[Shib-Users] SAML2 SSO profile is not configured for relying party https://sp.example.org/shibboleth
a.se...@mipnet.info
-my browser post the following error message: SAML2 SSO profile is not configured for relying party
-the urls for the idp and sp metadata work normaly
-And the url (idp.example.org/idp/Authn/UserPassword) for autentication is working too
here is my relaying party
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file.
This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
particular relying party should be signed. It also includes metadata provider and credential definitions used
when answering requests to a relying party.
-->
<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
<!-- ========================================== -->
<!-- Relying Party Configurations -->
<!-- ========================================== -->
<AnonymousRelyingParty provider="https://idp.example.org/idp/shibboleth" />
<DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<!--
Each attribute in these profiles configuration is set to its default value,
that is, the values that would be in effect if those attributes were not present.
We list them here so that people are aware of them (since they seem reluctant to
read the documentation).
-->
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
includeAttributeStatement="false"
assertionLifetime="300000"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
assertionLifetime="300000"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="never"
encryptNameIds="never" />
<ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />
<ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional"/>
</DefaultRelyingParty>
<RelyingParty id="https://sp.example.org/shibboleth"
provider="https://idp.example.org/idp/shibboleth"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" >
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
<ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
<ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</RelyingParty>
<!-- ========================================== -->
<!-- Metadata Configuration -->
<!-- ========================================== -->
<!-- MetadataProvider the combining other MetadataProviders -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
<!-- Load the IdP's own metadata. This is necessary for artifact support. -->
<MetadataProvider id="IdPMD" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" >
<MetadataResource xsi:type="resource:FilesystemResource" file="/opt/shibboleth-idp/metadata/idp-metadata.xml" />
</MetadataProvider>
<!-- Example metadata provider. -->
<!-- Reads metadata from a URL and store a backup copy on the file system. -->
<!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
<!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
<MetadataProvider id="spMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="https://sp.example.org/Shibboleth/Metadata"
backingFile="/opt/shibboleth-idp/metadata/sp-metadata.xml">
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
maxValidityInterval="604800" />
<!-- <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="shibboleth.MetadataTrustEngine"
requireSignedMetadata="true" /> -->
<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
</MetadataProvider>
<!-- ========================================== -->
<!-- Security Configurations -->
<!-- ========================================== -->
<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
<security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
<security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
</security:Credential>
<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<!--
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/federation1.crt</security:Certificate>
</security:Credential>
</security:TrustEngine>
-->
<!-- DO NOT EDIT BELOW THIS POINT -->
...
...
</RelyingPartyGroup>
and here is my idp-process.log
14:19:10.678 - INFO [Shibboleth-Access:72] - 20090807T121910Z|192.168.201.4|idp.example.org:443|/profile/SAML2/Redirect/SSO|
14:19:10.690 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
14:19:10.698 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
14:19:10.700 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:144] - Incoming request does not contain a login context, processing as first leg of request
14:19:10.716 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:288] - Decoding message with decoder binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
14:19:10.904 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://sp.example.org/shibboleth
14:19:10.914 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for https://sp.example.org/shibboleth, looking up configuration based on metadata groups.
14:19:10.914 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://sp.example.org/shibboleth. Using default relying party configuration.
14:19:10.936 - WARN [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:80] - SPSSODescriptor role metadata for entityID 'https://sp.example.org/shibboleth' could not be resolved
14:19:10.968 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:307] - Decoded request
14:19:10.969 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No metadata for relying party https://sp.example.org/shibboleth, treating party as anonymous
14:19:10.972 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:174] - SAML 2 SSO profile is not configured for relying party https://sp.example.org/shibboleth
14:19:10.980 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: SAML 2 SSO profile is not configured for relying party https://sp.example.org/shibboleth
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:176) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:145) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82) [shibboleth-identityprovider-2.1.2.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82) [shibboleth-common-1.1.2.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.1.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:na]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:na]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:na]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote.jar:na]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:na]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_07]
can you help me please it's my subject for my intership
best regard
Peter Schober
> -my browser post the following error message: SAML2 SSO profile is
> not configured for relying party
> here is my relaying party
[...]
> <RelyingParty id="https://sp.example.org/shibboleth"
> provider="https://idp.example.org/idp/shibboleth"
> defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" >
>
> <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
> <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
> <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
> <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
> </RelyingParty>
It seems you mostly copied this from the example at
https://spaces.internet2.edu/display/SHIB2/IdPRelyingParty but ignored
all the statements that you do not need to configure a relying party
just to be able to communicate, as pointed out in both
https://spaces.internet2.edu/display/SHIB2/IdPSPCommunicate
and at the very beginning of
https://spaces.internet2.edu/display/SHIB2/IdPRelyingParty
> <MetadataProvider id="spMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
> metadataURL="https://sp.example.org/Shibboleth/Metadata"
> backingFile="/opt/shibboleth-idp/metadata/sp-metadata.xml">
Unless that's just a typo that URL will not usually produce metadata
(the handlerURL defaults to Shibboleth.sso and should not be changed
unless you know what you're doing).
