As Andy has just mentioned, over the weekend, there was a problem with the
Science Direct metadata. As a result, our IdP was issuing the usual vague
error message to would-be users:

    Shibboleth Identity Provider Failure

    The Shibboleth authentication system experienced a technical failure.
    Please email our-local-support-address and include the following error

    Identity Provider failure at (/shibboleth-idp/SSO)
    org.opensaml.SAMLException: Invalid assertion consumer service URL.

And of course, lots and lots of people did. Some mentioned they were
using Science Direct, and some didn't. And of course, it was a weekend,
so there was minimal support available...
It occurred to me that it would be useful to be able to mention in these
error messages if there are any more persistent known problems, in an attempt
to head off the deluge of error reports. So I came up with having a file
that listed "known problems", to be included in the error messages.
I have played around with various means of doing this (SSIs and includes
of various sorts), some of which worked and some of which didn't; I had
two goals in particular: I wanted the minimum possible set of
modifications to the distributed error pages and to
tomcat/apache/whatever, and I wanted the known problems information to be
remotely hosted (ie, not on the IdP itself) (and possibly re-usable in
This is the solution I eventually came up with. It involves no extra
configuration or libraries/etc for tomcat, and very little Apache
configuration. It should be straightforward to anyone with a small amount
of Shib-Apache-foo, and practically zero JSP-foo (like me):
In apache config, just before the ProxyPass for /shibboleth-idp or

    ProxyPass /knownproblems.html http://resource.net.strath.ac.uk/federations/knownproblems.html

This URL emits a very simple chunk of HTML content for inclusion in other
pages. It could be modified to be generated in whatever way is useful,
SSI, CGI, blah blah.
Then for each of the .jsp error pages of interest, add the following at
the appropriate place:

    <bean:include id="kp" href="/knownproblems.html" />
    <bean:write filter="false" name="kp" />

(I think you could in fact put the whole URL in the bean:include href, but
I wanted to abstract the URL out to the Apache config for future
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
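
An added example, not part of the original message: because the fragment is written with filter="false", whatever the proxied URL returns becomes markup on the IdP error page, so it is worth checking the fragment before it is published. The allowlist policy, the names check_fragment and ALLOWED, and the sample strings are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy (not from the original post): the only tags and attributes
# a short status notice needs. Anything else is reported as a problem.
ALLOWED = {"p": set(), "ul": set(), "li": set(), "strong": set(),
           "em": set(), "br": set(), "a": {"href"}}


class FragmentChecker(HTMLParser):
    """Collects policy violations found in a known-problems fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.problems = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <br/>.
        if tag not in ALLOWED:
            self.problems.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                self.problems.append(f"attribute {name} on <{tag}> not allowed")
            elif urlsplit((value or "").strip()).scheme not in ("http", "https"):
                # Only href reaches this branch; require an absolute web URL.
                self.problems.append(f"href scheme not allowed: {value!r}")

    def handle_comment(self, data):
        # Comments could carry SSI directives if the host later enables SSI.
        self.problems.append("comment not allowed")


def check_fragment(html_text):
    """Return a list of policy violations; an empty list means acceptable."""
    checker = FragmentChecker()
    checker.feed(html_text)
    checker.close()
    return checker.problems


# Constructed sample fragments, not taken from the real knownproblems.html.
GOOD = ('<p><strong>Known problem:</strong> logins to one service are failing; '
        'see the <a href="https://status.example.org/">status page</a>.</p>')
BAD = ('<p onclick="x()">Notice</p><script src="http://other.example/x.js">'
       '</script><a href="javascript:void(0)">more</a>')

if __name__ == "__main__":
    for label, fragment in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_fragment(fragment) or "ok")
```

Run it against the fragment on the hosting server before each update, and refuse to publish when the returned list is non-empty.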