Shibboleth SP Validation Guide
The purpose of this document is to validate that a Shibboleth SP is properly configured to federate with either the Penn or InCommon IdPs. Upon successful completion of this guide, the SP will receive the attributes necessary to authorize users to use your application.
The following must be prepared in order to validate a Shibboleth SP configuration:
- The Shibboleth SP must be installed on a web server, such as Apache or IIS.
- The metadata and configuration file from Penn have been put in place.
Once these are in place, validate the SP as follows:
- Navigate your web browser to the following address: https://yourhostname.upenn.edu/secure. Be sure that you use https and that your SP was configured to use SSL.
- If the SP has been properly set up with the IdP's metadata, you should be redirected to a login page from the IdP.
- Attempt to log in. If you proceed past the login screen and on to the original address, then the SP is successfully configured for federation with either Penn or InCommon. If you see an error at this point that is not connected to the IdP (such as a 404 error), then do not worry: this does not necessarily mean the SP is misconfigured, only that there is nothing to display at that address. For testing purposes, you may add a simple HTML page with the filename index.html into the secure directory to avoid the error page.
- To check whether or not the correct attributes have been communicated to the SP, navigate to the SP's Session page.
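The last step is easiest to repeat if you save the text of the SP's Session page (https://yourhostname.upenn.edu/Shibboleth.sso/Session, which needs your logged-in browser session and so cannot be fetched by a script on its own) and run a small checker over it. The script below is an added example, not part of this guide or of the Shibboleth SP distribution. It assumes the handler's plain-text layout, in which each released attribute appears under an "Attributes" line as "name: N value(s)", and it assumes a REQUIRED set of attribute names; the sample page, the IdP entityID and the required set are constructed for the example and should be replaced with what your application actually authorizes on.

```python
"""Check the attribute list shown on the SP's Session page.

Added example (not from the Penn guide or the Shibboleth project).
Usage:  python check_session.py saved_session.txt
With no argument it runs against the constructed sample below.
"""
import re
import sys

# Assumed requirement for this example; adjust to your application's needs.
REQUIRED = ("eppn", "affiliation")

# Constructed sample of the Session handler's plain-text output (assumed layout).
SAMPLE_SESSION_PAGE = """Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 192.0.2.10
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://idp.example.test/idp/shibboleth
Authentication Time: 2024-01-01T12:00:00Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Attributes
eppn: 1 value(s)
affiliation: 2 value(s)
displayName: 0 value(s)
"""

# One attribute line in the "Attributes" section: "<name>: <count> value(s)".
ATTR_LINE = re.compile(r"^(?P<name>[\w.-]+):\s+(?P<count>\d+)\s+value\(s\)\s*$")


def parse_session_page(text: str) -> dict:
    """Map attribute name -> value count, reading only the 'Attributes' section."""
    attrs = {}
    in_attrs = False
    for line in text.splitlines():
        if line.strip() == "Attributes":
            in_attrs = True
            continue
        if not in_attrs:
            continue
        m = ATTR_LINE.match(line.strip())
        if m:
            attrs[m.group("name")] = int(m.group("count"))
    return attrs


def identity_provider(text: str):
    """The IdP entityID the session came from, or None if the page shows no session."""
    m = re.search(r"^Identity Provider:\s*(\S+)\s*$", text, re.M)
    return m.group(1) if m else None


def missing_attributes(attrs: dict, required=REQUIRED) -> list:
    """Required attributes that are absent or released with zero values."""
    return [name for name in required if attrs.get(name, 0) < 1]


def report(text: str) -> str:
    """Human-readable summary: IdP, each attribute's value count, and what is missing."""
    attrs = parse_session_page(text)
    idp = identity_provider(text) or "(no session found: log in first)"
    if not attrs:
        return f"IdP: {idp}\nNo attributes released; revisit the Session page after logging in."
    missing = missing_attributes(attrs)
    lines = [f"IdP: {idp}"] + [f"  {n}: {c} value(s)" for n, c in sorted(attrs.items())]
    if missing:
        lines.append(f"MISSING: {', '.join(missing)} (ask the Penn WebLogin Team to release them)")
    else:
        lines.append("OK: all required attributes present")
    return "\n".join(lines)


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SESSION_PAGE
    print(report(source))
```

An attribute listed with "0 value(s)" is treated the same as an absent one, since an empty attribute will not authorize anyone; that is the case the "Incorrect or missing attributes" section below describes.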
Error 404 when accessing protected content
If you receive this error when you would normally be redirected to the IdP's login page, then there are multiple possible causes:
- If the error occurs before the redirect to the IdP:
  - The address may have been typed into the browser incorrectly. Check that it is correct and try again.
  - The SP and/or web server may not be running. Ensure that they are up and running with no errors and try again.
- If the error occurs after the redirect:
  - There may be an error with the metadata for the IdP. Ensure that the correct metadata for the IdP is imported into the SP.
  - The IdP may be currently down/non-responsive. Check the Penn WebLogin Status page at status.net.isc.upenn.edu. Click the Authentication link under WebLogin server and find the Shibboleth server's status.
  - The SP's host machine may not be able to reach the IdP's host machine. Attempt to reach the IdP directly from the SP host machine. If this fails, attempt to telnet into the secure port. If this fails as well, contact the team responsible for managing your local network.
Shibboleth metadata error
There is an error in the configuration file for the SP. Check the entityID for the IdP in the shibboleth2.xml configuration file and make sure that it is accurate.
Failure to log in
Ensure that you have an account on the IdP and that it was entered correctly. If you are still having issues, contact the Penn WebLogin Team.
Shibboleth may give this error when returning to the protected page after logging in. If you receive this error, then there are two possible causes:
- The security certificate in the IdP's metadata does not match the security certificate that the SP has access to. Contact the Penn WebLogin Team to resolve this issue.
- The security certificate in the SP's metadata does not match the security certificate that the IdP has access to. Contact the Penn WebLogin Team to correct the metadata or certificates.
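Two of the checks above (the IdP entityID in shibboleth2.xml under "Shibboleth metadata error", and the certificate in the IdP's metadata versus the copy the SP holds on disk) can be made before contacting anyone, by comparing the files the SP already has. The script below is an added example, not part of this guide or of the Shibboleth project. It reads the entityID and signing certificate out of IdP metadata, compares the certificate's SHA-256 fingerprint with the PEM file the SP uses, and confirms that the `<SSO entityID="...">` element in shibboleth2.xml names the same entityID. The metadata, the shibboleth2.xml fragment, the entityIDs and the "certificate" bytes are all constructed placeholders (the certificate is not real X.509 DER); point the functions at your real files to use it.

```python
"""Offline consistency checks for a Shibboleth SP's IdP trust configuration.

Added example (not from the Penn guide or the Shibboleth project). It checks:
  1. the entityID in <SSO entityID="..."> in shibboleth2.xml matches the
     entityID of the IdP metadata the SP imported;
  2. the signing certificate inside that metadata has the same SHA-256
     fingerprint as the IdP certificate file on the SP host.
All XML and certificate material below is constructed for the example.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for DER certificate bytes (NOT a real certificate).
PLACEHOLDER_DER = b"constructed-placeholder-der-bytes-not-a-real-certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed IdP metadata in the shape the SP consumes (entityID is a placeholder).
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed fragment of shibboleth2.xml (SP 3 configuration namespace).
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://yourhostname.upenn.edu/shibboleth">
    <Sessions>
      <SSO entityID="https://idp.example.test/idp/shibboleth">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed PEM file as it would sit on the SP host; same placeholder bytes.
IDP_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + PLACEHOLDER_B64 + "\n-----END CERTIFICATE-----\n"


def _local(tag: str) -> str:
    """Strip the namespace prefix ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem: str) -> str:
    """Fingerprint the first certificate block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return fingerprint_der(base64.b64decode("".join(m.group(1).split())))


def metadata_identity(metadata_xml: str):
    """Return (entityID, fingerprints of certificates usable for signing)."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iter():
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if _local(kd.tag) != "KeyDescriptor" or kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter():
            if _local(cert.tag) == "X509Certificate":
                fps.append(fingerprint_der(base64.b64decode("".join(cert.text.split()))))
    return root.get("entityID"), fps


def configured_idp_entity_ids(shib_xml: str) -> list:
    """entityIDs named by <SSO entityID="..."> elements in shibboleth2.xml."""
    root = ET.fromstring(shib_xml)
    return [el.get("entityID") for el in root.iter() if _local(el.tag) == "SSO" and el.get("entityID")]


def check_idp_trust(metadata_xml: str, shib_xml: str, local_idp_pem: str) -> list:
    """Return a list of problems; an empty list means the three artifacts agree."""
    problems = []
    entity_id, fps = metadata_identity(metadata_xml)
    configured = configured_idp_entity_ids(shib_xml)
    if entity_id not in configured:
        problems.append(f"shibboleth2.xml SSO entityID {configured} does not name metadata entityID {entity_id}")
    local_fp = fingerprint_pem(local_idp_pem)
    if local_fp not in fps:
        problems.append(f"local IdP certificate {local_fp[:23]}... is not among the metadata signing certificates")
    return problems


if __name__ == "__main__":
    for line in check_idp_trust(IDP_METADATA, SHIBBOLETH2_XML, IDP_CERT_PEM) or ["OK: entityID and certificate agree"]:
        print(line)
```

If the fingerprint check fails, the metadata copy on the SP and the certificate the IdP actually signs with have drifted apart, which is exactly the mismatch the two bullets above describe and the Penn WebLogin Team would need to resolve; if only the entityID check fails, the fix is local to shibboleth2.xml.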
Incorrect or missing attributes
You may notice this when looking at the Sessions page for the SP. Contact the Penn WebLogin Team to ensure that all necessary attributes are being sent. The attributes may need to be verified in the application itself.
Attributes with incorrect values
If the attributes sent over by the IdP contain the wrong values, the mapping for the attributes may be incorrect. Contact the Penn WebLogin Team and ensure that the correct values are being mapped to the attributes that they are sending.
Unable to meet security requirements
Typically, this is the result of trying to access the IdP before the service provider's metadata is in place. If the service provider's metadata was recently transferred to the IdP, allow time for processing. Otherwise, contact the Penn WebLogin Team.