What happens if you access the metadataURL with a webbrowser? Is the
file specified in backingFile correctly being created? Seems it's not:
> 14:19:10.969 - WARN
> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255]
> - No metadata for relying party https://sp.example.org/shibboleth,
which is right above (and explains) that profile error:
> treating party as anonymous 14:19:10.972 - ERROR
> [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:174]
> - SAML 2 SSO profile is not configured for relying party
> https://sp.example.org/shibboleth
-peter
sebane
Thank you for your response
I was changed my relying party, and my shibboleth2.xml, but now the browser
post me a other message
shibsp::Listener Exception at https://sp.example.org/secure
here is my new relayin party
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file.
This file specifies relying party dependent configurations for the IdP,
for example, whether SAML assertions to a
particular relying party should be signed. It also includes metadata
provider and credential definitions used
when answering requests to a relying party.
-->
<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party
classpath:/schema/shibboleth-2.0-relying-party.xsd
urn:mace:shibboleth:2.0:relying-party:saml
classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
urn:mace:shibboleth:2.0:metadata
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
includeAttributeStatement="false"
assertionLifetime="300000"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
assertionLifetime="300000"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptNameIds="never" />
<ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />
<ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional"/>
</DefaultRelyingParty>
<!-- ========================================== -->
<!-- Metadata Configuration -->
<!-- ========================================== -->
<!-- MetadataProvider the combining other MetadataProviders -->
<MetadataProvider id="ShibbolethMetadata"
xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata">
<!-- Load the IdP's own metadata. This is necessary for artifact
support. -->
<MetadataProvider id="IdPMD"
xsi:type="ResourceBackedMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata" >
<MetadataResource xsi:type="resource:FilesystemResource"
file="/opt/shibboleth-idp/metadata/idp-metadata.xml" />
</MetadataProvider>
<!-- Example metadata provider. -->
<!-- Reads metadata from a URL and store a backup copy on the file
system. -->
<!-- Validates the signature of the metadata and filters out all by
SP entities in order to save memory -->
<!-- To use: fill in 'metadataURL' and 'backingFile' properties on
MetadataResource element -->
<MetadataProvider id="spMD"
xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
backingFile="/opt/shibboleth-idp/metadata/sp-metadata.xml">
<MetadataFilter xsi:type="ChainingFilter"
xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="RequiredValidUntil"
xmlns="urn:mace:shibboleth:2.0:metadata"
maxValidityInterval="604800" />
<!-- <MetadataFilter xsi:type="SignatureValidation"
xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="shibboleth.MetadataTrustEngine"
requireSignedMetadata="true" /> -->
<MetadataFilter xsi:type="EntityRoleWhiteList"
xmlns="urn:mace:shibboleth:2.0:metadata">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
</MetadataProvider>
<!-- ========================================== -->
<!-- Security Configurations -->
<!-- ========================================== -->
<security:Credential id="IdPCredential"
xsi:type="security:X509Filesystem">
<security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
<security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
</security:Credential>
<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<!--
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials"
xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/federation1.crt</security:Certificate>
</security:Credential>
</security:TrustEngine>
-->
<!-- DO NOT EDIT BELOW THIS POINT -->
<!--
The following trust engines and rules control every aspect of
security related to incoming messages.
Trust engines evaluate various tokens (like digital signatures) for
trust worthiness while the
security policies establish a set of checks that an incoming message
must pass in order to be considered
secure. Naturally some of these checks require the validation of
the tokens evaluated by the trust
engines and so you'll see some rules that reference the declared
trust engines.
