Metadata not found

[john...@gmail.com]

Hi,

I am VERY new to web servers and SAML. I am trying to validate SAML and using "auth_mod_mellon" as SP and "simpleSAMLPHP" as IDP.

I configured both SP and IDP to the best of my understanding.When accessing a configured page on the SP, authentication redirection is happening to
IDP. But IDP is returning an error "meta data not found." Any help is highly appreciated.

Regards,
John


sp.example.org is SP's domain
10.78.85.57 is IDP;s IP


Error I am getting:

Metadata not found

Unable to locate metadata for 'https://sp.example.org'

This is most likely a configuration problem on either the service provider or identity provider.

• If you are an user who received this error after following a link on a site, you should report this error to the owner of that site.
• If you are a developer who is deploying a single sign-on solution, you have a problem with the metadata configuration. Verify that metadata is configured correctly on both the identity provider and service provider.

If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator: 20646d4767

Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'https://sp.example.org\'')

Backtrace:
3 /var/simplesamlphp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:293 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
2 /var/simplesamlphp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:310 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
1 /var/simplesamlphp/modules/saml/lib/IdP/SAML2.php:296 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /var/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)

Following is the SP-remote file on IDP

<?php
/**
 * SAML 2.0 remote SP metadata for simpleSAMLphp.
 *
 * See: http://simplesamlphp.org/docs/trunk/simplesamlphp-reference-sp-remote
 */

/*
 * Example simpleSAMLphp SAML 2.0 SP
 */
$metadata['https://saml2sp.example.org'] = array(
        'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);

/*
 * This example shows an example config that works with Google Apps for education.
 * What is important is that you have an attribute in your IdP that maps to the local part of the email address
 * at Google Apps. In example, if your google account is foo.com, and you have a user that has an email jo...@foo.com, then you
 * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
 */
$metadata['sp.example.org'] = array(
        'AssertionConsumerService' => 'https://sp.example.org/mellon/postResponse',
        'SingleLogoutService' => 'https://sp.example.org/mellon/logout',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'simplesaml.nameidattribute' => 'uid',
        'simplesaml.attributes' => FALSE,
);


Following is the SP-meta data XML file:

<EntityDescriptor entityID="https://sp.example.org" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICrjCCAZYCCQDLhgVQxGEZKjANBgkqhkiG9w0BAQUFADAZMRcwFQYDVQQDEw5z
cC5leGFtcGxlLm9yZzAeFw0xMzA4MTYxODAyMDdaFw0yMzA4MTYxODAyMDdaMBkx
FzAVBgNVBAMTDnNwLmV4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEApT1uZqzwzwZc8QydG0MDJP0kYkEmVyfBIBbiq96KeZMJoNepxxZS
Xlcmp3Bb8mblD1izm9b5S5CJKa1Z6z7AL/iLx4zDoA+72IZLF98hA3/5IbcxrIEl
qg96ZN/gumbykDSaEMuI2UWDYr1yBfdlKjqPg0/uEhMkOhPTrxqxRHqKqg67I+3P
IcI/pbdnq3ZakR5iEKYiKcVcKJ8HGLr//NZ4BRtIDloQuQqMJTPs1qG5o5/w4rNE
X+YcUy/y+Vpqj586BZzCtP+nDMtlNcpV9XYQKKqb6dvEhvycLAkfylOnyX+U26mW
IhUlknsZJ7TDwe8RllXvUMSs+HBwjpDL/wIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
AQB0fvdA01/PHh5lv2d8k6ufNS+f7ZXfIgh9Ybw55kCsTAvpgFhAXibV7WWnAPay
YVc3TUaT5U2vQGulorkmWn4nsnoseCdJ2cPzOzw8TJ920fkHZD25YJab7kF/Hxcl
s9kGYTof+dv4ffa/n3f5gUiaEpwvKtkaZjZrqD/lAPyy9FjPx+QZQoYUNW/eVrdX
gMJG0LMgFQIP2vok1b6OUQy6pdyzxY92DwgO+flEeC75u1c0e1MpALWLGpWvXTEV
cDB4XXPxYv2+mQHYCOfLMHVmy50CeG4GuMBnaWoGeV6BMNohanANp0kl9ZxP0uUb
jyMU0zhI7DdD9grL2F7V6YQv</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.org/mellon/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/mellon/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>


The IDP Meta data file configured @ SP:


<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://10.78.85.57/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.78.85.57/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.78.85.57/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:SurName>john</md:SurName>
    <md:EmailAddress>jo...@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

[Thijs Kinkhorst]

Op vrijdag 16 augustus 2013 21:02:31 schreef john...@gmail.com:

> Hi,
>
> I am VERY new to web servers and SAML. I am trying to validate SAML and
> using "auth_mod_mellon" as SP and "simpleSAMLPHP" as IDP.
>
> I configured both SP and IDP to the best of my understanding.When accessing
> a configured page on the SP, authentication redirection is happening to
> IDP. But IDP is returning an error "meta data not found." Any help is
> highly appreciated.

Since you posted on the mod_mellon mailinglist later, where the IdP is
working, I'm assuming you managed to solve this problem, but for the record:

> Metadata not found Unable to locate metadata for 'https://sp.example.org'

> $metadata['sp.example.org'] = array(

These are compared stringwise. So if your SP presents its entityId to be
"https://sp.example.org" then you must specify it in your IdP configuration as
"$metadata['https://sp.example.org']".


Cheers,
Thijs

--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl

[Myla John-B22173]

Thank you, I figured it out.

Regards,
John

[mysta...@gmail.com]

Hi John,

Did you find any solution for above error you got?

I am facing same issue and could not sorted out yet.

Please let me know if you have solution.

Thanks.