
List:       shibboleth-users
Subject:    Re: [Shib-Users] can't establish identity of issuer
From:       Nate Klingenstein <ndk () internet2 ! edu>
Date:       2011-03-27 19:17:27
Message-ID: 463C0B9A-A393-4FE8-946E-F93C5FB83851 () internet2 ! edu

Rampage,

The metadata file didn't come through successfully, but the error  
message is pretty clear.  Either the metadata is expired (as you  
noticed), or the IdP's entityID doesn't match any entityID that is in  
the metadata.  If the metadata was signed and you modified the  
expiration date, it will still fail to load.

You'll see any failure to load the metadata successfully on startup of  
the SP.

Take care,
Nate.

On Mar 27, 2011, at 19:04 , Rampage wrote:

> Hello everyone,
> I'm pretty new to Shibboleth and I'm trying to use the SP to implement a
> single sign-on solution with an IdP that is third-party provided.
> 
> Yet I'm experiencing this issue: when a user tries to log in, the page is
> redirected to the IdP page, then back to my server, but this error is
> returned:
> 
> 
> The identity provider supplying your login credentials is not authorized for
> use with this service or does not support the necessary capabilities.
> 
> And in my shibd.log I find this error:
> 
> 2011-03-27 19:45:41 WARN OpenSAML.MessageDecoder.SAML1 [3]: no metadata found, can't establish identity of issuer (https://idpcrl.crs.lombardia.it//scauth)
> 
> The authentication is supposed to happen using a smartcard.
> The metadata file and the attributes are provided by the IdP, and also the
> root CA certificates.
> 
> What I've noticed is that the metadata file has this string:
> 
> validUntil="2010-06-03T00:00:00Z">
> 
> which is obviously expired.
> 
> I've verified the validity of the root CA certificates and they expire in
> 2016, so I've tried modifying the validUntil parameter to the expiration date of
> the certificates, but this didn't solve my problem.
> 
> For convenience, here is the metadata file:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> 
> Lisit S.p.A./ITSIDPCRL/ vl18833/18136
> 
> CN=LISIT S.P.A./168637,OU=U.O. Sviluppo,O=Altri Certificati,C=IT
> 
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
> 
> Any suggestions?
> 
> Thanks in advance.
> 
> --
> View this message in context: \
> http://shibboleth.1660669.n2.nabble.com/can-t-establish-identity-of-issuer-tp6212874p6212874.html
>  Sent from the Shibboleth - Users mailing list archive at Nabble.com.
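
The three causes named in the reply (an expired validUntil, an entityID that does not match the issuer, a signed file that was edited) can be checked against a metadata file before the SP is started. The following is an added example, not part of the original thread and not Shibboleth's own code; the sample metadata and its entityID are constructed, and `diagnose` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ENTITY = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"
GROUP = "{urn:oasis:names:tc:SAML:2.0:metadata}EntitiesDescriptor"
SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

# Constructed sample metadata. Only the validUntil value is taken from the
# thread; the entityID is a placeholder, since the posted file lost its tags.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/scauth"
    validUntil="2010-06-03T00:00:00Z">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
</EntityDescriptor>"""


def _parse_time(value):
    # xs:dateTime with a trailing "Z"; treat a missing offset as UTC.
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def diagnose(metadata_xml, issuer, now=None):
    """List reasons the metadata cannot vouch for `issuer` (empty = none found)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    findings, entity_ids = [], []
    if root.find(SIGNATURE) is not None:
        # Per the reply above: editing a signed file still fails to load.
        findings.append("signed-do-not-edit")

    def walk(node, expired):
        until = node.get("validUntil")
        # validUntil on a parent EntitiesDescriptor also covers its children.
        expired = expired or (until is not None and _parse_time(until) <= now)
        if node.tag == ENTITY:
            entity_ids.append(node.get("entityID"))
            if expired:
                findings.append(f"expired:{node.get('entityID')}")
        for child in node:
            if child.tag in (GROUP, ENTITY):
                walk(child, expired)

    walk(root, False)
    if issuer not in entity_ids:  # exact string comparison, no URL normalisation
        findings.append("no-entityid-match")
    return findings
```

Pass the issuer string exactly as it appears in shibd.log, including any doubled slash, because entityIDs are compared as literal strings.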

