Forums, Documentation & Knowledge Base - ComponentSpace

Exception: "The partner identity provider example.org is not configured"


http://componentspace.com/Forums/Topic9715.aspx

By HerbWarren - 2/6/2019

This seems to be a popular error of late. I have tracing enabled, so I can send along that log in its entirety if it'll be helpful. It looks like the values of metadata entityID matches the saml.config name property, which matches the value of Issuer in the response, so ... I'm stumped. I've used this same code in a half-dozen or more SAML integrations without issue, but I'm really stuck this time around.

iDP metadata (anonymized)

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://login-test.cc.example.org/idp/shibboleth">   
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">example.org</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        <!-- removed -->
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login-test.cc.example.org/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login-test.cc.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login-test.cc.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
</EntityDescriptor>


My saml.config file - I've verified that this is the file being read (based on messages in the trace file):

<?xml version="1.0" encoding="utf-8"?>
<SAMLConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider
    AssertionConsumerServiceUrl="~/SAML2/AssertionService"/>
  <PartnerIdentityProvider
   SignAuthnRequest="false"
   PartnerCertificateFile="C:\InVision\config\system\idp_sso_cert.crt"
   WantSAMLResponseSigned="true"
   WantAssertionSigned="false"
   WantAssertionEncrypted="false"
   UseEmbeddedCertificate="false"
   SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
</SAMLConfiguration>

The response from the idP looks like this (in part - I've trimmed signatures, and most of the assertion out)
ID="_f4fa858382d868a92357cd2894bd194f"
InResponseTo="_3a733731-7104-4b94-9c99-3992a41bd45f"
IssueInstant="2019-02-01T19:12:24.427Z"
Version="2.0" 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> 
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://login-test.cc.example.org/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status> 
<saml2:Assertion ID="_cbf3eb4e952aeed9a509fda1a6af1bd1"
IssueInstant="2019-02-01T19:12:24.427Z"
Version="2.0"  
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">  
 <saml2:Issuer>https://login-test.cc.example.org/idp/shibboleth</saml2:Issuer>

By ComponentSpace - 3/13/2019

Thanks for the update.
Both those steps make sense.
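
The comparison described in the first post (the response Issuer against the Name of each PartnerIdentityProvider in saml.config), as an added example that is not part of the thread and is not ComponentSpace code. It assumes the partner lookup is an exact string match; the function names and the sample XML are constructed here.

```python
import xml.etree.ElementTree as ET

CFG_NS = "{urn:componentspace:SAML:2.0:configuration}"
SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def response_issuer(response_xml):
    # Issuer that is a direct child of the Response, not the Assertion's copy.
    issuer = ET.fromstring(response_xml).find(SAML_NS + "Issuer")
    return issuer.text if issuer is not None else None

def partner_idp_names(config_xml):
    # Name attribute of each PartnerIdentityProvider; None when it is absent.
    root = ET.fromstring(config_xml)
    return [p.get("Name") for p in root.iter(CFG_NS + "PartnerIdentityProvider")]

def loosen(value):
    # Strip the differences that are easy to miss when comparing by eye.
    return value.strip().rstrip("/").lower()

def diagnose(config_xml, response_xml):
    issuer = response_issuer(response_xml)
    names = partner_idp_names(config_xml)
    if issuer is None:
        return ("no-issuer", None)
    if issuer in names:  # assumption: the lookup is an exact string match
        return ("match", issuer)
    for name in names:
        if name is not None and loosen(name) == loosen(issuer):
            return ("near-miss", name)
    if None in names:
        return ("unnamed-partner", None)
    return ("not-configured", issuer)

# Constructed samples: the Issuer is the anonymized value from the post; the
# trailing slash in Name is introduced here to show a near miss.
ISSUER = "https://login-test.cc.example.org/idp/shibboleth"
SAMPLE_RESPONSE = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
    f"<saml2:Issuer>{ISSUER}</saml2:Issuer></saml2p:Response>"
)
SAMPLE_CONFIG = (
    '<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">'
    f'<PartnerIdentityProvider Name="{ISSUER}/" WantSAMLResponseSigned="true"/>'
    "</SAMLConfiguration>"
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_RESPONSE))
```

A "near-miss" result points at a Name that looks identical by eye but differs in case, whitespace or a trailing slash; "unnamed-partner" means a PartnerIdentityProvider element carries no Name attribute at all.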