Usually when it all looks correct, the solution is that you're not
actually using the metadata you think you are. Are you loading the SP's
metadata from a local file? Does the log verify it's loading?
-- Scott
-----------------
Thanks Scott,
My relying-party.xml has a very simple entry for it:
<metadata:MetadataProvider id="sciquestMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
metadataURL="https://test.SomePlace.com/apps/Router/SAMLMetadata/USU"
backingFile="/opt/shibboleth-idp/metadata/someplace-metadata.xml">
</metadata:MetadataProvider>
When all this began, the validUntil date in my someplace-metadata.xml was the very first thing I checked. It shows a recent update of the metadata, as the validUntil is some future date. (approx 24hrs since the first request in the morning for it)
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_535c0455b0b464f0718636ff0f" entityID="https://test.SomePlace.com" validUntil="2011-07-27T20:08:23.655Z">
Scrolling up in the debug information, as you've suggested, it does seem to find the entity in the metadata, but thinks it's expired?
14:17:12.677 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:170] - Metadata document contained an EntityDescriptor with the ID https://test.SomePlace.com, but it was no longer valid
14:17:12.677 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:199] - Checking child metadata provider for entity descriptor with entity ID: https://test.SomePlace.com
14:17:12.677 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:509] - Searching for entity descriptor with an entity ID of https://test.SomePlace.com
14:17:12.678 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:166] - Metadata document does not contain an EntityDescriptor with the ID https://test.SomePlace.com
14:17:12.678 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:170] - Metadata document contained an EntityDescriptor with the ID https://test.SomePlace.com, but it was no longer valid
14:17:12.678 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:199] - Checking child metadata provider for entity descriptor with entity ID: https://test.SomePlace.com
14:17:12.678 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:509] - Searching for entity descriptor with an entity ID of https://test.SomePlace.com
14:17:12.678 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://test.SomePlace.com. Using default relying party configuration.
You don't want to do that. There's no security there if you're asking
somebody to vouch for their own metadata. That's aside from the issue in
question.
>Scrolling up in the debug information, as you've suggested, it does seem
>to find the entity in the metadata, but thinks it's expired?
I'm not sure that's true, I think there are some spurious messages about
that, but I would bypass it for now by pulling it into a file, editing the
validUntil or removing it, and just seeing if that changes things.
-- Scott
I'm not sure what you're asking. Does there need to be an
SPSSODescriptor in SP metadata? Most definitely, yes. Will the
exchange fail without it? Oh, yes, if the IdP can't verify the
endpoint location at the SP, it has no choice.
Tom
Now maybe this is more interesting:
14:49:26.096 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:317] - Metadata document did not containany role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity https://test.SomePlace.com
14:49:26.097 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:286] - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity https://test.SomePlace.com
14:49:26.097 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:254] - Checking child metadata provider for entity descriptor with entity ID: https://test.SomePlace.com
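As an added example (not code from this thread, nor from Shibboleth or OpenSAML), the following Python pre-flight check reproduces the two conditions the IdP's metadata provider is logging about: validUntil compared against the current time, and the presence of an SPSSODescriptor that supports urn:oasis:names:tc:SAML:2.0:protocol, which Tom's reply says is required. The sample metadata documents are constructed for the example; the AssertionConsumerService location is made up.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def parse_saml_datetime(value):
    # xsd:dateTime as OpenSAML writes it, with or without fractional seconds
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable validUntil: {value!r}")


def check_sp_metadata(xml_text, now):
    """Return the problems an IdP would hit with this SP entity (empty list = usable)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, not md:EntityDescriptor"]
    valid_until = root.get("validUntil")
    if valid_until and parse_saml_datetime(valid_until) <= now:
        problems.append(f"validUntil {valid_until} has passed; the entity is no longer valid")
    roles = root.findall(f"{{{MD_NS}}}SPSSODescriptor")
    if not roles:
        problems.append("no SPSSODescriptor role; the IdP cannot find the SP's endpoints")
        return problems
    saml2 = [r for r in roles if SAML2_PROTOCOL in r.get("protocolSupportEnumeration", "").split()]
    if not saml2:
        problems.append(f"no SPSSODescriptor supporting {SAML2_PROTOCOL}")
    elif not any(r.findall(f"{{{MD_NS}}}AssertionConsumerService") for r in saml2):
        problems.append("SPSSODescriptor has no AssertionConsumerService endpoint")
    return problems


# Constructed sample: entityID and validUntil modelled on the thread, ACS location made up
GOOD_SP = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://test.SomePlace.com"
  validUntil="2011-07-27T20:08:23.655Z">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://test.SomePlace.com/example/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample with the role missing: the situation the 14:49 log lines describe
NO_ROLE_SP = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://test.SomePlace.com"
  validUntil="2011-07-27T20:08:23.655Z"></md:EntityDescriptor>"""

if __name__ == "__main__":
    at_log_time = parse_saml_datetime("2011-07-27T14:17:12.677Z")
    next_day = parse_saml_datetime("2011-07-28T00:00:00Z")
    for label, doc, now in (("good, in date", GOOD_SP, at_log_time),
                            ("good, expired", GOOD_SP, next_day),
                            ("no role", NO_ROLE_SP, at_log_time)):
        print(label, "->", check_sp_metadata(doc, now) or "OK")
```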