Hi Ian,

The problem most likely lies at our end; we cannot access multiple SPs.

We use Apache as the front end; it is configured to listen on two ports,
443 for IdP traffic and 8443 for AA traffic. All traffic on these ports is
forwarded to Tomcat via the AJP connectors. There is no need to listen on
port 80.

The shib access logs indicate the problem occurred at around 5:45pm last
Friday. I've restarted the IdP and re-deployed the IdP, no luck. Our local
copy of the UK fed metadata is up-to-date.

However, the shib error log from yesterday shows the following errors:
3>2009-09-14 15:44:45,257 ERROR [IdP] Core -
Failed to instantiate a Name Identifier Mapping:
java.lang.reflect.InvocationTargetException:edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException:
Unable to configure or start Handle mapping replication service: Unable to
start data replication service.
4>2009-09-14 15:44:45,258 ERROR [IdP] Core -
Name Identifier mapping could not be loaded:
edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException:
Failed to instantiate a Name Identifier Mapping:
java.lang.reflect.InvocationTargetException
5>2009-09-14 15:44:45,337 ERROR [IdP] Core -
Relying Party NameID refers to a name mapping that is not loaded.
6>2009-09-14 15:44:45,337 ERROR [IdP] Core -
Encountered an error while attempting to load Relying Party configuration.
Skipping...
7>2009-09-14 15:44:45,337 ERROR [IdP] Core -
Default Relying Party refers to a Relying Party that has not been loaded.
8>2009-09-14 15:44:45,338 ERROR [IdP] Core -
Could not load Identity Provider configuration:
edu.internet2.middleware.shibboleth.common.ServiceProviderMapperException:
Invalid configuration (Default Relying Party).
9>2009-09-14 15:44:45,338 FATAL [IdP] Core -
The Identity Provider could not be initialized:
edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException:
Could not load Identity Provider configuration.
Any help appreciated.
Naveed
--On 15 September 2009 11:10 +0100 Ian Young wrote:
>
> On 15 Sep 2009, at 10:59, NS Hashmi, Information Systems and Computing
> wrote:
>
>> Our IdP access logs show: -
>> .... Attribute assertion (_....) issued to anonymous provider at
>> (...) on behalf of principal etc ..
>
> This means that your IdP can't tell which SP is making the request for
> attributes. That generally means that they won't get anything
> interesting.
>
> If you're seeing this from only one SP, it's probably a configuration
> error at their end. If you're seeing it from multiple SPs, and
> particularly if you're seeing it from major services like Digimap, it's
> probably a configuration error at your end.
>
> Is your IdP built using just Shib in Tomcat, or is Apache also in there
> front-ending it? I think the places things can go wrong would differ in
> these two cases.
>
> -- Ian
>
>
>
--------------------------------------------------------
Naveed Hashmi
Information Systems and Computing
University of Bristol
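
An added example, not part of the original message or of Shibboleth itself: a small triage script for an error log shaped like the one quoted above, which groups the multi-line entries and reports the first ERROR preceding each FATAL, since the later errors in such a burst are usually consequences of the first. The function names and the 5-second window are assumptions; the sample is abridged from the entries in the message.

```python
import re
from datetime import datetime, timedelta

# Header shape taken from the log lines quoted in the message above:
# "<seq>><timestamp> <LEVEL> [IdP] Core -", message text on the following lines.
HEADER = re.compile(
    r"^(?P<seq>\d+)>(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[[^\]]+\] \S+ -\s*(?P<rest>.*)$"
)

# Constructed sample: abridged from entries 3, 8 and 9 quoted in the message.
SAMPLE = """\
3>2009-09-14 15:44:45,257 ERROR [IdP] Core -
Failed to instantiate a Name Identifier Mapping:
Unable to start data replication service.
8>2009-09-14 15:44:45,338 ERROR [IdP] Core -
Could not load Identity Provider configuration:
Invalid configuration (Default Relying Party).
9>2009-09-14 15:44:45,338 FATAL [IdP] Core -
The Identity Provider could not be initialized:
Could not load Identity Provider configuration.
"""

def parse_entries(text):
    """Group each header line with its continuation lines into one entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({
                "seq": int(m["seq"]),
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
                "level": m["level"],
                "message": m["rest"].strip(),
            })
        elif entries and line.strip():
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries

def startup_failures(entries, window=timedelta(seconds=5)):
    """For each FATAL, return (first ERROR within the window before it, FATAL, error count)."""
    results = []
    for i, fatal in enumerate(entries):
        if fatal["level"] != "FATAL":
            continue
        chain = [e for e in entries[:i]
                 if e["level"] == "ERROR" and fatal["ts"] - e["ts"] <= window]
        if chain:
            results.append((chain[0], fatal, len(chain)))
    return results
```

Run against the sample, `startup_failures(parse_entries(SAMPLE))` points at entry 3 (the Name Identifier Mapping failure) as the place to start looking, rather than the FATAL at entry 9.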