Discussion:
No peer endpoint available to which to send SAML response
Dave Vernon
2014-09-30 16:43:40 UTC
Hello all,

I am currently working through my first Shibboleth implementation. I've made it fairly far and had some success (I am able to login with the protected TestShib page).

I'm currently "stuck" on an issue. I've done a lot of reading of the documentation and groups, but I'm still having issues trying to sort this out.

My IdP server is running on IIS 7.5/Windows - explode.lcaat.ca
My SP is running on IIS 7.5/Windows, and I am trying to integrate it with Blackboard LMS

I am creating my Shibboleth authentication connector in blackboard, and when I am trying to test the connection, I get redirected to the logon page and I'm able to enter my credentials, but then I get the following error.

Error Message: No peer endpoint available to which to send SAML response

I don't see any errors in any of the logs on the SP side.
On the IdP side I see the following error in the idp-process log

12:25:45.640 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447] - No return endpoint available for relying party https://explode.lcaat.ca/idp/shibboleth

From what I have read so far, it seems like my problem is with the SP's metadata being unknown to the IdP. I grabbed the metadata from https://lms.lcaat.ca/Shibboleth.sso/Metadata and then saved it to C:\Program Files (x86)\Internet2\Shib2IdP\metadata\bbdev-Metadata.xml

I then updated my relying-party.xml file on the IdP server with the bit below (in bold)



<!-- ========================================== -->
<!-- Metadata Configuration -->
<!-- ========================================== -->
<!-- MetadataProvider combining the other MetadataProviders -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">

    <!-- Load the IdP's own metadata. This is necessary for artifact support. -->
    <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
        <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="C:\Program Files (x86)\Internet2\Shib2Idp/metadata/idp-metadata.xml"/>
    </metadata:MetadataProvider>

    <!-- Download the metadata

    This is the point where the post install program will add new metadata

    -->

    <metadata:MetadataProvider id="TestShib" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="http://www.testshib.org/metadata/testshib-providers.xml"
        backingFile="C:\Program Files (x86)\Internet2\Shib2Idp/metadata/Downloaded-Metadata.xml"
    />

    <metadata:MetadataProvider id="lms.lcaat.ca" xsi:type="metadata:ResourceBackedMetadataProvider">
        <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="C:\Program Files (x86)\Internet2\Shib2Idp/metadata/bbdev-Metadata.xml" />
    </metadata:MetadataProvider>

</metadata:MetadataProvider>


I also read that SAML tracer would be a valuable tool. I captured the trace and decoded it, but my inexperienced eye doesn't see a mismatch.

Decoded Output:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST" Destination="https://explode.lcaat.ca:444/idp/profile/SAML2/Redirect/SSO" ID="_6240d39343efcb6c8452e29fe7006b6a" IssueInstant="2014-09-30T16:25:45Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://explode.lcaat.ca/idp/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>


I would love any advice or help on this. I feel I'm close, but still so far off!

Dave Vernon
dvernon-6gMbXkmN5X7mEV3UZ/***@public.gmane.org
loyalistcollege.com

David Bantz
2014-09-30 16:53:28 UTC
https://lms.lcaat.ca/Shibboleth.sso/Metadata doesn’t look like a valid xml metadata file describing an entity.


Dave Vernon
2014-09-30 16:58:01 UTC
Hi David,

So does that mean that my problem is that I have given the IdP invalid data?

Am I at least getting my metadata from the right spot? (i.e. is the problem that I'm still missing some configuration on the SP, or that I'm simply grabbing the wrong thing)

Thanks for your help

Dave Vernon
Technology Infrastructure Specialist
dvernon-6gMbXkmN5X7mEV3UZ/***@public.gmane.org
loyalistcollege.com


Cantor, Scott
2014-09-30 17:04:14 UTC
On 9/30/14, 12:58 PM, "Dave Vernon" <dvernon-***@public.gmane.org> wrote:

>So does that mean that my problem is that I have given the IdP invalid data?
>

Your problem is that the SP requested the response be sent to an endpoint
that is not in the metadata you gave the IdP. So you need to look at
what's in the metadata and look at what it's asking for in the SAML
request, which means logging and/or browser plugins like SAML Tracer.

>Am I at least getting my metadata from the right spot?

There isn't any one spot to get it. You can get examples out of the
software to build on, nothing more. The way you get metadata is by
reviewing what's in it and adjusting it as needed to reflect the way the
system is in fact set up.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Dave Vernon
2014-09-30 17:26:14 UTC
Thank you, that does help.

Now that I have a direction, I'll sit down with these docs and see if I can write a working set.

https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP

Dave Vernon
Technology Infrastructure Specialist
dvernon-6gMbXkmN5X7mEV3UZ/***@public.gmane.org
loyalistcollege.com




Cantor, Scott
2014-09-30 17:30:43 UTC
On 9/30/14, 1:26 PM, "Dave Vernon" <dvernon-***@public.gmane.org> wrote:

>Thank you, that does help.
>
>Now that I have a direction, I'll sit down with these docs and see if I
>can write a working set.

You don't need to write it from scratch, access /Shibboleth.sso/Metadata
on the server running an SP (using the scheme, port, and hostname you need
to be using), and you should have something that is mostly correct. But if
you gave that metadata to the IdP and you're getting that error, that
means it's not actually correct and you have to review it and figure out why.

-- Scott

Dave Vernon
2014-10-01 20:55:03 UTC
If anyone out there would be willing to spend the time, I would appreciate any tips on how to go about troubleshooting this. I've read the documentation, especially about SP metadata, several times over, but I feel like I am going in circles and not making any progress.

The fact of the matter is, I'm really having trouble identifying what my data should be, and how to go about 'reviewing and adjusting' what's in it. I have used the SAML tracer plugin for Firefox to capture (and then decode), but again, nothing is clear to me as the problem.

Thanks

Dave

Kevin Foote
2014-10-01 21:02:49 UTC
Hi Dave,

The list is here to help.

Scott has indicated the issue that you are having. The metadata that the IdP has for your SP does not align with what the Apache or IIS server thinks it is. The result is that the IdP is receiving a request from some entity it does not know about.

If your MD matches up with what your server is doing things will just work.

Places to look are - in no particular order:
- check your ACS endpoints http / vs https
- check your entityid matching at the SP and within the MD you give the IdP
- check the http server itself

--------
thanks
kevin.foote

Dave Vernon
2014-10-01 23:04:17 UTC
Hello Kevin,

Thanks for the specifics. I'm going to run through them here in case I'm missing something:

Item #1:

I think the http / https part is okay -- everything on the web server is running with https, and here is the snip from the SP's XML data that is on the IdP server:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/Artifact" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/ECP" index="4"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML/POST" index="5"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML/Artifact" index="6"/>

Item #2:
check your entityid matching at the SP and within the MD you give the IdP... I think I am understanding the question properly..

In the SP's metadata file on the IdP I have this defined as the entityid
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b319c7699fa297e30adac2631426536fe3332552" entityID="https://explode.lcaat.ca/idp/shibboleth">

In shibboleth2.xml on the SP server I have this:
<ApplicationDefaults entityID="https://explode.lcaat.ca/idp/shibboleth"
and further down
<SSO entityID="https://explode.lcaat.ca/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>

I want to call out the discovery URL there. From what I understand, since I am only dealing with 1 IdP I don't need to define that? Is that correct?

Item #3:
The webserver itself is the part that is most familiar to me, and the documentation on the setup (and manual steps if necessary) is very good. It's IIS 7.5. There is a stopped "default" website with an ID of 1, and my actual website ("BBLEARN") as ID 2. The SP install seemed to go fine, and I do see the Shibboleth ISAPI filter installed at the site level. I would say the only 'unusual' part that I encountered was that the handler mapping was enabled at the root level, but disabled on the site level. I changed the site level to grant the 'script' permission.

I am able to browse to https://localhost/Shibboleth.sso/Status on the server itself, but I am forbidden to https://lms.lcaat.ca/Shibboleth.sso/Status -- I do recall reading somewhere in the docs that SPECIFICALLY said it had to be local host for testing this though.

Scott - Regarding your comments about properly configuring web servers to allow self-referential links being the entire issue... Is there something I should look for specifically, or some docs that deal with configuring the web server itself past the install docs? I have seen reference to setting the http host on Apache properly (i.e. to match) but I'm not aware of a similar IIS setting.

Thanks again all

Kevin Foote
2014-10-01 23:23:29 UTC
On Oct 1, 2014, at 4:04 PM, Dave Vernon <dvernon-***@public.gmane.org> wrote:
> In shibboleth2.xml on the SP server I have this:
> <ApplicationDefaults entityID="https://explode.lcaat.ca/idp/shibboleth"
> and further down
> <SSO entityID="https://explode.lcaat.ca/idp/shibboleth"
> discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
> SAML2 SAML1
> </SSO>

Your entityId does not need to go in the <SSO> section. The IdPs entityId goes there.

> I want to call out the discovery URL there. From what I understand, since I am only dealing with 1 IdP I don't need to define that? Is that correct?

You should not need the DS unless you are using a/the discovery service.
(Unless you need it that is)

> Item #3:
> The webserver itself is the part that is most familiar to me,

Like Scott said this is the main part you need to get straight.
Your web server is not responding how you think it is.


--------
thanks
kevin.foote
Dave Vernon
2014-10-01 23:52:59 UTC
>Your entityId does not need to go in the <SSO> section. The IdPs entityId goes there.

That actually is the entity ID for the IdP. (IdP is explode.lcaat.ca and SP is lms.lcaat.ca)

>Your web server is not responding how you think it is.
I know Scott hasn't had a crack to reply to the last message to him, but any advice on what to look for there?



Kevin Foote
2014-10-01 23:57:39 UTC
On Oct 1, 2014, at 4:52 PM, Dave Vernon <dvernon-***@public.gmane.org> wrote:

>> Your entityId does not need to go in the <SSO> section. The IdPs entityId goes there.
>
> That actually is the entity ID for the IdP. (IdP is explode.lcaat.ca and SP is lms.lcaat.ca)

Therein lies your problem .. your entityID is messed up in your SP shibboleth2.xml file

>> <ApplicationDefaults entityID="https://explode.lcaat.ca/idp/shibboleth"

This needs to change to be the entityID for your SP .. the lms box.
Fix your entityID issues and you should be good


--------
thanks
kevin.foote
Dave Vernon
2014-10-02 00:12:10 UTC
Wow!!

*WE* have made some real progress here! Blackboard's Shibboleth 'test' is now passing its checks! I have a little more work to do, but I'm VERY happy to have made it this far.

Thank you all so much for the help!




Cantor, Scott
2014-10-01 21:09:47 UTC
> If anyone out there would be willing to spend the time, I would appreciate
> any tips on how to go about troubleshooting this. I've read the
> documentation, especially about SP metadata, several times over, but I feel
> like I am going in circles and not making any progress.

The AuthnRequest from the SP will contain an AssertionConsumerServiceURL attribute. The location will not be one of the AssertionConsumerService endpoint Locations in the metadata. That's it.

The ACS location generated by the SP is a self-referential location. Understanding how web servers have to be configured to properly allow self-referential links to be generated is basically the entire issue.

-- Scott

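The comparison Scott describes above (the AuthnRequest's AssertionConsumerServiceURL against the AssertionConsumerService Locations in the metadata the IdP holds) together with the entityID and http-vs-https checks from Kevin's list, as an added offline example that is not code from the original thread and not Shibboleth's own code. It parses a decoded AuthnRequest and the metadata documents the IdP loads, looks the request's Issuer up across the providers in chain order, and reports why the IdP would have no endpoint to return to. Assumptions: the chain is modelled as "the first provider that knows the entityID wins"; the metadata and request samples are constructed to mirror the thread, not copied from the poster's files; and the corrected SP entityID https://lms.lcaat.ca/shibboleth is a placeholder, since the thread never states the value the poster settled on.

```python
"""Offline check: does an SP's AuthnRequest line up with the SP metadata the IdP holds?
Constructed example for this thread; not Shibboleth code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
MD_ENTITY = "{%s}EntityDescriptor" % NS["md"]


def parse_authn_request(xml_text):
    """Extract the three things the IdP matches on: Issuer, ACS URL, binding."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


def index_metadata(xml_text):
    """entityID -> [(Binding, Location), ...] of AssertionConsumerService endpoints.
    Accepts one EntityDescriptor or an EntitiesDescriptor aggregate; an entity
    with no SPSSODescriptor (an IdP, for instance) maps to an empty list."""
    root = ET.fromstring(xml_text)
    index = {}
    for ed in root.iter(MD_ENTITY):
        acs = ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        index[ed.get("entityID")] = [(a.get("Binding"), a.get("Location")) for a in acs]
    return index


def lookup_in_chain(entity_id, metadata_docs):
    """Assumption: the first provider in the chain that knows the entityID wins."""
    for doc in metadata_docs:
        index = index_metadata(doc)
        if entity_id in index:
            return index[entity_id]
    return None


def check_request(request_xml, metadata_docs):
    """Return a list of findings; an empty list means the IdP has a return endpoint."""
    req = parse_authn_request(request_xml)
    endpoints = lookup_in_chain(req["issuer"], metadata_docs)
    if endpoints is None:
        return ["unknown issuer: %s is not in any metadata the IdP loads" % req["issuer"]]
    if not endpoints:
        return ["%s is known but has no AssertionConsumerService endpoints; "
                "check whether the SP was configured with the IdP's entityID" % req["issuer"]]
    locations = [loc for _, loc in endpoints]
    if req["acs_url"] not in locations:
        return ["AssertionConsumerServiceURL %s is not an ACS Location in metadata "
                "(scheme, host and port must match exactly); metadata has: %s"
                % (req["acs_url"], ", ".join(locations))]
    if (req["binding"], req["acs_url"]) not in endpoints:
        return ["ACS %s is present but not with binding %s" % (req["acs_url"], req["binding"])]
    return []


# --- constructed samples modelled on the thread (not the poster's real files) ---
IDP_ENTITY = "https://explode.lcaat.ca/idp/shibboleth"
SP_ENTITY = "https://lms.lcaat.ca/shibboleth"  # placeholder; the thread never states the fixed value
ACS_POST = "https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{IDP_ENTITY}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://explode.lcaat.ca:444/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_metadata(entity_id):
    """SP metadata in the shape /Shibboleth.sso/Metadata emits, with the given entityID."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="{ACS_POST}" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/Artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(issuer, acs_url):
    """Decoded AuthnRequest as SAML tracer shows it, with the given Issuer and ACS."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_example" Version="2.0" '
            f'IssueInstant="2014-09-30T16:25:45Z" AssertionConsumerServiceURL="{acs_url}" '
            f'ProtocolBinding="{HTTP_POST}">'
            f'<saml:Issuer xmlns:saml="{NS["saml"]}">{issuer}</saml:Issuer>'
            f'</samlp:AuthnRequest>')


if __name__ == "__main__":
    # As posted: SP entityID equals the IdP's own; chain = [IdP metadata, SP metadata].
    # The IdP's descriptor is found first and has no ACS, so there is no return endpoint.
    for f in check_request(authn_request(IDP_ENTITY, ACS_POST),
                           [IDP_METADATA, sp_metadata(IDP_ENTITY)]):
        print("as posted:", f)
    # After the fix: distinct SP entityID and a matching ACS, no findings.
    print("fixed:", check_request(authn_request(SP_ENTITY, ACS_POST),
                                  [IDP_METADATA, sp_metadata(SP_ENTITY)]))
    # Kevin's http-vs-https case: the server generated a plain-http self-referential ACS.
    for f in check_request(authn_request(SP_ENTITY, ACS_POST.replace("https://", "http://")),
                           [IDP_METADATA, sp_metadata(SP_ENTITY)]):
        print("scheme:", f)
```

Feed it the request body decoded from SAML tracer and the files named by the MetadataProvider elements in relying-party.xml, in the order they appear in the chain. The "known but has no AssertionConsumerService endpoints" finding is the one that corresponds to the thread's IdP log line, because the Issuer in the posted request is the IdP's own entityID and the first provider in the posted chain is the IdP's own metadata.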
Dave Vernon
2014-10-01 23:10:17 UTC
I'm sorry, I should add (regarding your first comment)

In the AuthnRequest I have this ACS

"https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST"

In the SP's metadata on the IdP server I have this in the md:ACS section

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST" index="1"/>


This looks like a match to me?

Nate Klingenstein
2014-10-01 23:29:51 UTC
Dave,

It looks like a match to me too, which leads me to wonder again about what's getting loaded by that IdP. Your IdP, if Shibboleth, should be very explicit about what it's loading or receiving and why it's being discarded.

Thanks,
Nate.

Dave Vernon
2014-10-01 23:52:48 UTC
Hi,

The IdP is in fact Shibboleth.

When I try the test, and I look at the idp-process log on the IdP server I see the following:

19:46:09.153 - INFO [Shibboleth-Access:73] - 20141001T234609Z|10.10.12.25|explode.lcaat.ca:444|/profile/SAML2/Redirect/SSO|
19:46:13.872 - INFO [Shibboleth-Access:73] - 20141001T234613Z|10.10.12.25|explode.lcaat.ca:444|/profile/SAML2/Redirect/SSO|
19:46:13.872 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447] - No return endpoint available for relying party https://explode.lcaat.ca/idp/shibboleth


The idp-access log shows events like this
20141001T234613Z|10.10.12.25|explode.lcaat.ca:444|/profile/SAML2/Redirect/SSO|

Nothing in the audit logs.


I restarted the service so I could recapture the startup logs. I won't copy and paste it all, but everything is 'info' except one (I believe unrelated) warn
19:49:16.467 - WARN [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector:64] - This data connector is deprecated. The StoredID data connector should be used in its place.


I haven't come across any type of log that is showing received or discarded info. Is there another location?

Thanks

Nate Klingenstein
2014-10-01 23:58:06 UTC
> I haven't come across any type of log that is showing received or discarded info. Is there another location?

The startup process should have been explicit in exactly which metadata's getting loaded. I'm pretty sure that Kevin stumbled on your underlying problem -- SSO entityID matches ApplicationDefaults but shouldn't in virtually all deployments -- but that's just instinct.
Cantor, Scott
2014-10-02 00:37:55 UTC
On 10/1/14, 7:10 PM, "Dave Vernon" <dvernon-***@public.gmane.org> wrote:
>
>This looks like a match to me?

I misled you because the problem was in fact the entityIDs being
mis-assigned. That should cause a different error, and generally does, but
because you set the SP's name to that of the IdP, the IdP still found
metadata for that entityID, namely the idp-metadata.xml content that is
also loaded. And there's no SP role or endpoint in that metadata.

TL;DR, the IdP in V2 loads its own metadata, which was a huge mistake and
causes all sorts of confusing errors like this one.

-- Scott

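Scott's two explanations above amount to one lookup the IdP performs before it can answer an AuthnRequest: resolve the Issuer to metadata, require an SP role in that metadata, then match the request's AssertionConsumerServiceURL and ProtocolBinding against the AssertionConsumerService endpoints of that role. The script below reproduces that lookup offline so the three failure modes can be told apart. It is an added example written for this page, not Shibboleth code; it assumes an SP entityID of https://lms.lcaat.ca/shibboleth (the thread never states the SP's real entityID) and uses constructed, cut-down metadata for both parties together with the AuthnRequest quoted in the thread.

```python
"""Reproduce the IdP's "No return endpoint available" decision offline.

Added example for this thread, not Shibboleth code. It mirrors the lookup the
IdP performs before answering an AuthnRequest: resolve the Issuer to metadata,
require an SP role in it, then match the request's AssertionConsumerServiceURL
and ProtocolBinding against that role's AssertionConsumerService endpoints.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

IDP_ENTITY_ID = "https://explode.lcaat.ca/idp/shibboleth"
# Assumption: the SP's own entityID is never stated in the thread.
SP_ENTITY_ID = "https://lms.lcaat.ca/shibboleth"

# Constructed, cut-down idp-metadata.xml: an IdP role and nothing else.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="{IDP_ENTITY_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://explode.lcaat.ca:444/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata carrying the ACS endpoint quoted in the thread.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(issuer, acs_url="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST"):
    """The decoded AuthnRequest from the thread, with Issuer and ACS URL as parameters."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" '
        f'AssertionConsumerServiceURL="{acs_url}" '
        f'Destination="https://explode.lcaat.ca:444/idp/profile/SAML2/Redirect/SSO" '
        f'ID="_6240d39343efcb6c8452e29fe7006b6a" IssueInstant="2014-09-30T16:25:45Z" '
        f'ProtocolBinding="{HTTP_POST}" Version="2.0">'
        f'<saml:Issuer xmlns:saml="{SAML}">{issuer}</saml:Issuer>'
        f'<samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>'
    )


def load_metadata(*documents):
    """Index EntityDescriptor elements by entityID.

    Accepts a bare EntityDescriptor or an EntitiesDescriptor wrapper, since
    either is valid metadata. In this toy index a later document wins on a
    duplicate entityID.
    """
    index = {}
    for doc in documents:
        root = ET.fromstring(doc)
        if root.tag == f"{{{MD}}}EntityDescriptor":
            found = [root]
        else:
            found = root.iter(f"{{{MD}}}EntityDescriptor")
        for entity in found:
            index[entity.get("entityID")] = entity
    return index


def diagnose(request_xml, metadata):
    """Return (code, detail) describing whether a response endpoint can be chosen."""
    req = ET.fromstring(request_xml)
    issuer = req.findtext(f"{{{SAML}}}Issuer", "").strip()
    acs_url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")

    entity = metadata.get(issuer)
    if entity is None:
        return "NO_METADATA", f"no metadata loaded for issuer {issuer}"
    # The trap in the thread: the Issuer was the IdP's own entityID, so
    # metadata was found (idp-metadata.xml) but it carries no SP role at all.
    sp_role = entity.find(f"{{{MD}}}SPSSODescriptor")
    if sp_role is None:
        return "NO_SP_ROLE", f"metadata for {issuer} has no SPSSODescriptor"
    known = [(a.get("Binding"), a.get("Location"))
             for a in sp_role.findall(f"{{{MD}}}AssertionConsumerService")]
    if (binding, acs_url) in known:
        return "OK", f"response goes to {acs_url}"
    # Scheme, host or port drift in the SP's self-generated ACS URL ends here.
    return "NO_MATCHING_ACS", f"request wants {binding} {acs_url}; metadata offers {known}"


if __name__ == "__main__":
    index = load_metadata(IDP_METADATA, SP_METADATA)
    cases = [
        ("SP configured with the IdP's entityID", authn_request(IDP_ENTITY_ID)),
        ("SP with its own entityID", authn_request(SP_ENTITY_ID)),
        ("ACS URL generated as plain http",
         authn_request(SP_ENTITY_ID, acs_url="http://lms.lcaat.ca/Shibboleth.sso/SAML2/POST")),
    ]
    for label, request in cases:
        code, detail = diagnose(request, index)
        print(f"{label}: {code} ({detail})")
```

The first case is the thread's actual failure: the Issuer resolves to the IdP's own idp-metadata.xml, so the lookup succeeds but there is no SPSSODescriptor to pick an endpoint from. In the Shibboleth SP's shibboleth2.xml that corresponds to the entityID attribute on ApplicationDefaults (the SP's own name) being set to the same value as the entityID attribute on the SSO element (the IdP to send requests to); giving the SP its own entityID and matching it in the metadata the IdP loads turns the result into OK. The third case is the scheme/port drift Scott describes for self-referential ACS URLs, which produces the same IdP error but for a different reason.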
John Hascall
2014-09-30 17:10:08 UTC
Your md:EntityDescriptor(s) need to be enclosed in EntitiesDescriptor
Something along these lines:

<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Name="https://iastate.edu/metadata/ISU.xml"
ID="ISU-20140925-202800"
><!-- Generated 2014-09-25 15:28:00 CDT -->

<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://apps.gpss.iastate.edu/shibboleth">
...
</md:EntityDescriptor>
</EntitiesDescriptor>

On Tue, Sep 30, 2014 at 11:58 AM, Dave Vernon <dvernon-***@public.gmane.org>
wrote:

> Hi David,
>
> So does that mean that my problem is that I have the IdP invalid data?
>
> Am I at least getting my metadata from the right spot? (i.e. is the
> problem that I'm still missing some configuration on the SP, or that I'm
> simply grabbing the wrong thing)
>
> Thanks for your help
>
> *Dave Vernon*
> *Technology Infrastructure Specialist*
> dvernon-6gMbXkmN5X7mEV3UZ/***@public.gmane.org
> loyalistcollege.com
>
> *From:* users-bounces-***@public.gmane.org [mailto:users-bounces-***@public.gmane.org]
> *On Behalf Of *David Bantz
> *Sent:* Tuesday, September 30, 2014 12:53 PM
> *To:* Shib Users
> *Subject:* Re: No peer endpoint available to which to send SAML response
>
> https://lms.lcaat.ca/Shibboleth.sso/Metadata doesn't look like a valid
> xml metadata file describing an entity.
>
> On Tue, 30 Sep 2014, at 08:43 , Dave Vernon <dvernon-***@public.gmane.org>
> wrote:
>
> Hello all,
>
> I am currently working through my first Shibboleth implementation. I've
> made it fairly far and had some success (I am able to login with the
> protected TestShib page).
>
> I'm currently "stuck" on an issue. I've done a lot of reading of the
> documentation and groups, but I'm still having issues trying to sort this
> out.
>
> My IdP server is running on IIS 7.5/Windows - explode.lcaat.ca
> My SP is running on IIS 7.5/Windows, trying to integrate with Blackboard
> LMS
>
> I am creating my Shibboleth authentication connector in blackboard, and
> when I am trying to test the connection, I get redirected to the logon page
> and I'm able to enter my credentials, but then I get the following error.
>
> Error Message: No peer endpoint available to which to send SAML response
>
> I don't see any errors in any of the logs on the SP side.
> On the IdP side I see the following error in the idp-process log
>
> 12:25:45.640 - ERROR
> [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447]
> - No return endpoint available for relying party
> https://explode.lcaat.ca/idp/shibboleth
>
> From what I have read so far, it seems like my problem is with the SP's
> metadata being unknown to the IdP. I grabbed the metadata from
> https://lms.lcaat.ca/Shibboleth.sso/Metadata and then saved it to
> C:\Program Files (x86)\Internet2\Shib2IdP\metadata\bbdev-Metadata.xml
>
> I then updated my relying-party.xml file on the IdP server with the bit
> below (in bold)
>
> <!-- ========================================== -->
> <!-- Metadata Configuration -->
> <!-- ========================================== -->
> <!-- MetadataProvider the combining other MetadataProviders -->
> <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
>
>     <!-- Load the IdP's own metadata. This is necessary for artifact support. -->
>     <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
>         <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="C:\Program Files (x86)\Internet2\Shib2Idp/metadata/idp-metadata.xml"/>
>     </metadata:MetadataProvider>
>
>     <!-- Download the metadata
>
>          This is the point where the post install program will add new metadata
>
>     -->
>     <metadata:MetadataProvider id="TestShib" xsi:type="metadata:FileBackedHTTPMetadataProvider"
>         metadataURL="http://www.testshib.org/metadata/testshib-providers.xml"
>         backingFile="C:\Program Files (x86)\Internet2\Shib2Idp/metadata/Downloaded-Metadata.xml"
>     />
>
>     *<metadata:MetadataProvider id="lms.lcaat.ca" xsi:type="metadata:ResourceBackedMetadataProvider">*
>     *    <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="C:\Program Files (x86)\Internet2\Shib2Idp/metadata/bbdev-Metadata.xml" />*
>     *</metadata:MetadataProvider>*
>
> </metadata:MetadataProvider>
>
> I also read that SAML tracer would be a valuable tool. I captured the trace
> and decoded it, but my inexperienced eye doesn't see a mismatch.
>
> Decoded Output:
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     AssertionConsumerServiceURL="https://lms.lcaat.ca/Shibboleth.sso/SAML2/POST"
>     Destination="https://explode.lcaat.ca:444/idp/profile/SAML2/Redirect/SSO"
>     ID="_6240d39343efcb6c8452e29fe7006b6a" IssueInstant="2014-09-30T16:25:45Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://explode.lcaat.ca/idp/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
>
> I would love any advice or help on this. I feel I'm close, but still so
> far off!
>
> *Dave Vernon*
> dvernon-6gMbXkmN5X7mEV3UZ/***@public.gmane.org
> loyalistcollege.com
>
Cantor, Scott
2014-09-30 17:20:11 UTC
On 9/30/14, 1:10 PM, "John Hascall" <john-KgB/***@public.gmane.org> wrote:

>Your md:EntityDescriptor(s) need to be enclosed in EntitiesDescriptor

No, that is not a requirement.

-- Scott
