How Can I Debug My IdP-SP Connection? What Does This Error Message Mean?

opensaml::FatalProfileException for SURFconext

Error Message

opensaml::FatalProfileException The system encountered an error at Thu Oct 11 15:43:34 2012 To report this problem, please contact the site administrator at […] Please include the following message in any email: opensaml::FatalProfileException at (https://weblicht.sfs.uni-tuebingen.de/Shibboleth.sso/SAML2/POST) Unable to establish security of incoming assertion.

Solution

This has to do with a mismatch between the federation modes used by us and expected by this SP. The SURFconext gateway operates in one of two different modes, which we refer to as transparent mode and proxy mode. The first is the mode that is commonly used in full-mesh (Shibboleth-style) federations, where metadata lists all the individual IdPs in the federation. The second is the mode that is commonly used in hub & spoke federations, where there is a single gateway acting as the IdP (but bridging to the actual IdPs behind the gateway). I see our gateway is configured in proxy mode for this particular SP, but I suspect it should be configured in transparent mode, given that it is a Shibboleth SP.
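As an added example (not part of the original page and not SURFconext's or Shibboleth's own tooling), the following Python script checks one common cause of the error above: the Issuer of the incoming SAML Response is an entityID that is not listed as an IdP in the SP's metadata, which is what a gateway in proxy mode produces when the SP is configured for transparent mode. All entityIDs and XML fragments are constructed sample data, not real federation values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed metadata as a transparent-mode SP loads it: the individual
# IdPs are listed, the gateway itself is not.
SP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example-university.invalid/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed SAML Response from a gateway running in proxy mode: the
# Issuer (of both Response and Assertion) is the gateway, not the IdP.
PROXY_MODE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://gateway.example-federation.invalid/idp/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://gateway.example-federation.invalid/idp/metadata</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

def encode_form_value(response_xml):
    """Encode a Response the way it travels in the SAMLResponse POST field."""
    return base64.b64encode(response_xml.encode()).decode()

def known_idps(metadata_xml):
    """Return the entityIDs of every entity with an IdP role in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {ed.get("entityID") for ed in root.iter("{%s}EntityDescriptor" % NS["md"])
            if ed.find("md:IDPSSODescriptor", NS) is not None}

def issuers(saml_response_b64):
    """Decode a SAMLResponse form value and return every Issuer it carries."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return [e.text.strip() for e in root.iter("{%s}Issuer" % NS["saml"])]

def diagnose(saml_response_b64, metadata_xml):
    """Name the first issuer the SP cannot match against its metadata, if any."""
    unknown = [i for i in issuers(saml_response_b64) if i not in known_idps(metadata_xml)]
    if not unknown:
        return "ok: every issuer is listed in the SP metadata"
    return ("issuer %s is not in the SP metadata: the gateway is likely in proxy "
            "mode while this SP expects transparent-mode IdPs" % unknown[0])

if __name__ == "__main__":
    print(diagnose(encode_form_value(PROXY_MODE_RESPONSE), SP_METADATA))
```

The real SP also verifies the signature against the key published for that issuer, so an issuer missing from metadata is exactly the case where no key can be found and security cannot be established.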

For more information see this page. In case of continued problems contact surfconext-beheer /at/ surfnet.nl