Unable to locate metadata for identity provider

single-sign-on saml saml-2.0 shibboleth opensaml
Vsevolod picture Vsevolod · Jun 17, 2014 · Viewed 8.1k times · Source

I'm trying to configure both Shibboleth service provider and identity provider on localhost for testing purposes.

The problem is that I'm getting "unable to locate metadata for identity provider" error when trying to access a protected resource.

I've already read all tutorials and discussions that are related to software configuration and this particular error fixing, but nothing works for me.

shibboleth2.xml config for SP:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">

<InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="1" name="localhost" />
    </ISAPI>
</InProcess>

<TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1" />

<StorageService type="Memory" id="mem" cleanupInterval="900" /> 
<SessionCache type="StorageService" StorageService="mem" cacheAssertions="false" cacheAllowance="900" inprocTimeout="900" cleanupInterval="900" /> 
<ReplayCache StorageService="mem" /> 
<ArtifactMap artifactTTL="180" /> 

<RequestMapper type="Native">
    <RequestMap>
        <Host name="localhost">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>

<ApplicationDefaults  id="default" policyId="default"
    entityID="http://localhost/secure"
    homeURL="http://localhost/secure"
    signing="false" encryption="false"
    REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerURL="/Shibboleth.sso"
              checkAddress="false" handlerSSL="false" cookieProps="http">
        <SSO entityID="https://bios-hp/idp/shibboleth">
          SAML2 SAML1
        </SSO>

        <Logout>SAML2 Local</Logout>

        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

        <md:AssertionConsumerService Location="/SAML2/POST" index="1"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
        <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
        <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
        <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
        <md:AssertionConsumerService Location="/SAML/POST" index="5"
            Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
        <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
            Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

        <LogoutInitiator type="Local" Location="/SLO/Logout"/>

        <md:SingleLogoutService Location="/SLO/SOAP"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
        <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
        <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
        <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

        <md:ManageNameIDService Location="/NIM/SOAP"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
        <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
        <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
        <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

        <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    </Sessions>

    <Errors supportContact="root@localhost"
        helpLocation="/about.html"
        styleSheet="/shibboleth-sp/main.css"/>

    <MetadataProvider type="XML" file="C:/opt/shibboleth-sp/etc/shibboleth/idp.metadata.xml"/>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

    <AttributeResolver type="Query" subjectMatch="true"/>

    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>

<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

idp.metadata.xml references by SP config:

<?xml version="1.0" encoding="UTF-8"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://bios-hp/idp/shibboleth" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"><Extensions><shibmd:Scope regexp="false"/></Extensions><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID...zY=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor><ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://bios-hp:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/><ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://bios-hp:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/><NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://bios-hp/idp/profile/Shibboleth/SSO"/><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://bios-hp/idp/profile/SAML2/POST/SSO"/><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://bios-hp/idp/profile/SAML2/POST-SimpleSign/SSO"/><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://bios-hp/idp/profile/SAML2/Redirect/SSO"/></IDPSSODescriptor><AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"><Extensions><shibmd:Scope regexp="false"/></Extensions><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID...SzY=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor><AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://bios-hp:8443/idp/profile/SAML1/SOAP/AttributeQuery"/><AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://bios-hp:8443/idp/profile/SAML2/SOAP/AttributeQuery"/><NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat></AttributeAuthorityDescriptor></EntityDescriptor>

Note, that entityID in both files is equal as its the common reason for my error.

The protected site is hosted on local IIS and is accessible via 

http://bios-hp/secure

URL where I get the error.

All possible status URLs for both SP and IdP return successfull results.

Any ideas?

Answer

Akshay picture Akshay · Jun 18, 2014

Don't know about your secured path, but it seems that your entityId is http://bios-hp/secure, with a http not https, so I believe your secured path would be a http and shibboleth works with https.

Common errors are:

  • EntityId typo: but that is not your case
  • metadata file path mistake: but that too is not your case
  • SP configuration in IdP side: you got to check that, too.

Related questions

What is the purpose of SAML 2 Subject Name Identifier?

When doing authn against a SAML 2 IdP, what does the Subject Name Identifier supposed to be for? Does it track each user login? I'm wondering if my SAML 2 service provider application should track these for different users. Since they are …

Read More
What is exactly RelayState parameter used in SSO (Ex. SAML)?

I am trying to understand SSO using SAML. I have come across the RelayState parameter and am very confused exactly why it comes first in SSO to send encoded URLs? What exactly does it mean? Please read the following from …

Read More
What is the correct format for SAML 2.0 Assertions?

We have a customer trying to use ADFS to SSO on to our web application. We are using the ComponentSpace SAML 2.0 library. The assertion being sent to us looks like: <Assertion ID="_b8a24809-ab6b-4acd-ad6a-8bcb97…

Read More