-->
<security:TrustEngine id="shibboleth.SignatureTrustEngine"
xsi:type="security:SignatureChaining">
<security:TrustEngine
id="shibboleth.SignatureMetadataExplicitKeyTrustEngine"
xsi:type="security:MetadataExplicitKeySignature"
metadataProviderRef="ShibbolethMetadata" />
<security:TrustEngine
id="shibboleth.SignatureMetadataPKIXTrustEngine"
xsi:type="security:MetadataPKIXSignature"
metadataProviderRef="ShibbolethMetadata" />
</security:TrustEngine>
<security:TrustEngine id="shibboleth.CredentialTrustEngine"
xsi:type="security:Chaining">
<security:TrustEngine
id="shibboleth.CredentialMetadataExplictKeyTrustEngine"
xsi:type="security:MetadataExplicitKey"
metadataProviderRef="ShibbolethMetadata" />
<security:TrustEngine
id="shibboleth.CredentialMetadataPKIXTrustEngine"
xsi:type="security:MetadataPKIXX509Credential"
metadataProviderRef="ShibbolethMetadata" />
</security:TrustEngine>
<security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy"
xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
</security:SecurityPolicy>
<security:SecurityPolicy
id="shibboleth.SAML1AttributeQuerySecurityPolicy"
xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
<security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="security:ClientCertAuth"
trustEngineRef="shibboleth.CredentialTrustEngine" />
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
<security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</security:SecurityPolicy>
<security:SecurityPolicy
id="shibboleth.SAML1ArtifactResolutionSecurityPolicy"
xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
<security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="security:ClientCertAuth"
trustEngineRef="shibboleth.CredentialTrustEngine" />
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
<security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</security:SecurityPolicy>
<security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy"
xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
<security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
<security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="security:ClientCertAuth"
trustEngineRef="shibboleth.CredentialTrustEngine" />
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
</security:SecurityPolicy>
<security:SecurityPolicy
id="shibboleth.SAML2AttributeQuerySecurityPolicy"
xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
<security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="security:ClientCertAuth"
trustEngineRef="shibboleth.CredentialTrustEngine" />
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
<security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</security:SecurityPolicy>
<security:SecurityPolicy
id="shibboleth.SAML2ArtifactResolutionSecurityPolicy"
xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
<security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="security:ClientCertAuth"
trustEngineRef="shibboleth.CredentialTrustEngine" />
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
<security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</security:SecurityPolicy>
<security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy"
xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
<security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
trustEngineRef="shibboleth.SignatureTrustEngine" />
<security:Rule xsi:type="security:ClientCertAuth"
trustEngineRef="shibboleth.CredentialTrustEngine" />
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
<security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</security:SecurityPolicy>
</RelyingPartyGroup>
and here is my shibboleth2.xml
SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd
daemon. -->
<OutOfProcess logger="/opt/shibboleth-sp2/etc/shibboleth/shibd.logger">
<!--
<Extensions>
<Library path="odbc-store.so" fatal="true"/>
</Extensions>
-->
</OutOfProcess>
<!-- The InProcess section conrains settings affecting web server
modules/filters. -->
<InProcess logger="/opt/shibboleth-sp2/etc/shibboleth/native.logger">
<ISAPI normalizeRequest="true">
<!--
Maps IIS Instance ID values to the host
scheme/name/port/sslport. The name is
required so that the proper <Host> in the request map above is
found without
having to cover every possible DNS/IP combination the user might
enter.
The port and scheme can usually be omitted, so the HTTP
request's port and
scheme will be used.
-->
<Site id="1" name="sp.example.org"/>
</ISAPI>
</InProcess>
<!-- Only one listener can be defined, to connect in process modules to
shibd. -->
<UnixListener address="shibd.sock"/>
<!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
<!-- This set of components stores sessions and other persistent data in
daemon memory. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
<!-- This set of components stores sessions and other persistent data in
an ODBC database. -->
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
<ConnectionString>
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
<SessionCache type="StorageService" StorageService="db"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="db"/>
<ArtifactMap StorageService="db" artifactTTL="180"/>
-->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<!--
The example requires a session for documents in /secure on the
containing host with http and
https on the default ports. Note that the name and port in the
<Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site name in
the <ISAPI> element
below.
-->
<Host name="sp.example.org">
<Path name="secure" authType="shibboleth"
requireSession="true"/>
</Host>
<!-- Example of a second vhost mapped to a different
applicationId. -->
<!--
<Host name="admin.example.org" applicationId="admin"
authType="shibboleth" requireSession="true"/>
-->
</RequestMap>
</RequestMapper>
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits
are defined.
Resource requests are mapped by the RequestMapper to an applicationId
that
points into to this section.
-->
<ApplicationDefaults id="default" policyId="default"
entityID="https://sp.example.org/shibboleth"
homeURL="https://sp.example.org/secure"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false"
>
<!--
Controls session lifetimes, address checks, cookie handling, and the
protocol handlers.
You MUST supply an effectively unique handlerURL value for each of
your applications.
The value can be a relative path, a URL with no hostname
(https:///path) or a full URL.
The system can compute a relative value based on the virtual host.
Using handlerSSL="true"
will force the protocol to be https. You should also add a
cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false",
this has a negative
impact on the security of the SP. Stealing cookies/sessions is much
easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false"
exportLocation="http://sp.example.org/Shibboleth.sso/GetAssertion"
exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">
<!--
SessionInitiators handle session requests and relay them to a
Discovery page,
or to an IdP if possible. Automatic session setup will use the
default or first
element (or requireSessionWith can specify a specific id to
use).
