defined (with the certificate that signs the SP metadata, not the
IdP's own) before that filter is re-enabled. -->
<!--
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials"
xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
</security:Credential>
</security:TrustEngine>
-->
<!-- DO NOT EDIT BELOW THIS POINT -->
And here is my sp2-metadata.xml:
<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2010-01-01T00:00:00Z">
<!-- validUntil is a hard expiry: after 2010-01-01T00:00:00Z the IdP will
presumably treat this document as expired and stop trusting the SP, so the
file has to be refreshed before then. -->
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:2.0:protocol">
<!-- The X509Certificate below is empty: no SP certificate is published, so
the IdP has no key to encrypt assertions to and nothing to verify signed
requests with. Paste the SP's certificate here (base64 body only, without the
PEM BEGIN/END lines). -->
<md:KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<!-- SLO and ACS endpoints, all on https://sp.example.org. The IdP will only
send responses to Locations listed here. -->
<md:SingleLogoutService
Location="https://sp.example.org/Shibboleth.sso/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService
Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService
Location="https://sp.example.org/Shibboleth.sso/SLO/POST"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService
Location="https://sp.example.org/Shibboleth.sso/SLO/Artifact"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"
index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<!-- Two AttributeConsumingService entries for the same three attributes:
index 1 uses the SAML 1 (urn:mace:dir) attribute names, index 2 the SAML 2
OID names. -->
<md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
<md:ServiceDescription xml:lang="en">An example service that requires
a human-readable identifier and optional name and e-mail
address.</md:ServiceDescription>
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
isRequired="true"/>
<md:RequestedAttribute FriendlyName="mail"
Name="urn:mace:dir:attribute-def:mail"
NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
<md:RequestedAttribute FriendlyName="displayName"
Name="urn:mace:dir:attribute-def:displayName"
NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
</md:AttributeConsumingService>
<md:AttributeConsumingService index="2">
<md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
<md:ServiceDescription xml:lang="en">An example service that requires
a human-readable identifier and optional name and e-mail
address.</md:ServiceDescription>
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true"/>
<md:RequestedAttribute FriendlyName="mail"
Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<md:RequestedAttribute FriendlyName="displayName"
Name="urn:oid:2.16.840.1.113730.3.1.241"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">Example Organization,
Ltd.</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">Example
Organization</md:OrganizationDisplayName>
<md:OrganizationURL
xml:lang="en">https://service.example.org/</md:OrganizationURL>
</md:Organization>
</md:EntityDescriptor>
And here is my idp.process.log:
16:53:20.660 - INFO [Shibboleth-Access:72] -
20090813T145320Z|192.168.201.4|idp.example.org:443|/profile/SAML2/Redirect/SSO|
16:53:20.664 - WARN
[org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:80] -
SPSSODescriptor role metadata for entityID
'https://sp.example.org/shibboleth' could not be resolved
16:53:20.668 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255]
- No metadata for relying party https://sp.example.org/shibboleth, treating
party as anonymous
16:53:20.668 - ERROR
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:174]
- SAML 2 SSO profile is not configured for relying party
https://sp.example.org/shibboleth
16:53:20.668 - ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85]
- Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: SAML 2
SSO profile is not configured for relying party
https://sp.example.org/shibboleth
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:176)
[shibboleth-identityprovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:145)
[shibboleth-identityprovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82)
[shibboleth-identityprovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82)
[shibboleth-common-1.1.2.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77)
[shibboleth-identityprovider-2.1.2.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
[catalina.jar:na]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:na]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
[catalina.jar:na]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[catalina.jar:na]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:na]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
[catalina.jar:na]
at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
[tomcat-coyote.jar:na]
at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
[tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
[tomcat-coyote.jar:na]
at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
[tomcat-coyote.jar:na]
at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
[tomcat-coyote.jar:na]
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
[tomcat-coyote.jar:na]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_07]
I think the IdP can't load the SP's metadata, but I don't understand why. I
first used the FileBackedHTTPMetadataProvider type and it didn't work; then I
used the FilesystemMetadataProvider type and it still doesn't work.
Thank you very much for your help.
best regards
> I tried many times to configure a metadata in the relying-party.xml for
> communication without federation just between one Idp and one Sp. I
> configurated User/password in loging.conf and a Ldap in Handler.xml
>
> when i try to test with the following Url https://sp.example.org/secure. the
> browser posted me this error SAML2 SSO profile is not configured for relying
> party https://sp.example.org/shibboleth
It looks like the IdP is not loading the SP metadata. I would suggest
switching back to the file based metadata load. Turn up debug on the IdP and
make sure you see it load the metadata first.
Paul
-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----
God does not play dice with the universe; He plays an ineffable game of his
own devising, which might be compared, from the perspective of any of the
other players, to being involved in an obscure and complex version of poker
in a pitch dark room, with blank cards, for infinite stakes, with a dealer
who won't tell you the rules, and who smiles all the time.
-- Terry Pratchett, Good Omens
It looks like the IdP is not loading the SP metadata. I would suggest
switching back to the file based metadata load. Turn up debug on the IdP and
make sure you see it load the metadata first.
Yes, the IdP can't load the SP metadata. I changed logging.xml:
<!-- NOTE(review): the categories in the log quoted earlier in this thread
are org.opensaml.* and edu.internet2.middleware.shibboleth.*, so metadata
loading is presumably logged there too. DEBUG on org.springframework and
org.apache.catalina alone will not show whether the SP metadata is read. -->
<logger name="org.springframework">
<level value="DEBUG" />
</logger>
<logger name="org.apache.catalina">
<level value="DEBUG" />
</logger>
and retried with this MetadataProvider first. The URL returns the
metadata normally:
<!-- Fetched over HTTPS from the SP itself with no MetadataFilter, so trust
in the document rests entirely on the TLS connection to sp.example.org; there
is no signature or validUntil check on what is downloaded. -->
<MetadataProvider id="SpURLMD" xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
backingFile="/opt/shibboleth-idp/metadata/sp3-metadata.xml">
</MetadataProvider>
and then I retried with this MetadataProvider:
<!-- Same local-file provider as in the first message: no filters, so the
file is trusted as is. It has to be readable by the IdP process and well
formed for the chain to pick it up. -->
<MetadataProvider xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
id="SpMD"
metadataFile="/opt/shibboleth-idp/metadata/sp2-metadata.xml"
>
</MetadataProvider>
and I still get the same error.
I'm really stuck; thank you for your help.
Best regards