By: Miguel Foo user 21 Jun 2017 at 8:37 p.m. CDT

5 Responses
Heya, continuing from this thread I closed earlier https://support.gluu.org/identity-management/4219/applicationgluu-saml-shibboleth-issues/ I'm really stuck at a dead end. I've tried the link that you guys supplied with no luck, and I figure I'll post some metadata to see if perhaps my lack of SAML knowledge is the issue. I get this error in the Shibboleth `idp-process.log` on Gluu. I've set up the SP on Gluu, using the `Single SP` entity type and the URI given to me by the SP. I've also put the `/idp/shibbolet` metadata link in the SP's configuration.

```
INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://myredactedurl.com/moodle/auth/saml2/sp/metadata.php in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
```

Both parties can see each other as far as I can tell, so it's not a network/firewall issue. I can curl from each system to the other's metadata fine.

Here is the metadata from the SP:

```
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://myredactedurl.com/moodle/auth/saml2/sp/metadata.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"
                      AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIID/TCCAuWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBmDEPMA0GA1UEAwwGbW9vZGxlMQswCQYDVQQGEwJBVTEUMBIGA1UEBwwLbW9vZGxldmlsbGUxLzAtBgkqhkiG9w0BCQEWIG5vcmVwbHlAY3BzLWVjcC5kZXYuaW5ub3ZleGEuY29tMQ8wDQYDVQQKDAZtb29kbGUxDzANBgNVBAgMBm1vb2RsZTEPMA0GA1UECwwGbW9vZGxlMB4XDTE3MDYxNDIwNTYzM1oXDTI3MDYxMjIwNTYzM1owgZgxDzANBgNVBAMMBm1vb2RsZTELMAkGA1UEBhMCQVUxFDASBgNVBAcMC21vb2RsZXZpbGxlMS8wLQYJKoZIhvcNAQkBFiBub3JlcGx5QGNwcy1lY3AuZGV2Lmlubm92ZXhhLmNvbTEPMA0GA1UECgwGbW9vZGxlMQ8wDQYDVQQIDAZtb29kbGUxDzANBgNVBAsMBm1vb2RsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANbu4VfKIjc03y86RNrnSiRILkrcmRoulLVTYiDNfdCpIX0MZg2Ts0yPMIAQ9CRA/D91TCYx0JQ4DaH77J8jkb6rm7qkj1ornqEhEmugkFwLuVWL/1QyYPydLDaCbrg1MP4N+sq3jQ1Jfqh0m9EriT6YtSoJZCcnqqwbVCOfjV5wWigSbuED8gBq4etEUkqcBrC7dUzVRdIA6FLdEafjsSGMHZHXJ2k4Szn2D9CN44DPjtba2x69XmCIGcJuoRto4BNaTwQoF/AMUudV7u/BIJSJjvFfq/G4PlAtmLXmbzj8ZHsrKEyMQeSdInVo0J6NE8wuVDYaKmRXb29uqTOPjgkCAwEAAaNQME4wHQYDVR0OBBYEFFsVKVEPcMyPqHWc6lhAf9hhUjrkMB8GA1UdIwQYMBaAFFsVKVEPcMyPqHWc6lhAf9hhUjrkMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBALXbryL3mKrv2uuAIle7edoYnUuuqt9DL1gYE9n86MR4F7vlfSXHSLpKnNIXYNHMYi+E20EznbrIgy5ZBHFNj3bFKkhW7q+BkCu/XSEiedGDTiwqz517BRrX6Bc2EDX1nSuz6e64bZcjNqVcL2FQXMH7pbfm4B+sIDSNNQIRq8pmllFt3IqQzIqtpDctnMa/NCQdd9lQwYsC7tueT2oNGpOpB1W/po8P2+3a4nCMq29/oG/rGeZylkUvbt3Sorzj8xs25Ufet1ueFwXo8e/zCUhorq5ab7yvxZiAAFjOxDp9YkTGpd4OetALJYcTNAl+zvXjU26iiandECuUHw9wjw4=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://myredactedurl.com/moodle/auth/saml2/sp/saml2-logout.php/myredactedurl.com"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://myredactedurl.com/moodle/auth/saml2/sp/saml2-acs.php/myredactedurl.com" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                                 Location="https://myredactedurl.com/moodle/auth/saml2/sp/saml1-acs.php/myredactedurl.com" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                 Location="https://myredactedurl.com/moodle/auth/saml2/sp/saml2-acs.php/myredactedurl.com" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
                                 Location="https://myredactedurl.com/moodle/auth/saml2/sp/saml1-acs.php/myredactedurl.com" index="3"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en"/>
    <md:OrganizationDisplayName xml:lang="en"/>
    <md:OrganizationURL xml:lang="en">https://myredactedurl.com/moodle</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Admin</md:GivenName>
    <md:SurName>User</md:SurName>
    <md:EmailAddress>noreply@myredactedurl.com.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```

Every time I try to test the authentication, I'm presented with this:

![Not registered with this service](https://i.imgur.com/5WjqXJ1.png "Not registered with this service")

Configuration seems to be okay on Gluu:

![Gluu trust](https://i.imgur.com/XuAzMM3.png "gluu trust")

By Mohib Zico Account Admin 22 Jun 2017 at 1:40 a.m. CDT

Can you please check if your Moodle metadata is loaded in the Gluu server? Location: `/opt/shibboleth-idp/metadata/`

By Miguel Foo user 22 Jun 2017 at 6:23 a.m. CDT

Just checked and yes, the metadata is there. Ran diff just to make sure they're the same.

```
.
├── 037F7407DCC3D36D00024ED7BB4C000610DB9C3D-sp-metadata.xml <= this one is the SP
├── 037F7407DCC3D36D00024ED7BB4C000644287551-sp-metadata.xml
└── idp-metadata.xml
```

I have a `SAML tracer plugin` for my browser and here is the assertion that `POST`ed to Gluu that causes the error:

```
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_2b1e3cab3200733f5a20b763f37b92e754a5ff1432"
                    Version="2.0"
                    IssueInstant="2017-06-22T11:18:58Z"
                    Destination="https://auth.myredactedurl.com/idp/profile/SAML2/POST/SSO"
                    AssertionConsumerServiceURL="https://myredactedurl.com/moodle/auth/saml2/sp/saml2-acs.php/myredactedurl.com"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://myredactedurl.com/moodle/auth/saml2/sp/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_2b1e3cab3200733f5a20b763f37b92e754a5ff1432">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>HVHqG+kVDsb+zj4VdA79b8jdaCvvOpg0qyAbaFyi3Pc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>WIXRlnJkq2PsqmBFNIAdLZUx2SnrC+5OFrIgpGOMCfEFINoTjpoELiVHAEcEbAVi4ZO12hAOLDAtfEJRnu1efIuWN0rJ5x71l5tkjsJAKj32ahMWz3gO88x23x8v5PW6EG6saMaO5gmszIQVY8NOlo92plS7f3f7149DmWYnEnXwRIgVnpFNI0QEFW9RQqcgNi5/eUZXi22dnoPxRtnrX4xAjYIZsgxFAuVP6NloxQIM0I8DUqd1FstU5n3atkjsyhZ9KmWEHkMU2dk/GiKIPgz7ujYdwtD4KWD77Mus44KgI2kv404ihYN3sVGME11BRedIg5ks6Rm4VaN24h+pfA==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>
```
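The "No metadata returned for ... in role SPSSODescriptor with protocol ..." message in the thread names the three keys Shibboleth's metadata lookup resolves: the request's Issuer as an entityID, the SPSSODescriptor role, and the SAML 2.0 protocol. The script below is an added example, not code from the thread or from Gluu, that applies those same three checks (plus an AssertionConsumerService match) to a metadata file and a captured AuthnRequest so that a mismatch can be found offline. The `sp.example.org` and `idp.example.org` URLs and the metadata/request samples are constructed for the example; the real redacted values from the thread are not used.

```python
"""Re-run the IdP's SP metadata lookup keys offline (added example, not Gluu code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def check_request_against_metadata(metadata_xml: str, authn_request_xml: str) -> list:
    """Return a list of mismatches; an empty list means the IdP lookup would succeed."""
    problems = []
    md_root = ET.fromstring(metadata_xml)
    req_root = ET.fromstring(authn_request_xml)

    # Key 1: the Issuer must equal the metadata entityID exactly (scheme, host, path, trailing slash)
    issuer_el = req_root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    entity_id = md_root.get("entityID", "")
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} does not match metadata entityID {entity_id!r}")

    # Key 2: the SP role must exist in the metadata
    sp = md_root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems.append("metadata has no SPSSODescriptor role")
        return problems

    # Key 3: the role must declare the SAML 2.0 protocol
    protocols = sp.get("protocolSupportEnumeration", "").split()
    if SAML2_PROTOCOL not in protocols:
        problems.append("SPSSODescriptor does not list SAML 2.0 in protocolSupportEnumeration")

    # Extra: the ACS URL and binding in the request must be a registered endpoint,
    # otherwise the IdP refuses to send the response there
    acs_url = req_root.get("AssertionConsumerServiceURL")
    binding = req_root.get("ProtocolBinding")
    if acs_url:
        endpoints = {(a.get("Binding"), a.get("Location"))
                     for a in sp.findall("md:AssertionConsumerService", NS)}
        if (binding, acs_url) not in endpoints:
            problems.append(f"ACS {acs_url!r} with binding {binding!r} is not an AssertionConsumerService in metadata")
    return problems


# Constructed sample SP metadata (certificates omitted); not the thread's redacted metadata.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/moodle/auth/saml2/sp/metadata.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/moodle/auth/saml2/sp/saml2-acs.php/sp.example.org" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample AuthnRequest (signature omitted) with the same shape as the one captured in the thread.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed0001" Version="2.0" IssueInstant="2017-06-22T11:18:58Z"
    Destination="https://idp.example.org/idp/profile/SAML2/POST/SSO"
    AssertionConsumerServiceURL="https://sp.example.org/moodle/auth/saml2/sp/saml2-acs.php/sp.example.org"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.org/moodle/auth/saml2/sp/metadata.php</saml:Issuer>
</samlp:AuthnRequest>
"""

if __name__ == "__main__":
    print("matching pair:", check_request_against_metadata(SAMPLE_METADATA, SAMPLE_REQUEST))
    # Simulate the most common cause of the lookup failure: an entityID that differs from the Issuer
    wrong_entity = SAMPLE_METADATA.replace('entityID="https://sp.example.org',
                                           'entityID="https://other.example.org')
    print("entityID mismatch:", check_request_against_metadata(wrong_entity, SAMPLE_REQUEST))
```

Run it against the real files by reading the `*-sp-metadata.xml` from `/opt/shibboleth-idp/metadata/` and the decoded request from the SAML tracer; an empty result means the three lookup keys line up and, as in the thread, the cause lies elsewhere (here the oxTrust issue Miguel found later).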

By Miguel Foo user 22 Jun 2017 at 6:40 a.m. CDT

I turned on Debug logging for the Shibboleth `idp-process` and got a bit more info, but nothing that's meaningful for me.

```
2017-06-22 11:33:30,263 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:154] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler' on INBOUND message context
2017-06-22 11:33:30,266 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2017-06-22 11:33:30,266 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:154] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml1.binding.impl.SAML1ArtifactRequestIssuerHandler' on INBOUND message context
2017-06-22 11:33:30,266 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2017-06-22 11:33:30,267 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:154] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler' on INBOUND message context
2017-06-22 11:33:30,267 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2017-06-22 11:33:30,268 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:154] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler' on INBOUND message context
2017-06-22 11:33:30,268 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2017-06-22 11:33:30,268 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://myredactedurl.com/moodle/auth/saml2/sp/metadata.php in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-06-22 11:33:30,268 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:154] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2017-06-22 11:33:30,269 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2017-06-22 11:33:30,269 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://myredactedurl.com/moodle/auth/saml2/sp/metadata.php
2017-06-22 11:33:30,271 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
2017-06-22 11:33:30,271 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:299] - Profile request is unverified, returning configuration shibboleth.UnverifiedRelyingParty
2017-06-22 11:33:30,271 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.UnverifiedRelyingParty for request
2017-06-22 11:33:30,272 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-06-22 11:33:30,277 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
```
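The debug trace above shows the sequence worth alerting on in an IdP log: a `No metadata returned` lookup failure, the fallback to `shibboleth.UnverifiedRelyingParty`, and the resulting `InvalidProfileConfiguration` event. The script below is an added example, not code from the thread or from Gluu/Shibboleth, that parses `idp-process.log` entries in the layout shown above and groups the failed lookups by entityID, so an operator can see which SP integrations are misconfigured (or, as here, not yet activated) rather than reading the trace by hand. The sample log lines embedded in it are constructed for the example and use `sp.example.org` in place of the thread's redacted host.

```python
"""Summarise failed SP metadata lookups from Shibboleth idp-process.log (added example)."""
import re
from collections import Counter

# Entry layout as quoted in the thread: "<date> <time>,<ms> - <LEVEL> [<logger>:<line>] - <message>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]:]+):\d+\] - (?P<msg>.*)$"
)
# SAMLMetadataLookupHandler's failure message names the three lookup keys
NO_METADATA_RE = re.compile(
    r"No metadata returned for (?P<entity>\S+) in role \{[^}]*\}(?P<role>\S+) with protocol (?P<protocol>\S+)"
)
UNVERIFIED = "shibboleth.UnverifiedRelyingParty"


def parse_entry(line):
    """Split one log line into its fields, or return None for lines that are not log entries."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_metadata_failures(lines):
    """Return (failed_lookups, unverified_fallbacks, profile_errors).

    failed_lookups: Counter keyed by (entityID, role, protocol) of 'No metadata returned' events
    unverified_fallbacks: number of requests routed to shibboleth.UnverifiedRelyingParty
    profile_errors: number of InvalidProfileConfiguration error events
    """
    failed = Counter()
    unverified = 0
    errors = 0
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        msg = entry["msg"]
        m = NO_METADATA_RE.search(msg)
        if m:
            failed[(m["entity"], m["role"], m["protocol"])] += 1
        elif UNVERIFIED in msg and "returning configuration" in msg:
            unverified += 1
        elif "InvalidProfileConfiguration" in msg:
            errors += 1
    return failed, unverified, errors


# Constructed sample entries mirroring the shape of the trace in the thread (host replaced).
SAMPLE_LOG = """\
2017-06-22 11:33:30,268 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://sp.example.org/moodle/auth/saml2/sp/metadata.php in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-06-22 11:33:30,271 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:299] - Profile request is unverified, returning configuration shibboleth.UnverifiedRelyingParty
2017-06-22 11:33:30,272 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-06-22 11:33:30,277 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
2017-06-22 11:35:02,010 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://sp.example.org/moodle/auth/saml2/sp/metadata.php in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-06-22 11:36:00,000 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.UnverifiedRelyingParty for request
"""

if __name__ == "__main__":
    failed, unverified, errors = summarize_metadata_failures(SAMPLE_LOG.splitlines())
    for (entity, role, protocol), n in failed.most_common():
        print(f"{n} failed lookup(s): {entity} as {role} / {protocol}")
    print(f"unverified relying party fallbacks: {unverified}, profile errors: {errors}")
```

Pointing this at the real `/opt/shibboleth-idp/logs/idp-process.log` gives a per-entityID count; an entityID that keeps appearing after its metadata file exists in `/opt/shibboleth-idp/metadata/` is the signal that the trust relationship was never activated on the Gluu side, which is what the race condition in this thread turned out to be.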

By Miguel Foo user 22 Jun 2017 at 3:40 p.m. CDT

Found the issue! [https://github.com/GluuFederation/oxTrust/issues/490](https://github.com/GluuFederation/oxTrust/issues/490) Version `3.0.2` is supposed to fix it; I will be updating tonight to see if it gets fixed. Seems to be a race condition in oxTrust. If you choose "configure relying party" (even if you're not going to configure the relying party), it works 100%.

By Mohib Zico Account Admin 23 Jun 2017 at 7:46 a.m. CDT

Great, Miguel!