[Shib-Users] Unable to establish security of incoming assertion


Kidd, Don W.

Mar 26, 2011, 11:44:36 PM
to shibbole...@internet2.edu

I am trying to get Shib 2.2 installed for our IdP. I know I should probably try to do this with 2.2.1, but I started this before 2.2.1 came out and I didn't want to do the updates again.

My situation is this: I am trying to test this new version with sp.testshib. I can log in with my IdP, but when it is passed back to the SP, I get the following error:

opensaml::FatalProfileException

The system encountered an error at Sat Mar 26 23:35:21 2011

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (https://sp.testshib.org/Shibboleth.sso/SAML2/POST)

Unable to establish security of incoming assertion.


So I assume I am missing something, but I am not sure what it is. Here is the request from my IdP log:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
    ID="_77c1894f6bbf0d3d4ab8df254a047c06"
    IssueInstant="2011-03-27T03:36:32Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.testshib.org/shibboleth-sp</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

Could someone advise me what I am missing?

Thanks,
Don 
--------
Don W. Kidd
Senior Systems Analyst
Information Technology Services
Office : 513.529.9655
EMail: dk...@muohio.edu

Nate Klingenstein

Mar 27, 2011, 12:02:43 AM
to shibbole...@internet2.edu
Don,

The best thing to do is to check the SP's logs, which in the case of TestShib, are open to everyone.


In this case, the logs indicate that your IdP is using an entityID that is not recognized by TestShib:

2011-03-26 23:36:34 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: message from (https://shib-idp.muohio.edu)
2011-03-26 23:36:34 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: searching metadata for message issuer...
2011-03-26 23:36:34 WARN OpenSAML.MessageDecoder.SAML2 [1]: no metadata found, can't establish identity of issuer (https://shib-idp.muohio.edu)

and, checking your metadata in TestShib, it looks like there is indeed a mismatch:

    <md:EntityDescriptor

Try getting that synched up first.

Have a great evening,
Nate.
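The check described in the reply above, as an added example that is not code from the thread, from TestShib or from the Shibboleth project: a small Python script that pulls the <saml:Issuer> out of an incoming SAML message and looks it up in the SP's metadata the way the SP does (an exact string match on entityID, so a different path, scheme or trailing slash is a different entity), then lists near-misses that share the same host, which is the usual cause of a "no metadata found" mismatch. It also confirms the matched entity actually carries an IDPSSODescriptor, since an entity that is in the metadata but only as an SP fails the same way. All XML below is constructed with example.org names and is not the poster's or TestShib's real metadata.

```python
"""Triage for "Unable to establish security of incoming assertion":
does the Issuer of an incoming SAML message match an entityID the SP
has metadata for, and does that entity carry an IdP role?"""
from typing import Dict, Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
MD_ENTITY = "{%s}EntityDescriptor" % NS["md"]
MD_IDP_ROLE = "{%s}IDPSSODescriptor" % NS["md"]

# Constructed sample: a response whose Issuer is the bare IdP hostname,
# mirroring the symptom in the thread (example.org names, not real ones).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2011-03-27T03:36:34Z"
    Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: what the SP has registered. The IdP was submitted with
# a different entityID (same host, extra path), so the lookup will miss.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="constructed-feed">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def issuer_of(message_xml: str) -> Optional[str]:
    """Return the <saml:Issuer> text of a SAML Response or AuthnRequest."""
    root = ET.fromstring(message_xml)
    el = root.find("saml:Issuer", NS)
    if el is None or not el.text:
        return None
    return el.text.strip()


def entity_descriptors(metadata_xml: str) -> Dict[str, ET.Element]:
    """Map entityID -> EntityDescriptor, for a single descriptor or a feed."""
    root = ET.fromstring(metadata_xml)
    # iter() includes the root itself, so a lone EntityDescriptor also works.
    return {ed.get("entityID"): ed for ed in root.iter(MD_ENTITY) if ed.get("entityID")}


def check_issuer(message_xml: str, metadata_xml: str) -> Dict[str, object]:
    """Classify why an SP would or would not trust this message's issuer."""
    issuer = issuer_of(message_xml)
    entities = entity_descriptors(metadata_xml)
    if issuer is None:
        return {"issuer": None, "status": "no_issuer", "near_misses": []}
    # Exact, case-sensitive comparison: the SP does not normalise entityIDs.
    ed = entities.get(issuer)
    if ed is None:
        host = urlparse(issuer).netloc.lower()
        near = sorted(e for e in entities if urlparse(e).netloc.lower() == host)
        return {"issuer": issuer, "status": "no_metadata", "near_misses": near}
    if ed.find(MD_IDP_ROLE) is None:
        return {"issuer": issuer, "status": "no_idp_role", "near_misses": []}
    return {"issuer": issuer, "status": "ok", "near_misses": []}


if __name__ == "__main__":
    result = check_issuer(SAMPLE_RESPONSE, SAMPLE_METADATA)
    if result["status"] == "no_metadata":
        print("no metadata found for issuer (%s)" % result["issuer"])
        for candidate in result["near_misses"]:
            print("  same host registered as: %s" % candidate)
    else:
        print(result["status"])
```

Run against a real Response pulled from the IdP log and the metadata the SP is actually loading (for a federation, the aggregate file, not the IdP's own idp-metadata.xml); a near-miss in the output is the value to synchronise on one side or the other. The same issuer_of() works on the AuthnRequest shown earlier in the thread, where the Issuer is the SP's entityID.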

Kidd, Don W.

Mar 28, 2011, 10:43:38 AM
to shibbole...@internet2.edu
FYI, I seem to be getting a 503 error when I go to https://www.testshib.org/testshib-two/index.jsp

Is the testshib site having issues?

Don


--------
Don W. Kidd
Senior Systems Analyst
Information Technology Services
Office : 513.529.9655
EMail: dk...@muohio.edu

Nate Klingenstein

Mar 28, 2011, 11:43:03 AM
to shibbole...@internet2.edu
Don,

Quite clearly, yes.  There was various excitement in the logs that seems to be rooted in an attempt to parse a creatively invalid metadata submission.  Java choked on an ensuing lack of heap space and the whole thing fell over.

It's propped back up again.  Thanks for the report.
Nate.