From: D B. <ba...@aw...> - 2020-03-16 17:49:34

Hi,

thanks for the hints! For posterity: I had mismatching entityIDs in my Shibboleth config:

"https://mydomain/shibboleth" in shibboleth2.xml
and
"https://mydomain/shibboleth/" in the sp-metadata.xml

Yes, of course, that last slash makes a difference %-)

It seems that Shibboleth will send to the IDP the entityID set in shibboleth2.xml - or at least it did in my case.

Cheers,
D

On 14/03/2020 10:41, Krzysztof Benedyczak wrote:
> Hi,
>
> On 12.03.2020 at 19:59, D Baum wrote:
>> Hi!
>>
>> I feel I've asked about this before but could not find the message any
>> more - sorry!
>>
>> I'm trying to configure two SAML SPs in parallel in
>> conf/modules/saml/saml-webidp.properties:
>>
>> unity.saml.acceptedSPMetadataSource.a.url=file:///conf/saml/a-metadata.xml
>>
>> unity.saml.acceptedSPMetadataSource.b.url=file:///conf/saml/b-metadata.xml
>>
>> unity.saml.spAcceptPolicy=validRequester
>>
>> SP A works fine, but I've got issues with SP B, which is a
>> Shibboleth/Apache setup. When I try to access a protected resource, I
>> get forwarded to unity and it tells me:
>>
>> SAML IdP got an invalid request.
>
> So certainly the B's metadata is a problem. You can enable more detailed
> logging on the saml facility (DEBUG should be enough, but try TRACE to
> get all insights) and check what SPs were extracted from the config.
> Especially the logger 'unity.server.saml.MetaToSPConfigConverter' should
> be helpful.
>
> HTH,
> Krzysztof
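
A pre-deployment check for the mismatch described in this message, as an added example that is not part of the original post and is not Shibboleth or Unity code. The XML samples are constructed, the function names are hypothetical, and elements are matched by local name so the SP config namespace version does not matter.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the mismatch described in the message.
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://mydomain/shibboleth"/>
</SPConfig>"""

SP_METADATA_XML = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mydomain/shibboleth/"/>"""


def entity_ids(xml_text, local_name):
    """Return entityID attributes of all elements with the given local name."""
    root = ET.fromstring(xml_text)
    return [
        el.attrib["entityID"]
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == local_name and "entityID" in el.attrib
    ]


def compare_entity_ids(sp_config_xml, metadata_xml):
    """Compare the SP's configured entityID with those published in metadata.

    Returns (status, configured, published). status is 'match', 'near-miss'
    (differs only by trailing slash, case or surrounding whitespace) or
    'mismatch'.
    """
    configured = entity_ids(sp_config_xml, "ApplicationDefaults")
    published = entity_ids(metadata_xml, "EntityDescriptor")
    if not configured or not published:
        return ("mismatch", configured, published)
    wanted = configured[0]
    if wanted in published:  # exact string comparison: a trailing slash counts
        return ("match", configured, published)
    norm = lambda s: s.strip().rstrip("/").lower()
    if any(norm(wanted) == norm(p) for p in published):
        return ("near-miss", configured, published)
    return ("mismatch", configured, published)


if __name__ == "__main__":
    status, cfg, pub = compare_entity_ids(SHIBBOLETH2_XML, SP_METADATA_XML)
    print(f"{status}: shibboleth2.xml={cfg} metadata={pub}")
```

A `near-miss` result is the case from this thread: the two values look the same to a reader but are different strings.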