By: Conan Malone user 08 Feb 2017 at 5:43 a.m. CST

13 Responses
Recently upgraded to gluu-server-3.0.0 and have tried to reconfigure our shibboleth SP to work, used to work before but now we get the error

```
ERROR XMLTooling.ParserPool : error on line 97, column 24, message: element 'SingleLogoutService' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*,ArtifactResolutionService*,SingleLogoutService*,ManageNameIDService*,NameIDFormat*,SingleSignOnService+,NameIDMappingService*,AssertionIDRequestService*,AttributeProfile*,Attribute*)'
ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://gluu.domain/idp/shibboleth): XML error(s) during parsing, check log for specifics
```

Has something changed in the upgrade?

By Aliaksandr Samuseu staff 08 Feb 2017 at 5:50 a.m. CST

Hi, Conan. Gluu CE 3.0 now uses Shibboleth IdPv3, which changes a lot of things internally. The Single Logout SAML profile has always been a tricky thing to approach; I don't think we really supported it before in Gluu. If you don't need it for your setup, maybe you could try to remove all its definitions from the SP's metadata and try it this way?

By Conan Malone user 08 Feb 2017 at 6:40 a.m. CST

The Shibboleth SP is trying to parse the metadata supplied from the Gluu Shibboleth IDP at /idp/shibboleth and is failing, as the metadata on Gluu's side has the SingleLogoutService within. Wouldn't it still show this error if I removed the SingleLogout definitions from the SP's metadata? What would be the best approach if I were wanting some form of single logout?

By Aliaksandr Samuseu staff 08 Feb 2017 at 6:45 a.m. CST

> What would be the best approach if I were wanting some form of single logout?

Now I see, I thought it was the opposite.

> What would be the best approach if I were wanting some form of single logout?

Perhaps it would be to upgrade to the latest Shibboleth SP version? It seems like the one you are using may expect a different metadata layout. What version of SP do you use at the moment?

By Conan Malone user 08 Feb 2017 at 6:53 a.m. CST

Currently using version 2.6.0 which I believe may be the newest stable version.

By Aliaksandr Samuseu staff 08 Feb 2017 at 6:59 a.m. CST

Yes, it is, indeed. I'm about to give the Shibboleth SP CentOS7 package a try for compatibility myself; I'll keep you updated on the results. Meanwhile, may I ask you to share some details of your setup? Metadata of both IdP and SP, any errors and warnings in any logs that appear to you to be related to the issue, etc.

By Aliaksandr Samuseu staff 08 Feb 2017 at 7:05 a.m. CST

At Gluu's side, you should check the following log directories:

- `/opt/gluu/jetty/idp/logs/` - mostly related to the app's loading phase
- `/opt/shibboleth-idp/logs/` - those are operational logs
- `/opt/gluu/jetty/identity/logs/` - check `wrapper.log` and `oxtrust.log`, especially when you'll be re-creating the TR in question; some errors may pop up too.

You may see **"failed to send email notification"** kind of errors; those can be ignored.

By Conan Malone user 08 Feb 2017 at 7:30 a.m. CST

The only errors from any of these logs are from the last logs you listed

```
ERROR [qtp2008017533-16] [org.gluu.oxtrust.ldap.service.Shibboleth3ConfService] (Shibboleth3ConfService.java:935) - Failed to read metadata file '/opt/shibboleth-idp/metadata/1C4638AED077C1500002FA7B661F0006E041972B-sp-metadata.xml'
ERROR [pool-2-thread-1] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:214) - Can not download ssl certificate
```

I will post my metadata from IDP and SP below

By Conan Malone user 08 Feb 2017 at 7:31 a.m. CST

Metadata validation log within Gluu TR shows

```
schema_reference.4: Failed to read schema document 'http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>
```

By Conan Malone user 08 Feb 2017 at 7:33 a.m. CST

SP

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_0c6c6377f7619cc10cb702eb96638fb2bb2f7b04" entityID="https://shibboleth.sp/">
  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://shibboleth.sp/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://shibboleth.sp/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>xxxxxx</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>emailAddress=xxxxx@xxxx,CN=xxxxxxx.xxxx,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xxxx</ds:X509SubjectName>
          <ds:X509Certificate> xxxxxxxxxxxxxxxxxxx </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shibboleth.sp/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shibboleth.sp/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shibboleth.sp/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibboleth.sp/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://shibboleth.sp/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibboleth.sp/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shibboleth.sp/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://shibboleth.sp/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://shibboleth.sp/Shibboleth.sso/SAML2/ECP" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://shibboleth.sp/Shibboleth.sso/SAML/POST" index="5"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://shibboleth.sp/Shibboleth.sso/SAML/Artifact" index="6"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

IDP

```xml
<EntityDescriptor entityID="https://gluu.idp/idp/shibboleth">
  <IDPSSODescriptor errorURL="https://gluu.idp/identity/feedback.htm" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">gluu.idp</shibmd:Scope>
    </Extensions>
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> xxxxxxxxxxxxxxxxxxxxxxxxxx </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> xxxxxxxxxxxxxxxxxxxxxxxxx </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://gluu.idp:9443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" Location="https://gluu.idp/idp/profile/SAML2/Unsolicited/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gluu.idp/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://gluu.idp/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gluu.idp/idp/profile/SAML2/Redirect/SSO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gluu.idp/idp/profile/SAML2/Redirect/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gluu.idp/idp/profile/SAML2/POST/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://gluu.idp/idp/profile/SAML2/POST-SimpleSign/SLO"/>
    <!-- <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://gluu.idp:8443/idp/profile/SAML2/SOAP/SLO"/> -->
  </IDPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Our Org</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Our Org</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">https://gluu.idp</OrganizationURL>
  </Organization>
</EntityDescriptor>
```

By Aliaksandr Samuseu staff 09 Feb 2017 at 12:36 p.m. CST

Hi, Conan. That's strange, I'm also using Shib SP v2.6, and I don't see any problems **at SP's side**. It seems to digest the IdP's metadata, and when I try to initiate the login flow, it sends me back to the IdP (Gluu CE 3.0); that's when [another issue](https://github.com/GluuFederation/oxShibboleth/issues/23#issuecomment-278262372) happens (which is already being attended to by our dev team), but that doesn't seem like your case. What output does `# shibd -v` give at your SP machine?

By Conan Malone user 13 Feb 2017 at 2:14 a.m. CST

Output of shibd -v is 'shibboleth 2.6.0'

By Conan Malone user 13 Feb 2017 at 4:04 a.m. CST

Note if I grab the metadata from Gluu at gluu.idp/idp/shibboleth and put it into a local file on my Shibboleth SP and remove the lines

```xml
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gluu.idp/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gluu.idp/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://gluu.idp/idp/profile/SAML2/POST-SimpleSign/SLO"/>
<!-- <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://gluu.idp:8443/idp/profile/SAML2/SOAP/SLO"/> -->
```

this gives no errors on the SP side. If I create a TR it still fails though; thinking this might be the same issue as you mentioned there.
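The XMLTooling error at the top of the thread prints the schema content model as an ordered sequence (`...ArtifactResolutionService*, SingleLogoutService*, ..., NameIDFormat*, SingleSignOnService+, ...`), while in the IdP metadata posted above the `SingleLogoutService` elements come after `SingleSignOnService`; a schema-validating parser rejects that ordering, which is why deleting those lines makes the error go away. The following check, an added example and not Gluu or Shibboleth code, flags out-of-order children of an `IDPSSODescriptor` and produces a reordered copy; the sample metadata is constructed and modelled on the thread's IdP metadata.

```python
"""Check IDPSSODescriptor child ordering against the SAML 2.0 metadata schema
sequence quoted in the XMLTooling parser error (added example, not Gluu code)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Ordered xs:sequence of IDPSSODescriptorType, exactly as listed in the error.
IDP_SEQUENCE = [
    "Signature", "Extensions", "KeyDescriptor", "Organization", "ContactPerson",
    "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
    "NameIDFormat", "SingleSignOnService", "NameIDMappingService",
    "AssertionIDRequestService", "AttributeProfile", "Attribute",
]
RANK = {name: i for i, name in enumerate(IDP_SEQUENCE)}

# Constructed sample: SingleLogoutService placed after SingleSignOnService,
# the same ordering as the IdP metadata posted in this thread.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://gluu.idp/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gluu.idp/idp/profile/SAML2/POST/SSO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gluu.idp/idp/profile/SAML2/POST/SLO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def ordering_violations(xml_text):
    """Return (element, earlier sibling) pairs where an IDPSSODescriptor child
    appears after a sibling that the schema sequence places later than it."""
    root = ET.fromstring(xml_text)
    problems = []
    for role in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        seen_rank, seen_name = -1, None
        for child in role:
            name = local(child.tag)
            if name not in RANK:      # element outside the known sequence: skip
                continue
            if RANK[name] < seen_rank:
                problems.append((name, seen_name))
            else:
                seen_rank, seen_name = RANK[name], name
    return problems

def reorder_idp_descriptor(xml_text):
    """Return the metadata with IDPSSODescriptor children stably sorted into
    schema order, leaving the relative order of same-named elements intact."""
    ET.register_namespace("", MD)
    root = ET.fromstring(xml_text)
    for role in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        children = list(role)
        for c in children:
            role.remove(c)
        for c in sorted(children, key=lambda c: RANK.get(local(c.tag), len(RANK))):
            role.append(c)
    return ET.tostring(root, encoding="unicode")
```

Reordering only fixes the sequence violation; it does not change which SLO endpoints the IdP advertises, so whether single logout actually works still depends on the IdP and SP both supporting the profile.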

By Alejandro Calderon user 27 May 2020 at 8:19 p.m. CDT

I got the same error after I upgraded my Gluu version from version 3.1.5 to version 4.1. My current version of Shibboleth is shibboleth 2.5.3. Do you have any idea of what the problem could be? Is there any way to update my shibboleth version?