By: Johann Hoermann user 27 Apr 2022 at midnight CDT

2 Responses
Hello, I try to have fun working through your book __Schwartz/Machulak: Securing the Perimeter, Apress 2018__. Up to now I am in Chapter 3 SAML, on page 82, paragraph **Configure the Shibboleth SP**. In the unsorted list the first point wants me to change

> __entityID__ ... should match the value ... in your SP metadata

in the file `/etc/shibboleth/shibboleth2.xml` on my SP server. In `/etc/shibboleth/example-shibboleth2.xml` I can find an __entityID__ example with description here:

```
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
Resource requests are mapped by the RequestMapper to an applicationId that
points into to this section (or to the defaults here).
-->
<ApplicationDefaults entityID=""
```

The __entityID__ of my __shib-metagen__-generated SP metadata file *squid-metadata.xml* is `entityID="`. So I am replacing with . What confuses me is the folder shibboleth in the URL, because such a folder does not exist in the *DocumentRoot* of the SP's apache2 server. The steps in the book on page 79 created the folders `/var/www/html/sp` and `/var/www/protected`, but there is no folder `/var/www/html/shibboleth`. So what should the correct __entityID__ in *ApplicationDefaults* be, according to the book and its steps? Or is __entityID__ just a name, not related to existing folders?

Anyway, I continued with the __entityID__ `entityID="` in the `<ApplicationDefaults>` section. Next I set the entityID of my __IDP__ in the __SessionInitiator__ element. Restarting the shibd service

```
# service shibd restart
Restarting Shibboleth 3 daemon: shibd.
```

the log file */var/log/shibboleth/shibd_warn.log* mentions

```
WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
```

With _MetadataProvider_ I found these entries in the shibboleth2.xml:

```xml
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
-->

<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" validate="true"
    url="" backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
        attributeName="" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        attributeValue="" />
</MetadataProvider>
-->

<!-- Example of remotely supplied "on-demand" signed metadata. -->
<!--
<MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
    baseUrl="" ignoreTransport="true">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
</MetadataProvider>
-->
```

I have no idea how to adjust the settings here to get rid of the warning `no MetadataProvider available`, and DuckDuckGo could not help me out for three days now ... Can it be handled in the `locally maintained metadata` section? If yes, what content does the _partner-metadata.xml_ file need? Help is very much appreciated here, Johann

By Johann Hoermann user 27 Apr 2022 at 2:24 a.m. CDT

I got rid of the `no MetadataProvider available` message. I copied the _/opt/shibboleth-idp/metadata/idp-metadata.xml_ file from the IDP into the SP's /etc/shibboleth/ folder, and commented out the locally maintained MetadataProvider, pointing to the idp-metadata.xml file.

```
# service shibd restart
Restarting Shibboleth 3 daemon: shibd.
```

now does not trigger any WARN or ERR entries in the log file */var/log/shibboleth/shibd_warn.log*. Now I can continue on page 85 *Configure the Gluu Server Shibboleth IDP* :-) Johann
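
An added consistency check for the two points raised in this thread; it is not part of the thread, the book, or the Shibboleth project. The SAML `entityID` is an opaque URI: it only has to be identical in `ApplicationDefaults` and in the SP metadata handed to the IdP, and nothing needs to exist at that path under the web server's DocumentRoot. Separately, `shibd` needs at least one `MetadataProvider` that actually loads the IdP's metadata, and the IdP `entityID` named in the `SSO` (or older `SessionInitiator`) element must appear in that metadata. The script below parses a `shibboleth2.xml` together with SP and IdP metadata and reports mismatches; the XML documents and the `sp.example.org` / `idp.example.org` entityIDs are constructed samples with hypothetical hostnames.

```python
"""Check that a Shibboleth SP's shibboleth2.xml agrees with its own metadata and
with the IdP metadata it loads. Added example; sample XML below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "conf": "urn:mace:shibboleth:3.0:native:sp:config",   # Shibboleth SP 3 config namespace
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",         # SAML 2.0 metadata namespace
}


def entity_ids_in_metadata(metadata_xml: str, role: str) -> set:
    """entityIDs of all EntityDescriptors carrying the given role descriptor
    ('IDPSSODescriptor' or 'SPSSODescriptor'); handles a single descriptor or an
    EntitiesDescriptor aggregate."""
    root = ET.fromstring(metadata_xml)
    descriptors = [root] if root.tag == f"{{{NS['md']}}}EntityDescriptor" else []
    descriptors += root.findall(".//md:EntityDescriptor", NS)
    return {d.get("entityID") for d in descriptors if d.find(f"md:{role}", NS) is not None}


def check_sp_config(shib_xml: str, sp_metadata_xml: str, idp_metadata_xml: str) -> list:
    """Return a list of problems; an empty list means the three documents agree."""
    problems = []
    app = ET.fromstring(shib_xml).find("conf:ApplicationDefaults", NS)
    if app is None:
        return ["no ApplicationDefaults element in shibboleth2.xml"]

    # 1. SP entityID must match what shib-metagen put into the SP metadata.
    sp_entity = app.get("entityID", "")
    sp_ids = entity_ids_in_metadata(sp_metadata_xml, "SPSSODescriptor")
    if sp_entity not in sp_ids:
        problems.append(f"ApplicationDefaults entityID {sp_entity!r} not in SP metadata {sorted(sp_ids)}")

    # 2. Which IdP the SP sends users to: <SSO entityID=...> in SP 3, <SessionInitiator> in older configs.
    initiators = app.findall(".//conf:SSO", NS) + app.findall(".//conf:SessionInitiator", NS)
    idp_refs = {e.get("entityID") for e in initiators if e.get("entityID")}
    if not idp_refs:
        problems.append("no SSO/SessionInitiator element names an IdP entityID")

    # 3. At least one MetadataProvider must be active (XML comments are ignored by the parser,
    #    exactly as shibd ignores them), and an XML provider needs a path or url.
    providers = app.findall(".//conf:MetadataProvider", NS)
    if not providers:
        problems.append("no MetadataProvider configured (shibd warns: no MetadataProvider available)")
    for p in providers:
        if p.get("type") == "XML" and not (p.get("path") or p.get("url")):
            problems.append("MetadataProvider type=XML has neither path nor url")

    # 4. The referenced IdP must actually be described in the loaded metadata.
    idp_ids = entity_ids_in_metadata(idp_metadata_xml, "IDPSSODescriptor")
    for ref in idp_refs:
        if ref not in idp_ids:
            problems.append(f"IdP entityID {ref!r} not found in loaded metadata {sorted(idp_ids)}")
    return problems


# Constructed sample: a working shibboleth2.xml with the local provider enabled.
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: the same config with the provider still commented out,
# which is the state that produces the shibd warning.
BROKEN_SHIBBOLETH2_XML = SHIBBOLETH2_XML.replace(
    '<MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>',
    '<!-- <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/> -->')

# Constructed samples standing in for shib-metagen output and /opt/shibboleth-idp/metadata/idp-metadata.xml.
SP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

IDP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, cfg in (("working", SHIBBOLETH2_XML), ("broken", BROKEN_SHIBBOLETH2_XML)):
        print(name, check_sp_config(cfg, SP_METADATA_XML, IDP_METADATA_XML) or "OK")
```

To run it against a real installation, read `/etc/shibboleth/shibboleth2.xml`, the shib-metagen output and the copied `idp-metadata.xml` from disk and pass their contents in place of the constructed strings; the check deliberately does not validate signatures or `validUntil`, which is what the commented-out `MetadataFilter` elements in the example config add on top.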

By Aliaksandr Samuseu staff 27 Apr 2022 at 3:54 p.m. CDT

Hi, Johann. I'm glad you figured it out. Just to be clear: community support normally doesn't cover configuring third-party components, unfortunately. In case of further issues with Shib SP your best chance is Shibboleth doc portal and related communities.