Metadata backing store does not contain any EntityDescriptors with the ID: ERROR

By: Andreas Elstner user 20 Jun 2018 at 4:44 a.m. CDT

5 Responses
Andreas Elstner gravatar
Hallo, we do have a Problem with SAML authentication for out Gluu 3.1.2. We habe two Applications running SAML to authenticate to our gluu. One of them is working fine, the other one is not running because of this Error I can see in the shibboleth idp-process.log: > 2018-06-20 08:48:02,091 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:93] - Decoded RelayState: null > 2018-06-20 08:48:02,091 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:125] - Base64 decoding and inflating SAML message > 2018-06-20 08:48:02,092 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:108] - Decoded SAML message > 2018-06-20 08:48:02,092 - DEBUG [PROTOCOL_MESSAGE:127] - > <?xml version="1.0" encoding="UTF-8"?> > <samlp:AuthnRequest > AssertionConsumerServiceURL="https://issuer.eu/saml/acs" > Destination="https://our.gluu.de/idp/profile/SAML2/Redirect/SSO" > ID="_f8986929-ae77-43cf-a890-3525037758cf" > IssueInstant="2018-06-20T08:48:02Z" Version="2.0" > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> > <saml:Issuer>https://issuer.eu/saml/metadata</saml:Issuer> > <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/> > </samlp:AuthnRequest> > > 2018-06-20 08:48:02,093 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler' on INBOUND message context > 2018-06-20 08:48:02,093 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' > 2018-06-20 08:48:02,093 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml1.binding.impl.SAML1ArtifactRequestIssuerHandler' on INBOUND message context > 2018-06-20 08:48:02,093 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' > 2018-06-20 08:48:02,094 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler' on INBOUND message context > 2018-06-20 08:48:02,094 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' > 2018-06-20 08:48:02,094 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler' on INBOUND message context > 2018-06-20 08:48:02,094 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' > 2018-06-20 08:48:02,094 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:434] - Metadata Resolver FilesystemMetadataResolver SiteSP4: Metadata backing store does not contain any EntityDescriptors with the ID: https://issuer.eu/saml/metadata > 2018-06-20 08:48:02,095 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:161] - Metadata Resolver FilesystemMetadataResolver SiteSP4: Resolved 0 candidates via EntityIdCriterion: EntityIdCriterion [id=https://issuer.eu/saml/metadata] > 2018-06-20 08:48:02,095 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:586] - Metadata Resolver FilesystemMetadataResolver SiteSP4: Candidates iteration was empty, nothing to filter via predicates > 2018-06-20 08:48:02,095 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:260] - Resolved no EntityDescriptors via underlying MetadataResolver, returning empty collection > 2018-06-20 08:48:02,095 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://issuer.eu/saml/metadata in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol > 2018-06-20 08:48:02,095 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context > 2018-06-20 08:48:02,095 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl' > 2018-06-20 08:48:02,096 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:110] - Message Handler: No metadata context found, nothing to do > 2018-06-20 08:48:02,096 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://issuer.eu/saml/metadata > 2018-06-20 08:48:02,096 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration > 2018-06-20 08:48:02,096 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:299] - Profile request is unverified, returning configuration shibboleth.UnverifiedRelyingParty > 2018-06-20 08:48:02,096 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.UnverifiedRelyingParty for request > 2018-06-20 08:48:02,096 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID https://issuer.eu/saml/metadata) > 2018-06-20 08:48:02,097 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration > 2018-06-20 08:48:02,097 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:154] - No SAMLBindingContext or binding URI available, error must be handled locally If I fgrep the entityID in metadata Folder I find the right xml-File so I can't imagine why shibboleth isn't able to find it. The SP-Metadata for this Trust we get from the SP via URI. I Have testet to download the sp-metadata and provide it to the trust per File but it occures the same issue. Here also the Head of the provided sp-metadata: > > <?xml version="1.0" encoding="UTF-8"?> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_12680670-4832-4dd9-9416-9ff4942e945d" entityID="https://issuer.eu/saml/metadata"> > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> > <ds:SignedInfo> > <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> > <ds:Reference URI="#_12680670-4832-4dd9-9416-9ff4942e945d"> > <ds:Transforms> > <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> > <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi md"/> > </ds:Transform> > </ds:Transforms> Some Idea`s why the idp isn`t able to find and resolve the correct metadata ? Thank you
Ubuntu 16.04
closed

Answers

By Sahil Arora user 20 Jun 2018 at 5:35 p.m. CDT

Copy
Sahil Arora gravatar
Hi Andreas Can you please share the content of 'metadata-provider.xml' file under /opt/shibboleth-idp/conf/ ? Are you able to connect to Metadata host from the Gluu server?

By Andreas Elstner user 21 Jun 2018 at 5:37 a.m. CDT

Copy
Andreas Elstner gravatar
Hi Sahil, meanwhile I was able to fix the Problem. It was the metadata-provider.xml you requestet for. In this file there was no entry for the Trust that failed. Is this file not updated automatically if I save the configuration of the Trust Relationship ? Yes we have access to the sp-metadata.xml via HTTP - Link and gluu has saved the metadata provided there in /opt/shibboleth-idp/metadata . The File saved there by gluu was not written to the metadata-providers.xml. Any idea why gluu dont write to the metadata-providers.xml at this point ?

By Mohib Zico Account Admin 27 Jun 2018 at 5:20 a.m. CDT

Copy
Mohib Zico gravatar
Andreas, You still facing issues?

By Andreas Elstner user 02 Jul 2018 at 2:05 a.m. CDT

Copy
Andreas Elstner gravatar
Hallo Mohib, yes we are still facing issues if we restart Gluu. After restarting Gluu the metadata-providers.xml not contains all metadata-files needed for the activated Trusts. If I change the file manualy it works fine, after restart of gluu the changes are removed.

By Mohib Zico Account Admin 11 Jul 2018 at 3:18 a.m. CDT

Copy
Mohib Zico gravatar
Andreas, Can you please share your metadata-providers.xml.vm ?

Post an answer