Troubleshooting

Here is how you can get the metadata of your IdP or SP as they are currently published to the federation:

  • Log in to the metadata administration tool.
  • Select the entity you are interested in from the list of IdPs/SPs and click the blue “XML” link.
  • The metadata are then displayed in your browser so that you can copy and save them.

“opensaml::SecurityPolicyException Message was signed, but signature could not be verified.”

You see this error message whenever the IdP certificate published in the federation metadata does not match the one configured on the actual IdP. During installation the Shibboleth installer generates a self-signed certificate and preconfigures it in conf/idp.properties. Adapt that file to point to the certificate you want the IdP to use and make sure the same one is published.

By the way: The file metadata/idp-metadata.xml is autogenerated, too. It contains the initial post-installation IdP metadata. It is parsed when you first add the IdP to the metadata administration tool, but in the actual federation this file is ignored. The valid IdP metadata that you maintain are those in the administration tool.

“opensaml::FatalProfileException at (https://testsp2.aai.dfn.de/Shibboleth.sso/SAML2/POST)”

You get this error message when the Service Provider cannot find any metadata for the Identity Provider.

  • Check if you have added the IdP to the metadata administration tool and if it was added to the respective federation correctly (DFN-AAI-Test, DFN-AAI-Basic, or DFN-AAI).
  • Compare the Entity ID in conf/idp.properties with the one in the metadata entry. They have to be identical.
  • After a change to the federation metadata, keep in mind that you have to wait for 60-90 minutes for the metadata to be aggregated and redistributed to all SPs.
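Both of the checks above, the signing certificate in conf/idp.properties versus the certificate published in the federation metadata and the Entity ID in conf/idp.properties versus the one in the metadata entry, can be scripted. The following is an added example and not part of the DFN-AAI documentation: the property names idp.entityID and idp.signing.cert are the real Shibboleth IdP keys, but the properties excerpt, the PEM certificate and the metadata snippet are constructed samples, and the certificate bytes are not a real certificate. Point it at the real files and at the XML you saved from the metadata administration tool to run it against your own IdP.

```python
"""Compare an IdP's local configuration with its published metadata.

Added example, not part of the DFN-AAI documentation. It reads idp.entityID
and the certificate behind idp.signing.cert and compares them with the
entityID and the signing <ds:X509Certificate> in the metadata that the
federation publishes for the IdP. All inputs below are constructed samples.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes (not real certificates).
LOCAL_DER_B64 = base64.b64encode(b"constructed DER bytes, not a real certificate").decode()
OLD_DER_B64 = base64.b64encode(b"constructed DER bytes of a previous, rotated certificate").decode()

SAMPLE_PROPERTIES = """
# constructed excerpt of conf/idp.properties
idp.entityID = https://idp.example.org/idp/shibboleth
idp.signing.key = %{idp.home}/credentials/idp-signing.key
idp.signing.cert = %{idp.home}/credentials/idp-signing.crt
"""

# What the IdP actually uses locally (the file idp.signing.cert points to).
SAMPLE_LOCAL_CERT = f"-----BEGIN CERTIFICATE-----\n{LOCAL_DER_B64}\n-----END CERTIFICATE-----\n"

# What the federation still publishes: the old certificate, i.e. a mismatch.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {OLD_DER_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_properties(text):
    """Minimal parser for Java-style key=value properties ('#' starts a comment)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def pem_to_b64(pem_text):
    """Return the base64 body of a PEM certificate without headers or whitespace."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return "".join(body.split())


def fingerprint(b64_der):
    """SHA-256 fingerprint of the DER bytes, colon separated as openssl prints it."""
    der = base64.b64decode(b64_der)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def published_signing_certs(metadata_xml):
    """Base64 bodies of all signing-capable certificates in the IdP's metadata."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                certs.add("".join(cert.text.split()))
    return certs


def check_idp(properties_text, local_cert_pem, metadata_xml):
    """Return a list of findings; an empty list means configuration and metadata agree."""
    props = parse_properties(properties_text)
    findings = []
    published_id = ET.fromstring(metadata_xml).get("entityID")
    if props.get("idp.entityID") != published_id:
        findings.append(f"entityID mismatch: idp.properties has {props.get('idp.entityID')!r}, "
                        f"metadata has {published_id!r}")
    local_b64 = pem_to_b64(local_cert_pem)
    published = published_signing_certs(metadata_xml)
    if local_b64 not in published:
        findings.append("signing certificate mismatch: local cert " + fingerprint(local_b64)
                        + " is not among the published signing certificates: "
                        + ", ".join(sorted(fingerprint(c) for c in published)))
    return findings


if __name__ == "__main__":
    for finding in check_idp(SAMPLE_PROPERTIES, SAMPLE_LOCAL_CERT, SAMPLE_METADATA) or ["OK"]:
        print(finding)
```

On a real IdP, read idp.properties from conf/, resolve the path in idp.signing.cert (replacing %{idp.home} with the installation directory) and pass the saved metadata XML; a reported certificate mismatch is exactly the situation that produces the "signature could not be verified" error on the SP side.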

“Web Login Service - Unsupported Request The application you have accessed is not registered for use with this service”, or in German: “Web Anmeldedienst - Nicht unterstützte Anfrage Die Applikation, auf die Sie zugreifen möchten, ist für die Benutzung dieses Dienstes nicht registriert.”

This error message is displayed when the IdP cannot find the SP in metadata.

  • Check whether all required metadata providers have been added to conf/metadata-providers.xml (Documentation).
  • Check the folder /opt/shibboleth-idp/metadata to see if up-to-date federation metadata have been downloaded. You can also access this information on the IdP status page (default: https://YOUR-HOST/idp/status). In the following example DFN_AAI metadata have expired:
    service: shibboleth.MetadataResolverService
    last successful reload attempt: 2020-12-22T07:58:12Z
    last reload attempt: 2020-12-22T07:58:12Z

    metadata source: DFN_AAI
    last refresh attempt: 2020-12-24T05:26:48Z
    last update: 2020-12-24T05:26:48Z

    metadata source: DFN_AAI_eduGAIN
    last refresh attempt: 2021-01-05T08:57:55Z
    last update: 2021-01-05T08:57:55Z

    metadata source: DFN_AAI_TEST
    last refresh attempt: 2021-01-05T09:36:13Z
    last update: 2021-01-05T09:36:13Z
  • Check the IdP's DEBUG log. Compare the saml:Issuer from the AuthnRequest with the EntityID you are trying to contact. If the Authentication Request carries a different issuer string, the IdP cannot find that issuer in the federation metadata. Contact the SP operator in this case.
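The status page check above can be automated so that a stale source is noticed before users run into the "not registered" error. The script below is an added example and not part of the DFN-AAI documentation: it parses the shibboleth.MetadataResolverService section exactly as printed on /idp/status (the sample is the output quoted above) and reports every metadata source whose last update is older than a chosen maximum age. The reference time and the 24-hour limit are constructed assumptions; the federation republishes its metadata every 60-90 minutes, so a source that has not been updated for a day is worth investigating, and one whose refresh attempts are newer than its last update is failing to refresh.

```python
"""Flag stale metadata sources in the IdP status page output.

Added example, not part of the DFN-AAI documentation. The status text is the
one quoted in the troubleshooting section; REFERENCE_NOW and the default
max_age are constructed assumptions for the example.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_STATUS = """\
service: shibboleth.MetadataResolverService
last successful reload attempt: 2020-12-22T07:58:12Z
last reload attempt: 2020-12-22T07:58:12Z

\tmetadata source: DFN_AAI
\tlast refresh attempt: 2020-12-24T05:26:48Z
\tlast update: 2020-12-24T05:26:48Z

\tmetadata source: DFN_AAI_eduGAIN
\tlast refresh attempt: 2021-01-05T08:57:55Z
\tlast update: 2021-01-05T08:57:55Z

\tmetadata source: DFN_AAI_TEST
\tlast refresh attempt: 2021-01-05T09:36:13Z
\tlast update: 2021-01-05T09:36:13Z
"""


def parse_timestamp(value):
    """The status page prints ISO 8601 timestamps with a trailing Z (UTC)."""
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed "current time" shortly after the newest entry in the sample.
REFERENCE_NOW = parse_timestamp("2021-01-05T10:00:00Z")


def parse_metadata_sources(status_text):
    """Return {source name: {'last_refresh': datetime, 'last_update': datetime}}."""
    sources = {}
    current = None
    for line in status_text.splitlines():
        # Split at the first colon only; the timestamps themselves contain colons.
        key, _, value = line.strip().partition(":")
        key = key.strip()
        if key == "metadata source":
            current = value.strip()
            sources[current] = {}
        elif current and key == "last refresh attempt":
            sources[current]["last_refresh"] = parse_timestamp(value)
        elif current and key == "last update":
            sources[current]["last_update"] = parse_timestamp(value)
    return sources


def stale_sources(status_text, now=None, max_age=timedelta(hours=24)):
    """Map each stale source name to a short reason string.

    A source is stale when its last update is older than max_age or when a
    refresh was attempted after the last successful update (refresh failing).
    """
    now = now or datetime.now(timezone.utc)
    stale = {}
    for name, info in parse_metadata_sources(status_text).items():
        age = now - info["last_update"]
        if age > max_age:
            stale[name] = f"last update {info['last_update'].isoformat()} is {age} old"
        elif info["last_refresh"] > info["last_update"]:
            stale[name] = "refresh attempted but no successful update since " \
                          + info["last_update"].isoformat()
    return stale


if __name__ == "__main__":
    for name, reason in stale_sources(SAMPLE_STATUS, REFERENCE_NOW).items():
        print(f"{name}: {reason}")
```

Running it against the sample output reports DFN_AAI only, which is the source the text above identifies as expired; on a live IdP, fetch the status page text (the page is restricted by the IdP's access control to the addresses allowed to view it) and call stale_sources without a fixed reference time.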

You have added your Identity Provider to the federation but it doesn't show up in discovery services? This can happen for several reasons:

  • The Service Provider hasn't fetched the latest metadata yet. Please wait for 60-90 minutes before testing in DFN-AAI or our test federation. Wait for up to 24 hours before testing in eduGAIN. You can check whether your IdP is already included in the eduGAIN metadata: https://technical.edugain.org/entities.
  • You have ticked the checkbox “hide from discovery” in the IdP's settings in the metadata administration tool. Remove the tick and wait for 60-90 minutes.