I am attempting to set up a test Shibboleth environment using a single server. I have followed the instructions on the Internet2 site (in fact I have gone over each step numerous times) and am still encountering a problem. I have searched this list as well as Google several times, but have never found a concise solution to my problem.
The problem occurs when I try to complete the Login Testing portion of the instructions.
Going to https://ophelia.coalliance.org/secure brings me to the "Unknown or Unusable Identity Provider" page with the following details:
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.
To report this problem, please contact the site administrator at root@localhost.
Please include the following error message in any email:
Identity provider lookup failed at (https://www.example.com/secure)
EntityID: https://ophelia.coalliance.org/idp/shibboleth
opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (https://ophelia.coalliance.org/idp/shibboleth)
And of course in the /var/log/shibboleth/shibd.log file the line:
2008-11-11 08:42:04 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable to locate metadata for provider (https://ophelia.coalliance.org/idp/shibboleth)
I have posted the shibboleth2.xml and the relying-party.xml files at:
http://horus.coalliance.org/~tdonnelly/shibb/index.php
Doing the Initial testing steps in the SP install section brings up the contents of the /usr/local/idp/metadata/idp-metadata.xml file. I can make that available as well if it would be useful, as well as any logs that may help. Although nothing is being written to the native.log.
Thanks for any insights.
Tim Donnelly
Colorado Alliance of Research Libraries
This file's contents would be extremely useful. As your SP notes,
it's trying to send you to an IdP that it doesn't recognize, so it
has no idea where to send you. This is the only metadata file
loaded, so if that IdP (https://ophelia.coalliance.org/idp/
shibboleth) isn't listed in the file, you'll get this error.
Also, you might have installed the IdP at a different location, in
which case you just need to fix the path. You would see a non-fatal
error during startup of the SP if that were the case. You should try
restarting the SP and watching for it.
If that's not the case, could you upload the IdP's metadata, please?
Nate.
Restarting SP looks clean to me, but just in case I also uploaded the
shibd.log file.
The install was by-the-book from the provided instructions. It is on a
CentOS 5.2 32-bit platform. Apache and Tomcat were both installed from
source and Java from an rpm.
One thing that puzzled me in the error page was the reference to
https://www.example.com/secure. Is that really just some example text
on the page, or was it trying to contact that URL?
Thanks
That's your SP's metadata. You haven't given the SP any metadata for the
IdP.
> One thing that puzzled me in the error page was the reference to
> https://www.example.com/secure. Is that really just some example text
> on the page, or was it trying to contact that URL?
Neither. You told your web server that its name was www.example.com.
-- Scott
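Nate's and Scott's replies come down to one check: does the metadata the SP loads actually contain an EntityDescriptor for the IdP's entityID with an IdP role in it? The script below is an added example (written for this page, not code from the thread, Internet2 or the Shibboleth project) that performs that lookup offline on two constructed metadata samples. The only value taken from the thread is the IdP entityID; the SP entityID and all endpoint URLs are invented.

```python
# Added example (not from the thread): reproduce the SP's metadata lookup
# against a file to see whether it would find the IdP it is sending the
# user to. Both metadata documents below are constructed samples.
import xml.etree.ElementTree as ET
from typing import Dict, List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# entityID quoted in the error message in the thread
IDP_ENTITY_ID = "https://ophelia.coalliance.org/idp/shibboleth"

# Constructed sample: an SP's own metadata. Loading only this file is the
# situation in the thread: it names an SP role, never the IdP.
SP_ONLY_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: an aggregate that does carry the IdP's metadata.
IDP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://ophelia.coalliance.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://ophelia.coalliance.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def lookup_idp(metadata_xml: str, entity_id: str) -> Dict[str, object]:
    """Find entity_id in the metadata and require that it carries an IdP role.

    status is 'missing' (no such entityID), 'no-idp-role' (found, but only
    an SP role, so it cannot be used as a login source) or 'ok'.
    """
    root = ET.fromstring(metadata_xml)
    # A file may be one EntityDescriptor or an EntitiesDescriptor aggregate.
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", NS)
    for ed in entities:
        if ed.get("entityID") != entity_id:
            continue
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            return {"status": "no-idp-role", "entityID": entity_id, "sso": []}
        sso = [(s.get("Binding"), s.get("Location"))
               for s in idp.findall("md:SingleSignOnService", NS)]
        return {"status": "ok", "entityID": entity_id, "sso": sso}
    return {"status": "missing", "entityID": entity_id, "sso": []}


def diagnose(files: Dict[str, str], entity_id: str) -> List[str]:
    """One verdict line per loaded metadata file, for the entityID in question."""
    return [f"{name}: {lookup_idp(xml, entity_id)['status']}"
            for name, xml in files.items()]


if __name__ == "__main__":
    # Same file names as in the thread, contents constructed above.
    for line in diagnose({"sp-metadata.xml": SP_ONLY_METADATA,
                          "idp-metadata.xml": IDP_METADATA}, IDP_ENTITY_ID):
        print(line)
```

Run it against the real files the SP's MetadataProvider elements point at (the paths are in shibboleth2.xml) and a "missing" or "no-idp-role" verdict for the IdP's entityID is the "unable to locate metadata for provider" error before the SP ever logs it.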
I have uploaded the idp-metadata.xml file to the same location.
That's your SP's metadata. You haven't given the SP any metadata for the
IdP.
OK, so did I miss a step in the instructions?
I would guess that the relevant step is in Basic Configuration, number 3 in the shibboleth2.xml file?
Or is it the modification to the relying-party.xml file?
Also to address Scott’s point about the webserver name, in the httpd.conf file the ServerName directive is set as ophelia.coalliance.org.
Can't be. My guess is you have a vhost with its own ServerName set.
-- Scott
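Scott's point is that a ServerName at the top of httpd.conf is irrelevant if the SSL virtual host serving /secure sets its own. The script below is an added example (written for this page, not from the thread or the Shibboleth project) that lists every ServerName in an httpd.conf together with the scope it lives in and says which name a request on a given port would actually get. The configuration text is a constructed sample, and the "one vhost per port" rule it applies is an assumption for the example, not Apache's full matching logic.

```python
# Added example (not from the thread): find out which ServerName Apache will
# actually use, since a vhost's own ServerName shadows the global one.
import re
from typing import List, Tuple

# Constructed sample: the global name looks right, but the SSL vhost still
# carries a default www.example.com ServerName, which is then what the SP
# sees when it builds URLs such as https://www.example.com/secure.
SAMPLE_HTTPD_CONF = """
ServerName ophelia.coalliance.org
Listen 80
Listen 443

<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
"""


def server_names(conf_text: str) -> List[Tuple[str, str]]:
    """Return (scope, name) for every ServerName directive.

    scope is 'global' or the address part of the enclosing <VirtualHost>.
    """
    scope: List[str] = ["global"]
    found: List[Tuple[str, str]] = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments (crude, enough here)
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if m:
            scope.append(m.group(1).strip())
            continue
        if re.match(r"</VirtualHost\s*>", line, re.IGNORECASE):
            scope.pop()
            continue
        m = re.match(r"ServerName\s+(\S+)", line, re.IGNORECASE)
        if m:
            found.append((scope[-1], m.group(1)))
    return found


def effective_server_name(conf_text: str, port: int) -> str:
    """Name a request on `port` would be served under.

    Assumption for this example: a vhost whose address ends in :port wins;
    otherwise the global ServerName applies.
    """
    names = server_names(conf_text)
    for scope, name in names:
        if scope != "global" and scope.endswith(f":{port}"):
            return name
    for scope, name in names:
        if scope == "global":
            return name
    return ""


if __name__ == "__main__":
    for scope, name in server_names(SAMPLE_HTTPD_CONF):
        print(f"{scope:20s} ServerName {name}")
    print("https requests (443) use:", effective_server_name(SAMPLE_HTTPD_CONF, 443))
```

On a real host, feed it the output of `httpd -S` style reasoning instead: the point is only that the name to check is the one in the vhost handling port 443, because that is the hostname the SP reports in its error page.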
For lack of a better explanation, that must be what happened.
I reinstalled the IdP portion and now it works.
Thanks for the help.
From: Nate Klingenstein
[mailto:n...@internet2.edu]
Sent: Tuesday, November 11, 2008 11:03 AM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] Unknown or Unusable Identity Provider
Tim,