Troubleshooting Shibboleth Service Provider Issues

Modified on: Thu, 22 Oct, 2020 at 2:13 PM

If you are not able to find an answer or require additional assistance, contact AAF Support: support@aaf.edu.au

The AAF strongly recommends that deployers and developers work with the latest versions of the Shibboleth software. The latest stable point releases address security vulnerabilities and fix bugs, which avoids spending time on issues that have already been resolved. Log files and the configured level of logging provide good indicators that assist in troubleshooting issues.

Details

The Shibboleth Wiki is an excellent source of both configuration and troubleshooting information. The troubleshooting guides do require some understanding of the product configuration and of how the identity provider and service provider components interact with a user's web browser. This general knowledge will assist in pinpointing common issues.

The Shibboleth Wiki article on Troubleshooting the Service Provider is a good starting point for resolving issues with the Service Provider software: https://wiki.shibboleth.net/confluence/display/SP3/Troubleshooting

The following list, copied verbatim from the Shibboleth Wiki, presents a few errors commonly encountered by deployers, usually when initially setting up their Service Provider version 3.

- opensaml::SecurityPolicyException: Message expired, was issued too long ago.
- Message was signed, but signature could not be verified.
- Unable to establish security of incoming assertion
- Unable to locate metadata for identity provider (https://identities.supervillain.edu/idp/shibboleth).
- HTTP POST form data is lost when Shibboleth session expired or does not exist yet
- SAML message delivered with POST to incorrect server URL.
- opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST response not established.
- opensaml::FatalProfileException: A valid authentication statement was not found in the incoming message.
- supplied TrustEngine failed to validate SSL/TLS server certificate
- Unable to resolve any key decryption keys
- ERROR Shibboleth.AttributeResolver []: exception during SAML query to : CURLSOAPTransport failed while contacting SOAP responder: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- ERROR Shibboleth.AttributeResolver.Query []: exception during SAML query to : CURLSOAPTransport failed while contacting SOAP endpoint (): error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
- Can't connect to listener process

Links

Shibboleth Consortium Wiki: https://wiki.shibboleth.net/confluence
Shibboleth Service Provider v3 Troubleshooting: https://wiki.shibboleth.net/confluence/display/SP3/Troubleshooting
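
A small triage helper for the error list above, added here as an illustration and not code from the AAF or the Shibboleth project: it scans Service Provider log lines for those messages and separately reports any ERROR line that matches none of them, so unfamiliar failures are not hidden. The log line layout, the category names, the `Example.Logger` name and the `idp.example.org` URLs are assumptions or constructed sample data.

```python
import re
from collections import defaultdict

# Substrings come from the error list on this page; category labels are this
# example's own grouping (an assumption), not Shibboleth terminology.
SIGNATURES = [
    ("Message expired, was issued too long ago", "message-expiry"),
    ("signature could not be verified", "message-security"),
    ("Unable to establish security of incoming assertion", "message-security"),
    ("Security of SAML 1.x SSO POST response not established", "message-security"),
    ("Unable to locate metadata for identity provider", "metadata"),
    ("valid authentication statement was not found", "assertion-content"),
    ("failed to validate SSL/TLS server certificate", "tls-trust"),
    ("certificate verify failed", "tls-trust"),
    ("alert certificate unknown", "tls-trust"),
    ("Unable to resolve any key decryption keys", "decryption-key"),
    ("Can't connect to listener process", "listener"),
]
# Assumed line layout: "<date> <time> <LEVEL> <logger> [<ctx>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) ([A-Z]+) (\S+)(?: \[[^\]]*\])?: (.*)$")

def triage(lines):
    """Return (hits, unmatched); hits maps category -> [(timestamp, logger)]."""
    hits, unmatched = defaultdict(list), []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines or other layouts are skipped
        ts, level, logger, msg = m.groups()
        for needle, category in SIGNATURES:
            if needle in msg:
                hits[category].append((ts, logger))
                break
        else:  # no known signature matched this line
            if level in ("ERROR", "CRIT"):
                unmatched.append(raw.strip())
    return dict(hits), unmatched

# Constructed sample log lines (not taken from a real deployment).
SAMPLE_LOG = """\
2020-10-22 14:01:07 ERROR Shibboleth.AttributeResolver.Query [3]: exception during SAML query to https://idp.example.org/aa: CURLSOAPTransport failed while contacting SOAP endpoint (https://idp.example.org/aa): error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2020-10-22 14:02:10 ERROR Example.Logger [4]: Message was signed, but signature could not be verified.
2020-10-22 14:02:10 ERROR Example.Logger [4]: Unable to establish security of incoming assertion
2020-10-22 14:05:44 ERROR Example.Logger [5]: Unable to locate metadata for identity provider (https://idp.example.org/idp/shibboleth).
2020-10-22 14:07:30 ERROR Example.Logger [6]: something not in the list
"""
if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

Grouping by category shows at a glance whether a run of failures shares one cause, such as several trust errors against the same endpoint, before turning to the wiki entry for that message.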