-->
<!-- Default example directs to a specific IdP's SSO service
(favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login"
isDefault="true" id="Intranet"
relayState="cookie"
entityID="https://idp.example.org/idp/shibboleth">
<SessionInitiator type="SAML2" defaultACSIndex="1"
acsByIndex="false" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" Location="/login-example"
id="LOGIN-EXAMPLE" relayState="cookie"
defaultACSIndex="5"
entityID="https://idp.example.org/idp" />
</SessionInitiator>
<!-- An example using an old-style WAYF, which means Shib 1 only
unless an entityID is provided. -->
<!--
<SessionInitiator type="Chaining" Location="/WAYF" id="WAYF"
relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1"
acsByIndex="false" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
<SessionInitiator type="WAYF" defaultACSIndex="5"
URL="https://wayf.example.org/WAYF"/>
</SessionInitiator>
-->
<!-- An example supporting the new-style of discovery service.
-->
<!--
<SessionInitiator type="Chaining" Location="/DS" id="DS"
relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1"
acsByIndex="false" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
<SessionInitiator type="SAMLDS"
URL="https://ds.example.org/DS"/>
</SessionInitiator>
-->
<!--
md:AssertionConsumerService locations handle specific SSO
protocol bindings,
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and
index attributes
are used when sessions are initiated to determine how to tell
the IdP where and
how to return the response.
-->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign"
index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact"
index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<!-- LogoutInitiators enable SP-initiated local or global/single
logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout"
relayState="cookie">
<LogoutInitiator type="SAML2"
template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<!-- md:SingleLogoutService locations handle single logout (SLO)
protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!-- md:ManageNameIDService locations handle NameID management
(NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!--
md:ArtifactResolutionService locations resolve artifacts issued
when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally
uses SOAP.
-->
<md:ArtifactResolutionService Location="/Artifact/SOAP"
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!-- Extension service that generates "approximate" metadata
based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session"
showAttributeValues="false"/>
</Sessions>
<!--
You should customize these pages! You can add attributes with values
that can be plugged
into your templates. You can remove the access attribute to cause
the module to return a
standard 403 Forbidden error code if authorization fails, and then
customize that condition
using your web server.
-->
<Errors session="sessionError.html"
metadata="metadataError.html"
access="accessError.html"
ssl="sslError.html"
localLogout="localLogout.html"
globalLogout="globalLogout.html"
supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Uncomment and modify to tweak settings for specific IdPs or
groups. -->
<!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
-->
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML"
uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml"
reloadInterval="7200">
<SignatureMetadataFilter certificate="fedsigner.pem"/>
</MetadataProvider>
-->
<!-- Example of locally maintained metadata. -->
<MetadataProvider type="XML"
uri="https://idp.example.org/idp/profile/Metadata/SAML"
backingFilePath="/etc/shibboleth/idp-metadata.xml"
reloadInterval="7200">
</MetadataProvider>
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query"/>
<!-- Default filtering policy for recognized attributes, lets other
data pass. -->
<AttributeFilter type="XML" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem"
certificate="sp-cert.pem"/>
<!-- Example of a second application (using a second vhost) that has
a different entityID. -->
<!-- <ApplicationOverride id="admin"
entityID="https://admin.example.org/shibboleth"/> -->
</ApplicationDefaults>
<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
<!-- The predefined policy enforces replay/freshness and permits
signing and client TLS. -->
<Policy id="default" validate="false">
<Rule type="MessageFlow" checkReplay="true" expires="60"/>
<Rule type="ClientCertAuth" errorFatal="true"/>
<Rule type="XMLSigning" errorFatal="true"/>
<Rule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>
</SPConfig>
and my idp-process.log
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
[catalina.jar:na]
at
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
[catalina.jar:na]
at org.apache.catalina.startup.Catalina.start(Catalina.java:583)
[catalina.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[na:1.6.0_07]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
[na:1.6.0_07]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
[na:1.6.0_07]
at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_07]
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
[bootstrap.jar:na]
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
[bootstrap.jar:na]
19:59:38.432 - ERROR
[edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager
service, error creating components. The root cause of this error was:
org.opensaml.saml2.metadata.provider.FilterException: Metadata did not
include a validUntil attribute
thank you very much for your help
best regards
--
View this message in context: http://n2.nabble.com/SAML2-SSO-profile-is-not-configured-for-relying-party--https%3A--sp.example.org-shibboleth-tp3404702p3406134.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
Peter Schober
> I was changed my relying party, and my shibboleth2.xml, but now the browser
> post me a other message
> shibsp::Listener Exception at https://sp.example.org/secure
Have a look at the SP's log files. Possibly your configuration is
invalid and shibd refused to start or something like that.
