Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
en:shibidp:troubleshooting [2023/03/02 10:54] – Engl. version of missing sp metadata Silke Meyeren:shibidp:troubleshooting [2023/03/02 12:21] (current) – [Download the metadata of your IdP/SP] Silke Meyer
Line 5: Line 5:
   * [[https://wiki.shibboleth.net/confluence/display/IDP4/Troubleshooting|Troubleshooting]] page in the official Shibboleth documentation   * [[https://wiki.shibboleth.net/confluence/display/IDP4/Troubleshooting|Troubleshooting]] page in the official Shibboleth documentation
  
-===== Download the metadata of your IdP/SP =====+===== Where to download the metadata of your IdP/SP =====
  
 Here is how you can get the metadata of your IdP or SP as they are currently published to the federation: Here is how you can get the metadata of your IdP or SP as they are currently published to the federation:
Line 127: Line 127:
   * Check the IdP's DEBUG-Log. Compare the saml:Issuer from the AuthnRequest with the EntityID you are trying to contact. If there is a different issuer string in the Authentication Request the IdP cannot find the issuer in the federation metadata. Contact the SP operator in this case.   * Check the IdP's DEBUG-Log. Compare the saml:Issuer from the AuthnRequest with the EntityID you are trying to contact. If there is a different issuer string in the Authentication Request the IdP cannot find the issuer in the federation metadata. Contact the SP operator in this case.
  
 +===== DecryptNameIDFailed =====
 +If you see the error message "A non-proceed event occurred while processing the request: DecryptNameIDFailed" this might be after a certificate rollover and maybe it only occurs upon Single Logout. The Service Provider has encrypted data with a certificate for which the IdP does not have a private key (any more). Remove the old certificate from the metadata and wait for 60 to 90 minutes. By then, the information to only use the new certificate has propagated.
  
 +===== Reset a configuration file to default =====
 +Your IdP keeps copies of all original files in the folder ''dist/conf''. Here you can fetch files, if you want to start over or if you want to see what the original file looks like in the latest installed IdP version.
 +
 +===== Duplicate attributes in Shibboleth IdP 4.x =====
 +If you notice that your IdP 4.x transmits duplicate attributes, you probably have copied the file ''conf/attribute-resolver.xml'' from an IdP 3.x without adapting it. The IdP has duplicate transcoding rules: once in ''conf/attribute-resolver.xml'' and once in the Attribute Registry. Remove the Attribute Encoder lines from the resolver configuration so that it looks like in [[de:shibidp:config-attributes-minimal|this example]].
 +
 +===== Duplicate Transcoding Rule =====
 +If you get the error message below, you probably have a duplicate attribute in your Attribute Registry. Maybe you imported attributes from a file like our dfnMisc.xml ([[de:shibidp:config-attributes#edupersontargetedid_und_andere_verbreitete_attribute_hinterlegen|German documentation]]) **and** you have defined one of the attributes in an individual .properties file underneath ''conf/attributes/custom/''? Make sure that each attribute exists in the Attribute Registry exactly once.
 +
 +<code bash>java.lang.IllegalArgumentException: {urn:oasis:names:tc:SAML:2.0:assertion}NameID is
 +already the child of another XMLObject and may not be inserted into this list</code>
 +
 +===== IdP/SP is no longer part of the eduGAIN metadata =====
 +
 +Our downstream eduGAIN metadata (the eduGAIN metadata we distribute to DFN-AAI) have never contained entities from DFN-AAI. We filter them out because your systems already know them from DFN-AAI metadata and we do not want to distribute duplicates. To check whether an entity is part of the eduGAIN metadata, please search for it in the [[https://technical.edugain.org/entities|eduGAIN Entities Database]].
  
 ===== IdP is not displayed in Discovery Services ===== ===== IdP is not displayed in Discovery Services =====
Line 136: Line 153:
   * You have ticked the checkbox "hide from discovery" in the IdP's settings in the metadata administration tool. Remove the tick and wait for 60-90 minutes.   * You have ticked the checkbox "hide from discovery" in the IdP's settings in the metadata administration tool. Remove the tick and wait for 60-90 minutes.
      
 +===== SP Metadata: AuthnRequestsSigned and WantAssertionsSigned =====
 +
 +A Service Provider can announce in its metadata that it
 +  * signs Authentication Requests it sends to IdPs, and/or
 +  * wants to get signed SAML assertions back.
 +
 +Our metadata administration tool only displays this information if it is included in the xml files upon initial upload to the metadata administration. Please extend your SP metadata like this:<code xml><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></code>
 +    
 {{tag>idp4 troubleshooting debugging debug logging}} {{tag>idp4 troubleshooting debugging debug logging}}
  • Last modified: 3 years ago