[Shib-Users] Shibboleth Unknown or Unusable Identity Provider Error


Sohail Bashadi

May 21, 2009, 1:37:00 PM
to shibbole...@internet2.edu

Hi

I am getting the following error when I try to authenticate via an IdP that is registered with InCommon:

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

To report this problem, please contact the site administrator at administrator@local.

Please include the following error message in any email:

Identity provider lookup failed at (https://test41.peopleadmin.com/Shibboleth.sso/SAML/POST)

opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST response not established.

I googled the error message, but did not find anything conclusive. Also, I am running a Shibboleth 2.0 Daemon and have another IdP from InCommon that I am able to connect with fine.

Any pointers are greatly appreciated.

Thanks,

Sohail

Scott Cantor

May 21, 2009, 1:44:04 PM
to shibbole...@internet2.edu
Sohail Bashadi wrote on 2009-05-21:
> I googled the error message, but did not find anything conclusive. Also, I
> am running a Shibboleth 2.0 Daemon and have another IdP from InCommon that I
> am able to connect with fine.

The error in the page is mentioned on the common errors page.

https://spaces.internet2.edu/display/SHIB2/NativeSPTroubleshootingCommonErrors

The explanation it lists as the "usual" cause is the applicable one.

-- Scott


Sohail Bashadi

May 22, 2009, 2:03:21 PM
to shibbole...@internet2.edu
Thanks for the response! I found the solution there, but this has
resulted in another question. I have a Shibboleth2 SP setup
authenticating against a Shibboleth1.3 IdP; I know Shibboleth2 is
backward compatible, but I did not find any documentation for this?
Currently my Shibboleth2.xml looks like the following:

<!-- Session Initiator -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="false">
    <SessionInitiator type="Chaining" Location="/Login"
                      id="wayf.incommonfederation.org" relayState="cookie"
                      entityID="urn:mace:incommon:jmu.edu">
        <!-- <SessionInitiator type="SAML2"
                 defaultACSIndex="1" template="bindingTemplate.html"/> -->
        <SessionInitiator type="Shib1" defaultACSIndex="4"/>
    </SessionInitiator>

    <md:AssertionConsumerService Location="/SAML2/POST" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
    <md:AssertionConsumerService Location="/SAML/POST" index="4"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false" />
    <Handler type="Status" Location="/Status" acl="127.0.0.1" />
    <Handler type="Session" Location="/Session" />
</Sessions>

<!-- Metadata -->
<MetadataProvider type="Chaining" >
    <MetadataProvider type="XML"
        uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
        backingFilePath="InCommon-metadata.xml" reloadInterval="180000" />
    <MetadataProvider type="XML"
        uri="http://www.testshib.org/metadata/testshib-two-metadata.xml"
        backingFilePath="testshib-two-metadata.xml" reloadInterval="180000" />
</MetadataProvider>

Any pointers are greatly appreciated.

Thanks,
Sohail

Scott Cantor

May 22, 2009, 2:14:56 PM
to shibbole...@internet2.edu
Sohail Bashadi wrote on 2009-05-22:
> Thanks for the response! I found the solution there, but this has
> resulted in another question. I have a Shibboleth2 SP setup
> authenticating against a Shibboleth1.3 IdP; I know Shibboleth2 is
> backward compatible, but I did not find any documentation for this?

Documentation for doing what specifically? It just works, unless you make
changes to things that break its behavior.



> Currently my Shibboleth2.xml looks like the following:

You're making unnecessary changes, though it isn't going to hurt anything to
comment out the SAML 2 request plugin. The out of the box settings are fine
for handling SAML 1 and 2 at the same time.

-- Scott


Sohail Bashadi

May 22, 2009, 3:51:36 PM
to shibbole...@internet2.edu
The issue I have is that when I connect to the 1.3 IdP with my current
setup I get a response that I posted yesterday:

opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST
response not established.

The solution on the FAQ page is:

The usual cause for this is an incoming SAML assertion/response from an
issuer for which the SP has no metadata loaded. This means either the
metadata is wrong, or the IdP in question is using the wrong entityID in
its configuration, so the URI passed to the SP doesn't match what it
expects.

More specific information is usually available from the shibd.log file.

And my shibd.log has the following error:

2009-05-22 10:59:24 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable
to locate SAML 2.0 identity provider role for provider
(urn:mace:incommon:jmu.edu)

Is it possible that there is some misconfiguration at the IdP end?

Thanks,
Sohail

Scott Cantor

May 22, 2009, 3:58:27 PM
to shibbole...@internet2.edu
Sohail Bashadi wrote on 2009-05-22:
> The issue I have is that when I connect to the 1.3 IdP with my current
> setup I get a response that I posted yesterday:

That has nothing to do with compatibility, it just means what the
explanation says, the metadata's probably wrong.

> And my Shibd.log has the following error:
>
> 2009-05-22 10:59:24 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable

^^^
A warning is not an error.

> Is it possible that there is some misconfiguration at the IdP end?

I have no idea, but your log has to be telling you more than that. If it
can't issue a legacy request, then you don't have metadata identifying that
the IdP can support that.

-- Scott


Sohail Bashadi

May 22, 2009, 4:37:36 PM
to shibbole...@internet2.edu
> I have no idea, but your log has to be telling you more than that.

There isn't that much more interesting information in the logs except
for the normal initialization stuff, here is another warning and an Info
line:

2009-05-22 10:59:24 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable
to locate SAML 2.0 identity provider role for provider
(urn:mace:incommon:jmu.edu)

2009-05-22 11:05:05 WARN OpenSAML.MessageDecoder.SAML1 [1]: no metadata
found, can't establish identity of issuer
(https://idp.example.org/shibboleth)
2009-05-22 11:39:43 INFO XMLTooling.StorageService : purged 1 expired
record(s) from storage

I understood most of what you meant except this:

> If it can't issue a legacy request, then
> you don't have metadata identifying that
> the IdP can support that.

Not sure how I would go about setting up my Shibboleth2.xml to issue a
legacy request?

Thanks,
Sohail

Scott Cantor

May 22, 2009, 4:46:45 PM
to shibbole...@internet2.edu
Sohail Bashadi wrote on 2009-05-22:
> There isn't that much more interesting information in the logs except
> for the normal initialization stuff, here is another warning and an Info
> line:
>
> 2009-05-22 10:59:24 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable
> to locate SAML 2.0 identity provider role for provider
> (urn:mace:incommon:jmu.edu)
> 2009-05-22 11:05:05 WARN OpenSAML.MessageDecoder.SAML1 [1]: no metadata
> found, can't establish identity of issuer (https://idp.example.org/shibboleth)

Those are two different ends of the process. You have to be issuing a
request in between because the second one is an indicator that you don't
have metadata for the IdP in question (which is identifying itself as a
dummy IdP, apparently).

For it to send a request in the first place, you either have metadata, which
makes no sense here, or you're pointing at a WAYF or something like that.



> Not sure how I would go about setting up my Shibboleth2.xml to issue a
> legacy request?

It already did, because it's failing processing a response.

-- Scott


Scott Cantor

May 22, 2009, 4:50:36 PM
to shibbole...@internet2.edu
In combination with the config snippet you posted, I think what's probably
happening is you're routing the request directly to an IdP that's in the
InCommon metadata, and it's sending you a bogus response with an invalid
entityID in it. So it's an IdP issue, as you suggested.

-- Scott
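A defender-side check of what the two shibd.log warnings in this thread are reporting, added here as an example and not code from the thread or from the Shibboleth project. It mirrors the SP's metadata lookup: given the issuer value carried in a SAML 1.x response, it reports whether an entity with that exact entityID exists in the loaded metadata, whether that entity carries an IdP role, and whether the role advertises the SAML 1.1 protocol (which is what the SP needs before it will trust a legacy POST response). The metadata is constructed for illustration only, not taken from the InCommon feed; it reuses the two entityIDs that appear in the thread's log lines and adds a made-up SAML 2.0-only IdP and a made-up SP.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML11 = "urn:oasis:names:tc:SAML:1.1:protocol"
SAML20 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed metadata for illustration only, not the InCommon feed: one IdP
# advertising SAML 1.1 and 2.0, one advertising SAML 2.0 only, and one SP.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="urn:mace:incommon:jmu.edu">
    <IDPSSODescriptor protocolSupportEnumeration="{SAML11} {SAML20}">
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                           Location="https://legacy-idp.example/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://saml2only.example/idp">
    <IDPSSODescriptor protocolSupportEnumeration="{SAML20}">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="https://saml2only.example/idp/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="{SAML11} {SAML20}"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def idp_status(metadata_xml: str, issuer: str) -> str:
    """Classify an issuer the way the SP's metadata lookup would see it."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        # entityID comparison is an exact string match: a changed scheme,
        # host or trailing slash is a different (and therefore unknown) entity.
        if ed.get("entityID") != issuer:
            continue
        idp = ed.find(f"{{{MD_NS}}}IDPSSODescriptor")
        if idp is None:
            return "entity known but has no IdP role"
        if SAML11 not in idp.get("protocolSupportEnumeration", "").split():
            return "IdP role does not advertise SAML 1.1"
        return "ok: SAML 1.x issuer is in metadata with a legacy-capable IdP role"
    return "no metadata found for issuer"

if __name__ == "__main__":
    # The issuer from the thread's SAML1 decoder warning is absent from the
    # metadata, which is exactly the "no metadata found" condition it reports.
    for issuer in ("urn:mace:incommon:jmu.edu", "https://idp.example.org/shibboleth",
                   "https://saml2only.example/idp", "https://sp.example/shibboleth"):
        print(f"{issuer}: {idp_status(SAMPLE_METADATA, issuer)}")
```

Run it against a copy of the SP's real backing file (for example InCommon-metadata.xml from the config above) with the issuer string from the shibd.log line to see which of the three conditions the SP is actually hitting.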


Sohail Bashadi

May 22, 2009, 5:45:47 PM
to shibbole...@internet2.edu
Thank you! I had a strong feeling that my setup was accurate because I
have another Shibboleth 1.3 IdP that I am connecting to in this file; I
was just not absolutely sure, hence all the posts.

-Sohail