Always make sure shibboleth2.xml (and any other XML file you changed)
at least is well formed (e.g. with xmlwf(1) from the expat package).
Then test the config with `shibd -t`.
OK, you undid the custom relying party and fixed the metadata URL:
> 19:59:38.432 - ERROR
> [edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
> Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager
> service, error creating components. The root cause of this error was:
> org.opensaml.saml2.metadata.provider.FilterException: Metadata did not
> include a validUntil attribute
You just uncommented the exmaple metdata configuration which has
configured a MetadataFilter of xsi:type="RequiredValidUntil".
Since the SP's Metadata generator handler /Shibboleth.sso/Metadata
does not provide this attribute, just uncomment this filter, like you
already did with the SignatureValidation filter.
-peter
sebane
Hi
thank you for your response :) my last error was in shibboleth2.xml, it was
not well formed.
but once I corrected it the browser posted me the first error : SAML2 SSO
profile is not configured for relying party
https://sp.example.org/shibboleth
and when I refreshed the browser I got this error: Message did not meet
security requirements
I think that the Idp can't load the sp's metatdata via the relingparty.xml,
but i did not understand the reason
here is my relyingparty.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is an EXAMPLE configuration file.
This file specifies relying party dependent configurations for the IdP,
for example, whether SAML assertions to a
particular relying party should be signed. It also includes metadata
provider and credential definitions used
when answering requests to a relying party.
-->
<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party
classpath:/schema/shibboleth-2.0-relying-party.xsd
urn:mace:shibboleth:2.0:relying-party:saml
classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
urn:mace:shibboleth:2.0:metadata
classpath:/schema/shibboleth-2.0-metadata.xsd
urn:mace:shibboleth:2.0:resource
classpath:/schema/shibboleth-2.0-resource.xsd
urn:mace:shibboleth:2.0:security
classpath:/schema/shibboleth-2.0-security.xsd
urn:mace:shibboleth:2.0:security:saml
classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
urn:oasis:names:tc:SAML:2.0:metadata
classpath:/schema/saml-schema-metadata-2.0.xsd">
<!-- ========================================== -->
<!-- Relying Party Configurations -->
<!-- ========================================== -->
<AnonymousRelyingParty provider="https://idp.example.org/idp/shibboleth"
/>
<DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
includeAttributeStatement="false"
assertionLifetime="300000"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
assertionLifetime="300000"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
signResponses="conditional"
signAssertions="never" />
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />
<ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />
<ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional"/>
</DefaultRelyingParty>
<!-- ========================================== -->
<!-- Metadata Configuration -->
<!-- ========================================== -->
<!-- MetadataProvider the combining other MetadataProviders -->
<MetadataProvider id="ShibbolethMetadata"
xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata">
<!-- Load the IdP's own metadata. This is necessary for artifact
support. -->
<MetadataProvider id="IdPMD"
xsi:type="ResourceBackedMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata" >
<MetadataResource xsi:type="resource:FilesystemResource"
file="/opt/shibboleth-idp/metadata/idp-metadata.xml" />
</MetadataProvider>
<!-- Example metadata provider. -->
<!-- Reads metadata from a URL and store a backup copy on the file
system. -->
<!-- Validates the signature of the metadata and filters out all by
SP entities in order to save memory -->
<!-- To use: fill in 'metadataURL' and 'backingFile' properties on
MetadataResource element -->
<MetadataProvider id="URLMD"
xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
backingFile="/opt/shibboleth-idp/metadata/sp-metadata.xml">
<MetadataFilter xsi:type="ChainingFilter"
xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="RequiredValidUntil"
xmlns="urn:mace:shibboleth:2.0:metadata"
maxValidityInterval="604800" />
<MetadataFilter
xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
requireSignedMetadata="false" />
<MetadataFilter xsi:type="SignatureValidation"
xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="shibboleth.MetadataTrustEngine"
requireSignedMetadata="true" />
<MetadataFilter xsi:type="EntityRoleWhiteList"
xmlns="urn:mace:shibboleth:2.0:metadata">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
</MetadataProvider>
