[Shib-Users] IdP & SP Metadata Configuration problem.


jay_dee

Apr 22, 2011, 11:55:20 AM
to shibbole...@internet2.edu
Hi all, I'm new to Shibboleth 2 and I'm facing a problem configuring the basic
settings in shibboleth2.xml and relying-party (metadata provider).

I have configured Shibboleth 2.4.2 as SP to use the IdP, with JBoss 5.
What do I change in shibboleth2.xml and in relying-party (metadata provider)?
I'm running https://sp.baya.org/Shibboleth.sso/Status on IIS
and https://idp.baya.org:8443/idp/shibboleth on JBoss 5.

Shibboleth2.xml is
<Site id="1" name="sp.baya.org"/>

<Host name="sp.baya.org">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>

<ApplicationDefaults entityID="https://sp.baya.org/Shibboleth.sso"
REMOTE_USER="eppn persistent-id targeted-id">

<SessionInitiator type="Chaining" Location="/Login" isDefault="true"
id="Intranet" relayState="cookie"
entityID="https://idp.baya.org:8443/idp/shibboleth" acsByIndex="false"/>

<Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>

<MetadataProvider type="XML"
uri="https://idp.baya.org:8443/spbaya-metadata.xml"
backingFilePath="spbaya-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil"
maxValidityInterval="2419200"/>
</MetadataProvider>

(https://idp.baya.org:8443/spbaya-metadata.xml is the path I get my metadata
from, as it's not working when I write https://sp.baya.org/spbaya-metadata.xml.)

When I write the same path in relying-party.xml (without changing anything else)
in the MetadataProvider section, my IdP stops working.

<metadata:MetadataProvider id="ShibbolethMetadata"
xsi:type="metadata:ChainingMetadataProvider">

<metadata:MetadataProvider id="IdPMD"
xsi:type="metadata:ResourceBackedMetadataProvider">
<metadata:MetadataResource
xsi:type="resource:FilesystemResource"
file="c:\shibboleth-idp/metadata/idp-metadata.xml" />
</metadata:MetadataProvider>

<metadata:MetadataProvider id="URLMD"
xsi:type="metadata:FileBackedHTTPMetadataProvider"
metadataURL="https://idp.baya.org:8443/spbaya-metadata.xml"
backingFile="c:\shibboleth-idp/metadata/some-metadata.xml"/>
</metadata:MetadataProvider>

Is there anything I am missing, or do I need to change something in other
files like attribute-filter.xml or attribute-resolver.xml? If yes, then what
do I change?

Please help. Thanks in advance.

Cantor, Scott E.

Apr 22, 2011, 1:38:10 PM
to shibbole...@internet2.edu
> i have configured shibboleth 2.4.2 as SP to use IdP, with jboss5.
> What to change in Shibboleth2.xml and relaying-party, metadata provider.

The documentation explains what to change. If you explain what you don't understand, then we can help.

> --(https://idp.baya.org:8443/spbaya-metadata.xml the path where from i get
> my metadata, as its not working when i
> write https://sp.baya.org/spbaya-metadata.xml)

Neither makes any sense. Asking the subject of the metadata for its metadata is essentially like going up to a stranger and asking if he's a thief. Metadata has to be trusted. If you can't do it any other way, you need to exchange it out of band.

> When i write same path in relying-party.xml (without changing anything else)
> in metadataprovider section, then my idp stops working.

The IdP needs the SP's metadata. The SP needs the IdP's metadata. It's not the same information.

> Is there anything that i am missing or need to change something in another
> files like attribute-filter, attribute-resolver.xml. If yes then what to
> change?

You have to understand what's in the files and what your requirements are to know whether to change them. There's no way for somebody else to know without talking to you for an extended period of time about your needs.

-- Scott

jay_dee

Apr 25, 2011, 5:10:35 AM
to shibbole...@internet2.edu
Thanks for the quick reply.
When I try to run https://sp.baya.org/secure it gives me the error

shibsp::ConfigurationException at (https://sp.baya.org/secure)
None of the configured SessionInitiators handled the request.

and I haven't changed anything in relying-party.xml.
So where can the problem be?



B.E.N. van der Veen

Apr 25, 2011, 5:41:58 AM
to shibbole...@internet2.edu
Do you have your entityIDs correct?


jay_dee

Apr 25, 2011, 11:18:14 AM
to shibbole...@internet2.edu
Hi,
As this entityID is OK, where do I get the IdP's metadata from, i.e. the one
required for the SP?
"https://idp.baya.org:8443/idp-metadata.xml" is working: when I write this in
the URL it shows the IdP's metadata.

My hostname in shibboleth2.xml is --
<Host name="sp.baya.org" redirectToSSL="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>

and Entity ID for SP--
<ApplicationDefaults entityID="https://sp.baya.org/Shibboleth.sso"
homeURL="https://sp.baya.org/" REMOTE_USER="eppn persistent-id
targeted-id">
and my IdP's Entity ID--
<SessionInitiator type="Chaining" Location="/Login" isDefault="true"
id="Intranet" relayState="cookie"
entityID="https://idp.baya.org:8443/idp/shibboleth">
<SessionInitiator type="SAML2" acsIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="6"/>
</SessionInitiator>

My metadata in shibboleth2.xml --
<MetadataProvider type="XML" uri="https://idp.baya.org:8443/idp/shibboleth"
backingFilePath="spbaya-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>

my metadata in relying-party.xml --
<metadata:MetadataProvider id="URLMD"
xsi:type="metadata:FileBackedHTTPMetadataProvider"
metadataURL="https://sp.baya.org/Shibboleth.sso/Metadata"
backingFile="C:\IDP_HOME/metadata/some-metadata.xml"/>

When I try https://sp.baya.org/secure, I get the following error:
opensaml::saml2md::MetadataException
Unable to locate metadata for identity provider
(https://idp.baya.org:8443/idp/shibboleth)

What is happening there, and how do I set the metadata in both XML files?

Shibd.log--
2011-04-25 19:10:51 INFO OpenSAML.Metadata : applying metadata filter
(RequireValidUntil)
2011-04-25 19:10:51 CRIT OpenSAML.MetadataProvider.XML : maintaining
existing configuration, error reloading resource
(https://idp.baya.org:8443/idp/shibboleth): Metadata did not include a
validUntil attribute.
2011-04-25 20:00:51 INFO OpenSAML.MetadataProvider.XML : reloading remote
resource...
2011-04-25 20:00:53 INFO OpenSAML.MetadataProvider.XML : loaded XML resource
(https://idp.baya.org:8443/idp/shibboleth)
2011-04-25 20:00:53 INFO OpenSAML.Metadata : applying metadata filter
(RequireValidUntil)
2011-04-25 20:00:53 WARN OpenSAML.MetadataProvider.XML : adjusted reload
interval to 3600 seconds
2011-04-25 20:00:53 INFO OpenSAML.MetadataProvider.XML : using local backup
of remote resource
2011-04-25 20:00:53 INFO OpenSAML.MetadataProvider.XML : loaded XML resource
(C:/SP/var/run/shibboleth/spbaya-metadata.xml)
2011-04-25 20:00:53 INFO OpenSAML.Metadata : applying metadata filter
(RequireValidUntil)
2011-04-25 20:00:53 CRIT OpenSAML.MetadataProvider.XML : maintaining
existing configuration, error reloading resource
(https://idp.baya.org:8443/idp/shibboleth): Metadata did not include a
validUntil attribute.


native.log
2011-04-25 17:34:58 ERROR Shibboleth.ISAPI [940] isapi_shib_extension:
Shibboleth handler invoked at an unconfigured location.
2011-04-25 17:35:09 ERROR Shibboleth.Listener [940] isapi_shib_extension:
remoted message returned an error: Unable to locate metadata for identity
provider (https://idp.baya.org:8443/idp/shibboleth)
2011-04-25 17:35:09 ERROR Shibboleth.ISAPI [940] isapi_shib_extension:
Unable to locate metadata for identity provider
(https://idp.baya.org:8443/idp/shibboleth)


Nate Klingenstein

Apr 25, 2011, 11:38:55 AM
to shibbole...@internet2.edu
Jay Dee,

When you see a CRIT in your logs, it's a great idea to check it out. :D  You have two choices: add a validUntil to your IdP's metadata, or remove/comment out the <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> from your shibboleth2.xml file.  If you're just in testing, I'd pick option #2.

This has a significant probability of resolving the other issues you see.

Take care,
Nate.

ssuri

Apr 25, 2011, 11:51:38 AM
to shibbole...@internet2.edu
Error message "SAML 2 SSO profile is not configured for relying party https://sp.ssuri.org/shibboleth" is coming now.


Nate Klingenstein

Apr 25, 2011, 12:20:29 PM
to shibbole...@internet2.edu
S Suri,

You can find the answer to this and many other questions in the Shibboleth Wiki.

In particular, you can find this message here:

Let me know if you can't figure it out from there,
Nate.

jay_dee

Apr 26, 2011, 7:04:38 AM
to shibbole...@internet2.edu
Hi Nate,
I have removed that line, but the result is the same error.
My first question is: when I write https://idp.baya.org:8443/idp/shibboleth
in the URL for the IdP's metadata it shows the proper IdP metadata, and when I
write https://idp.baya.org:8443/sp-metadata.xml in the URL for the SP's
metadata it shows the proper SP metadata.
When I write the same in the shibboleth2.xml metadata section,
https://sp.baya.org/secure gives me the error

opensaml::saml2md::MetadataException
opensaml::saml2md::MetadataException at (https://sp.baya.org/secure)
Unable to locate metadata for identity provider
(https://idp.baya.org:8443/idp-metadata.xml)

My second question is: when I update the metadata section (uncomment those
lines) in relying-party.xml, JBoss gives an error that the IdP is not deployed,
and https://idp.baya.org/idp/shibboleth does not work.

Any help?


Cantor, Scott E.

Apr 26, 2011, 8:56:58 AM
to shibbole...@internet2.edu
Please stop trying to be "fancy" and obtain metadata over the network. Produce it, make sure it's correct, copy it to each machine, and load it from local files.

-- Scott
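As an added example (not code from the thread or from the Shibboleth project), the Python script below does the checks that Scott's and Nate's replies imply before a locally copied metadata file is loaded: that the file is an md:EntityDescriptor, that its entityID matches the one configured on the consuming side, that it carries the role the consumer needs (IDPSSODescriptor for the SP, SPSSODescriptor for the IdP), and that its validUntil satisfies a RequireValidUntil filter's maxValidityInterval. The sample IdP metadata and the clock value are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample for this example: a minimal IdP EntityDescriptor of the
# kind the SP's MetadataProvider loads, including the validUntil attribute
# that the metadata in the thread was missing.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.baya.org:8443/idp/shibboleth"
    validUntil="2011-05-20T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.baya.org:8443/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _parse_utc(stamp):
    """Parse a SAML xs:dateTime such as 2011-05-20T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def check_metadata(xml_text, expected_entity_id, expected_role, now,
                   max_validity_interval=None):
    """Return problems that make the file unusable ([] means it is fine).
    expected_role: IDPSSODescriptor when the SP loads it, SPSSODescriptor when the
    IdP does. max_validity_interval (s) mirrors the RequireValidUntil filter."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(f"entityID {entity_id!r} does not match configured {expected_entity_id!r}")
    if root.find(f"{{{MD_NS}}}{expected_role}") is None:
        problems.append(f"no {expected_role}: this looks like the other side's metadata")
    valid_until = root.get("validUntil")
    if max_validity_interval is not None:
        if valid_until is None:
            problems.append("Metadata did not include a validUntil attribute")
        else:
            remaining = (_parse_utc(valid_until) - _parse_utc(now)).total_seconds()
            if remaining <= 0:
                problems.append(f"validUntil {valid_until} has already passed")
            elif remaining > max_validity_interval:
                problems.append(f"validUntil {valid_until} is more than {max_validity_interval}s ahead")
    return problems
```

With the thread's filter setting (maxValidityInterval="2419200", i.e. 28 days) the sample passes, and the same file with its validUntil removed reproduces the CRIT message from shibd.log.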
