ComponentSpace

Forums



Exception: "The partner identity provider example.org is not configured"


Exception: "The partner identity provider example.org is not...

Author
Message
HerbWarren
HerbWarren
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 2, Visits: 21
This seems to be a popular error of late. I have tracing enabled, so I can send along that log in it's entirety if it'll be helpful. It looks like the values of metadata entityID matches the saml.config name property, which matches the value of Issuer in the response, so ... I'm stumped. I've used this same code in a half-dozen or more SAML integrations without issue, but I'm really stuck this time around.

iDP metadata (anonymized)

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://login-test.cc.example.org/idp/shibboleth">   
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">example.org</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        <!-- removed -->
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login-test.cc.example.org/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login-test.cc.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login-test.cc.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
</EntityDescriptor>


My saml.config file - I've verified that this is the file being read (based on messages in the trace file):

<?xml version="1.0" encoding="utf-8"?>
<SAMLConfigurationxmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider
    AssertionConsumerServiceUrl="~/SAML2/AssertionService"/>
  <PartnerIdentityProvider
   SignAuthnRequest="false"
   PartnerCertificateFile="C:\InVision\config\system\idp_sso_cert.crt"
   WantSAMLResponseSigned="true"
   WantAssertionSigned="false"
   WantAssertionEncrypted="false"
   UseEmbeddedCertificate="false"
   SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
</SAMLConfiguration>

The response from the idP looks like this (in part - I've trimmed signatures, and most of the assertion out)
ID="_f4fa858382d868a92357cd2894bd194f"
InResponseTo="_3a733731-7104-4b94-9c99-3992a41bd45f"
IssueInstant="2019-02-01T19:12:24.427Z"
Version="2.0" 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> 
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://login-test.cc.example.org/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status> 
<saml2:Assertion ID="_cbf3eb4e952aeed9a509fda1a6af1bd1"
IssueInstant="2019-02-01T19:12:24.427Z"
Version="2.0"  
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">  
 <saml2:Issuer>https://login-test.cc.example.org/idp/shibboleth</saml2:Issuer>

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)

Group: Administrators
Posts: 2.4K, Visits: 6.6K
Your understanding is correct.
Issuer = EntityID = Partner Provider Name
From the information provided, I'm not sure why there's a mismatch.
Please send the log file as an email attachment to support@componentspace.com mentioning your forum post.

Regards
ComponentSpace Development
HerbWarren
HerbWarren
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 2, Visits: 21
ComponentSpace - 2/6/2019
Your understanding is correct.
Issuer = EntityID = Partner Provider Name
From the information provided, I'm not sure why there's a mismatch.
Please send the log file as an email attachment to support@componentspace.com mentioning your forum post.

Thanks for the assistance - we were getting only a username back from the IdP, and no attributes; I suspect (but can't confirm) that we were getting a null value back for the attribute dictionary, and that was causing exceptions. Mind you, we have a somewhat older version of the library, and this may no longer be relevant to others.

In any event, we had the owner of the IdP add at least one attribute to the assertion, and we're checking for null in the dictionary, just to be on the safe side.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)ComponentSpace Development (3.4K reputation)

Group: Administrators
Posts: 2.4K, Visits: 6.6K
Thanks for the update.
Both those steps make sense.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search