Penn Shibboleth - Validation Guide


ISC Networking & Telecommunications


Penn WebLogin
	Help

	Shibboleth Reference
	Main Page
	Service Provider Information
	InCommon Process
	Shibboleth Setup and Configuration
	SP Validation

	Quick Links
	SP Registration Form (Requires Pennkey Login)
	InCommon Registration Form
	Known Issues
	Intake Process Flowchart
	Road Map
	FAQs

Shibboleth SP Validation Guide

The purpose of this document is to validate that a Shibboleth SP is properly configured to federate with either the Penn or InCommon IdPs. Upon successful completion of this guide, the SP will be receiving the attributes necessary to authorize users to use your application.

Preparation

The following must be prepared in order to validate a Shibboleth SP configuration:

The Shibboleth SP must be installed on a web server, such as Apache or IIS.
The metadata and configuration file from Penn have been put in place.

Validation

Navigate your web browser to the following address: https://yourhostname.upenn.edu/secure. Be sure that you use https and that your SP was configured to use SSL.
If the SP has been properly set up with the IdP’s metadata, you should be redirected to a login page from the IdP.
Attempt to log in. If you proceed past the login screen and on to the original address, then the SP is successfully configured for federation with either Penn or InCommon. If you see an error at this point that is not connected to the IdP (such as a 404 error), then do not worry—this does not necessarily mean the SP is misconfigured, only that there is nothing to display at that address. For testing purposes, you may add a simple html page with the filename index.html into the secure directory to avoid the error page.
To check whether or not the correct attributes have been communicated to the SP, navigate to the SP’s Session page.

Common Issues

Error 404 when accessing protected content

If you receive this error when you would normally be redirected to the IdP’s login page, then there are multiple possible causes:

If the error occurs before the redirect to the IdP:

The address may have been typed into the browser incorrectly. Check that it is correct and try again.
The SP and/or web server may not be running. Ensure that they are up and running with no errors and try again.

If the error occurs after the redirect:

There may be an error with the metadata for the IdP. Ensure that the correct metadata for the IdP is imported into the SP.
The IdP may be currently down/non-responsive. Check the Penn WebLogin Status page at status.net.isc.upenn.edu. Click the Authentication link under WebLogin server and find the Shibboleth server’s status.
The SP’s host machine may not be able to reach the IdP’s host machine. Attempt to reach the IdP directly from the SP host machine. Attempt to telnet into the secure port if this fails. If this fails as well, contact the team responsible for managing your local network.

Shibboleth metadata error

There is an error in the configuration file for the SP. Check the entityID for the IdP in the shibboleth2.xml configuration file and make sure that it is accurate.

Failure to log in

Ensure that you have an account on the IdP and that it was inputted correctly. If you are still having issues, contact the Penn WebLogin Team.

Signing Error

Shibboleth may give this error when returning to the protected page after logging in. If you receive this error, then there are two possible causes:

The security certificate in the IdP’s metadata does not match the security certificate that the SP has access to. Contact the Penn WebLogin Team to resolve this issue.
The security certificate in the SP’s metadata does not match the security certificate that the IdP has access to. Contact the Penn WebLogin Team to correct the metadata or certificates.

Incorrect or missing attributes

You may notice this when looking at the Sessions page for the SP. Contact the Penn WebLogin Team to ensure that all necessary attributes are being sent. The attributes may need to be verified in the application itself.

Attributes with incorrect values

If the attributes sent over by the IdP contain the wrong values, the mapping for the attributes may be incorrect. Contact the Penn WebLogin Team and ensure that the correct values are being mapped to the attributes that they are sending.

Unable to meet security requirements

Typically, this is the result of trying to access the IdP before the service provider’s metadata is in place. If the service provider’s metadata was recently transferred to the IdP, allow time for processing. Otherwise, contact the Penn WebLogin Team.

Service Alerts



Information Systems and Computing University of Pennsylvania Comments & Questions