Test the Service Provider
Prepare the /secure directory
The default config file /etc/httpd/conf.d/shib.conf includes an example Location block defining the /secure URL as a Shibboleth-protected directory. That code should look something like this:
<Location /secure> AuthType shibboleth <IfVersion < 2.3> ShibCompatWith24 On </IfVersion> ShibRequestSetting requireSession 1 require shib-session </Location>
For the sake of this first test, we will use that Location to setup a test of the new SP software. We need to add some content to that directory that will display when a user successfully logs in to Shibboleth.
First, you need to locate your server's DocumentRoot. You should be able to find this declaration in the httpd.conf file for your server, or perhaps in an included virtual host file if you use such things. On my Realm Linux 6 test server, this is how I found it:
grep DocumentRoot /etc/httpd/conf/httpd.conf # DocumentRoot: The directory out of which you will serve your DocumentRoot "/var/www/html" # This should be changed to whatever you set DocumentRoot to. # DocumentRoot /www/docs/dummy-host.example.com
Next, go to the DocumentRoot directory and make a subdirectory named "secure":
cd /var/www/html mkdir secure
Next, go into that directory, and download a copy of the example page. This page will use PHP to check for a successful Shibboleth login, and it will dump out all of the environment variables that are passed to the page.
cd secure wget -O index.php https://docs.shib.ncsu.edu/docs/testpage.php.txt
Note: This test assumes your httpd server will support PHP files. If you are not running PHP on your server, just place a static index.html file in your DocumentRoot/secure directory.
Test the directory
Open your favorite browser and enter the appropriate URL for the /secure/ directory on your server. That URL will be something like:
- http://yourserver.ncsu.edu/secure/ or
You should be redirected to the NC State IdP to login. You should see the page https://shib.ncsu.edu/idp/Authn/UserPassword where you are asked to enter your Unity ID and Password.
Assuming you reached the login page, enter your own Unity credentials and submit them. Since this is the first time you've logged in to the new SP, you should be presented with the uApprove page which lists that attributes that will be released to your site. Click "Confirm" on that page to proceed.
If all goes well, your browser will be redirected back to your site's /secure/ url. You should now be logged in, and you should see the output of the the example page that you downloaded and installed earlier. (Or, at the least, you should see the static index.html page that you installed instead.)
The example page shows something like this:
Login Success! Welcome! Your EPPN is firstname.lastname@example.org, and your affiliation is email@example.com;firstname.lastname@example.org. Environment Dump Array ( [Shib-Application-ID] => default [Shib-Session-ID] => _c46a90a276f18a1ce2ffdaa79e03a76c [Shib-Identity-Provider] => https://shib.ncsu.edu/idp/shibboleth [Shib-Authentication-Instant] => 2014-05-21T14:32:20.255Z [Shib-Authentication-Method] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [Shib-AuthnContext-Class] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [Shib-Session-Index] => _dfcc7963fcbc5ac17cd8d7cd4c70ee3c [SHIB_AFFILIATION] => email@example.com;firstname.lastname@example.org [SHIB_CPID] => email@example.com [SHIB_DISPLAYNAME] => John Public [SHIB_EPPN] => firstname.lastname@example.org [SHIB_EPTID] => https://shib.ncsu.edu/idp/shibboleth!https://yourdomain.ncsu.edu/sp/shibboleth!uyYFtUrumNE+goK4WQ/kydYBtvw= [SHIB_GIVENNAME] => John [SHIB_MAIL] => email@example.com [SHIB_PWEXPIRED] => N [SHIB_PWEXPIREDATE] => Mon Dec 01 2014 06:23:58 GMT-0500 (EST) [SHIB_SN] => Public [SHIB_UID] => unityid [SHIB_UNAFFILIATION] => member;staff [transient-id] => _0934d085b1dcd4c7537e181457afe488 [REMOTE_USER] => firstname.lastname@example.org [AUTH_TYPE] => shibboleth ... additional output omitted ... )
You may not see all of these attributes in your output. You should see variables for each of the attributes that you were approved to receive when you registered your SP.
Errors in testing
Message did not meet security requirements
When you are first redirected to the IdP, you may get an error page with a message at the bottom that says "Message did not meet security requirements". This usually indicates that your SP metadata was not loaded by the IdP from the Federation.
Fix: Please wait four hours after registration is completed to test the connection. By that time, the servers should have loaded the updated metadata.
If the fix did not work, this is the next thing to check. Did you regenerate your SP key and certificate files after registering? If you did, then our IdP has the wrong certificate for your SP, and it will throw this error.
Fix: Either restore the key and certificate files that were used when you registered the site; or, contact us to ask that we download and re-register your metadata with the new certificate information.
It is also possible to get this error if your metadata did not contain a copy of your certificate at all. You should see this mistake in the configuration testing done earlier, or we should catch it when you try to register metadata without a certificate. If it slipped through this far, contact us to register the corrected metadata.
No peer endpoint available to which to send SAML response
After you login to the IdP, and after you Confirm uApprove, you may get an error page with a message at the bottom that says "No peer endpoint available to which to send SAML response". This indicates that the metadata on the IdP does not contain the same endpoint URL that was requested by the SP when you initiated the login. There are two common causes for this error:
You changed the Sessions handlerSSL setting in shibboleth2.xml after your SP metadata was registered. Your SP is now sending https URLs where it is registered to use http, or vice-versa.
You are testing your site from a different domain name than the one found in your registered metadata.
Fix: If you are using NCSU Federation, you should be able to set your SP to sign its login requests. Our IdP server will trust the the handler URL found in a signed request and should not be giving this error. Check your configuration as decribed in this document: Bypass Endpoint Checks in Metadata.
If you are not using NCSU Federation, this setup may not be available. In that case you need to register the correct endpoints in your metadata.
Fix: Contact us with the URL that you tried to test and let us know that you received this error message. We will add additional endpoints to your registered metadata so the new URL will work correctly.
Additional troubleshooting docs
Refer to the Shibboleth wiki documents:
After you have tested your Service Provider software, you can proceed to the instructions on how to use htaccess files to configure Shibboleth on individual directories on your server. Or, if you need to expand your SP to cover additional servers or virtual hosts, you should proceed to Advanced Configuration.