Haer, Neelam
2014-09-09 17:30:30 UTC
Hi All
I am getting an error from the IdP complaining that there is no peer endpoint available to which to send the SAML Response (this is shown on the client). In the server logs I see:
09:56:31.782 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:185] - Endpoint 'http://clientDomain/Shibboleth.sso/SAML2/POST-SimpleSign' with binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign' discarded because it does not meet protocol binding selection criteria
Endpoint 'http://clientDomain/Shibboleth.sso/SAML2/Artifact' with binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' discarded because it does not meet protocol binding selection criteria
Here's my shibboleth2.xml (some sections removed for brevity):
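<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  Shibboleth SP configuration (shibboleth2.xml), trimmed by the poster.
  Two well-formedness errors in the pasted listing are corrected inline
  (the unterminated name attribute on <Site> and the unterminated
  <ApplicationDefaults> start tag); an XML parser rejects the file as
  posted, so shibd cannot be loading this exact text.
  Lines marked NOTE(review) are things to confirm, not confirmed faults.
-->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          logger="c:/opt/shibboleth-sp/etc/shibboleth/syslog.logger" clockSkew="180">

  <!-- The InProcess section contains settings affecting web server modules/filters. -->
  <InProcess logger="c:/opt/shibboleth-sp/etc/shibboleth/native.logger">
    <ISAPI normalizeRequest="true">
      <!--
      Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
      required so that the proper <Host> in the request map above is found without
      having to cover every possible DNS/IP combination the user might enter.
      The port and scheme can usually be omitted, so the HTTP request's port and
      scheme will be used.
      -->
      <!-- Fixed: the posted line lacked the closing quote after the name value,
           so every following attribute was swallowed into it. The name must be
           the site's DNS host name, not a placeholder, for the request map to match. -->
      <Site id="1" name="clienturl" scheme="http" port="80"/>
    </ISAPI>
  </InProcess>

  <!--
  Be sure to change this port number to the one matching what you used
  when installing shibd on your system. Default for Windows systems
  seems to be 1600, so that is what is used here, however if you
  install on a different port, write that in here.
  -->
  <!-- Listener is bound and ACL-restricted to loopback only; keep it that way. -->
  <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>

  <!--
  The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
  Resource requests are mapped by the RequestMapper to an applicationId that
  points into to this section.
  These are the default global settings for all applications.
  !DO NOT CHANGE THIS SECTION! Application-specific settings are set in the
  <ApplicationOverride> section.
  -->
  <!-- Fixed: the posted start tag was never closed with '>', which is a parse
       error in itself.
       NOTE(review): entityID here is under the IdP's domain and named
       "do-not-use"; the real SP entityID lives in the <ApplicationOverride>
       below. Confirm that requests for the protected site actually map to that
       override, otherwise the SP identifies itself to the IdP with this value.
       NOTE(review): encryption="false" means the SP does not ask for encrypted
       assertions; together with handlerSSL="false" below, assertion contents
       travel to the ACS in the clear. -->
  <ApplicationDefaults id="default" policyId="default"
                       entityID="https://idpDomain/do-not-use"
                       homeURL="https://idpDomain/"
                       REMOTE_USER="eppn persistent-id targeted-id"
                       signing="true" encryption="false">

    <!-- NOTE(review): handlerSSL="false" lets the /Shibboleth.sso handlers be
         reached over plain HTTP; the IdP log in the mail shows http:// ACS
         URLs. Once TLS is available on the site, set handlerSSL="true" and
         scheme="https" on <Site> so the SAML Response is only accepted over TLS.
         exportLocation is bound to localhost, which is the intended restriction. -->
    <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
              handlerURL="/Shibboleth.sso" handlerSSL="false"
              exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
              idpHistory="true" idpHistoryDays="7">

      <!-- NOTE(review): with acsByIndex="false" the AuthnRequest names the ACS
           by URL and binding rather than by index, so the IdP must find that
           exact URL/binding pair in its copy of this SP's metadata. The IdP log
           in the mail only mentions the POST-SimpleSign and Artifact endpoints
           being considered and discarded, which suggests the HTTP-POST endpoint
           (index 1, used by the SAML2 initiator) is absent from the metadata the
           IdP holds. Confirm the metadata registered at the IdP was generated
           from this configuration and lists /SAML2/POST. -->
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                        relayState="cookie" entityID="https://idpDomain.com/idp/shibboleth"
                        acsByIndex="false">
        <SessionInitiator type="SAML2" acsIndex="1" forceAuthn="true" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
      </SessionInitiator>

      <!-- Assertion consumer endpoints, by index; the SAML2 initiator above targets index 1. -->
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
      <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
      <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
      <md:AssertionConsumerService Location="/SAML/POST" index="5"
                                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
                                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

      <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
      <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
        <!-- <LogoutInitiator type="SAML2" template="bindingTemplate.html"/> -->
        <LogoutInitiator type="Local"/>
      </LogoutInitiator>

      <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
      <md:SingleLogoutService Location="/SLO/SOAP"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
      <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

      <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
      <md:ManageNameIDService Location="/NIM/SOAP"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
      <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

      <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

      <!-- /Metadata publishes this SP's metadata unsigned; /Status is loopback-only. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

      <!-- Session diagnostic service. -->
      <Handler type="Session" Location="/Session"/>
    </Sessions>

    <Errors session="c:/opt/shibboleth-sp/etc/shibboleth/sessionError.html"
            metadata="c:/opt/shibboleth-sp/etc/shibboleth/metadataError.html"
            access="c:/opt/shibboleth-sp/etc/shibboleth/accessError.html"
            ssl="c:/opt/shibboleth-sp/etc/shibboleth/sslError.html"
            localLogout="c:/opt/shibboleth-sp/etc/shibboleth/localLogout.html"
            globalLogout="c:/opt/shibboleth-sp/etc/shibboleth/globalLogout.html"
            supportContact="someEmail"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- IdP metadata is fetched over https and cached locally; reloaded daily. -->
    <MetadataProvider type="XML"
                      url="https://idpDomain.com/metadata/dp-stg-metadata.xml"
                      backingFilePath="c:/opt/shibboleth-sp/etc/shibboleth/idp-stg-metadata.xml"
                      reloadInterval="86400"/>

    <!-- The real SP identity; NOTE(review): the id is still the template placeholder.
         Confirm the RequestMapper (not shown in this excerpt) routes the protected
         site to this applicationId. -->
    <ApplicationOverride id="rename--my-application-name"
                         entityID="https://clientID/shibboleth-sp"
                         homeURL="http://clientDomain/"
                         REMOTE_USER="somerandomstring"/>
  </ApplicationDefaults>

  <!-- Each policy defines a set of rules to use to secure messages. -->
  <SecurityPolicies>
    <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
    <Policy id="default" validate="false">
      <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
      <PolicyRule type="Conditions">
        <PolicyRule type="Audience"/>
        <!-- Enable Delegation rule to permit delegated access. -->
        <!-- <PolicyRule type="Delegation"/> -->
      </PolicyRule>
      <PolicyRule type="ClientCertAuth" errorFatal="true"/>
      <PolicyRule type="XMLSigning" errorFatal="true"/>
      <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>
  </SecurityPolicies>
</SPConfig>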
I am getting an error from the IdP complaining that there is no peer endpoint available to which to send the SAML Response (this is shown on the client). In the server logs I see:
09:56:31.782 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:185] - Endpoint 'http://clientDomain/Shibboleth.sso/SAML2/POST-SimpleSign' with binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign' discarded because it does not meet protocol binding selection criteria
Endpoint 'http://clientDomain/Shibboleth.sso/SAML2/Artifact' with binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' discarded because it does not meet protocol binding selection criteria
Here's my shibboleth2.xml (some sections removed for brevity):
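<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  Shibboleth SP configuration (shibboleth2.xml), trimmed by the poster.
  Two well-formedness errors in the pasted listing are corrected inline
  (the unterminated name attribute on <Site> and the unterminated
  <ApplicationDefaults> start tag); an XML parser rejects the file as
  posted, so shibd cannot be loading this exact text.
  Lines marked NOTE(review) are things to confirm, not confirmed faults.
-->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          logger="c:/opt/shibboleth-sp/etc/shibboleth/syslog.logger" clockSkew="180">

  <!-- The InProcess section contains settings affecting web server modules/filters. -->
  <InProcess logger="c:/opt/shibboleth-sp/etc/shibboleth/native.logger">
    <ISAPI normalizeRequest="true">
      <!--
      Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
      required so that the proper <Host> in the request map above is found without
      having to cover every possible DNS/IP combination the user might enter.
      The port and scheme can usually be omitted, so the HTTP request's port and
      scheme will be used.
      -->
      <!-- Fixed: the posted line lacked the closing quote after the name value,
           so every following attribute was swallowed into it. The name must be
           the site's DNS host name, not a placeholder, for the request map to match. -->
      <Site id="1" name="clienturl" scheme="http" port="80"/>
    </ISAPI>
  </InProcess>

  <!--
  Be sure to change this port number to the one matching what you used
  when installing shibd on your system. Default for Windows systems
  seems to be 1600, so that is what is used here, however if you
  install on a different port, write that in here.
  -->
  <!-- Listener is bound and ACL-restricted to loopback only; keep it that way. -->
  <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>

  <!--
  The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
  Resource requests are mapped by the RequestMapper to an applicationId that
  points into to this section.
  These are the default global settings for all applications.
  !DO NOT CHANGE THIS SECTION! Application-specific settings are set in the
  <ApplicationOverride> section.
  -->
  <!-- Fixed: the posted start tag was never closed with '>', which is a parse
       error in itself.
       NOTE(review): entityID here is under the IdP's domain and named
       "do-not-use"; the real SP entityID lives in the <ApplicationOverride>
       below. Confirm that requests for the protected site actually map to that
       override, otherwise the SP identifies itself to the IdP with this value.
       NOTE(review): encryption="false" means the SP does not ask for encrypted
       assertions; together with handlerSSL="false" below, assertion contents
       travel to the ACS in the clear. -->
  <ApplicationDefaults id="default" policyId="default"
                       entityID="https://idpDomain/do-not-use"
                       homeURL="https://idpDomain/"
                       REMOTE_USER="eppn persistent-id targeted-id"
                       signing="true" encryption="false">

    <!-- NOTE(review): handlerSSL="false" lets the /Shibboleth.sso handlers be
         reached over plain HTTP; the IdP log in the mail shows http:// ACS
         URLs. Once TLS is available on the site, set handlerSSL="true" and
         scheme="https" on <Site> so the SAML Response is only accepted over TLS.
         exportLocation is bound to localhost, which is the intended restriction. -->
    <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
              handlerURL="/Shibboleth.sso" handlerSSL="false"
              exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
              idpHistory="true" idpHistoryDays="7">

      <!-- NOTE(review): with acsByIndex="false" the AuthnRequest names the ACS
           by URL and binding rather than by index, so the IdP must find that
           exact URL/binding pair in its copy of this SP's metadata. The IdP log
           in the mail only mentions the POST-SimpleSign and Artifact endpoints
           being considered and discarded, which suggests the HTTP-POST endpoint
           (index 1, used by the SAML2 initiator) is absent from the metadata the
           IdP holds. Confirm the metadata registered at the IdP was generated
           from this configuration and lists /SAML2/POST. -->
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                        relayState="cookie" entityID="https://idpDomain.com/idp/shibboleth"
                        acsByIndex="false">
        <SessionInitiator type="SAML2" acsIndex="1" forceAuthn="true" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
      </SessionInitiator>

      <!-- Assertion consumer endpoints, by index; the SAML2 initiator above targets index 1. -->
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
      <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
      <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
      <md:AssertionConsumerService Location="/SAML/POST" index="5"
                                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
                                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

      <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
      <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
        <!-- <LogoutInitiator type="SAML2" template="bindingTemplate.html"/> -->
        <LogoutInitiator type="Local"/>
      </LogoutInitiator>

      <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
      <md:SingleLogoutService Location="/SLO/SOAP"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
      <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

      <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
      <md:ManageNameIDService Location="/NIM/SOAP"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
      <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

      <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

      <!-- /Metadata publishes this SP's metadata unsigned; /Status is loopback-only. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

      <!-- Session diagnostic service. -->
      <Handler type="Session" Location="/Session"/>
    </Sessions>

    <Errors session="c:/opt/shibboleth-sp/etc/shibboleth/sessionError.html"
            metadata="c:/opt/shibboleth-sp/etc/shibboleth/metadataError.html"
            access="c:/opt/shibboleth-sp/etc/shibboleth/accessError.html"
            ssl="c:/opt/shibboleth-sp/etc/shibboleth/sslError.html"
            localLogout="c:/opt/shibboleth-sp/etc/shibboleth/localLogout.html"
            globalLogout="c:/opt/shibboleth-sp/etc/shibboleth/globalLogout.html"
            supportContact="someEmail"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- IdP metadata is fetched over https and cached locally; reloaded daily. -->
    <MetadataProvider type="XML"
                      url="https://idpDomain.com/metadata/dp-stg-metadata.xml"
                      backingFilePath="c:/opt/shibboleth-sp/etc/shibboleth/idp-stg-metadata.xml"
                      reloadInterval="86400"/>

    <!-- The real SP identity; NOTE(review): the id is still the template placeholder.
         Confirm the RequestMapper (not shown in this excerpt) routes the protected
         site to this applicationId. -->
    <ApplicationOverride id="rename--my-application-name"
                         entityID="https://clientID/shibboleth-sp"
                         homeURL="http://clientDomain/"
                         REMOTE_USER="somerandomstring"/>
  </ApplicationDefaults>

  <!-- Each policy defines a set of rules to use to secure messages. -->
  <SecurityPolicies>
    <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
    <Policy id="default" validate="false">
      <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
      <PolicyRule type="Conditions">
        <PolicyRule type="Audience"/>
        <!-- Enable Delegation rule to permit delegated access. -->
        <!-- <PolicyRule type="Delegation"/> -->
      </PolicyRule>
      <PolicyRule type="ClientCertAuth" errorFatal="true"/>
      <PolicyRule type="XMLSigning" errorFatal="true"/>
      <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>
  </SecurityPolicies>
</SPConfig>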