Discussion:
Message was signed, but signature could not be verified.
Farzan Qureshi
2014-08-12 23:31:59 UTC
Hi,

I have configured Shibboleth IdP. Metadata and relying-party.xml carry the
same certificate. However, I still get this error when I try to authenticate
using testshib.org. I have also referred to the most common errors of Shibboleth
on the website.

opensaml::FatalProfileException at (
https://sp.testshib.org/Shibboleth.sso/SAML2/POST)

Message was signed, but signature could not be verified.



Following are the logs from shib.org:


2014-08-12 19:15:15 DEBUG XMLTooling.TrustEngine.PKIX [887]:
validating signature using certificate from within the signature
2014-08-12 19:15:15 DEBUG XMLTooling.TrustEngine.PKIX [887]: signature
verified with key inside signature, attempting certificate
validation...
2014-08-12 19:15:15 DEBUG XMLTooling.TrustEngine.PKIX [887]: checking
that the certificate name is acceptable
2014-08-12 19:15:15 DEBUG XMLTooling.TrustEngine.PKIX [887]: adding to
list of trusted names (https://idp.rosmini.school.nz/idp/shibboleth)
2014-08-12 19:15:15 DEBUG XMLTooling.TrustEngine.PKIX [887]:
certificate subject:
emailAddress=admin-***@public.gmane.org,CN=idp.rosmini.school.nz,C=NZ,description=DiT98uKD8Jk33Wf1
2014-08-12 19:15:15 DEBUG XMLTooling.TrustEngine.PKIX [887]: unable to
match DN, trying TLS subjectAltName match
2014-08-12 19:15:15 DEBUG XMLTooling.TrustEngine.PKIX [887]: unable to
match subjectAltName, trying TLS CN match
2014-08-12 19:15:15 ERROR XMLTooling.TrustEngine.PKIX [887]:
certificate name was not acceptable
2014-08-12 19:15:15 ERROR OpenSAML.SecurityPolicyRule.XMLSigning
[887]: unable to verify message signature with supplied trust engine
2014-08-12 19:15:15 WARN Shibboleth.SSO.SAML2 [887]: detected a
problem with assertion: Message was signed, but signature could not be
verified.
2014-08-12 19:16:55 DEBUG Shibboleth.Listener [896]: dispatching
message (default/TestShib::run::SAML2SI)
2014-08-12 19:16:55 WARN Shibboleth.SessionInitiator.SAML2 [896]:
unable to locate metadata for provider
(http://idp.example.org:8080/idp/shibboleth)
2014-08-12 19:23:24 DEBUG Shibboleth.Listener [885]: dispatching
message (default/TestShib::run::SAML2SI)
2014-08-12 19:23:24 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [885]:
validating input
2014-08-12 19:23:24 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [885]:
marshalling, deflating, base64-encoding the message
2014-08-12 19:23:24 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [885]:
marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
Destination="https://idp.rosmini.school.nz/idp/profile/SAML2/Redirect/SSO"
ID="_f1069f296eac8ef017493d2853c81290"
IssueInstant="2014-08-12T23:23:24Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.testshib.org/shibboleth-sp</saml:Issuer><samlp:NameIDPolicy
AllowCreate="1"/></samlp:AuthnRequest>
2014-08-12 19:23:24 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [885]:
message encoded, sending redirect to client
2014-08-12 19:23:25 DEBUG Shibboleth.Listener [887]: dispatching
message (default/SAML2/POST)
2014-08-12 19:23:25 DEBUG OpenSAML.MessageDecoder.SAML2POST [887]:
validating input
2014-08-12 19:23:25 DEBUG OpenSAML.MessageDecoder.SAML2POST [887]:
decoded SAML message:
<?xml version="1.0" encoding="UTF-8"?><saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
ID="_4ba1b90bdbb2c8a16e384d43147fbdc4"
InResponseTo="_f1069f296eac8ef017493d2853c81290"
IssueInstant="2014-08-12T23:23:25.065Z" Version="2.0"><saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.rosmini.school.nz/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="_a89fb4eda8dfd2294b9823a2ce71f25b"
Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey
Id="_49c3ae7fef363bb63828375c9a1ef9e2"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEPjCCAyagAwIBAgIBADANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJVUzEVMBMGA1UECBMM...</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>rKO0FOpQjNwEMECoJLlNcDlPqC3BRaocJyci1sXX/ngnYCYPqz5QhGNrc7k+FYYOXFEyE18R+dbgKXpkReWdsQnYN5HN5OWA2TXutcgWMNdi3KImrdjFOuT7eR/ZdBo1vSTjLp+YrezC+G7ojxBcw7CaFRilxU/Y0caYK1fJSPhd+C4tYY+HbchCS7DOuFdGug+IS61NiMWRW11yHe97jva2dpM0CF5Ai5VOZ8XaLV69AaMToL55VcW/hPsx82f+IlFxIxOu81dZrPgmsEXy5i/ybwL0TZcq1tvnGAiP7qFLdBHtMfMWxsOZP6G/Xtb78Nt8MpHt4RX3s4HyUm1AQw==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>
2014-08-12 19:23:25 DEBUG OpenSAML.MessageDecoder.SAML2 [887]:
extracting issuer from SAML 2.0 protocol message
2014-08-12 19:23:25 DEBUG OpenSAML.MessageDecoder.SAML2 [887]: message
from (https://idp.rosmini.school.nz/idp/shibboleth)
2014-08-12 19:23:25 DEBUG OpenSAML.MessageDecoder.SAML2 [887]:
searching metadata for message issuer...
2014-08-12 19:23:25 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow
[887]: evaluating message flow policy (replay checking on, expiration
60)
2014-08-12 19:23:25 DEBUG XMLTooling.StorageService [887]: inserted
record (_4ba1b90bdbb2c8a16e384d43147fbdc4) in context (MessageFlow)
with expiration (1407886045)
2014-08-12 19:23:25 DEBUG Shibboleth.SSO.SAML2 [887]: processing
message against SAML 2.0 SSO profile
2014-08-12 19:23:25 DEBUG XMLTooling.KeyInfoResolver.Inline [887]:
resolved 0 certificate(s)
2014-08-12 19:23:25 DEBUG XMLTooling.CredentialCriteria [887]: key
algorithm didn't match ('AES' != 'RSA')
2014-08-12 19:23:25 DEBUG XMLTooling.CredentialCriteria [887]: key
algorithm didn't match ('AES' != 'RSA')
2014-08-12 19:23:25 DEBUG XMLTooling.CredentialCriteria [887]: key
algorithm didn't match ('AES' != 'RSA')
2014-08-12 19:23:25 DEBUG XMLTooling.KeyInfoResolver.Inline [887]:
resolving ds:X509Certificate
2014-08-12 19:23:25 DEBUG XMLTooling.KeyInfoResolver.Inline [887]:
resolved 1 certificate(s)
2014-08-12 19:23:25 DEBUG XMLTooling.CredentialCriteria [887]:
credential name(s) didn't overlap
2014-08-12 19:23:25 DEBUG XMLTooling.CredentialCriteria [887]: keys didn't match
2014-08-12 19:23:25 DEBUG Shibboleth.SSO.SAML2 [887]: decrypted
Assertion: <saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_7506ca814f12c59ef7c647e5a5e05371"
IssueInstant="2014-08-12T23:23:25.065Z" Version="2.0"><saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.rosmini.school.nz/idp/shibboleth</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_7506ca814f12c59ef7c647e5a5e05371"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>TMmuq3mRBndWoKRILUgTsf/jPHo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xE75wLvpfygm3sZapcBfrlPFzclRHR6wnf6Ai5gVn0cmLF61PIV/4Yxfoi4cJ2lKW9NQ47XSKKqaWzOfxLug91oAeufJ9DxNsNL1WKikBLUA2QPTKZ452sBkjn7fnM07wZjwenyTAVSoORXiPtTmkfW0xIuJ1JCERLD23Mbm3ttz1p8car7fMbEHMVBKserg3LOpX3jxgP1v9kPuftTu4kQg5PHuPwtSOiVymxmF5pmOtLuhjP96o53cxkMRTKBJkXgxdhU4WeVo+XBWIkisgf1LDqKpM3JZRQ7MNccg9KRnF8x8hjiVpDBTex58PszFgZgvUF+RQxswCw3FbFPePg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIGaTCCBVGgAwIBAgIDEf6MMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UE...==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.rosmini.school.nz/idp/shibboleth"
SPNameQualifier="https://sp.testshib.org/shibboleth-sp">_6df1981d745e7d41b34826e36dc0bb5e</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
Address="192.168.100.254"
InResponseTo="_f1069f296eac8ef017493d2853c81290"
NotOnOrAfter="2014-08-12T23:28:25.065Z"
Recipient="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2014-08-12T23:23:25.065Z"
NotOnOrAfter="2014-08-12T23:28:25.065Z"><saml2:AudienceRestriction><saml2:Audience>https://sp.testshib.org/shibboleth-sp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement
AuthnInstant="2014-08-12T23:15:13.640Z"
SessionIndex="_f94654d8f00a3a646b2420001348ea57"><saml2:SubjectLocality
Address="192.168.100.254"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>
2014-08-12 19:23:25 DEBUG Shibboleth.SSO.SAML2 [887]: extracting
issuer from SAML 2.0 assertion
2014-08-12 19:23:25 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow
[887]: evaluating message flow policy (replay checking on, expiration
60)
2014-08-12 19:23:25 DEBUG XMLTooling.StorageService [887]: inserted
record (_7506ca814f12c59ef7c647e5a5e05371) in context (MessageFlow)
with expiration (1407886045)
2014-08-12 19:23:25 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning
[887]: validating signature profile
2014-08-12 19:23:25 DEBUG XMLTooling.CredentialCriteria [887]: keys didn't match
2014-08-12 19:23:25 DEBUG XMLTooling.TrustEngine.ExplicitKey [887]:
unable to validate signature, no credentials available from peer
2014-08-12 19:23:25 DEBUG XMLTooling.TrustEngine.PKIX [887]:
validating signature using certificate from within the signature
2014-08-12 19:23:25 DEBUG XMLTooling.TrustEngine.PKIX [887]: signature
verified with key inside signature, attempting certificate
validation...
2014-08-12 19:23:25 DEBUG XMLTooling.TrustEngine.PKIX [887]: checking
that the certificate name is acceptable
2014-08-12 19:23:25 DEBUG XMLTooling.TrustEngine.PKIX [887]: adding to
list of trusted names (https://idp.rosmini.school.nz/idp/shibboleth)
2014-08-12 19:23:25 DEBUG XMLTooling.TrustEngine.PKIX [887]:
certificate subject:
emailAddress=admin-***@public.gmane.org,CN=idp.rosmini.school.nz,C=NZ,description=DiT98uKD8Jk33Wf1
2014-08-12 19:23:25 DEBUG XMLTooling.TrustEngine.PKIX [887]: unable to
match DN, trying TLS subjectAltName match
2014-08-12 19:23:25 DEBUG XMLTooling.TrustEngine.PKIX [887]: unable to
match subjectAltName, trying TLS CN match
2014-08-12 19:23:25 ERROR XMLTooling.TrustEngine.PKIX [887]:
certificate name was not acceptable
2014-08-12 19:23:25 ERROR OpenSAML.SecurityPolicyRule.XMLSigning
[887]: unable to verify message signature with supplied trust engine
2014-08-12 19:23:25 WARN Shibboleth.SSO.SAML2 [887]: detected a
problem with assertion: Message was signed, but signature could not be
verified.




Any help will be much appreciated.

Kind regards,

Farzan
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin-***@public.gmane.org). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.
Cantor, Scott
2014-08-12 23:51:08 UTC
Post by Farzan Qureshi
I have configured Shibboleth IdP. Metadata and relying-party.xml carries
the same certificate. However I still get this error when I try to
authenticate using testshib.org: I have also
referred to most common errors of Shibboleth on the website.
That is the only cause you're going to find. Chances are that testshib has
multiple copies of your information at this point, and somebody will have
to clean it up.

You can wait for that, or just run your own SP, and you won't have the
problem of not being able to totally control the other half.

-- Scott
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
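The SP log in the first message tells the story in two steps: the ExplicitKey trust engine reports "keys didn't match" and "no credentials available from peer", so the SP falls back to PKIX, which verifies the signature with the certificate embedded in it and then rejects that certificate because its subject (CN=idp.rosmini.school.nz) is not the entityID it was told to trust. That is the footprint of stale or duplicated IdP metadata on the SP side: the certificate inside ds:Signature/ds:KeyInfo is not one of the certificates the SP holds in metadata for that entityID. The script below is an added example, not code from the thread or from Shibboleth; it does the same comparison offline so you can check the metadata the SP actually has loaded before touching the IdP. It compares certificates by SHA-256 of their DER bytes: an identical certificate implies the same key, whereas a re-issued certificate over the same key would differ here yet still pass ExplicitKey, so read a mismatch as the first thing to inspect rather than the final word. The metadata and assertion samples are constructed, and their X509Certificate contents are placeholder bytes, not real certificates; only the entityID and SSO location are taken from the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def cert_fingerprint(b64_text: str) -> str:
    """SHA-256 over the DER bytes; whitespace and line breaks inside the base64
    are ignored, which is how the value is usually wrapped in metadata files."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def metadata_signing_certs(metadata_xml: str, entity_id: str) -> dict:
    """Fingerprints of every certificate the IdP metadata allows for signing.
    A KeyDescriptor without 'use' is valid for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    entity_tag = "{%s}EntityDescriptor" % NS["md"]
    # Accept a single EntityDescriptor or an EntitiesDescriptor aggregate.
    entities = [root] if root.tag == entity_tag else root.findall(".//md:EntityDescriptor", NS)
    certs = {}
    for ent in entities:
        if ent.get("entityID") != entity_id:
            continue
        for kd in ent.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            use = kd.get("use", "signing and encryption")
            if use == "encryption":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs[cert_fingerprint(cert.text)] = use
    return certs


def message_signing_certs(message_xml: str) -> list:
    """Fingerprints of the certificates carried inside ds:Signature of a
    Response or Assertion (the 'key inside signature' in the SP log)."""
    root = ET.fromstring(message_xml)
    found = []
    for sig in root.findall(".//ds:Signature", NS):
        for cert in sig.findall(".//ds:X509Certificate", NS):
            found.append(cert_fingerprint(cert.text))
    return found


def check_signing_cert(metadata_xml: str, message_xml: str, entity_id: str) -> dict:
    """Report whether any certificate in the signature is one the metadata trusts."""
    trusted = metadata_signing_certs(metadata_xml, entity_id)
    presented = message_signing_certs(message_xml)
    return {
        "trusted": sorted(trusted),
        "presented": presented,
        "match": any(fp in trusted for fp in presented),
    }


# --- constructed sample data: placeholder certificate bytes, not real X.509 ---
def _placeholder_cert(label: bytes) -> str:
    return base64.b64encode(label).decode()

IDP_ENTITY_ID = "https://idp.rosmini.school.nz/idp/shibboleth"  # entityID from the thread
OLD_CERT = _placeholder_cert(b"certificate from the first metadata upload")  # constructed
NEW_CERT = _placeholder_cert(b"certificate the IdP signs with now")  # constructed

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.rosmini.school.nz/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}"
    ID="_7506ca814f12c59ef7c647e5a5e05371" Version="2.0">
  <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml2:Assertion>"""

if __name__ == "__main__":
    result = check_signing_cert(SAMPLE_METADATA, SAMPLE_ASSERTION, IDP_ENTITY_ID)
    print("trusted  :", result["trusted"])
    print("presented:", result["presented"])
    print("keys match" if result["match"] else "keys didn't match: metadata holds a different certificate")
```

Feed it the IdP metadata file the SP loads (the one named in its MetadataProvider) and the decoded Assertion from the SP log; the fingerprints it prints can be compared directly with `openssl x509 -noout -fingerprint -sha256` run on the IdP's own signing certificate.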
Farzan Qureshi
2014-08-12 23:54:10 UTC
Thanks for your prompt reply Scott.

But when I upload metadata to testshib, won't it get overwritten?

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College
Cantor, Scott
2014-08-13 00:00:15 UTC
Post by Farzan Qureshi
Thanks for your prompt reply Scott.
But when I upload metadata to testshib, won't it get overwritten?
Not always.

-- Scott
Farzan Qureshi
2014-08-13 00:02:50 UTC
That's a pity!!

But I am still waiting for others to respond, just in case I can collect
more ideas.
--
*Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
College | (09) 487 0 530
Cantor, Scott
2014-08-13 00:18:09 UTC
Post by Farzan Qureshi
But I am still waiting for others to respond. Just in case I can collect
more ideas..
The only people who can help you are Kevin or Nate.

Installing a simple SP takes a few minutes on Linux, so you're wasting
your time, essentially.

Install RPM, set SP and IdP entityIDs, load metadata, access /secure,
login and get a 404, check session results at /Shibboleth.sso/Session,
done.

The IdP is orders of magnitude harder to deal with than the SP for
testing. It's just not worth avoiding.

-- Scott
Farzan Qureshi
2014-08-13 00:19:53 UTC
I have just installed the SP and am now busy configuring it. Yes, you are right. I
can't wait for long as I have to answer my manager :(
Nate Klingenstein
2014-08-13 01:24:59 UTC
Farzan,

Nate is here and ready. I'll delete your entries. It'll be done in about 5 minutes unless something really weird happened.

In the future you can do this yourself by using the same filename.

Thanks,
Nate.

Farzan Qureshi
2014-08-13 01:26:27 UTC
Hi Nate,

Thanks for your help. I will try in 10 minutes.

Kind regards,

Farzan
Farzan Qureshi
2014-08-13 03:12:24 UTC
Hi,

After authentication using local IdP and SP, I get the following error:

ERROR

An error occurred while processing your request. Please contact your
helpdesk or user ID office for assistance.

This service requires cookies. Please ensure that they are enabled and try
your going back to your desired resource and trying to login again.

Use of your browser's back button may cause specific errors that can be
resolved by going back to your desired resource and trying to login again.

If you think you were sent here in error, please contact technical support




*Error Message: No peer endpoint available to which to send SAML response*

I can't figure out what this means, that no endpoint is available.

Please help.
Farzan Qureshi
2014-08-13 03:27:03 UTC
Hi,

I am testing https://myserver.mydomain.nz/secure

I get authentication form. I get authenticated providing my credentials.

But then I get error:


ERROR

An error occurred while processing your request. Please contact your
helpdesk or user ID office for assistance.

This service requires cookies. Please ensure that they are enabled and try
your going back to your desired resource and trying to login again.

Use of your browser's back button may cause specific errors that can be
resolved by going back to your desired resource and trying to login again.

If you think you were sent here in error, please contact technical support




*Error Message: No peer endpoint available to which to send SAML response*
Is this normal because I don't get any errors or warnings in logs?

Thanks.

Farzan
Cantor, Scott
2014-08-13 03:32:08 UTC
Post by Farzan Qureshi
I can't figure
out what does this mean that no end point available.
It's in the troubleshooting page. I don't know why so many people get it,
but you simply have incorrect metadata for your SP or you've failed to
properly configure your web server with hostname information.

You simply need to properly assign names, and properly verify the metadata
you supply to include appropriate URLs that your client is accessing.

-- Scott
Farzan Qureshi
2014-08-13 03:36:31 UTC
Hi Scott,


The metadata file is on my localhost system and also the SP. Would you please
help me, if you can share how I can use the local metadata file for both my
IdP and SP?

Thanks.
Cantor, Scott
2014-08-13 15:30:04 UTC
Post by Farzan Qureshi
The metadata file is on my localhost system and also the SP. Would you
please help me if you can share how I can use the local metadata file for
both my IdP and SP?
There are two metadata files, one for each. You can generate example
metadata from the SP at /Shibboleth.sso/Metadata and review it. The IdP's
example metadata is generated at installation time. You need to exchange
them and load them into the opposite system to make it work. Whatever you
gave the IdP is wrong, that's all.

-- Scott
Farzan Qureshi
2014-08-13 22:48:36 UTC
Hi,

I have loaded metadata to the IdP and to the SP. When I try to access /secure, I am
presented with the login form. I provide my credentials and I am authenticated,
but then I get the following error. However, I should get an HTTP 404 error, which
is a success anyway, as I read on testshib.org. But it is not happening.
I have spent days but I don't know what I am missing. Why is it not
straightforward?? Please help.


ERROR

An error occurred while processing your request. Please contact your
helpdesk or user ID office for assistance.

This service requires cookies. Please ensure that they are enabled and try
your going back to your desired resource and trying to login again.

Use of your browser's back button may cause specific errors that can be
resolved by going back to your desired resource and trying to login again.

If you think you were sent here in error, please contact technical support
*Error Message: No peer endpoint available to which to send SAML response*
Paul Hethmon
2014-08-13 22:54:34 UTC
Permalink
On Aug 13, 2014, at 6:48 PM, Farzan Qureshi wrote:

Error Message: No peer endpoint available to which to send SAML response


This means the ACS URL in your AuthnRequest does not match any ACS URL in the metadata given to the IdP. ACS URLs are an EXACT match, case included, etc. Your SP is sending something that is wrong, or you gave the IdP the wrong metadata. Either way, it doesn't match.

Get a copy of Firefox and install the SAML Tracer plugin. Open SAML Tracer and run your test. You will see the exact value in the AuthnRequest the SP is sending. Match it against the metadata provided to the IdP. Then trace back to figure out why they are different.

Paul

Paul Hethmon
Chief Software Architect
paul.hethmon-NC06ibP+gDOju1H+chf1WFaTQe2KTcn/@public.gmane.org
Farzan Qureshi
2014-08-13 23:30:50 UTC
Hi Paul,

I have installed SAML Tracer. I get the following trace from the plugin:


<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://idp.rosmini.school.nz/Shibboleth.sso/SAML2/POST"
    Destination="https://idp.rosmini.school.nz/idp/profile/SAML2/Redirect/SSO"
    ID="_8b677a03966229fa6253887da45d58c2"
    IssueInstant="2014-08-13T23:13:31Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.rosmini.school.nz/idp/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>



I then matched it with the metadata provided to the IdP.

The following value exists, which matches the SP AuthnRequest:

<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol

My "entityID" is

https://idp.rosmini.school.nz/idp/shibboleth

There is no mismatch.
Any further ideas?
Paul Hethmon
2014-08-13 23:40:24 UTC
On Aug 13, 2014, at 7:30 PM, Farzan Qureshi wrote:


AssertionConsumerServiceURL="https://idp.rosmini.school.nz/Shibboleth.sso/SAML2/POST"

This is the value it's complaining about. That value from your request does not match anything in your metadata file. It also looks suspect, as you are telling the IdP process to send the response back to the SP at a hostname that looks like the IdP hostname.

Did you install the IdP and SP on the same machine? If so, I would strongly recommend stopping right now and moving one of them to another machine. Running them both on the same machine is possible, but if you are doing so, then you have to make sure they are logically independent web servers.

Paul

Farzan Qureshi
2014-08-13 23:46:32 UTC
Yes, I am configuring both on the same server.

But when I access https://idp.rosmini.school.nz/Shibboleth.sso/Metadata I
get the metadata file, which means that both services are working
independently, isn't it?

And yes, after authentication it must be sending back to the SP based on the
metadata.

Can you please guide me on what I should do? Any guidelines would be much
appreciated.
Paul Hethmon
2014-08-13 23:54:51 UTC
On Aug 13, 2014, at 7:46 PM, Farzan Qureshi wrote:

Yes I am configuring both on the same server.

Not a good idea for your first setup.

But when I access https://idp.rosmini.school.nz/Shibboleth.sso/Metadata I get the metadata file, which means that both services are working independently, isn't it?

Since the IdP requires a Java container and the SP runs in Apache/IIS, how did you manage it at all?

Regardless, I would toss what you have, it will be simpler. Get two machines to work with, one dedicated to the IdP and the other to the SP. If that really isn't possible, then configure the machine you have with 2 IP addresses. Bind one for the IdP, the other for the SP. Assign them different hostnames. Make them logically separate.

Then go to the wiki and follow the information there on configuring them.

Paul


Farzan Qureshi
2014-08-13 23:58:47 UTC
Hi Paul,

I am using an AJP proxy to proxy Tomcat through Apache.

It is not possible for me to get one more machine. I will try to logically
separate the two services and will see if it is possible. What I want to
achieve is to integrate Office 365 at our organization. I am not sure if an SP
really needs to be configured or only the IdP will work :(
Cantor, Scott
2014-08-13 23:55:38 UTC
Post by Farzan Qureshi
But when I access
https://idp.rosmini.school.nz/Shibboleth.sso/Metadata I get the
metadata file, which means that both services are working independently, isn't
it?
Probably, but you can't assign them the same entityID, not without knowing
much more about metadata than you understand at this point.

I can tell from the Issuer element that you did this. So don't do that.
Post by Farzan Qureshi
Can you please guide me what should I do? Any guidelines would be much
appreciated.
Change the SP's entityID to something different from the IdP's entityID.
Your mistake is that they match, and so the IdP's own metadata is being
loaded into the IdP by default and it's hiding/masking the SP's metadata.

This is not entirely your fault; the IdP has no reason to be loading its
own metadata, but that's a design flaw that isn't going to be corrected
until the next version.

-- Scott
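The two checks Paul and Scott describe, the exact ACS endpoint match and the SP/IdP entityID collision, replayed as an added Python example; this is not code from the thread or from Shibboleth, and every hostname, entityID and request ID in it is constructed.

```python
"""Replay by hand the checks the replies above describe: an AuthnRequest's
AssertionConsumerServiceURL/ProtocolBinding must match an
AssertionConsumerService in the SP metadata exactly, and the SP entityID
must not collide with the IdP's own. Added example; all names are constructed."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"  # constructed
SP_ENTITY_ID = "https://sp.example.org/shibboleth"        # constructed
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"  # constructed
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: the only endpoint the IdP will consider valid.
SP_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="1" Binding="{HTTP_POST}"
        Location="{SP_ACS_URL}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def authn_request(acs_url=SP_ACS_URL, issuer=SP_ENTITY_ID):
    """Constructed AuthnRequest shaped like the SAML Tracer capture above."""
    return f"""\
<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" Version="2.0"
    AssertionConsumerServiceURL="{acs_url}"
    Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
    ID="_constructed0001" IssueInstant="2014-08-13T23:13:31Z"
    ProtocolBinding="{HTTP_POST}">
  <saml:Issuer xmlns:saml="{NS['saml']}">{issuer}</saml:Issuer>
</samlp:AuthnRequest>
"""


def acs_endpoints(metadata_xml):
    """Set of (Binding, Location) pairs from every AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iterfind(".//md:AssertionConsumerService", NS)}


def check_request(request_xml, metadata_xml, idp_entity_id):
    """Problems an IdP would hit looking up the peer endpoint; [] means it resolves."""
    req = ET.fromstring(request_xml)
    sp_entity_id = ET.fromstring(metadata_xml).get("entityID")
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    problems = []
    # The IdP also loads its own metadata, so an SP reusing the IdP's
    # entityID is masked by it and its endpoints are never consulted.
    if issuer == idp_entity_id:
        problems.append("Issuer equals the IdP entityID; SP metadata is masked")
    elif issuer != sp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the metadata entityID {sp_entity_id!r}")
    # Endpoint lookup is an exact string comparison: scheme, host, case and path.
    wanted = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL"))
    if wanted not in acs_endpoints(metadata_xml):
        problems.append(f"no AssertionConsumerService matches {wanted}")
    return problems


if __name__ == "__main__":
    print("good request:", check_request(authn_request(), SP_METADATA, IDP_ENTITY_ID))
    # metadata generated over http:// while the site is accessed over https://
    print("scheme mismatch:", check_request(
        authn_request(acs_url=SP_ACS_URL.replace("https://", "http://")),
        SP_METADATA, IDP_ENTITY_ID))
    # SP given the same entityID as the IdP, as diagnosed above
    print("entityID collision:", check_request(
        authn_request(issuer=IDP_ENTITY_ID), SP_METADATA, IDP_ENTITY_ID))
```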
Farzan Qureshi
2014-08-14 00:02:01 UTC
Hi Scott,

Thank you for the explanation, and I agree with you. This is it. It must be
overlapping the SP metadata due to the entityID. I will try to separate the
services.

Just a quick question. Do you have any idea or know someone who has
integrated Office 365 with Shibboleth? Is there really a need to configure
an SP?

Kind regards,

Farzan
Paul Hethmon
2014-08-14 00:07:54 UTC
On Aug 13, 2014, at 8:02 PM, Farzan Qureshi wrote:

Just a quick question. Do you have any idea or know someone who has integrated Office 365 with Shibboleth? Is there really a need to configure an SP?

I haven't done it, but from what I've gathered, you will be the IdP and Office365 will be the SP. I would hope the MS documentation would give you that information, but that is likely too much to hope for.

Paul

Farzan Qureshi
2014-08-14 00:15:22 UTC
Hi Paul,

Exactly. Well, I will first read up on Office 365 to see if there is a need for an SP or
not. Otherwise, if it only needs the IdP, then I am already done with the IdP config
:)

Thanks for your help.
Paul Hethmon
2014-08-14 00:20:37 UTC
On Aug 13, 2014, at 8:15 PM, Farzan Qureshi wrote:

Exactly. Well, I will first read up on Office 365 to see if there is a need for an SP or not. Otherwise, if it only needs the IdP, then I am already done with the IdP config :)

Heed Scott's advice, you will need to know how an SP works, especially working with Office365 which sort of, kind of does SAML. MS implementations do not use the same language as SAML to specify stuff, knowing what things are helps with that translation. For example, SAML uses "attributes", ADFS uses "claims". Same thing, but you won't find an ADFS person who knows an attribute from a hole in the ground.

cheers,

Paul

Farzan Qureshi
2014-08-14 00:22:12 UTC
Thanks, Paul. I will do :)

Thanks.
Cantor, Scott
2014-08-14 00:08:31 UTC
Post by Farzan Qureshi
Thank you for the explanation and I agree with you. This is it. It must
be overlapping SP metadata due to the entityID. I will try to separate
the services.
You seem to have managed to get them running isolated on one server, so
you can split the names up and try that before spending time on separate
machines, but you do not run SPs on IdP machines unless they have some
reason to be that way.
Post by Farzan Qureshi
Just a quick question. Do you have any idea or know someone who has
integrated office 365 with Shibboleth. Is there really a need to
configure SP?
It has nothing to do with "need".

Running an IdP in production requires understanding how it works and
having the ability to test and make changes, and that requires running and
understanding SAML SPs. Period. If you skip that step, you'll be one of
the many sites whose IdP constantly fails every time you change something.
You can't manage an SSO system without understanding both halves.

-- Scott
Farzan Qureshi
2014-08-14 00:16:45 UTC
Thanks, Scott. I'd better read up on Office 365, because I have a working IdP.
That might be all it needs to integrate.

I will look at the SP at a later stage then, in case it is a requirement.

Thanks a lot for your help.
Nate Klingenstein
2014-08-13 22:59:23 UTC
Farzan,

Your metadata still doesn't match the way that you're accessing the SP. You might need to use https or something. It's hard for anyone on the outside to guess. You'll be able to see what's considered valid in your SP metadata as loaded by your IdP and you'll be able to see exactly what the requested destination endpoint is in the logs. They'll need to be reconciled.

Thanks,
Nate.
Christopher Bongaarts
2014-08-14 17:34:36 UTC
Post by Cantor, Scott
Post by Farzan Qureshi
I can't figure
out what this means, that no endpoint is available.
It's in the troubleshooting page. I don't know why so many people get it,
but you simply have incorrect metadata for your SP or you've failed to
properly configure your web server with hostname information.
Most common reason I've seen: using http://.../Shibboleth.sso/Metadata
to generate the metadata, then trying to access the actual site on https://.
--
%% Christopher A. Bongaarts %% cab-***@public.gmane.org %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%