
I’m setting up SSO with Shibboleth SP and Shibboleth IDP on a test environment with CentOS 7.
After all the configuration, if I try to access a protected source on the server I get only an error page:

shibsp::ConfigurationException at (http://server_ip/secure/index.html)

None of the configured SessionInitiators handled the request.

I can find the same message in the Apache logs (/var/log/httpd/error_log), but in the shib_d logs (shibd_warm.log, shibd_d.log) there is nothing about that error.
Are there some permissions that need to be set? Or is this the correct behavior?

I think that the error is in the metadata files, but the missing logs thing is driving me crazy…

PS: if I try to override the login visiting manually the page “http://server_ip/Shibboleth.sso/Login?entityID=my_idp_entity_id” I can reach the login page and the logs files are correctly updated.

UPDATE:

I’ve configured the Shibboleth embedded Discovery Service (for now with only one IDP) and I have successfully reached the IDP login page after requesting the protected resource, and the logs were also correctly updated.
This is the configuration I will use and deploy, but why can I not log in with only one IDP?
Here are the different SSO tags in shibboleth2.xml:
One IDP:

<SSO entityId="my_idp_entity_id">
  SAML2 SAML1
</SSO>

Discovery service:

<SSO discoveryProtocol="SAMLDS" discoveryURL="http://ip_address/shibboleth-ds/index.html">
  SAML2 SAML2
</SSO>

2 Answers


  1. Chosen as BEST ANSWER

    I've managed to get the log file; the problem was the permissions of "shibd.log". Even though it was created by the shibd service, the owner of this file was root, and only a part of the log was reported.

    Resolved by changing the user/group owner of the file

    chown shibd /var/log/shibboleth/shibd.log
    chgrp shibd /var/log/shibboleth/shibd.log
    

  2. Configures SSO for a default IdP. To properly allow for >1 IdP, remove entityID property and adjust discoveryURL to point to discovery service. You can also override entityID on /Login query string, or in RequestMap/htaccess.

    To idp:

            <SSO entityID="https://idp-test.website.org">
              SAML2
            </SSO>
            
    

    To WAYF:

            <SSO Location="/Login" 
                discoveryProtocol="SAMLDS" discoveryURL="https://discovery.site.org/test">
                SAML2
            </SSO>
    
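An added example, not part of either answer or of Shibboleth itself: a small Python check that reads the `<SSO>` element of a shibboleth2.xml and reports whether it selects a default IdP (`entityID`), a discovery service (`discoveryURL`), or neither. XML attribute names are case-sensitive, so it also flags spellings such as the `entityId` in the question's snippet. The function name `check_sso` and the trimmed sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names taken from the <SSO> snippets on this page.
KNOWN = ("entityID", "discoveryProtocol", "discoveryURL")

# Constructed samples, trimmed to the relevant element (no xmlns).
SINGLE_IDP = '<Sessions><SSO entityID="https://idp-test.website.org">SAML2</SSO></Sessions>'
DISCOVERY = ('<Sessions><SSO discoveryProtocol="SAMLDS" '
             'discoveryURL="https://discovery.site.org/test">SAML2</SSO></Sessions>')
MISSPELLED = '<Sessions><SSO entityId="my_idp_entity_id">SAML2 SAML1</SSO></Sessions>'


def local(name):
    """Strip an XML namespace so the check works with or without xmlns."""
    return name.rsplit("}", 1)[-1]


def check_sso(xml_text):
    """Return (mode, warnings) for the first <SSO> element in xml_text."""
    root = ET.fromstring(xml_text)
    sso = next((e for e in root.iter() if local(e.tag) == "SSO"), None)
    if sso is None:
        return "missing", ["no <SSO> element found"]
    warnings = []
    for attr in map(local, sso.attrib):
        for good in KNOWN:
            # Same letters, different case: this is not the attribute the SP reads.
            if attr != good and attr.lower() == good.lower():
                warnings.append(f"attribute '{attr}' should be spelled '{good}'")
    has_idp = bool(sso.get("entityID"))
    has_ds = bool(sso.get("discoveryURL"))
    if has_idp and has_ds:
        warnings.append("entityID and discoveryURL both set; the second answer "
                        "says to remove entityID when using discovery")
    if not has_idp and not has_ds:
        warnings.append("neither entityID nor discoveryURL is set; the IdP must "
                        "come from the /Login query string or RequestMap/htaccess")
        return "none", warnings
    return ("default-idp" if has_idp else "discovery"), warnings


if __name__ == "__main__":
    for label, cfg in (("single", SINGLE_IDP), ("discovery", DISCOVERY),
                       ("question", MISSPELLED)):
        print(label, check_sso(cfg))
```

To check a real file, pass its contents: `check_sso(open("/etc/shibboleth/shibboleth2.xml").read())` (path assumed; adjust to your installation).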