Embedded Discovery Service: Configuration Question

Joshua Brodie

Oct 15, 2011, 4:25:09 PM
to users
Hi:

I am attempting to migrate one of our SPs from using our federation's
WAYF service to EDS.

The SP protects the folder '/secure'.

When attempting to access the protected folder, the following message
is received: 'FATAL - DISCO UI:Failed to download metadata from
/Shibboleth.sso/DiscoFeed'.

Looking at the HTTP headers, it looks like the browser was redirected
to 'https://sp.example.com/Shibboleth.sso/DiscoFeed'; whereas, based
on my understanding, the browser should redirect to
'https://sp.example.com/secure/Shibboleth.sso/DiscoFeed' (i.e. with
path to the protected folder).

If my understanding is correct, I must have made a configuration error
- listed below is a snippet from my SP's 'shibboleth2.xml' file - can
anyone point me in the correct direction? Thanks.


<ApplicationDefaults entityID="https://sp.example.com"
                     homeURL="https://sp.example.com/secure"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions handlerURL="/secure/Shibboleth.sso"
              cookieProps="; path=/secure; secure" lifetime="28800" timeout="3600"
              checkAddress="false" relayState="ss:mem" handlerSSL="true">

        <SSO discoveryProtocol="SAMLDS"
             discoveryURL="https://sp.example.com//shibboleth-ds/index.html">
            SAML2 SAML1
        </SSO>

        <!-- SAML and local-only logout. -->
        <Logout>SAML2 Local</Logout>

        <!-- Extension service that generates "approximate"
             metadata based on SP configuration. -->
        <Handler type="MetadataGenerator" Location="/Metadata"
                 signing="false"/>

        <!-- Status reporting service. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

        <!-- Session diagnostic service. -->
        <Handler type="Session" Location="/Session"
                 showAttributeValues="false"/>

        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

    </Sessions>

Bryan Wooten

Oct 15, 2011, 5:30:48 PM
to Shib Users
Fatal disco ui ?

Chad La Joie

Oct 15, 2011, 5:40:12 PM
to Shib Users
Your Shibboleth config is a bit odd, but that's not what is causing the
error.

With the EDS, the SP redirects to a given web page with the EDS embedded
into it. The EDS then makes an XMLHttpRequest back to the SP's
discovery feed in order to pull in the data it needs to render the UI.

So, what should happen, given your current config, is the SP should
redirect to 'https://sp.example.org//shibboleth-ds/index.html' (note you
have a double '/' in your path; you should fix that). Then it will call
back to the URL you have configured in the EDS config. Because you
changed your shibboleth configuration to put the handler in a
non-standard location you'll also need to update the EDS config to pull
in its data feed from the non-standard location:
https://sp.example.com/secure/Shibboleth.sso/DiscoFeed

Joshua Brodie

Oct 16, 2011, 1:40:45 AM
to Shib Users
Thanks Chad - you saved my Saturday.

Cantor, Scott

Oct 16, 2011, 1:40:07 PM
to us...@shibboleth.net
On 10/15/11 4:25 PM, "Joshua Brodie" <josb...@gmail.com> wrote:
>
>The SP protects the folder '/secure'.

For the benefit of the archive, it is generally not advisable, and
certainly isn't necessary, to change the handlerURL like this. The
resource paths have nothing to do with the handler locations unless you're
overriding applicationId by subdividing a vhost.

-- Scott
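
Added example, not part of the original thread: a Python check for the mismatch Chad describes, comparing the feed path the EDS is set to fetch against the DiscoveryFeed URL the SP actually serves (handlerURL plus the handler's Location), and flagging the double '/' in discoveryURL. The function names, the trimmed sample config and passing the EDS feed path as a plain string are assumptions made for this example; the feed path used is the one shown in the error message in the question.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample: the config from the question, trimmed to the attributes
# and handlers that affect discovery (XML namespace omitted for brevity).
SAMPLE_SP_CONFIG = """
<ApplicationDefaults entityID="https://sp.example.com"
                     homeURL="https://sp.example.com/secure">
  <Sessions handlerURL="/secure/Shibboleth.sso" handlerSSL="true">
    <SSO discoveryProtocol="SAMLDS"
         discoveryURL="https://sp.example.com//shibboleth-ds/index.html">SAML2 SAML1</SSO>
    <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
  </Sessions>
</ApplicationDefaults>
"""


def local(tag):
    """Strip an XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]


def check_discovery(sp_xml, eds_feed, sp_base):
    """Return (effective_feed_url, findings) for an SP config and an EDS feed path."""
    root = ET.fromstring(sp_xml)
    sessions = next(e for e in root.iter() if local(e.tag) == "Sessions")
    feed = next(e for e in sessions if local(e.tag) == "Handler"
                and e.get("type") == "DiscoveryFeed")
    sso = next(e for e in sessions if local(e.tag) == "SSO")
    # Handler Location values are resolved relative to handlerURL
    # (the SP's default handlerURL is /Shibboleth.sso).
    handler = urljoin(sp_base, sessions.get("handlerURL", "/Shibboleth.sso"))
    effective = handler.rstrip("/") + feed.get("Location")
    findings = []
    if urljoin(sp_base, eds_feed) != effective:
        findings.append(f"EDS feed {eds_feed!r} does not match SP feed {effective!r}")
    if "//" in urlsplit(sso.get("discoveryURL", "")).path:
        findings.append("discoveryURL path contains a double '/'")
    return effective, findings


if __name__ == "__main__":
    url, problems = check_discovery(
        SAMPLE_SP_CONFIG, "/Shibboleth.sso/DiscoFeed", "https://sp.example.com")
    print(url)
    for p in problems:
        print("-", p)
```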
