On 15 May 2009, at 13:19, Jethro R Binks wrote:
> 13:11:19,713 ERROR Assertion consumer service URL (http://login.westlaw.co.uk/app/authentication/sso/ukfed/auth/rcv) is NOT valid for provider (https://www.westlaw.co.uk/metadata). - edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler [TP-Processor18;20090515]
As Andy points out, the issue here is that the registered endpoints
are all "https://", not the "http://" that is being provided. The
metadata is correct; we don't permit registration of assertion
consumer location URLs that are not "https://". The good news is that
this must have come about through a faulty reconfiguration at the SP,
so it should start working again as soon as the configuration has been
changed back, as it won't require new metadata to propagate.
> <AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
> Location="https://login.westlaw.co.uk.ukclt.int.westlaw.com/app/authentication/sso/ukfed/auth/rcv"
> index="2"></AssertionConsumerService>
>
> "login.westlaw.co.uk.ukclt.int.westlaw.com" seems an odd hostname, and
> there are similar ones.
Those additional ACS locations are probably for internal test and QA
versions of the entity. Several large SPs use this kind of technique;
it's not a problem as the SP tells the IdP which specific endpoint to
use and all others are ignored.
-- Ian
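
Added example, not part of the original message and not Shibboleth IdP code: a small checker that compares a requested assertion consumer service URL against the Locations registered in SP metadata and reports when the only difference is the scheme, as in the log above. The metadata document and the index="1" endpoint are constructed for illustration, and exact string matching is an assumption about how the IdP compares URLs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata, modelled on the fragment quoted in the thread.
# It is trusted input here; parse untrusted metadata with a hardened XML parser.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://www.westlaw.co.uk/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://login.westlaw.co.uk/app/authentication/sso/ukfed/auth/rcv"
        index="1"/>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://login.westlaw.co.uk.ukclt.int.westlaw.com/app/authentication/sso/ukfed/auth/rcv"
        index="2"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

def registered_acs(metadata_xml):
    """Return every AssertionConsumerService Location in the metadata."""
    root = ET.fromstring(metadata_xml)
    # strip() tolerates whitespace left inside the attribute by line wrapping
    return [el.get("Location", "").strip()
            for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]

def check_acs(requested, metadata_xml):
    """Return (ok, reason); ok only on an exact match (assumed IdP behaviour)."""
    locations = registered_acs(metadata_xml)
    if requested in locations:
        return True, "registered"
    req = urlsplit(requested)
    for loc in locations:
        reg = urlsplit(loc)
        same_rest = (req.netloc.lower(), req.path, req.query) == \
                    (reg.netloc.lower(), reg.path, reg.query)
        if same_rest and req.scheme != reg.scheme:
            return False, (f"scheme mismatch: requested {req.scheme}://, "
                           f"registered {reg.scheme}://")
    return False, "not registered for this provider"

if __name__ == "__main__":
    url = "http://login.westlaw.co.uk/app/authentication/sso/ukfed/auth/rcv"
    print(check_acs(url, SAMPLE_METADATA))
```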