[Shib-Users] Connect 1.3 SP to 2.1 IdP: Error Message: No peer endpoint available to which to send SAML response


Etan Weintraub
Aug 27, 2009, 4:44:04 PM
to shibbole...@internet2.edu

I’m pretty sure I’ve messed something up in my metadata somewhere for the SP from what I’ve read on the wiki and the list, but I’m not sure what.

When I try to log in to my 1.3 SP, I get all the way to the 2.1 IdP and through the authentication and then get the Error Message: No peer endpoint available to which to send SAML response.

Now, in the IdP’s idp-process.log, I have the following:

16:25:02.053 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:397] - No return endpoint available for relying party https://shib13test.esg.johnshopkins.edu/shibboleth

I have not made any changes to the handler.xml from what the default is for installation (and that may be where my mistake is…is there something I need to add there to get a 1.3 SP to work with a 2.1 IdP?).

And here is the metadata for my 1.3 SP:


<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://shib13test.esg.johnshopkins.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://shib13test.esg.johnshopkins.edu/Shibboleth.sso/DS" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIICyTCCAjICCQDxftGRsKutUjANBgkqhkiG9w0BAQUFADCBvTELMAkGA1UEBhMC
VVMxETAPBgNVBAgTCE1hcnlsYW5kMRIwEAYDVQQHEwlCYWx0aW1vcmUxIzAhBgNV
BAoTGkpvaG5zIEhvcGtpbnMgSW5zdGl0dXRpb25zMRwwGgYDVQQLExNFbnRlcnBy
aXNlIFNlcnZpY2VzMR0wGwYDVQQDExRFbnRlcnByaXNlIERpcmVjdG9yeTElMCMG
CSqGSIb3DQEJARYWZGlyZWN0b3J5aGVscEBqaG1pLmVkdTAeFw0wOTA4MjcxNDU0
MDZaFw0yOTA4MjcxNDU0MDZaMIGTMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFy
eWxhbmQxEjAQBgNVBAcTCUJhbHRpbW9yZTEhMB8GA1UEChMYSm9obnMgSG9wa2lu
cyBVbml2ZXJzaXR5MRAwDgYDVQQLEwdOVFMtRVNHMSgwJgYDVQQDEx9zaGliMTN0
ZXN0LmVzZy5qb2huc2hvcGtpbnMuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDOrQstCZiXCuq6c68rY30iVximsCwwEhQZsFOKlrurN8XXdHVaQkKnCFwE
ces0GpDrhVCmR8Wl46OgUiVmUEP2sx88SC2AAukx8jRqXO6PwNmeHcD6TA6N3EyC
uLzXOa7xZUq6RAQtQNIajz/bn1lR9bRUor7UQJQIeEm8CnTCMQIDAQABMA0GCSqG
SIb3DQEBBQUAA4GBAKsDm2QKxWAVzejHo/cbQ+EUKiXGdMe5mLOgfQ32+etBDbHX
B+ZIcAOWrTJMv1poQShjPe8w4wowxbhbo+aTkAfUpDLcZTwt+hhZIkpnlPu98lfN
iogZyX/jnZv/kxlac8cXj43FQhvzdOeGSuRpWWTfk0O/ywAYmoqkVCibFpME
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://shib13test.esg.johnshopkins.edu/Shibboleth.sso/SAML/POST"/>
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://shib13test.esg.johnshopkins.edu/Shibboleth.sso/SAML/Artifact"/>

  </md:SPSSODescriptor>

  <Organization>
    <OrganizationName xml:lang="en">Orlando's Bidness</OrganizationName>
    <OrganizationDisplayName xml:lang="en">O-Smith and Company</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://www.o-smith.com</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Orlando</GivenName>
    <SurName>Smith</SurName>
    <EmailAddress>hsmi...@jhu.edu</EmailAddress>
  </ContactPerson>

</md:EntityDescriptor>


Any help would be greatly appreciated.

I have my 2.1 IdP working with a 2.2.1 SP no problems. Just trying to connect this 1.3 SP is causing me issues…

Help?

-Etan E. Weintraub
Team Leader - Enterprise Authentication
Senior Systems Engineer - Enterprise Directory
IT@Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: ewei...@jhmi.edu


Peter Schober
Aug 27, 2009, 5:44:45 PM
to shibbole...@internet2.edu
* Etan Weintraub <ewei...@jhmi.edu> [2009-08-27 22:45]:

> I have not made any changes to the handler.xml from what the default
> is for installation (and that may be where my mistake is...is there
> something I need to add there to get a 1.3 SP to work with a 2.1
> IdP?).

From where did you get that impression? Anyway: no, you don't touch
handler.xml to add a new relying party.

As for your error: did you check the common errors page?
https://spaces.internet2.edu/display/SHIB2/IdPTroubleshootingCommonErrors#IdPTroubleshootingCommonErrors-NopeerendpointavailabletowhichtosendSAMLresponse

-peter

Nate Klingenstein
Aug 27, 2009, 5:46:06 PM
to shibbole...@internet2.edu
Etan,

I'm pretty sure that error message means that the SHIRE value in the legacy Shibboleth SSO authentication query doesn't match any of the AssertionConsumerService endpoints listed in the metadata for that relying party.  Most likely a hostname or an http:// thing, but you can look at the redirect's query string to do a direct comparison.

Take care,
Nate.

Scott Cantor
Aug 27, 2009, 5:52:18 PM
to shibbole...@internet2.edu
> When I try to log in to my 1.3 SP, I get all the way to the 2.1 IdP and
> through the authentication and then get the Error Message: No peer
> endpoint available to which to send SAML response.

If the IdP is current, that's the new version of the old "Invalid ACS" error
the old IdP throws any time the metadata doesn't match the shire parameter.

If it's < 2.1.3, something more unusual is going on and more logging would
be relevant.

-- Scott

Etan Weintraub
Aug 27, 2009, 11:31:45 PM
to shibbole...@internet2.edu
It is 2.1.3 of the IdP, and I found one issue caused because I cloned an existing VM for my SP and forgot to change the hostnames in the apache config. I changed that, but I am still getting the message, and now I can see that the shire is set to the value in the metadata. It's loading the metadata, because it recognizes the entity, but is something wrong in how I have that metadata?

-Etan E. Weintraub

Etan Weintraub
Aug 27, 2009, 11:42:49 PM
to shibbole...@internet2.edu
Yup. My metadata had issues (needed to start tags with md:). Now I'm past this error and getting back to the SP where I am getting the message:

Session Creation Error at (https://shib13test.esg.johnshopkins.edu/Shibboleth.sso/SAML/POST)

Cannot connect to listener process, a site adminstrator should be notified.


And nothing clear in the logs...though it does look like the shibd process isn't running, which is weird...I'll look into this more in the morning. Thanks all for your help getting me this far. I'll let you know if I run into something else.

-Etan E. Weintraub
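The checks Nate and Scott describe (the `shire` query parameter on the legacy SSO redirect must match an AssertionConsumerService Location exactly) together with the namespace mistake Etan reports above, as an added example. This is not code from the thread or from the Shibboleth project: it parses SP metadata the way a namespace-aware IdP does, pulls `shire` off the SSO request, and reports whether it matches. The metadata, the example.org hostnames and the SSO request URL are constructed stand-ins, not the thread's real values.

```python
"""Check a legacy Shibboleth 1.x SSO request against SP metadata.

Added example (not from the thread or the Shibboleth project). It
reproduces the two failure modes discussed in the thread:
  * the `shire` parameter on the IdP redirect matches no
    AssertionConsumerService Location in the SP's metadata; and
  * endpoint elements written without the md: prefix, i.e. in no
    namespace, which a namespace-aware metadata parser simply ignores.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML1_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
SAML1_ARTIFACT = "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"

# Constructed sample: a minimal SP entity written the way the thread's
# metadata was, with AssertionConsumerService in no namespace (assumed
# hostnames, not the thread's).
BROKEN_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same entity with the element put back into the md: namespace.
FIXED_METADATA = BROKEN_METADATA.replace(
    "<AssertionConsumerService", "<md:AssertionConsumerService")

# Constructed sample: the redirect a 1.x SP sends the browser to the IdP with.
SSO_REQUEST = ("https://idp.example.org/idp/profile/Shibboleth/SSO"
               "?shire=https%3A%2F%2Fsp.example.org%2FShibboleth.sso%2FSAML%2FPOST"
               "&target=cookie"
               "&providerId=https%3A%2F%2Fsp.example.org%2Fshibboleth"
               "&time=1251405000")


def acs_locations(metadata_xml: str, binding: str) -> list:
    """ACS Locations for `binding`, looking only in the SAML metadata namespace."""
    root = ET.fromstring(metadata_xml)
    return [acs.get("Location")
            for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
            if acs.get("Binding") == binding]


def unprefixed_endpoints(metadata_xml: str) -> list:
    """Tag names of *Service elements that sit in no namespace (the md: bug)."""
    root = ET.fromstring(metadata_xml)
    return sorted({el.tag for el in root.iter()
                   if not el.tag.startswith("{") and el.tag.endswith("Service")})


def check_sso_request(sso_url: str, metadata_xml: str) -> tuple:
    """Return (ok, reason), mimicking how the IdP picks a return endpoint."""
    query = parse_qs(urlparse(sso_url).query)
    shire = query.get("shire", [None])[0]
    if shire is None:
        return False, "no shire parameter on the SSO request"
    stray = unprefixed_endpoints(metadata_xml)
    if stray:
        return False, f"endpoint elements outside the md: namespace: {stray}"
    # The IdP picks the binding from whichever ACS Location the shire
    # matches; the comparison is exact, scheme, host and path included.
    for binding in (SAML1_POST, SAML1_ARTIFACT):
        if shire in acs_locations(metadata_xml, binding):
            return True, f"{shire} matches an ACS with binding {binding}"
    return False, f"no AssertionConsumerService with Location {shire}"


if __name__ == "__main__":
    for label, md in (("broken", BROKEN_METADATA), ("fixed", FIXED_METADATA)):
        print(label, check_sso_request(SSO_REQUEST, md))
```

To use it on a real failure, copy the IdP redirect URL out of the browser's address bar or the SP's Apache access log and the SP's metadata as the IdP actually loads it; a mismatch in scheme, port or hostname (the cloned-VM case above) shows up as the last branch, the missing md: prefix as the second.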

Scott Cantor
Aug 27, 2009, 11:45:13 PM
to shibbole...@internet2.edu
Etan Weintraub wrote on 2009-08-27:
> It is 2.1.3 of the IdP, and I found one issue caused because I cloned an
> existing VM for my SP and forgot to change the hostnames in the apache
> config. I changed that, but I am still getting the message, and now I can
> see that the shire is set to the value in the metadata. It's loading the
> metadata, because it recognizes the entity, but is something wrong in how I
> have that metadata?

If it matches exactly then something else is interfering and you'll have to trace the log closer to see where it's tripping up.

Your protocolSupportEnum looked ok earlier, so I don't know what else would trip it up. Did you define a special RelyingParty and neglect to enable SAML 1.1 profiles for it?

-- Scott


Etan Weintraub
Aug 28, 2009, 10:08:56 AM
to shibbole...@internet2.edu
OK...I'm stuck.

It appears that every time I actually get back to the SP, the call to it is killing the shibd process. When I start the shibd process using service shibd start, I get nothing, not even in the logs. When I start it using /usr/sbin/shibd -f & I get a segmentation fault error on the console, but nothing else. Nothing seems to be showing in the logs even.

Anyone have any ideas?

-Etan E. Weintraub

Scott Cantor
Aug 28, 2009, 10:29:24 AM
to shibbole...@internet2.edu
Etan Weintraub wrote on 2009-08-28:
> OK...I'm stuck.
>
> It appears that every time I actually get back to the SP, the call to it is
> killing the shibd process. When I start the shibd process using service
> shibd start, I get nothing, not even in the logs. When I start it using
> /usr/sbin/shibd -f & I get a segmentation fault error on the console, but
> nothing else. Nothing seems to be showing in the logs even.

You can't get no logs if it's failing during a login, it would have already logged something by then. Either way I need a stack trace to tell anything.

The most likely explanation for a login crash with 1.3 and a newer IdP is a failure to include a NameIdentifier, which is a bug in the old code that I'm not fixing. But you have something more critical wrong if it's not logging. SELinux maybe?

-- Scott


Etan Weintraub
Aug 28, 2009, 10:40:25 AM
to shibbole...@internet2.edu
Nope, not SELinux, I never use that as it's caused major issues with a lot of the stuff we use here. As far as a NameIdentifier, in the metadata I have:

<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>

I'll see if I can get a stack trace out of it. I do see things in the log from startup and actually see a "verified digital signature over SSO response" right before the crash, just nothing on the actual crash. It just stops.

-Etan E. Weintraub

Scott Cantor
Aug 28, 2009, 10:52:04 AM
to shibbole...@internet2.edu
Etan Weintraub wrote on 2009-08-28:
> Nope, not SELinux, I never use that as it's caused major issues with a
> lot of the stuff we use here. As far as a NameIdentifier, in the
> metadata I have:
>
> <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>

That has nothing to do with whether it included one or not. If you don't enable an encoder for a SAML 1 Name that has an attribute available to encode, it won't generate one. That's legal, it's just not something the old IdP ever did, and the old SP was never tested for that case.

> I'll see if I can get a stack trace out of it. I do see things in the
> log from startup and actually see a "verified digital signature over SSO
> response" right before the crash, just nothing on the actual crash. It
> just stops.

You seemed to be saying it wasn't logging anything. You'll never get a log from a crash saying "I'm about to hork, prepare for horkage, horked."

It's almost certainly the NameIdentifier missing.

-- Scott


Etan Weintraub
Aug 28, 2009, 10:54:29 AM
to shibbole...@internet2.edu
OK, so where exactly do I add the NameIdentifier then? I'm a little confused on that piece...

-Etan E. Weintraub

Scott Cantor
Aug 28, 2009, 11:14:03 AM
to shibbole...@internet2.edu
Etan Weintraub wrote on 2009-08-28:
> OK, so where exactly do I add the NameIdentifier then? I'm a little confused
> on that piece...

The IdP material on NameIDs and Attributes and how to set them all up was substantially rewritten, you probably want to review that from the top.

Mechanically, you add a SAML 1 NameIdentifier encoder plugin to the definition of some attribute that's being released to the relevant SP(s). The default used to omit this, but I thought that was fixed now, so maybe that's not your problem.

If that's not it, and you can't get a trace, file a bug and attach the form data from the browser that's crashing it along with metadata to make it work and I'll reproduce the crash.

-- Scott
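Scott's point about the missing NameIdentifier, as an added example that is not code from the thread or from the Shibboleth project: it decodes the SAMLResponse form field a 1.x SP receives at its SAML/POST endpoint and reports any assertion whose Subject lacks a NameIdentifier, which is the legal-but-untested case the 1.3 SP crashes on. The response is a constructed, unsigned sample with example.org hostnames; a real one is signed and carries Conditions, and this check verifies neither.

```python
"""Report SAML 1.1 assertions whose Subject carries no NameIdentifier.

Added example (not from the thread or the Shibboleth project). A SAML 1
Subject may legally omit <NameIdentifier>; the 2.x IdP does so when no
attribute released to the SP has a SAML1 NameIdentifier encoder, and the
1.3 SP was never tested for it. This looks at the form data a browser
POSTs to the SP before the SP ever sees it.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SHIB_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"


def _response(with_nameid: bool) -> str:
    """Constructed, unsigned SAML 1.1 Response (assumed hostnames, not the thread's)."""
    nameid = (f'<saml:NameIdentifier Format="{SHIB_NAMEID}" '
              'NameQualifier="https://idp.example.org/idp/shibboleth">'
              '_a1b2c3</saml:NameIdentifier>') if with_nameid else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="1" ResponseID="_r1"
    IssueInstant="2009-08-28T14:00:00Z"
    Recipient="https://sp.example.org/Shibboleth.sso/SAML/POST">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1"
      Issuer="https://idp.example.org/idp/shibboleth"
      IssueInstant="2009-08-28T14:00:00Z">
    <saml:AuthenticationStatement AuthenticationInstant="2009-08-28T13:59:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>{nameid}
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_post(with_nameid: bool) -> dict:
    """The form fields a browser would POST to the SP's SAML/POST endpoint."""
    xml = _response(with_nameid).encode()
    return {"SAMLResponse": base64.b64encode(xml).decode(), "TARGET": "cookie"}


def missing_nameids(form: dict) -> list:
    """AssertionIDs whose Subject has no (non-empty) NameIdentifier."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 1.x Response")
    problems = []
    for assertion in root.iter(f"{{{SAML}}}Assertion"):
        for subject in assertion.iter(f"{{{SAML}}}Subject"):
            nameid = subject.find(f"{{{SAML}}}NameIdentifier")
            if nameid is None or not (nameid.text or "").strip():
                problems.append(assertion.get("AssertionID"))
    return problems


def nameid_formats(form: dict) -> list:
    """Formats of every NameIdentifier present, to compare with the SP's NameIDFormat."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    return [n.get("Format") for n in root.iter(f"{{{SAML}}}NameIdentifier")]


if __name__ == "__main__":
    print("with encoder:   ", missing_nameids(encode_post(True)))
    print("without encoder:", missing_nameids(encode_post(False)))
```

Run `missing_nameids` over the SAMLResponse value captured from the browser (the form data Scott asks for) before filing a bug: a non-empty list means the fix belongs on the IdP side, in the attribute-resolver.xml encoder Scott describes, and no amount of SP metadata will change it.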


Etan Weintraub
Aug 28, 2009, 11:22:48 AM
to shibbole...@internet2.edu
A million thank you's Scott. That was it. I added the NameIdentifier and all is working fine now.

Thank you so much for your help. As always, it's refreshing to see the helpful responses that you and the others give on this list.

-Etan E. Weintraub

Scott Cantor
Aug 28, 2009, 11:34:06 AM
to shibbole...@internet2.edu
Etan Weintraub wrote on 2009-08-28:
> A million thank you's Scott. That was it. I added the NameIdentifier and all
> is working fine now.

Hmm, was that not the default now? Or were you using an older config file or a changed copy that blocked transients? I thought we changed that because it was going to crash so many SPs to leave it out.

-- Scott

Etan Weintraub
Aug 28, 2009, 1:04:09 PM
to shibbole...@internet2.edu
I hadn't touched that section of the attribute-resolver.xml file, and it was a 2.1.3 that I downloaded earlier this week, so I guess it's not the default.

-Etan E. Weintraub

Scott Cantor
Aug 28, 2009, 1:11:55 PM
to shibbole...@internet2.edu
Etan Weintraub wrote on 2009-08-28:
> I hadn't touched that section of the attribute-resolver.xml file, and it
> was a 2.1.3 that I downloaded earlier this week, so I guess it's not the
> default.

Hmm. Seems to be. I see this in svn:

<resolver:AttributeDefinition id="transientId" xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>

Was that not in your copy already? Did you do something different to fix the problem?

-- Scott


Etan Weintraub
Aug 28, 2009, 2:23:06 PM
to shibbole...@internet2.edu
It's entirely possible that I commented it out myself and don't remember doing so, but I don't think I did. All I did do was uncomment that though and it all worked.

Now I'm running into issues where I think I don't have Terracotta configured right, because I have my SP connecting to one IdP, and my browser connecting to the other, and am getting a message in my SP's log file that says:
2009-08-28 14:20:56 ERROR shibtarget.SessionCache [2] sessionGet: caught SAML exception during SAML attribute query: Error resolving principal

So I'm guessing that the IdPs aren't talking to each other (or rather to the Terracotta cluster) properly. I've followed the directions on https://spaces.internet2.edu/display/SHIB2/IdPCluster but I guess I'm missing something...

-Etan E. Weintraub

Scott Cantor
Aug 28, 2009, 3:51:25 PM
to shibbole...@internet2.edu
Etan Weintraub wrote on 2009-08-28:
> It's entirely possible that I commented it out myself and don't remember
> doing so, but I don't think I did. All I did do was uncomment that though
> and it all worked.

You must have, it's uncommented in the distribution.

-- Scott


Etan Weintraub
Aug 28, 2009, 4:02:56 PM
to shibbole...@internet2.edu
Probably...wouldn't surprise me...

Now I can't get my sessions to translate between my two IdPs...so something is up with my Terracotta, and the main thing I'm trying to find is how exactly do I tell the IdP to use Terracotta? It seems from the documentation that it's just the JAVA_OPTS stuff on the Tomcat startup, but I'm guessing that there has to be something else missing...

-Etan E. Weintraub

Paul Hethmon
Aug 28, 2009, 4:08:17 PM
to Shibboleth Users
Nope, that's pretty much it. When Tomcat starts, TC inserts itself into the
boot loader process and instruments the classes that Shib uses to maintain
state.


On 8/28/09 4:02 PM, "Etan Weintraub" <ewei...@jhmi.edu> wrote:

> Now I can't get my sessions to translate between my two IdP's...so something
> is up with my Terracotta, and the main thing I'm trying to find is how exactly
> do I tell the IdP to use Terracotta? It seems from the documentation that it's
> just the JAVA_OPTS stuff on the Tomcat startup, but I'm guessing that there
> has to be something else missing...

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

God does not play dice with the universe; He plays an ineffable game of his
own devising, which might be compared, from the perspective of any of the
other players, to being involved in an obscure and complex version of poker
in a pitch dark room, with blank cards, for infinite stakes, with a dealer
who won't tell you the rules, and who smiles all the time.

-- Terry Pratchett, Good Omens


Etan Weintraub
Aug 28, 2009, 4:13:10 PM
to shibbole...@internet2.edu
Hmmm.......so why am I getting the following in my logs when I point my browser at one of my IdPs and my SP at the other?

2009-08-28 16:12:14 INFO Shibboleth.ShibBrowserProfile [8] sessionNew: verified digital signature over SSO response
2009-08-28 16:12:14 INFO shibtarget.SessionCache [8] sessionNew: new session created with session ID (_dc8301c1844744ac715e00b56ff6e109)
2009-08-28 16:12:14 INFO SAML.SAMLSOAPHTTPBinding [9] sessionGet: sending SOAP message to https://shibpep.johnshopkins.edu:8443/idp/profile/SAML1/SOAP/AttributeQuery
2009-08-28 16:12:14 INFO OpenSSL [9] sessionGet: verified server's TLS key/certificate
2009-08-28 16:12:14 ERROR shibtarget.SessionCache [9] sessionGet: caught SAML exception during SAML attribute query: Error resolving principal
2009-08-28 16:12:14 WARN shibtarget.SessionCache [9] sessionGet: skipping binding on unsupported protocol (urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2009-08-28 16:12:14 ERROR shibtarget.SessionCache [9] sessionGet: no response obtained

Any ideas?

-Etan E. Weintraub