I am trying to run a Shibboleth SP for the first time, but I immediately ran into an issue that I haven't understood for three days now :/
I use the docker image `unicon/shibboleth-sp` as a base to begin with.
So far I've just modified `shibboleth2.xml` in two places. I wrote a specific IdP entityID into the `<SSO>` section and added a `<MetadataProvider>` that points to an external XML file containing the metadata of the IdP.
IMHO this should be enough to get redirected to the IdP when I try to access a protected URL on the SP. But instead, I get a Shibboleth exception: `No MetadataProvider available`.
These are the changes I made to `shibboleth2.xml`:
```xml
<ApplicationDefaults entityID="https://sp.example.org/shibboleth" ... >
    ...
    <Sessions ... >
        ...
        <!--
        Configures SSO for a default IdP. To properly allow for >1 IdP, remove
        entityID property and adjust discoveryURL to point to discovery service.
        You can also override entityID on /Login query string, or in RequestMap/htaccess.
        -->
        <SSO entityID="https://testidp.aai.dfn.de/idp/shibboleth"
             discoveryProtocol="SAMLDS" discoveryURL="http://www.aai.dfn.de/DS/WAYF">
            SAML2
        </SSO>
        ...
    </Sessions>
    ...
    <MetadataProvider type="XML" id="dfn-aai-test-metadata"
                      url="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-test-metadata.xml"
                      backingFilePath="federation-dockermeta-metadata.xml" maxRefreshDelay="3600">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" verifyBackup="false"/>
    </MetadataProvider>
    ...
</ApplicationDefaults>
```
After debugging for days now I'm pretty sure that the SP correctly parses the `<MetadataProvider>` tag, but seems to completely ignore it.
Setting log levels to DEBUG shows that the MetadataProvider gets parsed (its XML structure is visible in the log output), but it doesn't try to access the URL. There is not even a DNS request for www.aai.dfn.de, nor does it try to access the URL. Also, there are no errors in the log. There is not even a hint of it trying to load external metadata in the logs. The first and only error I get in the logfiles is `No MetadataProvider available` after trying to access a protected resource.
I've never set up a Shibboleth SP before (because everybody told me it is a PITA). I'm not sure if it's a problem with the Shibboleth SP or the docker image. Most probably I'm the problem and I'm just missing something pretty obvious...
I need help :)
The complete code I used can be found here: https://gitlab.com/xsrf/shibb-sp/tree/5380f4550ac1a5ffb47d96138d837f1cf6acdb60
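A few of the conditions behind a `No MetadataProvider available` error can be checked offline before turning on DEBUG logging. The script below is an added example, not code from the post or from the unicon/shibboleth-sp image; `check_sp_config` is a hypothetical helper, and the config fragments, metadata document and clock value are constructed samples. It confirms that each `<MetadataProvider>` is a direct child of `<ApplicationDefaults>` (the position the post's snippet uses), that the `<SSO>` entityID has an `EntityDescriptor` in the metadata, and that the metadata's `validUntil` lies within the `RequireValidUntil` filter's `maxValidityInterval`, since metadata that fails that filter is rejected by it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

def _local(tag):
    # Strip the namespace so the checks work for the SP 2.x and 3.x config namespaces alike
    return tag.rsplit('}', 1)[-1]

def check_sp_config(shibboleth2_xml, metadata_xml, now):
    """Hypothetical helper. Returns a list of findings (empty = all checks pass): MetadataProvider
    sits directly under ApplicationDefaults, the <SSO> entityID exists in the metadata, and the
    metadata validUntil is within each RequireValidUntil filter's maxValidityInterval from now."""
    findings = []
    root = ET.fromstring(shibboleth2_xml)
    parent = {c: p for p in root.iter() for c in p}
    app = next((e for e in root.iter() if _local(e.tag) == 'ApplicationDefaults'), None)
    if app is None:
        return ['no ApplicationDefaults element found']
    providers = [e for e in app.iter() if _local(e.tag) == 'MetadataProvider']
    for p in providers:
        if parent[p] is not app:
            findings.append('MetadataProvider id=%r is nested under <%s>, not ApplicationDefaults'
                            % (p.get('id'), _local(parent[p].tag)))
    if not any(parent[p] is app for p in providers):
        findings.append('no MetadataProvider is a direct child of ApplicationDefaults')
    meta = ET.fromstring(metadata_xml)
    sso = next((e for e in app.iter() if _local(e.tag) == 'SSO'), None)
    idp = sso.get('entityID') if sso is not None else None
    known = {e.get('entityID') for e in meta.iter() if _local(e.tag) == 'EntityDescriptor'}
    if idp and idp not in known:
        findings.append('SSO entityID %s has no EntityDescriptor in the metadata' % idp)
    valid_until = meta.get('validUntil')  # validUntil on the root of the metadata document
    for f in app.iter():
        if _local(f.tag) == 'MetadataFilter' and f.get('type') == 'RequireValidUntil':
            max_iv = f.get('maxValidityInterval')  # seconds; skip the bound check when absent
            if valid_until is None:
                findings.append('RequireValidUntil filter present but metadata has no validUntil')
            elif max_iv and datetime.strptime(valid_until, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc) - now > timedelta(seconds=int(max_iv)):
                findings.append('metadata validUntil %s is more than %ss in the future' % (valid_until, max_iv))
    return findings

# Constructed sample inputs (not from the post): the provider misplaced inside <Sessions>
# versus placed directly under ApplicationDefaults, plus a minimal IdP metadata document.
PROVIDER = ('<MetadataProvider type="XML" id="dfn-aai-test-metadata" url="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-test-metadata.xml">'
            '<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/></MetadataProvider>')
CONFIG = ('<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"><ApplicationDefaults entityID="https://sp.example.org/shibboleth">'
          '<Sessions><SSO entityID="https://testidp.aai.dfn.de/idp/shibboleth">SAML2</SSO>{inside}</Sessions>{outside}</ApplicationDefaults></SPConfig>')
BROKEN, FIXED = CONFIG.format(inside=PROVIDER, outside=''), CONFIG.format(inside='', outside=PROVIDER)
METADATA = ('<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2016-03-20T12:00:00Z">'
            '<EntityDescriptor entityID="https://testidp.aai.dfn.de/idp/shibboleth"/></EntitiesDescriptor>')
NOW = datetime(2016, 3, 1, tzinfo=timezone.utc)  # fixed "current time" so results are reproducible
```

Running `check_sp_config(BROKEN, METADATA, NOW)` reports the misplaced provider, while the `FIXED` config with the same metadata returns no findings.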