We had problems too, which were a basic problem with WAYFless URLs.
Some suppliers produce "managed" WAYFless URLs, e.g.:
http://supplier.com/shibboleth/idp=somewhere.ac.uk
as opposed to "unmanaged" URLs: they say "just bookmark your IdP login
page after clicking on a few links here".
This was an unmanaged URL problem for us. The shire param in the
bookmark disappeared from the metadata (AssertionConsumerService), so a
trust failure happened. The metadata update itself wasn't a problem; it
was the way the WAYFless URL was "managed" or not in this case.
Beware unmanaged WAYFless URLs!
Alistair
--------------
mov eax,1
mov ebx,0
int 80h
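The failure Alistair describes can be checked before it bites. The following is an added example, not code from either message or from Shibboleth itself: it reads a Shibboleth 1.x WAYFless URL (SSO endpoint with shire, providerId, target and time parameters), looks the providerId up in SP metadata, and verifies that the shire is one of the AssertionConsumerService Locations published for that SP, which is the condition behind "Invalid assertion consumer service URL". The entity IDs, hostnames and metadata are constructed samples; the helper names are my own.

```python
"""Added example (not code from the thread): check a Shibboleth 1.x WAYFless
URL against the SP's metadata the way the IdP does.

A 1.x WAYFless URL points the browser straight at the IdP's SSO endpoint and
carries the SP's entityID in ``providerId`` and the SP's assertion consumer
endpoint in ``shire``. The IdP accepts ``shire`` only if it is listed as an
AssertionConsumerService Location for that entityID in the federation
metadata; otherwise it fails with "Invalid assertion consumer service URL".
All entity IDs, hostnames and the metadata below are constructed samples.
"""
from urllib.parse import parse_qs, quote, urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"


def sp_metadata(entity_id, acs_locations):
    """Build a minimal metadata document for one SP (constructed sample)."""
    acs = "".join(
        f'<AssertionConsumerService Binding="{POST_BINDING}" '
        f'Location="{loc}" index="{i}"/>'
        for i, loc in enumerate(acs_locations, 1))
    return (f'<EntitiesDescriptor xmlns="{MD_NS}">'
            f'<EntityDescriptor entityID="{entity_id}">'
            '<SPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:1.1:protocol">'
            f'{acs}</SPSSODescriptor></EntityDescriptor></EntitiesDescriptor>')


def acs_locations(metadata_xml, entity_id):
    """All AssertionConsumerService Locations the metadata lists for entity_id."""
    root = ET.fromstring(metadata_xml)
    locations = set()
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for acs in ed.iter(f"{{{MD_NS}}}AssertionConsumerService"):
            locations.add(acs.get("Location"))
    return locations


def check_wayfless(url, metadata_xml):
    """Return (ok, reason) for an unmanaged WAYFless URL against metadata."""
    query = parse_qs(urlparse(url).query)
    provider = query.get("providerId", [None])[0]
    shire = query.get("shire", [None])[0]
    if not provider or not shire:
        return False, "missing providerId or shire parameter"
    locations = acs_locations(metadata_xml, provider)
    if not locations:
        return False, f"no SP metadata for {provider}"
    if shire not in locations:
        # The case in the thread: the endpoint baked into the bookmark is
        # no longer published for the SP, so the IdP refuses to trust it.
        return False, f"shire {shire} is not an AssertionConsumerService of {provider}"
    return True, "ok"


# Constructed scenario: an SP publishes two endpoints, someone bookmarks a
# WAYFless URL using the second, and a later metadata update drops it.
SP_ID = "https://sp.example.org/shibboleth"
OLD_ACS = "https://sp-old.example.org/Shibboleth.sso/SAML/POST"
NEW_ACS = "https://sp.example.org/Shibboleth.sso/SAML/POST"
METADATA_BEFORE = sp_metadata(SP_ID, [NEW_ACS, OLD_ACS])
METADATA_AFTER = sp_metadata(SP_ID, [NEW_ACS])

BOOKMARK = ("https://idp.example.ac.uk/shibboleth-idp/SSO?"
            f"shire={quote(OLD_ACS, safe='')}&providerId={quote(SP_ID, safe='')}"
            f"&target={quote('https://sp.example.org/secure/', safe='')}"
            "&time=1250000000")

if __name__ == "__main__":
    for label, md in (("before update", METADATA_BEFORE),
                      ("after update", METADATA_AFTER)):
        print(label, check_wayfless(BOOKMARK, md))
```

A "managed" URL of the supplier-side form above carries no shire at all; the SP builds the request itself from its current configuration, which is why it survives a metadata change that an "unmanaged" bookmark does not. Running this check over the bookmarks you hand out, against each fresh metadata download, flags the stale ones before users hit the IdP error page.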
On 12 Aug 2009, at 14:03, Jethro R Binks wrote:
> As Andy has just mentioned, over the weekend, there was a problem with the
> Science Direct metadata. As a result, our IdP was issuing the usual vague
> error message to would-be users:
>
> ==
> Shibboleth Identity Provider Failure
>
> The Shibboleth authentication system experienced a technical failure.
>
> Please email our-local-support-address and include the following error
> message:
>
> Identity Provider failure at (/shibboleth-idp/SSO)
>
> org.opensaml.SAMLException: Invalid assertion consumer service URL.
> ==
>
> And of course, lots and lots of people did. Some mentioned they were
> using Science Direct, and some didn't. And of course, it was a weekend,
> so there was minimal support available...
>
> It occurred to me that it would be useful to be able to mention in these
> error messages if there are any more persistent known problems, in an
> attempt to head off the deluge of error reports. So I came up with having
> a file that listed "known problems", to be included in the error messages.
>
> I have played around with various means of doing this (SSIs and includes
> of various sorts), some of which worked and some of which didn't; I had
> two goals in particular: I wanted the minimum possible set of
> modifications to the distributed error pages and to
> tomcat/apache/whatever, and I wanted the known problems information to be
> remotely hosted (ie, not on the IdP itself) (and possibly re-usable in
> other contexts).
>
> This is the solution I eventually came up with. It involves no extra
> configuration or libraries/etc for tomcat, and very little Apache
> configuration. It should be straightforward to anyone with a small amount
> of Shib-Apache-foo, and practically zero JSP-foo (like me):
>
> In apache config, just before the ProxyPass for /shibboleth-idp or
> equivalent:
>
> ProxyPass /knownproblems.html http://resource.net.strath.ac.uk/federations/knownproblems.html
>
> This URL emits a very simple chunk of HTML content for inclusion in other
> pages. It could be modified to be generated in whatever way is useful,
> SSI, CGI, blah blah.
>
> Then for each of the .jsp error pages of interest, add the following at
> the appropriate place:
>
> <bean:include id="kp" href="/knownproblems.html" />
> <bean:write filter="false" name="kp" />
>
> (I think you could in fact put the whole URL in the bean:include href, but
> I wanted to abstract the URL out to the Apache config for future
> flexibility.)
>
> Enjoy,
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
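One caveat a practitioner will want alongside the recipe quoted above: bean:write with filter="false" writes whatever the proxied URL returns into the IdP's own error page unescaped, and the ProxyPass fetches it over plain http. That makes the host serving knownproblems.html, and the network path to it, part of the IdP's trust boundary: any HTML or script in the fragment runs on the IdP's origin. The following is an added example, not code from the thread or from Shibboleth, showing the kind of allow-list sanitiser to apply wherever the fragment is generated before it is emitted unescaped. The tag and attribute allow-list, the class and function names, and the sample fragments are my own choices.

```python
"""Added example (not from the thread): allow-list sanitiser for a remotely
hosted "known problems" HTML fragment before it is written unescaped into an
IdP error page. Tag names, attributes and sample fragments are my own.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags the fragment may use, with the attributes each may carry.
ALLOWED_TAGS = {
    "p": set(), "ul": set(), "ol": set(), "li": set(),
    "strong": set(), "em": set(), "br": set(), "a": {"href"},
}
VOID_TAGS = {"br"}
SAFE_HREF_SCHEMES = {"http", "https"}


class FragmentSanitizer(HTMLParser):
    """Rebuild the fragment keeping only allow-listed tags and attributes.

    Unknown tags are dropped but their text kept; <script>/<style> are
    dropped together with their content; text and attribute values are
    re-escaped; tags still open at the end are closed so the fragment
    cannot swallow the rest of the error page.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []
        self.drop_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and urlparse(value).scheme not in SAFE_HREF_SCHEMES:
                continue  # drops javascript:, data: and scheme-relative hrefs
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.stack:
            return
        while self.stack:  # close anything left open inside this element
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")


def sanitize_fragment(html_fragment):
    """Return the fragment reduced to the allow-list, safe to emit unescaped."""
    parser = FragmentSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of a hostile fragment.
    sample = ('<p>Science Direct <script>alert(1)</script>is <strong>down</strong> '
              '<a href="javascript:alert(1)">status</a></p><img src=x onerror=alert(1)>')
    print(sanitize_fragment(sample))
```

The same allow-list logic is what to port into whatever produces knownproblems.html (the SSI or CGI mentioned in the message), and serving the fragment over https removes the on-path injection route that a plain-http ProxyPass leaves open.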