By: Johann Hoermann user 27 Apr 2022 at 1:40 p.m. CDT

2 Responses
Johann Hoermann gravatar
Hello, i try to have fun working thru your book __Schwartz/Machulak: Securing the Perimeter, Apress 2018__. Up to now i am in Chapter 3 SAML on page 87 in paragraph **Configure the Gluu Server Shibboleth IDP** I did setup a Trust Relationship as described in the book, pages 85 and 86. After Update and Activate of the TR in the IDP the log ``` /opt/shibboleth-idp/logs/idp-process.log ``` writes an error every five minutes: ``` ERROR [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:376] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Error occurred while attempting to refresh metadata from '/opt/shibboleth-idp/metadata/493a12d6-b96e-4bad-b9a7-52aebf0f329d-sp-metadata.xml' java.lang.IllegalStateException: ApplicationContext:shibboleth.MetadataResolverService has been closed already ``` Requesting ``` ``` results in ``` This service requires information about you that your identity provider did not release. ``` Restarting shibd at the SP ``` # service shibd restart ``` causes this log entries in ``` /var/log/shibboleth/shibd.log : ``` log entries are at It seems as if my IDP does not release the admin identity to the SP, and this seems to cause an immediate remove of every session at the SP. Can you give me an hint what to configure at the ISP so the admin indentity is released to the SP with SAML? Help is very much appreciated, Johann

By Aliaksandr Samuseu staff 27 Apr 2022 at 3:50 p.m. CDT

Aliaksandr Samuseu gravatar
Hi, Johann. The log you provided doesn't seem to contain any flow-related records, it's just a normal Shib SP start up log. Not sure about the Metadata Resolver error you mentioned, can't recall seeing such recently. I suggest to increase verbosity of the IDP's `idp-process.log` to DEBUG and study it throughly, there should be some answer. It also will contain SAML request and response, so you'll be able to see what your SP needs and what your IDP sends. Here is how set it to DEBUG: [link]( Change it for "idp", "messages" and "opensaml" loggers. Value may be different from the one in the article, like this: ` value="${idp.loglevel.idp:-INFO}"` It's ok, then you need to change just the "INFO" or "WARN" part.

By Johann Hoermann user 29 Apr 2022 at 5:28 a.m. CDT

Johann Hoermann gravatar
In the meantime my Shibboleth SP has *Validation Status Success* at its IDP's Trust Relationship, which makes me glad! Thank you for your help, Johann