<!-- ========================================== -->
<!-- Security Configurations -->
<!-- ========================================== -->
<security:Credential id="IdPCredential"
xsi:type="security:X509Filesystem">
<security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
<security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
</security:Credential>
<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<!--
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials"
xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
</security:Credential>
</security:TrustEngine>
-->
<!-- DO NOT EDIT BELOW THIS POINT -->
here is my shibboleth2.xml
<!-- To customize behavior, map hostnames and path components to
applicationId and other settings. -->
entityID="https://idp.example.org/idp/shibboleth" />
</SessionInitiator>
</Sessions>
backingFilePath="/opt/shibboleth-sp2/etc/shibboleth/idp-metadata.xml"
reloadInterval="7200">
</MetadataProvider>
</MetadataProvider>
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query"/>
<!-- Default filtering policy for recognized attributes, lets other
data pass. -->
<AttributeFilter type="XML" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File"
key="/opt/shibboleth-sp2/etc/shibboleth/sp-key.pem"
certificate="/opt/shibboleth-sp2/etc/shibboleth/sp-cert.pem" />
<!-- Example of a second application (using a second vhost) that has
a different entityID. -->
<!-- <ApplicationOverride id="admin"
entityID="https://admin.example.org/shibboleth"/> -->
</ApplicationDefaults>
<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
<!-- The predefined policy enforces replay/freshness and permits
signing and client TLS. -->
<Policy id="default" validate="false">
<Rule type="MessageFlow" checkReplay="true" expires="60"/>
<Rule type="ClientCertAuth" errorFatal="true"/>
<Rule type="XMLSigning" errorFatal="true"/>
<Rule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>
</SPConfig>
here is my idp-process.log
17:30:16.844 - INFO [Shibboleth-Access:72] -
20090811T153016Z|192.168.201.4|idp.example.org:443|/profile/SAML2/Redirect/SSO|
17:30:16.848 - WARN
[org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:80] -
SPSSODescriptor role metadata for entityID 'https://
sp.example.org/shibboleth' could not be resolved
17:30:16.852 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255]
- No metadata for relying party https://sp.
example.org/shibboleth, treating party as anonymous
17:30:16.852 - ERROR
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:174]
- SAML 2 SSO profile is not configured for re
lying party https://sp.example.org/shibboleth
17:30:16.852 - ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85]
- Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: SAML 2
SSO profile is not configured for relying party https://sp.example.o
rg/shibboleth
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:176)
[shibboleth -identityprovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:145)
[shibboleth-identi typrovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82)
[shibboleth-identit yprovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82)
[ shibboleth-common-1.1.2.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77)
[shibboleth-identityprovider-2.1. 2.jar:na]
here is my shibd.log
2009-08-11 16:30:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.10
2009-08-11 16:30:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2009-08-11 16:30:51 INFO Shibboleth.Application : building AttributeFilter
of type XML...
2009-08-11 16:30:51 INFO Shibboleth.AttributeFilter : loaded XML resource
(/opt/shibboleth-sp-2.1//etc/shibboleth/attribute-policy.xml)
2009-08-11 16:30:51 INFO Shibboleth.Application : building AttributeResolver
of type Query...
2009-08-11 16:30:51 INFO Shibboleth.Application : building
CredentialResolver of type File...
2009-08-11 16:30:51 INFO XMLTooling.CredentialResolver.File : loading
private key from file (/opt/shibboleth-sp2/etc/shibboleth/sp-key.pem)
2009-08-11 16:30:51 INFO XMLTooling.CredentialResolver.File : loading
certificate from file (/opt/shibboleth-sp2/etc/shibboleth/sp-cert.pem)
2009-08-11 16:30:51 INFO Shibboleth.Listener : registered remoted message
endpoint (default::getHeaders::Application)
2009-08-11 16:30:51 INFO Shibboleth.Listener : listener service starting
for the MetadataProvider of the relying party and shibboleth2 I downloaded
the XML document from the uri and copied and pasted it in the
backingFilePath
thank you very much for your help
Best regards
--
View this message in context: http://n2.nabble.com/SAML2-SSO-profile-is-not-configured-for-relying-party--https%3A--sp.example.org-shibboleth-tp3404702p3424604.html
Mahabalagiri, Datta
at this URL https://sp.example.org/Shibboleth.sso/Metadata. IdP can't
find SP metadata resulting in error.
