By: Ben Granholm user 09 Nov 2017 at 4:46 p.m. CST

13 Responses
We are trying to move from an old version of Gluu to a newer implementation as an IDP only for use with xfinity on campus. The old one works, but comes up with "invalid stream header" occasionally. That is running 2.4.4. The new one is running 3.0.1 and I cannot get it to work, even though it appears to be set up the same way.

Old one: https://fed-auth-02.hartford.edu/idp/shibboleth
New one: https://fed-auth-01.hartford.edu/idp/shibboleth

I am getting "HTTP Status 400 - Error processing AuthnRequest. Error retrieving meta data." from xfinity when I use the new one, but it works fine on the old one. What am I doing wrong?

By William Lowe user 09 Nov 2017 at 4:50 p.m. CST

Ben, if you are upgrading, it would be best to use the latest version, Gluu Server 3.1.1. Is that possible?

By Aliaksandr Samuseu staff 09 Nov 2017 at 5:47 p.m. CST

Hi, Ben.

>I am getting "HTTP Status 400 - Error processing AuthnRequest. Error retrieving meta data." From xfinity when I use the new one, but it works fine on the old one.

William is right, using 3.0.1 is not recommended. It had some issues with SAML configuration, one of which I believe you are describing. If you still insist on using it, please make sure you are always adding a custom RP profile configuration to each of your SAML TRs (you can just add the `SAML2SSO` profile with default settings for it). [Here is how](https://gluu.org/docs/ce/3.1.1/admin-guide/saml/#relying-party-configuration) (you can ignore the fact it's for 3.1.1, the steps are the same). It should resolve most issues with SAML (there may be a different kind of issue with federation TRs). Remove your current TR, create a new one as described, and restart `identity`, then `idp`.

By Ben Granholm user 09 Nov 2017 at 7:15 p.m. CST

Is there any easy way to upgrade to 3.1.1?

By Ben Granholm user 09 Nov 2017 at 7:49 p.m. CST

Also, did what you suggested and it didn't help. Does Comcast need to do anything on their end to get the changes?

By Aliaksandr Samuseu staff 09 Nov 2017 at 8:29 p.m. CST

>Is there any easy way to upgrade to 3.1.1?

The migration script is undergoing its final QA stage as of now, and should become available within a few days.

>Does Comcast need to do anything on their end to get the changes?

If Shibboleth still complains about inability to find metadata for this entityid, then it's most likely still an issue on your side.

1. Try to do a `# grep -i -r -e 'entityid_in_question' /opt/shibboleth-idp/`, then share the results with us
2. Check what ends up in `/opt/shibboleth-idp/logs/idp-process.log` during the flow. You can raise its verbosity if needed in `/opt/shibboleth-idp/conf/logback.xml`

Does that TR actually reach the "Active" state at all?

By Ben Granholm user 10 Nov 2017 at 7:36 a.m. CST

```
grep -i -r -e 'fed-auth-01.hartford.edu' /opt/shibboleth-idp/
/opt/shibboleth-idp/conf/idp.properties:idp.entityID = https://fed-auth-01.hartford.edu/idp/shibboleth
/opt/shibboleth-idp/conf/idp.properties:idp.scope = fed-auth-01.hartford.edu
/opt/shibboleth-idp/metadata/idp-metadata.xml: entityID="https://fed-auth-01.hartford.edu/idp/shibboleth">
/opt/shibboleth-idp/metadata/idp-metadata.xml: <IDPSSODescriptor errorURL="https://fed-auth-01.hartford.edu/identity/feedback.htm" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
/opt/shibboleth-idp/metadata/idp-metadata.xml: <shibmd:Scope regexp="false">fed-auth-01.hartford.edu</shibmd:Scope>
/opt/shibboleth-idp/metadata/idp-metadata.xml: Location="https://fed-auth-01.hartford.edu/idp/profile/SAML2/SOAP/ArtifactResolution"
/opt/shibboleth-idp/metadata/idp-metadata.xml: <SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" Location="https://fed-auth-01.hartford.edu/idp/profile/SAML2/Unsolicited/SSO" />
/opt/shibboleth-idp/metadata/idp-metadata.xml: <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fed-auth-01.hartford.edu/idp/profile/SAML2/POST/SSO" />
/opt/shibboleth-idp/metadata/idp-metadata.xml: <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://fed-auth-01.hartford.edu/idp/profile/SAML2/POST-SimpleSign/SSO" />
/opt/shibboleth-idp/metadata/idp-metadata.xml: <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fed-auth-01.hartford.edu/idp/profile/SAML2/Redirect/SSO" />
/opt/shibboleth-idp/metadata/idp-metadata.xml: <OrganizationURL xml:lang="en">https://fed-auth-01.hartford.edu</OrganizationURL>
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF50006467ECE89-sp-metadata.xml: <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://fed-auth-01.hartford.edu/Shibboleth.sso/DS" index="1" />
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF50006467ECE89-sp-metadata.xml: <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fed-auth-01.hartford.edu/Shibboleth.sso/SAML2/POST" index="1" />
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF50006467ECE89-sp-metadata.xml: <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://fed-auth-01.hartford.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="2" />
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF50006467ECE89-sp-metadata.xml: <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://fed-auth-01.hartford.edu/Shibboleth.sso/SAML2/Artifact" index="3" />
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF50006467ECE89-sp-metadata.xml: <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://fed-auth-01.hartford.edu/Shibboleth.sso/SAML2/ECP" index="4" />
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF50006467ECE89-sp-metadata.xml: <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://fed-auth-01.hartford.edu/Shibboleth.sso/SAML/POST" index="5" />
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF50006467ECE89-sp-metadata.xml: <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://fed-auth-01.hartford.edu/Shibboleth.sso/SAML/Artifact" index="6" />
/opt/shibboleth-idp/sp/shibboleth2.xml: <Site id="1" name="fed-auth-01.hartford.edu" />
/opt/shibboleth-idp/sp/shibboleth2.xml: <Host name="fed-auth-01.hartford.edu">
/opt/shibboleth-idp/sp/shibboleth2.xml: handlerURL="https://fed-auth-01.hartford.edu/Shibboleth.sso" handlerSSL="false"
/opt/shibboleth-idp/sp/shibboleth2.xml: relayState="cookie" entityID="https://fed-auth-01.hartford.edu/idp/shibboleth">
/opt/shibboleth-idp/sp/shibboleth2.xml: <RelyingParty Name="https://fed-auth-01.hartford.edu" keyName="https://fed-auth-01.hartford.edu" />
```

I don't see anything relevant in the idp-process.log files when I have the issues. I did a server reboot this morning and it looks like that is the only thing in that log. The log is linked in this as a video or screenshot link below. Also, the TR is Active.

By Aliaksandr Samuseu staff 10 Nov 2017 at 8:27 a.m. CST

Hi, Ben.

>grep -i -r -e 'fed-auth-01.hartford.edu' /opt/shibboleth-idp/

If I got it right, `fed-auth-01.hartford.edu` is your IdP? You have a problem with a specific SP, `xfinity`, so you should grep for this SP's entityid. Sorry if I wasn't specific enough.

By Ben Granholm user 10 Nov 2017 at 8:29 a.m. CST

```
GLUU.root@fed-auth-01:~# grep -i -r -e 'xoc.sp.comcast.com' /opt/shibboleth-idp/
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 02:46:41,657 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:465] - New metadata successfully loaded for 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 02:46:41,658 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com' will occur on '2017-11-10T13:46:41.437Z' ('2017-11-10T08:46:41.437-05:00' local time)
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 07:59:59,577 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:465] - New metadata successfully loaded for 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 07:59:59,578 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com' will occur on '2017-11-10T18:59:59.363Z' ('2017-11-10T13:59:59.363-05:00' local time)
/opt/shibboleth-idp/conf/metadata-providers.xml: metadataURL="https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com"
/opt/shibboleth-idp/conf/attribute-filter.xml: <PolicyRequirementRule xsi:type="Requester" value="https://xoc.sp.comcast.com" />
/opt/shibboleth-idp/conf/relying-party.xml: <bean parent="RelyingPartyByName" id="7F0C4F7D4CE37831000249524CF5000603AC0256" c:relyingPartyIds="https://xoc.sp.comcast.com">
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF5000603AC0256-sp-metadata.xml:<EntityDescriptor entityID="https://xoc.sp.comcast.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
```

And for reference, their metadata URL is: https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com

By Aliaksandr Samuseu staff 10 Nov 2017 at 8:41 a.m. CST

Thanks, it seems like it appears in all the config files it's expected to be in. But in the log you provided there are no signs of request processing for this SP. Please consider the following:

1. Raise the log's verbosity levels to `DEBUG`
2. Remove the current log file
3. Restart `idp` again, wait for 5 minutes
4. Retry accessing this SP, and in case the issue happens again, retrieve and share the recreated log file with us
5. Set log verbosity back to defaults

Log verbosity is changed in `/opt/shibboleth-idp/conf/logback.xml`. You need to tweak the next clauses:

```
<variable name="idp.loglevel.idp" value="INFO" />
<variable name="idp.loglevel.messages" value="INFO" />
<variable name="idp.loglevel.opensaml" value="INFO" />
<variable name="idp.loglevel.props" value="INFO" />
```
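The two technical steps of the procedure above, as an added example that is not part of this thread nor of the Gluu or Shibboleth projects: flipping the four `idp.loglevel.*` variables in `logback.xml` to `DEBUG` (and back afterwards), then triaging the resulting `idp-process.log` for one SP entityID. The triage separates metadata-resolver lines (the IdP re-fetching the SP's metadata on a timer, whose URL happens to embed the entityID, so a grep matches them) from lines that show a request from that SP actually being processed. The logback fragment, the log lines and the `InitializeRelyingPartyContextFromSAMLPeer` message text are constructed for the example; paths and logger names are assumptions, not taken from a real deployment.

```python
import re
import xml.etree.ElementTree as ET

# The four <variable> entries the reply above says to tweak in
# /opt/shibboleth-idp/conf/logback.xml.
LEVEL_VARS = ("idp.loglevel.idp", "idp.loglevel.messages",
              "idp.loglevel.opensaml", "idp.loglevel.props")

# Constructed stand-in for the relevant part of logback.xml; the ldap entry is
# only there to show that variables outside LEVEL_VARS are left alone.
SAMPLE_LOGBACK = """<configuration>
  <variable name="idp.loglevel.idp" value="INFO" />
  <variable name="idp.loglevel.messages" value="INFO" />
  <variable name="idp.loglevel.opensaml" value="INFO" />
  <variable name="idp.loglevel.props" value="INFO" />
  <variable name="idp.loglevel.ldap" value="WARN" />
</configuration>
"""


def set_loglevels(logback_xml, levels):
    """Steps 1 and 5: rewrite value= of each <variable> named in `levels`.

    Returns (new_xml, previous); calling again with `previous` undoes the
    change, which matters because DEBUG on messages/opensaml writes full
    SAML payloads to disk and should not stay on in production."""
    root = ET.fromstring(logback_xml)
    previous = {}
    for var in root.iter("variable"):
        name = var.get("name")
        if name in levels:
            previous[name] = var.get("value")
            var.set("value", levels[name])
    return ET.tostring(root, encoding="unicode"), previous


# One idp-process.log line; search() rather than match() so the
# "path:" prefix that grep -r adds does not break parsing.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) - (?P<level>\w+) "
    r"\[(?P<logger>[^:\]]+):\d+\] - (?P<msg>.*)$")

# Loggers that fire on the metadata refresh timer whether or not anyone
# ever hits the IdP. Assumed prefix based on the lines posted in the thread.
METADATA_LOGGER_PREFIX = "org.opensaml.saml.metadata.resolver."


def triage(log_text, entity_id):
    """Step 4: split lines mentioning `entity_id` into metadata-refresh noise
    and everything else. Only the latter is evidence that an AuthnRequest
    from that SP reached this IdP."""
    result = {"metadata_refresh": 0, "request_processing": [], "unparsed": 0}
    for line in log_text.splitlines():
        if entity_id not in line:
            continue
        m = LINE_RE.search(line)
        if not m:
            result["unparsed"] += 1
            continue
        if m.group("logger").startswith(METADATA_LOGGER_PREFIX):
            result["metadata_refresh"] += 1
        else:
            result["request_processing"].append(
                (m.group("ts"), m.group("logger"), m.group("msg")))
    return result


def verdict(result):
    """Turn the triage counts into the conclusion drawn in the thread."""
    if result["request_processing"]:
        return "request reached IdP"
    if result["metadata_refresh"]:
        return "only metadata refreshes: no request from this SP reached the IdP"
    return "entityID never appears: check metadata-providers.xml and the TR"


# Constructed sample log: two refresh lines shaped like the ones posted in
# this thread, one made-up request-processing line (the real IdP action's
# message text may differ), and one unrelated line.
SP = "https://xoc.sp.comcast.com"
MD_URL = ("https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp"
          "?entityid=" + SP)
SAMPLE_LOG_LINES = [
    "2017-11-10 09:51:10,506 - INFO [org.opensaml.saml.metadata.resolver.impl."
    "AbstractReloadingMetadataResolver:465] - New metadata successfully loaded "
    "for '" + MD_URL + "'",
    "2017-11-10 09:51:10,506 - INFO [org.opensaml.saml.metadata.resolver.impl."
    "AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata "
    "provider '" + MD_URL + "' will occur on '2017-11-10T20:51:10.284Z'",
    "2017-11-10 09:55:02,118 - DEBUG [net.shibboleth.idp.saml.profile.impl."
    "InitializeRelyingPartyContextFromSAMLPeer:88] - Attaching "
    "RelyingPartyContext for rpID " + SP,
    "2017-11-10 09:55:02,120 - DEBUG [net.shibboleth.idp.authn.impl."
    "SelectAuthenticationFlow:143] - Selecting authentication flow",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    debug_xml, saved = set_loglevels(SAMPLE_LOGBACK, dict.fromkeys(LEVEL_VARS, "DEBUG"))
    r = triage(SAMPLE_LOG, SP)
    print(r["metadata_refresh"], "refresh lines,",
          len(r["request_processing"]), "request lines:", verdict(r))
    print(set_loglevels(debug_xml, saved)[0])
```

Run against the real log, `triage(open("/opt/shibboleth-idp/logs/idp-process.log").read(), "https://xoc.sp.comcast.com")` on a log that only yields the refresh verdict is the same conclusion reached in the thread: the entityID is wired into every config file, yet no AuthnRequest from that SP is arriving at the IdP.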

By Ben Granholm user 10 Nov 2017 at 9:36 a.m. CST

```
GLUU.root@fed-auth-01:/opt/shibboleth-idp/logs# grep -i -r -e 'xoc.sp.comcast.com' /opt/shibboleth-idp/
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,209 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:283] - Beginning refresh of metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,210 - DEBUG [org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver:226] - Attempting to fetch metadata document from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,493 - DEBUG [org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver:344] - Attempting to extract metadata from response to request for metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,495 - DEBUG [org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver:246] - Successfully fetched 6372 bytes of metadata from https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,495 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:290] - Processing new metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,496 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:379] - Unmarshalling metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,500 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:423] - Preprocessing metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,502 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:433] - Releasing cached DOM for metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,503 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:437] - Post-processing metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,505 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:441] - Computing expiration time for metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,505 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:446] - Expiration of metadata from 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com' will occur at 2017-11-10T22:51:10.209Z
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,506 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:465] - New metadata successfully loaded for 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 09:51:10,506 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com' will occur on '2017-11-10T20:51:10.284Z' ('2017-11-10T15:51:10.284-05:00' local time)
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 10:33:03,992 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:465] - New metadata successfully loaded for 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.log:2017-11-10 10:33:03,993 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com' will occur on '2017-11-10T21:33:03.764Z' ('2017-11-10T16:33:03.764-05:00' local time)
/opt/shibboleth-idp/logs/idp-process.old.log:2017-11-10 02:46:41,657 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:465] - New metadata successfully loaded for 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.old.log:2017-11-10 02:46:41,658 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com' will occur on '2017-11-10T13:46:41.437Z' ('2017-11-10T08:46:41.437-05:00' local time)
/opt/shibboleth-idp/logs/idp-process.old.log:2017-11-10 07:59:59,577 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:465] - New metadata successfully loaded for 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com'
/opt/shibboleth-idp/logs/idp-process.old.log:2017-11-10 07:59:59,578 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com' will occur on '2017-11-10T18:59:59.363Z' ('2017-11-10T13:59:59.363-05:00' local time)
/opt/shibboleth-idp/conf/metadata-providers.xml: metadataURL="https://xocsp.ccp.xcal.tv:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://xoc.sp.comcast.com"
/opt/shibboleth-idp/conf/attribute-filter.xml: <PolicyRequirementRule xsi:type="Requester" value="https://xoc.sp.comcast.com" />
/opt/shibboleth-idp/conf/relying-party.xml: <bean parent="RelyingPartyByName" id="7F0C4F7D4CE37831000249524CF5000603AC0256" c:relyingPartyIds="https://xoc.sp.comcast.com">
/opt/shibboleth-idp/metadata/7F0C4F7D4CE37831000249524CF5000603AC0256-sp-metadata.xml:<EntityDescriptor entityID="https://xoc.sp.comcast.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
```

By Ben Granholm user 10 Nov 2017 at 12:05 p.m. CST

Looking at this, I am still not seeing our IDP being accessed. Is it possible there is something wrong with our metadata that is causing this? https://fed-auth-01.hartford.edu/idp/shibboleth

By Aliaksandr Samuseu staff 17 Nov 2017 at 4:44 p.m. CST

It's not necessarily metadata that points an SP to the specific IdP it should use. Each SP may have its own way of specifying it; for example, in addition to providing metadata you may still need to specify some URL to which SAML requests must be sent, etc. But if you can't see signs of a SAML request from this SP in `idp-process.log`, then it's very likely not reaching it. Though it's strange, as in your first post you mentioned this:

>I am getting "HTTP Status 400 - Error processing AuthnRequest. Error retrieving meta data."

What returned this error to you? What URL was in the browser's address bar at that time? I think you need to do a more thorough investigation of what's happening in your network.

By Aliaksandr Samuseu staff 24 Nov 2017 at 9:34 a.m. CST

Hi, Ben. Any updates on this one? Should we still keep it open?