Error in Shibboleth IdP


Geo P.C.

Mar 21, 2012, 3:14:12 AM
to us...@shibboleth.net
We configured Shibboleth IdP as per the instructions in https://wiki.shibboleth.net/confluence/display/SHIB2/IdPInstall and tested with testshib. While testing the Identity Provider through https://sp.testshib.org/ we gave the entityID as https://shibboleth.citrus.local/idp/shibboleth but we are getting an error message in the browser as follows:

-------------

ERROR

An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.

This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again.

Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again.

If you think you were sent here in error, please contact technical support

Error Message: Error decoding authentication request message
-----------------
In idp-process.log it shows:
12:33:18.417 - INFO [Shibboleth-Access:74] - 20120321T070318Z|192.168.1.75|shibboleth.citrus.local:443|/profile/SAML2/Redirect/SSO|
12:33:19.459 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:618] - No user identified by login handler.
12:33:19.467 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:563] - Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:619) [shibboleth-identityprovider-2.3.6.jar:na]
................
12:33:19.475 - INFO [Shibboleth-Access:74] - 20120321T070319Z|192.168.1.75|shibboleth.citrus.local:443|/profile/SAML2/Redirect/SSO|
12:33:19.481 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:373] - Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
---------------------
Can anyone please help us with it?

Thanks

Geo

Geo P.C.

Mar 21, 2012, 7:16:31 AM
to us...@shibboleth.net
We are able to test both servers, Shibboleth IdP and Shibboleth SP, on two different servers separately with testshib. So let me know whether we can avoid testshib and use our Shibboleth IdP and SP for SSO authentication. Please update me.

Thanks
Geo

Paul Hethmon

Mar 21, 2012, 8:47:13 AM
to Shibboleth Users
There is no requirement to use TestShib, it's there as a convenience so you have a known working installation to test yours against.

Looking at your log, it appears the ERROR messages are referring to your login handlers not being set up properly. Out of the box, Shib itself does not know how to authenticate a user, you must configure a login handler for that. Several are included in the distribution that you can choose from and/or you can write your own.

I would suggest looking at your login handler set up first. Make sure what you've set up is correct and has access to validate credentials. Also make sure there are no ERROR level logs on a start up prior to attempting a login.

Paul
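
Added example (not part of the original thread, and not Shibboleth project code): a triage script for the check suggested above, separating ERROR/WARN entries logged before the first request from those logged after each request. The log layout is assumed from the excerpt quoted in the thread; the first sample line and its logger name are constructed.

```python
import re

# Header format in the thread's excerpt: HH:MM:SS.mmm - LEVEL [logger:line] - message
ENTRY = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d{3}) - (?P<level>[A-Z]+)\s*"
                   r"\[(?P<logger>[^\]:]+):\d+\] - (?P<msg>.*)$")

# Constructed sample: the first line is invented for illustration (hypothetical
# logger name); the remaining lines are copied from the thread's excerpt.
SAMPLE = """\
12:30:01.000 - ERROR [example.StartupComponent:10] - constructed startup failure
12:33:18.417 - INFO [Shibboleth-Access:74] - 20120321T070318Z|192.168.1.75|shibboleth.citrus.local:443|/profile/SAML2/Redirect/SSO|
12:33:19.459 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:618] - No user identified by login handler.
12:33:19.467 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:563] - Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
12:33:19.475 - INFO [Shibboleth-Access:74] - 20120321T070319Z|192.168.1.75|shibboleth.citrus.local:443|/profile/SAML2/Redirect/SSO|
12:33:19.481 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:373] - Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
"""

def parse_entries(text):
    """Yield one dict per entry; header-less lines (stack traces) join the previous entry."""
    entry = None
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m:
            if entry:
                yield entry
            entry = dict(m.groupdict(), detail=[])
        elif entry and raw.strip():
            entry["detail"].append(raw.strip())
    if entry:
        yield entry

def triage(text):
    """Return (startup_problems, requests); each request carries the ERROR/WARN entries logged after it."""
    startup, requests = [], []
    for e in parse_entries(text):
        if e["logger"] == "Shibboleth-Access":
            # Access line fields in the excerpt: timestamp|client|host:port|path|
            f = (e["msg"].split("|") + [""] * 4)[:4]
            requests.append({"client": f[1], "path": f[3], "problems": []})
        elif e["level"] in ("ERROR", "WARN"):
            cause = e["detail"][0] if e["detail"] else ""
            bucket = requests[-1]["problems"] if requests else startup
            bucket.append((e["level"], e["logger"].rsplit(".", 1)[-1], e["msg"], cause))
    return startup, requests

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty first list means something failed before any login was attempted, which is the case to rule out first.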


Geo P.C.

Mar 21, 2012, 10:29:25 AM
to Shib Users
Can anyone please update us on the steps to integrate this IdP and SP without using testshib? Also, please help me to create metadata for the SP. Please help us with it.

Thanks
Geo

Paul Hethmon

Mar 21, 2012, 10:53:10 AM
to Shibboleth Users

There are guides there for installation and configuration of both the IdP and SP software.