Datta
sebane
Hi
I am very sorry but I did't stop to try and the borwser still poste me the
same error
1- I copied the metadata from https://sp.example.org/Shibboleth.sso/Metadata
and I pasted it in sp-metadata.xml and i tried whith this metadata
<MetadataProvider id="SpURLMD" xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
backingFile="/opt/shibboleth-idp/metadata/metadata.xml">
<MetadataFilter xsi:type="ChainingFilter"
xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="RequiredValidUntil"
xmlns="urn:mace:shibboleth:2.0:metadata"
maxValidityInterval="604800" />
<MetadataFilter
xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
requireSignedMetadata="false" />
<MetadataFilter xsi:type="SignatureValidation"
xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="shibboleth.MetadataTrustEngine"
requireSignedMetadata="true" />
<MetadataFilter xsi:type="EntityRoleWhiteList"
xmlns="urn:mace:shibboleth:2.0:metadata">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
2- I used the same metadata and I tried with this MetadataProvieder
<MetadataProvider xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
id="InternalMetadata"
metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml" >
</MetadataProvider>
</MetadataProvider>
3- I copied th metadata file from
https://spaces.internet2.edu/display/SHIB2/MetadataForSP and I adjusted it
<MetadataProvider xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
id="InternalMetadata"
metadataFile="/opt/shibboleth-idp/metadata/sp2-metadata.xml"
>
</MetadataProvider>
</MetadataProvider>
here is my sp's metadata from https://sp.example.org/Shibboleth.sso/Metadata
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://sp.example.org/shibboleth">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>https://sp.example.org/shibboleth</ds:KeyName>
<ds:KeyName>sp.example.org</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>CN=sp.example.org</ds:X509SubjectName>
<ds:X509Certificate>
Contenu of sp-cert.pem
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>https://sp.example.org/shibboleth</ds:KeyName>
<ds:KeyName>sp.example.org</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>CN=sp.example.org</ds:X509SubjectName>
<ds:X509Certificate>
Contenu of sp-cert.pem
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://sp.example.org/Shibboleth.sso/SLO/SOAP"/>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"/>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://sp.example.org/Shibboleth.sso/SLO/POST"/>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://sp.example.org/Shibboleth.sso/SLO/Artifact"/>
<md:ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://sp.example.org/Shibboleth.sso/NIM/SOAP"/>
<md:ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://sp.example.org/Shibboleth.sso/NIM/Redirect"/>
<md:ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://sp.example.org/Shibboleth.sso/NIM/POST"/>
<md:ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://sp.example.org/Shibboleth.sso/NIM/Artifact"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"
index="2"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="3"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="https://sp.example.org/Shibboleth.sso/SAML2/ECP" index="4"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="https://sp.example.org/Shibboleth.sso/SAML/POST" index="5"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact" index="6"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
and here is my sp's metadata from
https://spaces.internet2.edu/display/SHIB2/MetadataForSP
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
validUntil="2010-01-01T00:00:00Z">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
Contenu of sp-cert.pem
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService
Location="https://sp.example.org/Shibboleth.sso/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService
Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService
Location="https://sp.example.org/Shibboleth.sso/SLO/POST"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService
Location="https://sp.example.org/Shibboleth.sso/SLO/Artifact"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"
index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService
Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
<md:ServiceDescription xml:lang="en">An example service that requires
a human-readable identifier and optional name and e-mail
address.</md:ServiceDescription>
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
isRequired="true"/>
<md:RequestedAttribute FriendlyName="mail"
Name="urn:mace:dir:attribute-def:mail"
NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
<md:RequestedAttribute FriendlyName="displayName"
Name="urn:mace:dir:attribute-def:displayName"
NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
</md:AttributeConsumingService>
<md:AttributeConsumingService index="2">
<md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
<md:ServiceDescription xml:lang="en">An example service that requires
a human-readable identifier and optional name and e-mail
address.</md:ServiceDescription>
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true"/>
<md:RequestedAttribute FriendlyName="mail"
Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<md:RequestedAttribute FriendlyName="displayName"
Name="urn:oid:2.16.840.1.113730.3.1.241"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">Example Organization,
Ltd.</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">Example
Organization</md:OrganizationDisplayName>
<md:OrganizationURL
xml:lang="en">https://service.example.org/</md:OrganizationURL>
</md:Organization>
</md:EntityDescriptor>
here id my idp.process.log With the third try
Caused by: org.xml.sax.SAXParseException: The prefix "md" for element
"md:EntityDescriptor" is not bound.
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) [na:na]
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
[na:na]
at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
[na:1.3.04]
at
org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:602)
[xmltooling-1.2.0.jar:na]
at
org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:206)
[xmltooling-1.2.0.jar:na]
... 70 common frames omitted
15:19:09.118 - ERROR
[edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager
service, error creating components. The root cause of this error was:
org.xml.sax.SAXParseException: The prefix "md" for element
"md:EntityDescriptor" is not bound.
I block and i can't understand why the Idp cant' load the sp's metadata from
the Url an form the file , what kind of xsi:type of the metadata must I use.
thank you for your helps and exuse my bad English
--
View this message in context: http://n2.nabble.com/SAML2-SSO-profile-is-not-configured-for-relying-party--https%3A--sp.example.org-shibboleth-tp3404702p3430727.html
Scott Cantor
Metadata page I put together, that you apparently found.
https://spaces.internet2.edu/display/SHIB2/Metadata
"As a novice, it's going to be virtually impossible to approach learning
about metadata unless you understand XML well enough to read and write it.
