Hello
The metadata got accepted last week so it has had plenty of time to percolate through.
The 'No end point' message appears when I try the test thing https://sh2testsp1.iay.org.uk/
At this point I think the message is coming from my IDP. This is what is in the address bar when the message appears
https://shibidp.wnc.ac.uk/idp/Authn/RemoteUser;jsessionid=4BE9D00AAAC8D5DA0AC2DD4F8556C83B
This is the error in the idp-process log that corresponds
ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:397] - No return endpoint available for relying party urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk
Everything else in that log is marked with info and does not appear to be anything untoward, but I'm not overconfident I understand what I'm seeing!
Thanks
Heather Peake
VLE Development Co-ordinator
Tel 01623 627191 ext 8564
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Rod Widdowson
Sent: 03 August 2010 17:22
To: [log in to unmask]
Subject: Re: idp-metadata.xml how do you know if it is right
> Hello
> when I created my IDP I had test certificates in place. Once I was
> ready to register it I had real certificates in place. When I sent
> through my idp-metadata.xml file I was told I still had test
> certificate data in it rather than real certificate data.
> I sent through the certificate info and was duly registered.
> I thought I had fixed the idp-metadata, but now I'm worried that my
> idp-metadata.xml has something wrong with the certificate part of it
> and I don't know what I'm looking at to try to check it. Should the
> ds:x509 section match the contents of the .crt file?
Yes, and you can look at the crt file with openssl ("openssl x509 -noout -text -in foo.crt" should do it).
> I'm getting an error of 'No return endpoint available for relying
> party... when I try to test against the test thing on the UK Federation
> site and the trouble shooting section suggests no metadata as one
> possibility, hence my worry.
When did the metadata get accepted? If it was today then you will need to wait until the UK Fed support folks mail you that it has been updated (and then a few minutes more) to allow the test SP to learn about you.
> The other option is that there is something wrong with my handler.xml
> but I can't see anything in it, that is jumping off the page screaming
> fix me, fix me!
This doesn't feel like an IdP thing - but just in case, who gave you that message you quoted? Your IdP or the SP?
If in doubt, check your logs...
> I'm really beginning to hate this thing.
> Once I have that fixed I then have to sort out something about a
> computedID no longer in use and I should switch it to StoredID
Yes you _should_, but you might want to wait for two weeks when the odds of you throwing the whole shebang out of the window have reduced. computedID will be OK for a short while - or even longer, so long as you don't mind aggravating all your userbase (worst case) if anyone ever needs to have their Id revoked.
Rod
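The check discussed above (does the ds:X509Certificate data in idp-metadata.xml match the .crt file), as an added example that is not part of the original thread. It compares SHA-256 fingerprints of the decoded certificate bytes for every KeyDescriptor; the sample metadata, entityID and certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace of ds:X509Certificate

def pem_to_der(pem_text):
    """Drop the BEGIN/END armour lines of a .crt file and decode the base64 body."""
    body = [ln.strip() for ln in pem_text.splitlines() if ln.strip() and "-----" not in ln]
    return base64.b64decode("".join(body))

def metadata_certs(metadata_xml):
    """DER bytes of every ds:X509Certificate, in document order (line wrapping ignored)."""
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode("".join((el.text or "").split()))
            for el in root.iter(DS + "X509Certificate")]

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def check(metadata_xml, pem_text):
    """One (fingerprint, matches_crt) pair per certificate found in the metadata."""
    want = fingerprint(pem_to_der(pem_text))
    return [(fp, fp == want) for fp in map(fingerprint, metadata_certs(metadata_xml))]

# --- Constructed sample input: placeholder bytes stand in for real DER certificates ---
TEST_DER = b"constructed stand-in for the old test certificate " * 4
REAL_DER = b"constructed stand-in for the real certificate " * 4

def _b64(der):
    return base64.encodebytes(der).decode()  # wrapped lines, as in real files

SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + _b64(REAL_DER) + "-----END CERTIFICATE-----\n"

def _key_descriptor(der):
    return ("<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n" + _b64(der)
            + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

# Half-updated metadata (constructed): one descriptor still carries the test certificate.
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/shibboleth">'
    "<md:IDPSSODescriptor>" + _key_descriptor(TEST_DER) + "</md:IDPSSODescriptor>"
    "<md:AttributeAuthorityDescriptor>" + _key_descriptor(REAL_DER)
    + "</md:AttributeAuthorityDescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    for fp, ok in check(SAMPLE_METADATA, SAMPLE_PEM):
        print(("MATCH   " if ok else "MISMATCH"), fp)
```

Any MISMATCH line means that KeyDescriptor still holds a certificate other than the one in the .crt file, which is the stale test-certificate case described in the thread.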