Can anyone point me in the right direction on why this error is occurring… is it because of something I am missing in my Shibboleth2.xml?
The entityId(EntityID: rapattoni:mlsstgswmichigan:entityId) is provided by the IDP as shown from the IDP’s metadata snippet below
<md:EntityDescriptor entityID="rapattoni:mlsstgswmichigan:entityId" cacheDuration="PT1440M" ID="dJaXCmvMMzo5B7Nqo359dA25ZdV" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Thank you
Unknown or Unusable Identity Provider
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.
To report this problem, please contact the site administrator at agu...@analyzesoft.com.
Please include the following error message in any email:
Identity provider lookup failed at (http://sso.reinsighttax.com/sso.aspx)
EntityID: rapattoni:mlsstgswmichigan:entityId
opensaml::saml2md::MetadataException: Unable to locate Shibboleth-aware identity provider role for provider (rapattoni:mlsstgswmichigan:entityId)
Anil Guntur. | AnalyzeSoft, Inc. | 858-674-4321 x233 | agu...@analyzesoft.com | http://www.analyzesoft.com
Is shib being fussy about the lack of the urn prefix in the EntityID URN?
Or is it just a programming bug in which the message decoder attempts to parse cacheDuration as a time/date type?
Or is it just a profile issue (that Shib just doesn't (or won't) handle cacheDuration)?
https://bugs.internet2.edu/jira/browse/CPPOST-22
Change the metadata or it won't work without a patch.
-- Scott
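An added check, not code from the thread or the Shibboleth project, that parses an IdP EntityDescriptor for the things an SP has to find before it can use the IdP: the exact entityID string, an md:IDPSSODescriptor that lists SAML 2.0 and has an SSO endpoint, and whether cacheDuration appears without validUntil. The sample metadata is constructed; only its entityID comes from the thread, the endpoint is a placeholder.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: an IdP descriptor carrying cacheDuration but no validUntil.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="rapattoni:mlsstgswmichigan:entityId" cacheDuration="PT1440M">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text, expected_entity_id):
    """Return findings; 'usable' is True only when every check passes."""
    root = ET.fromstring(xml_text)
    findings = {"problems": []}
    if root.tag != f"{{{MD}}}EntityDescriptor":
        findings["problems"].append("root element is not md:EntityDescriptor")
        findings["usable"] = False
        return findings
    # The SP looks the IdP up by the exact entityID string (an "urn:" prefix
    # or a case difference is simply a different entity).
    actual = root.get("entityID")
    if actual != expected_entity_id:
        findings["problems"].append(f"entityID mismatch: {actual!r} != {expected_entity_id!r}")
    # The "identity provider role" the SP wants is an md:IDPSSODescriptor that
    # lists SAML 2.0 in protocolSupportEnumeration and has an SSO endpoint.
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        findings["problems"].append("no md:IDPSSODescriptor role")
    else:
        if SAML2 not in (idp.get("protocolSupportEnumeration") or "").split():
            findings["problems"].append("IDPSSODescriptor does not list SAML 2.0")
        if idp.find(f"{{{MD}}}SingleSignOnService") is None:
            findings["problems"].append("no md:SingleSignOnService endpoint")
    # Freshness attributes: flag cacheDuration without validUntil, the
    # combination the thread discusses (the reported fix was adding validUntil).
    findings["cacheDuration"] = root.get("cacheDuration")
    findings["validUntil"] = root.get("validUntil")
    if findings["cacheDuration"] and not findings["validUntil"]:
        findings["problems"].append("cacheDuration present without validUntil")
    findings["usable"] = not findings["problems"]
    return findings
```

Run it against the metadata file the SP is actually configured to load; a non-empty "problems" list points at what shibd.log will complain about.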
It is not because of the cacheDuration. I fixed the IDP metadata with a validUntil attribute.
Anil Guntur | Analyzesoft Inc. | 858-674-4321 x 233 | 858-922-6402 (c) | agu...@analyzesoft.com | www.analyzesoft.com
Right now, you are down to needing to have correct runtime config of the Shib SP.
First, make it work with TestShib. Then copy and modify. That was the strategy I used to dominate shib SP config (otherwise I'd break *something* when handcrafting, and have to spend hours with the src debugger to find out what).
Or you could look at the log file, and search for the error on the list or ask what it means.
Note I said *log file*, not *browser*.
-- Scott
I tested this successfully with one of the production IDPs we have and it redirected to their login page
Anil Guntur. | AnalyzeSoft, Inc. | 858-674-4321 x233 | agu...@analyzesoft.com | http://www.analyzesoft.com
-----Original Message-----
From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Wednesday, March 18, 2009 12:11 PM
To: shibbole...@internet2.edu
Subject: RE: [Shib-Users] Unusable Identity Provider
Ok. I've got no more suggestions, unless you can send traces and PDUs of the protocol run, etc. With that, it's easy to trace the debug log and see where it breaks.
It sounds, from the high-level nature of that log comment, that the SP is not even initiating.
> -----Original Message-----
> From: Anil Guntur [mailto:agu...@analyzesoft.com]
Wrong log.
/var/log/shibboleth/shibd.log
-- Scott
I tested successfully with one of the production IDPs we used before in another project and it worked with no problems and I was able to get to their login page