We've found the w3schools site to be a good source of introductory material.
Understanding namespaces is particularly important."
Your error is with namespaces. You're copying XML around without
understanding how to do it properly, or apparently how to interpret simple
errors from the parser. Some simple tutorials should fix that.
-- Scott
sebane
Hi thank you for your response
in the relying-party.xml
<MetadataProvider xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/sp2-metadata.xml"
>
</MetadataProvider>
and I tried with this MetadataProvider
<MetadataProvider id="SpURLMD" xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="https://sp.example.org/Shibboleth.sso/Metadata"
backingFile="/opt/shibboleth-idp/metadata/sp2-metadata.xml">
</MetadataProvider>
I change the logging.xml
<logger name="org.springframework">
<level value="DEBUG" />
</logger>
<logger name="org.apache.catalina">
<level value="DEBUG" />
</logger>
I dont stop to tray but I have still the same error. my idp dont want to
load sp metadata.
thank you very much for your helps
here is my sp2-matadata.xml
<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2010-01-01T00:00:00Z">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</md:SPSSODescriptor>
</md:EntityDescriptor>
and my idp-process.log
12:03:46.060 - DEBUG
[org.springframework.web.context.support.XmlWebApplicationContext:273] -
Publishing event in context
[org.springframework.web.context.support.XmlWebApplicationContext@1f1b5ee]:
edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService$RemoveEntryEvent[source=edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService@11084df]
12:03:46.060 - DEBUG
[org.springframework.web.context.support.XmlWebApplicationContext:273] -
Publishing event in context
[org.springframework.web.context.support.XmlWebApplicationContext@1f1b5ee]:
edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService$RemoveEntryEvent[source=edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService@11084df]
12:03:46.060 - DEBUG
[org.springframework.web.context.support.XmlWebApplicationContext:273] -
Publishing event in context
[org.springframework.web.context.support.XmlWebApplicationContext@1f1b5ee]:
edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService$RemoveEntryEvent[source=edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService@11084df]
12:13:46.065 - DEBUG
[org.springframework.web.context.support.XmlWebApplicationContext:273] -
Publishing event in context
[org.springframework.web.context.support.XmlWebApplicationContext@1f1b5ee]:
edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService$RemoveEntryEvent[source=edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService@11084df]
15:59:31.037 - INFO [Shibboleth-Access:72] -
20090814T135931Z|192.168.200.4|idp.example.org:443|/profile/Metadata/SAML|
15:59:39.657 - INFO [Shibboleth-Access:72] -
20090814T135939Z|192.168.201.4|idp.example.org:443|/profile/SAML2/Redirect/SSO|
15:59:39.663 - DEBUG
[org.springframework.web.context.support.XmlWebApplicationContext:273] -
Publishing event in context
[org.springframework.web.context.support.XmlWebApplicationContext@1f1b5ee]:
edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService$AddEntryEvent[source=edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService@11084df]
15:59:39.663 - WARN
[org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:80] -
SPSSODescriptor role metadata for entityID
'https://sp.example.org/shibboleth' could not be resolved
15:59:39.667 - WARN
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255]
- No metadata for relying party https://sp.example.org/shibboleth, treating
party as anonymous
15:59:39.667 - ERROR
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:174]
- SAML 2 SSO profile is not configured for relying party
https://sp.example.org/shibboleth
15:59:39.669 - ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85]
- Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: SAML 2
SSO profile is not configured for relying party
https://sp.example.org/shibboleth
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:176)
[shibboleth-identityprovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:145)
[shibboleth-identityprovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82)
[shibboleth-identityprovider-2.1.2.jar:na]
at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:82)
[shibboleth-common-1.1.2.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77)
[shibboleth-identityprovider-2.1.2.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
[catalina.jar:na]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:na]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
[catalina.jar:na]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[catalina.jar:na]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:na]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
[catalina.jar:na]
at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
[tomcat-coyote.jar:na]
at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
[tomcat-coyote.jar:na]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
[tomcat-coyote.jar:na]
at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
[tomcat-coyote.jar:na]
at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
[tomcat-coyote.jar:na]
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
[tomcat-coyote.jar:na]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_07]
best regards
--
View this message in context: http://n2.nabble.com/SAML2-SSO-profile-is-not-configured-for-relying-party--https%3A--sp.example.org-shibboleth-tp3404702p3445237.html