
Troubleshooting

Here is how you can get the metadata of your IdP or SP as they are currently published to the federation:

  • Log in to the metadata administration tool.
  • Select the Entity you are interested in from the list of IdPs/SPs and click the blue “XML” as shown below.
  • The metadata are then displayed in your browser so that you can copy and save them.

“opensaml::SecurityPolicyException Message was signed, but signature could not be verified.”

You see this error message whenever the IdP certificate published in the federation metadata does not match the one configured on the actual IdP. During installation the Shibboleth installer generates a self-signed certificate and preconfigures it in conf/idp.properties. Adapt that file to point to the certificate you want the IdP to use and make sure the same one is published.

By the way: The file metadata/idp-metadata.xml is autogenerated, too. It contains the initial post-installation IdP metadata. It is parsed when you first add the IdP to the metadata administration tool, but in the actual federation this file is ignored. The valid IdP metadata that you maintain are those in the administration tool.

“opensaml::FatalProfileException at (https://testsp2.aai.dfn.de/Shibboleth.sso/SAML2/POST)”

You get this error message when the Service Provider cannot find any metadata for the Identity Provider.

  • Check if you have added the IdP to the metadata administration tool and if it was added to the respective federation correctly (DFN-AAI-Test, DFN-AAI-Basic, or DFN-AAI).
  • Compare the Entity ID in conf/idp.properties with the one in the metadata entry. They have to be identical.
  • After a change to the federation metadata, keep in mind that you have to wait for 60-90 minutes for the metadata to be aggregated and redistributed to all SPs.
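The two comparisons above (is the entityID in conf/idp.properties the one in the metadata entry, and is the certificate the IdP actually uses the one the federation publishes) can be scripted. The following Python is an added example, not part of this page and not Shibboleth or DFN-AAI project code. It assumes the standard Shibboleth IdP property names idp.entityID and idp.signing.cert, takes the PEM text of the signing certificate directly (in practice read the file that idp.signing.cert points to), and looks the entity up in the metadata XML saved from the administration tool. The certificate bytes, metadata and property file contents in the block are constructed stand-ins so it runs without a real IdP.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for DER certificate bytes; only byte identity matters here.
GOOD_DER = bytes(range(64))
BAD_DER = bytes(range(64, 128))

# Constructed excerpt of conf/idp.properties (property names are the real ones).
IDP_PROPERTIES = """\
idp.entityID = https://idp.example.org/idp/shibboleth
idp.signing.cert = %{idp.home}/credentials/idp-signing.crt
"""


def to_pem(der):
    """Wrap DER bytes as the PEM block that idp.signing.cert points at."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def load_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode to DER."""
    b64 = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(b64.split()))


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def published_signing_certs(metadata_xml, entity_id):
    """DER certs usable for signing from the entity's IDPSSODescriptor(s),
    or None when no EntityDescriptor with that entityID exists in the XML.
    Works for a single EntityDescriptor and for an EntitiesDescriptor aggregate."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        certs = []
        for idp in ed.iter(f"{{{MD}}}IDPSSODescriptor"):
            for kd in idp.iter(f"{{{MD}}}KeyDescriptor"):
                if kd.get("use") not in (None, "signing"):  # no 'use' means any purpose
                    continue
                for c in kd.iter(f"{{{DS}}}X509Certificate"):
                    certs.append(base64.b64decode("".join((c.text or "").split())))
        return certs
    return None


def check_idp(props, pem, metadata_xml):
    """Compare the configured IdP with its published metadata.
    Returns a list of findings; an empty list means the two agree."""
    entity_id = props.get("idp.entityID", "")
    published = published_signing_certs(metadata_xml, entity_id)
    if published is None:
        return [f"no EntityDescriptor with entityID {entity_id!r} in the metadata"]
    local_fp = fingerprint(pem_to_der(pem))
    published_fps = {fingerprint(c) for c in published}
    if local_fp not in published_fps:
        return [f"signing cert {props.get('idp.signing.cert')} (sha256 {local_fp[:16]}...) "
                f"is not among the published signing certs {sorted(p[:16] for p in published_fps)}"]
    return []


def sample_metadata(der, entity_id):
    """Constructed minimal EntityDescriptor carrying one signing certificate."""
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    props = load_properties(IDP_PROPERTIES)
    eid = props["idp.entityID"]
    print(check_idp(props, to_pem(GOOD_DER), sample_metadata(GOOD_DER, eid)))
    print(check_idp(props, to_pem(GOOD_DER), sample_metadata(BAD_DER, eid)))
    print(check_idp(props, to_pem(GOOD_DER), sample_metadata(GOOD_DER, "https://other.example.org/idp")))
```

A KeyDescriptor without a use attribute counts for signing as well as encryption, which is why the check accepts both; a certificate published only with use="encryption" will not satisfy the SP's signature check and is correctly reported as a mismatch.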

“Web Login Service - Unsupported Request The application you have accessed is not registered for use with this service”, in German: “Web Anmeldedienst - Nicht unterstützte Anfrage Die Applikation, auf die Sie zugreifen möchten, ist für die Benutzung dieses Dienstes nicht registriert.”

This error message appears when the IdP has not loaded any metadata set that contains the SP. Check whether all required metadata providers are configured in conf/metadata-providers.xml (documentation) and whether current federation metadata actually arrive on disk (in the folder /opt/shibboleth-idp/metadata). You can also read this off the IdP status page (by default https://YOUR-HOST/idp/status). In this example the DFN_AAI metadata have expired:

service: shibboleth.MetadataResolverService
last successful reload attempt: 2020-12-22T07:58:12Z
last reload attempt: 2020-12-22T07:58:12Z

	metadata source: DFN_AAI
	last refresh attempt: 2020-12-24T05:26:48Z
	last update: 2020-12-24T05:26:48Z

	metadata source: DFN_AAI_eduGAIN
	last refresh attempt: 2021-01-05T08:57:55Z
	last update: 2021-01-05T08:57:55Z

	metadata source: DFN_AAI_TEST
	last refresh attempt: 2021-01-05T09:36:13Z
	last update: 2021-01-05T09:36:13Z
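As an added example (not part of this page and not Shibboleth code), the following Python parses the metadata-resolver block of the status page shown above and reports every metadata source whose last update is older than a freshness limit. The status lines are the ones printed above, pasted as a constructed string; the reference time NOW and the 24-hour limit are constructed choices, picked because the page states that the federation redistributes metadata every 60-90 minutes, so a source that has not been updated for a day is not being refreshed.

```python
from datetime import datetime, timedelta, timezone

# Constructed: the status-page excerpt from this page, pasted verbatim.
STATUS_TEXT = """\
service: shibboleth.MetadataResolverService
last successful reload attempt: 2020-12-22T07:58:12Z
last reload attempt: 2020-12-22T07:58:12Z

\tmetadata source: DFN_AAI
\tlast refresh attempt: 2020-12-24T05:26:48Z
\tlast update: 2020-12-24T05:26:48Z

\tmetadata source: DFN_AAI_eduGAIN
\tlast refresh attempt: 2021-01-05T08:57:55Z
\tlast update: 2021-01-05T08:57:55Z

\tmetadata source: DFN_AAI_TEST
\tlast refresh attempt: 2021-01-05T09:36:13Z
\tlast update: 2021-01-05T09:36:13Z
"""

# Constructed reference time, a few minutes after the newest refresh shown.
NOW = datetime(2021, 1, 5, 9, 45, tzinfo=timezone.utc)


def parse_timestamp(value):
    """The status page prints UTC timestamps as 2021-01-05T09:36:13Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_status(text):
    """Group the 'metadata source' blocks into {source_name: {field: value}}.
    Lines before the first source (the service header) are ignored."""
    sources, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # first colon only; timestamps keep theirs
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "metadata source":
            current = value
            sources[current] = {}
        elif current is not None:
            sources[current][key] = value
    return sources


def stale_sources(sources, now, max_age=timedelta(hours=24)):
    """Return [(name, age)] for sources whose 'last update' is older than max_age."""
    stale = []
    for name, fields in sources.items():
        age = now - parse_timestamp(fields["last update"])
        if age > max_age:
            stale.append((name, age))
    return stale


def report(text=STATUS_TEXT, now=NOW):
    """Human-readable lines, one per stale source."""
    return [f"{name}: last update {age.days} d {age.seconds // 3600} h ago"
            for name, age in stale_sources(parse_status(text), now)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against the excerpt above, only DFN_AAI is reported, with its last update roughly twelve days old, which matches the page's diagnosis; the two other sources were refreshed within the last hour.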

The configuration files as shipped can be found in the directory dist/conf. From there you can fetch files if you want to start over from scratch, or if you want to see what the original file looks like in a newer Shibboleth version.

If you get the error message below, you probably have an attribute, e.g. eduPersonTargetedID, registered twice in the Attribute Registry. You may have both included the file dfnMisc.xml (as described here) and stored the single attribute eduPersonTargetedID in a .properties file under conf/attributes/custom/. The simplest fix is to delete the .properties file; then only the attribute from dfnMisc.xml is read.

java.lang.IllegalArgumentException: {urn:oasis:names:tc:SAML:2.0:assertion}NameID is
already the child of another XMLObject and may not be inserted into this list
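To find such a double registration before the IdP reports it, the following Python is an added example (not part of this page and not Shibboleth or DFN-AAI code). It assumes the Shibboleth IdP 4 attribute registry formats: XML files in which each rule is a bean with parent shibboleth.TranscodingRule carrying a prop with key "id", and .properties files in which the attribute ID is the id= key. The two registry files are constructed in-memory stand-ins (the real dfnMisc.xml carries many more rules and properties), so the script runs without an IdP installation.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

BEANS_NS = "http://www.springframework.org/schema/beans"

# Constructed stand-ins for two registry files that both define eduPersonTargetedID.
REGISTRY_FILES = {
    "conf/attributes/dfnMisc.xml": f"""<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="{BEANS_NS}">
  <bean parent="shibboleth.TranscodingRule">
    <property name="properties">
      <props>
        <prop key="id">eduPersonTargetedID</prop>
        <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.10</prop>
      </props>
    </property>
  </bean>
  <bean parent="shibboleth.TranscodingRule">
    <property name="properties">
      <props>
        <prop key="id">schacHomeOrganization</prop>
        <prop key="saml2.name">urn:oid:1.3.6.1.4.1.25178.1.2.9</prop>
      </props>
    </property>
  </bean>
</beans>
""",
    "conf/attributes/custom/eduPersonTargetedID.properties": """\
# constructed: a single-attribute rule left over from an earlier setup
id=eduPersonTargetedID
saml2.name=urn:oid:1.3.6.1.4.1.5923.1.1.1.10
""",
}


def ids_in_xml(text):
    """Attribute IDs from every TranscodingRule bean in an XML registry file."""
    ids = []
    for bean in ET.fromstring(text).iter(f"{{{BEANS_NS}}}bean"):
        if bean.get("parent") != "shibboleth.TranscodingRule":
            continue
        for prop in bean.iter(f"{{{BEANS_NS}}}prop"):
            if prop.get("key") == "id":
                ids.append((prop.text or "").strip())
    return ids


def ids_in_properties(text):
    """Attribute IDs (id= keys) from a single-rule .properties file."""
    ids = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "id":
            ids.append(value.strip())
    return ids


def registry_ids(files):
    """Map attribute ID -> list of registry files that define it."""
    where = defaultdict(list)
    for path, text in files.items():
        ids = ids_in_xml(text) if path.endswith(".xml") else ids_in_properties(text)
        for attr_id in ids:
            where[attr_id].append(path)
    return dict(where)


def duplicate_ids(files):
    """Only the IDs defined in more than one file; empty dict means no collision."""
    return {k: v for k, v in registry_ids(files).items() if len(v) > 1}


if __name__ == "__main__":
    for attr_id, paths in duplicate_ids(REGISTRY_FILES).items():
        print(f"{attr_id} is defined in: {', '.join(paths)}")
```

To use it on a real installation, replace REGISTRY_FILES with the contents of conf/attributes/*.xml and conf/attributes/custom/*.properties; removing the .properties file, as the page recommends, empties the result.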

You have added your Identity Provider to the federation but it doesn't show in discovery services? This can happen for several reasons:

  • The Service Provider hasn't fetched the latest metadata yet. Please wait for 60-90 minutes before testing.
  • You have ticked the checkbox “hide from discovery” in the IdP's settings in the metadata administration tool. Remove the tick and wait for 60-90 minutes.
  • The SP is only available to IdPs complying with the “advanced” degree of reliance, but your Identity Management System has been classified as “Basic”. In our documentation of Degrees of Reliance we explain under which circumstances certain users of your institution may access the service even if your IdM as a whole does not (yet) comply with the advanced degree.