Common Problems during Shibboleth SP Install
Some of the common problems SPs might see when setting up/running Shibboleth
Cannot start shibd daemon/service
There may be a typo in the XML configuration file shibboleth.xml. Open it in IE or an XML editor to verify that it is well-formed; shibd will not start on a malformed file.
Verify that all the paths inside shibboleth.xml are correct (paths to log files, DLLs, keys/certificates) and that the account shibd runs as can read them, in particular the private key.
Check shibd.log for the specific error.
Continuous redirect: Browser caught in redirect loop
The cookieProps attribute in shibboleth.xml might be set incorrectly for the scheme your application is served on. If the session cookie is marked secure but the page is requested over plain HTTP, the browser never sends the cookie back, the SP sees no session and redirects to the IdP again, and the cycle repeats.
If you are not using SSL (for example, http://myhost.ucla.edu/yourapp/somepage) use cookieProps="; path=/; ".
If you are using SSL (for example, https://myhost.ucla.edu/yourapp/somepage) use cookieProps="; path=/; secure". Leaving out secure on an SSL site does not cause a loop, but it lets the session cookie be sent in the clear if any http:// URL on the host is ever requested, so do not drop it as a workaround.
Header spoofing
Configure the checkSpoofing property in shibboleth.xml. Use checkSpoofing="false" in the Local section.
This is most likely to occur in Windows/IIS installations. Keep in mind that the check exists because the SP hands attributes to the application as HTTP request headers, which a client can also supply; with checkSpoofing="false" the SP no longer rejects requests that already carry such headers, so only disable it once you have confirmed the error is a false positive and that the web server strips those headers from incoming requests.
Invalid Consumer Service URL
User will see this error on the browser, after authentication:
Error: org.opensaml.SAMLException: Invalid assertion consumer service URL
The IdP has recognized the providerId of the SP in its metadata, but none of the AssertionConsumerService elements there matches the ACS URL supplied by the SP.
Check the ACS in your metadata. Make sure the handlerURL in shibboleth.xml is a prefix of the ACS URL path. For instance, if your ACS is https://yourdomain/testapp/Shibboleth.sso/SAML/POST then your handlerURL must be handlerURL="/testapp/Shibboleth.sso". The comparison is exact on scheme, host, port and path, so if the SP's hostname or virtual host has changed since the metadata was registered, send updated metadata to the IdP.
Unauthorized Identity Provider
User will see this error on the browser, after authentication:
Metadata lookup failure at https://yourdomain/testapp/Shibboleth.sso/SAML/POST
The SP does not trust the authentication response because its issuer (the IdP) is not in the SP's metadata. Contact the IdP operator and verify that you have loaded the IdP's current metadata and that the providerId in it matches what the IdP sends as issuer.
Issues with Timeout
If users are timing out sooner than the values in your shibboleth.xml would suggest, this can happen for a few reasons:
propagateErrors
If you have set propagateErrors in your shibboleth.xml to true, this might cause a problem. See the Internet2 site for more information on propagateErrors. By default we leave it false, because most applications do not need real-time updates of attributes.
Session element
If you configured the lifetime or timeout attributes of the Sessions element in shibboleth.xml to be very small, this could also be a problem.
A session lifetime of 7200 (2 hours) and timeout of 3600 (1 hour) normally works for most installations:
```xml
<Sessions lifetime="7200" timeout="3600" ...>
```
lifetime is the maximum age of a session measured from when it was created; timeout is the maximum idle time allowed between two requests. A user who is idle for longer than timeout, or who has been logged in for longer than lifetime however active, is sent back to the IdP. Understand how these two parameters interact before tweaking them.
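The following checker is an added example, not code from the original page or from the Shibboleth project. It reads the Sessions element of a 1.3-era shibboleth.xml and flags the problems discussed in the sections above: a file that is not well-formed (which keeps shibd from starting), a cookieProps value that does not fit the scheme the application is served on (the redirect loop), a handlerURL that is not a prefix of the ACS path registered in metadata, and a timeout larger than the lifetime. The wrapping SPConfig/Applications structure and the sample file are constructed for the example; the attribute names lifetime, timeout, handlerURL and cookieProps are the ones used on this page.

```python
"""Added diagnostic (not from the original page or the Shibboleth project):
lint the <Sessions> element of a Shibboleth 1.3-era shibboleth.xml for the
misconfigurations described on this page.  SAMPLE_XML is a constructed
fragment modelled on such a file, not a real deployment."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: an http:// application whose session cookie carries the
# "secure" flag, which is the redirect-loop case described above.
SAMPLE_XML = """<?xml version="1.0"?>
<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0">
  <Applications id="default" providerId="https://yourdomain/shibboleth">
    <Sessions lifetime="7200" timeout="3600"
              handlerURL="/testapp/Shibboleth.sso"
              cookieProps="; path=/; secure"/>
  </Applications>
</SPConfig>
"""


def _find_local(root, name):
    """Return the first element whose local name (namespace ignored) is `name`."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    return None


def check_sessions(xml_text, app_url, acs_url):
    """Return a list of (code, message) findings; an empty list means nothing found.

    app_url: a URL of the protected application as the browser requests it.
    acs_url: the AssertionConsumerService URL registered in the SP's metadata.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:           # shibd will not start on this file
        return [("malformed", f"shibboleth.xml is not well-formed: {exc}")]
    sessions = _find_local(root, "Sessions")
    if sessions is None:
        return [("no-sessions", "no <Sessions> element found")]
    findings = []

    # 1. cookieProps must match the scheme the application is served on.
    props = sessions.get("cookieProps", "")
    secure_flag = "secure" in props.lower()
    scheme = urlsplit(app_url).scheme.lower()
    if scheme == "http" and secure_flag:
        findings.append(("redirect-loop",
                         "cookieProps has 'secure' but the app is served over http; "
                         "the browser will never return the session cookie"))
    elif scheme == "https" and not secure_flag:
        findings.append(("cookie-not-secure",
                         "app is served over https but cookieProps lacks 'secure'; "
                         "the session cookie can be sent over plain http"))

    # 2. handlerURL must be a prefix of the ACS path the IdP knows from metadata.
    handler = sessions.get("handlerURL", "")
    acs_path = urlsplit(acs_url).path
    if not handler or not acs_path.startswith(handler.rstrip("/") + "/"):
        findings.append(("acs-mismatch",
                         f"handlerURL {handler!r} is not a prefix of ACS path {acs_path!r}"))

    # 3. lifetime (age since creation) and timeout (idle limit) sanity.
    lifetime = int(sessions.get("lifetime", "0"))
    timeout = int(sessions.get("timeout", "0"))
    if lifetime <= 0 or timeout <= 0:
        findings.append(("session-zero", "lifetime and timeout must be positive"))
    elif timeout > lifetime:
        findings.append(("timeout-gt-lifetime",
                         f"timeout {timeout} exceeds lifetime {lifetime}; "
                         "the idle limit can never apply"))
    return findings


def finding_codes(xml_text, app_url, acs_url):
    """Convenience wrapper returning only the finding codes."""
    return [code for code, _ in check_sessions(xml_text, app_url, acs_url)]


if __name__ == "__main__":
    for code, msg in check_sessions(SAMPLE_XML,
                                    "http://myhost.ucla.edu/testapp/somepage",
                                    "https://yourdomain/testapp/Shibboleth.sso/SAML/POST"):
        print(f"[{code}] {msg}")
```

Run it against your own file with the URL the browser actually uses for the application and the ACS URL from the metadata you gave the IdP; a finding of redirect-loop or acs-mismatch corresponds directly to the two browser-visible errors above.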
clockSkew error
User will see this error on the browser, after authentication:
Session Creation Error at (https://$host-name/shibboleth.sso/SAML/POST): unable to accept assertion because of clock skew
shibd.log will have this error:
2008-01-01 12:00:00 ERROR shibd.Listener sessionNew: caught exception while creating session: unable to accept assertion because of clock skew
Solution: keep accurate system time on the SP server by synchronizing it with a central NTP time server. The assertion's validity window is only a few minutes wide, so a clock that is off by more than the allowed skew is rejected whichever direction it has drifted. At UCLA, CTS offers this service; see http://www.cts.ucla.edu/noc/timesync.htm.
See also https://spaces.internet2.edu/display/SHIB/ClockSkew
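To make the failure mode concrete, here is an added example (not code from the original page or from the Shibboleth SP) of the time-window check an SP applies to an assertion: the window is widened by the allowed skew on both ends, and a drifted SP clock falls outside it either way. The timestamps are constructed and the 180-second skew allowance is an assumed value, not a Shibboleth default.

```python
"""Added example (not from the original page or the Shibboleth project):
the SAML assertion time-window check, showing why a drifted SP clock yields
"unable to accept assertion because of clock skew".  Timestamps are
constructed; the 180 s skew allowance is an assumed value."""
from datetime import datetime, timedelta, timezone

# Constructed assertion timing: issued at 12:00, valid for five minutes.
SAMPLE_ASSERTION = {
    "issue_instant": "2008-01-01T12:00:00Z",
    "not_before": "2008-01-01T12:00:00Z",
    "not_on_or_after": "2008-01-01T12:05:00Z",
}


def _parse_utc(ts):
    """Parse a SAML-style UTC timestamp such as 2008-01-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_acceptable(issue_instant, not_before, not_on_or_after, sp_now,
                         skew_seconds=180):
    """Return (accepted, reason).

    sp_now is the SP's own clock.  The assertion is accepted only if, after
    allowing skew_seconds on each side, the SP clock lies inside
    [not_before, not_on_or_after) and the IssueInstant is not in the future.
    """
    skew = timedelta(seconds=skew_seconds)
    issued, nb, noa = map(_parse_utc, (issue_instant, not_before, not_on_or_after))
    now = _parse_utc(sp_now)
    if issued - skew > now:
        return False, f"IssueInstant {issue_instant} is in the future: SP clock is behind the IdP"
    if now + skew < nb:
        return False, f"NotBefore {not_before} not yet reached: SP clock is behind the IdP"
    if now - skew >= noa:
        return False, (f"NotOnOrAfter {not_on_or_after} already passed: "
                       "SP clock is ahead of the IdP, or the assertion is stale")
    return True, "within validity window"


def check_sp_clock(sp_now):
    """Evaluate the constructed sample assertion against a given SP clock value."""
    return assertion_acceptable(sp_now=sp_now, **SAMPLE_ASSERTION)


if __name__ == "__main__":
    for clock in ("2008-01-01T12:01:00Z", "2008-01-01T11:50:00Z", "2008-01-01T12:15:00Z"):
        print(clock, check_sp_clock(clock))
```

The reason string tells you which way the SP clock is off, which is useful because an NTP fix is the same either way but the log entry alone does not say whether the SP or the IdP is the drifted party.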
ERROR SAML.SAMLSOAPHTTPBinding nn sessionGet: failed while contacting SAML responder: connect() timed out!
This means the SP cannot connect to the IdP.
After the browser profile completes, the SP makes a back-channel call to the IdP's attribute authority (AA) to retrieve attributes. The AA is usually on port 8443 or 7443, for example https://shb1.ais.ucla.edu:7443/shibboleth-idp/AA. Some networks have aggressive egress firewall rules that block outbound connections from the SP host to ports 7443/8443; ask your network admin to relax this rule. A first check from the SP host is whether a TCP connection to that host and port completes at all: a timeout (no answer) points at filtering, while a refused connection means the host is reachable but nothing is listening on that port.
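The probe below is an added diagnostic, not part of the original page or the Shibboleth distribution. It attempts a plain TCP connection to the IdP's AA port from the SP host and distinguishes a firewall drop (timeout) from a reachable host with nothing listening (connection refused). The IdP hostname and port in the usage call are placeholders taken from the example above; the test target is a throwaway listener constructed in-process so the example runs offline.

```python
"""Added diagnostic (not from the original page or the Shibboleth
distribution): TCP reachability probe for the IdP attribute authority port,
separating "timed out" (typical egress filtering) from "refused" (host up,
port closed).  The local listener is a constructed test target."""
import socket


def check_backchannel(host, port, timeout=5.0):
    """Return (status, detail); status is 'open', 'timeout', 'refused' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", f"TCP connect to {host}:{port} succeeded"
    except socket.timeout:
        # No SYN/ACK at all within the deadline: the usual signature of an
        # egress firewall silently dropping the packets.
        return "timeout", f"no response from {host}:{port} within {timeout}s (egress filtering?)"
    except ConnectionRefusedError:
        # The host answered with a RST: reachable, but nothing listens there.
        return "refused", f"{host}:{port} is reachable but nothing is listening"
    except OSError as exc:
        # DNS failure, no route, etc.
        return "error", f"{host}:{port}: {exc}"


def local_listener():
    """Open a throwaway listening socket on 127.0.0.1 (constructed test target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def demo_open_then_refused():
    """Constructed scenario: probe a local listener, close it, probe again."""
    srv = local_listener()
    port = srv.getsockname()[1]
    try:
        opened = check_backchannel("127.0.0.1", port, timeout=2.0)[0]
    finally:
        srv.close()
    refused = check_backchannel("127.0.0.1", port, timeout=2.0)[0]
    return opened, refused


if __name__ == "__main__":
    print(demo_open_then_refused())
    # On a real SP host, replace the placeholders with your IdP's AA endpoint:
    # print(check_backchannel("shb1.ais.ucla.edu", 7443))
```

A successful TCP connect does not prove the attribute query will work, since the back-channel still has to complete a TLS handshake in which the IdP validates the SP's certificate against metadata; but a timeout result is strong evidence that the network, not the SP or IdP configuration, is the problem to raise with the network admin.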
Where is my Attribute ?
The application may not see any attributes even though there is no visible error (on the page or in shibd.log).
1. Perhaps the IdP is not releasing any. Check with the IdP operator.
2. Check AAP.xml and make sure the mappings are correct. The AAP is an acceptance filter: an attribute the IdP sends that has no entry in AAP.xml is dropped silently, and the header name the application reads must match the one configured there.
3. Perhaps the user does not have the specific attribute. Try with a different logon ID.
More Info
For more common problems, visit the Shibboleth site.