Tuesday, September 29, 2015

Shibboleth IdP: "Error Message: SAML 2 SSO profile is not configured for relying party"

Say that your service has suddenly stopped letting you sign on, and you get this error message: "SAML 2 SSO profile is not configured for relying party".

This is an 'accurate' but confusing bit of text for people who are using an SP (Service Provider) which suddenly can't authenticate against an IdP (Identity Provider) in the Shibboleth SAML 2 Single Sign-On system. 

Although there are other possibilities, the probability is that your SP's metadata has expired. 

The metadata (an XML document published at a URI on the SP which, once fetched, sits as an XML text file on the IdP) has a 'validUntil' attribute that you can check, if you have access to the metadata directory of the IdP. If you aren't the admin of the IdP, but are the admin of the SP, you need to contact the IdP administrators, so you can get new metadata to them, and set up a regular pull of metadata.

If you're a user, you need to contact the SP, the 'service provider', i.e. the administrator of the application you were trying to use, or the web resource you were trying to access.

So, why this error message? If you read the debug output in the logs, it becomes possible to understand. The '/conf/relying-party.xml' file has entries that point to files in the metadata directory, one for each 'relying party', i.e. SP. If the metadata file is no longer valid, then there's no configuration information for the relying party. Just about any configuration problem with the SP could trigger this error, but expiration is clearly the most common cause.
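The 'validUntil' check described above is easy to script, so an IdP admin can find an expired or soon-to-expire SP file before users start seeing the error. The following is an added example, not code from the post or from the Shibboleth project: it parses the SAML 2.0 metadata files in a directory, reads the 'validUntil' attribute (which, per the SAML metadata schema, may sit on a single EntityDescriptor or on an enclosing EntitiesDescriptor, in which case it applies to everything inside), and reports each entityID as expired, expiring, ok, or lacking a validUntil. The sample metadata and the example.org entityIDs are constructed for illustration; the directory path is whatever your IdP's metadata directory is.

```python
import datetime as dt
import glob
import os
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"
ENTITIES = f"{{{MD_NS}}}EntitiesDescriptor"

# Constructed sample metadata for illustration only; these entityIDs are not real services.
# The aggregate's validUntil (2016-06-01) covers any entity that has no validUntil of its own.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2016-06-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://expired-sp.example.org/shibboleth"
      validUntil="2015-09-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://soon-sp.example.org/shibboleth"
      validUntil="2015-10-05T12:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://fine-sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed stand-alone SP metadata with no validUntil at all (never expires by itself).
SAMPLE_NO_EXPIRY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://static-sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def parse_saml_time(value):
    """Parse an xsd:dateTime such as 2015-09-01T00:00:00Z into a timezone-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = dt.datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # treat a naive timestamp as UTC rather than local time
        parsed = parsed.replace(tzinfo=dt.timezone.utc)
    return parsed


def check_metadata(xml_text, now, warn_days=14):
    """Return one (entityID, effective validUntil, status) tuple per EntityDescriptor.

    status is 'expired', 'expiring' (within warn_days), 'ok', or 'no-validUntil'.
    The earliest validUntil on the entity or any enclosing EntitiesDescriptor wins.
    """
    root = ET.fromstring(xml_text)
    results = []

    def effective_limit(elem, inherited):
        value = elem.get("validUntil")
        if not value:
            return inherited
        own = parse_saml_time(value)
        return own if inherited is None or own < inherited else inherited

    def walk(elem, inherited):
        limit = effective_limit(elem, inherited)
        if elem.tag == ENTITY:
            if limit is None:
                status = "no-validUntil"
            elif limit <= now:
                status = "expired"
            elif limit - now <= dt.timedelta(days=warn_days):
                status = "expiring"
            else:
                status = "ok"
            results.append((elem.get("entityID"), limit, status))
        elif elem.tag == ENTITIES:
            for child in elem:  # non-entity children (Signature, Extensions) are skipped
                walk(child, limit)

    walk(root, None)
    return results


def check_directory(metadata_dir, now=None, warn_days=14):
    """Run check_metadata over every *.xml file in the IdP's metadata directory."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = {}
    for path in sorted(glob.glob(os.path.join(metadata_dir, "*.xml"))):
        with open(path, "rb") as fh:
            try:
                report[path] = check_metadata(fh.read(), now, warn_days)
            except ET.ParseError as exc:
                # A file the IdP cannot parse is just as unusable as an expired one.
                report[path] = [("(unparseable)", None, f"parse-error: {exc}")]
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check_metadata.py /opt/shibboleth-idp/metadata
        for path, rows in check_directory(sys.argv[1]).items():
            for entity_id, limit, status in rows:
                print(f"{status:14} {entity_id}  validUntil={limit}  ({path})")
    else:  # demo against the constructed samples, evaluated as of the post's date
        demo_now = parse_saml_time("2015-09-29T00:00:00Z")
        for row in check_metadata(SAMPLE_METADATA, demo_now) + check_metadata(SAMPLE_NO_EXPIRY, demo_now):
            print(row)
```

Run it with the IdP's metadata directory as the argument and it prints a status line per entity; run it with no argument and it evaluates the constructed samples as of the post's date, so the first entity reports 'expired', the second 'expiring', the third 'ok' (inheriting the aggregate's date), and the stand-alone one 'no-validUntil'. Note that this only covers the expiry cause the post identifies; a metadata file can also be rejected for other reasons (a signature the IdP cannot verify, a relying-party.xml entry pointing at the wrong file), which this script does not check.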

So, I'd recommend to the Shibboleth team that they spend a moment and provide a more detailed reason in this error message ... this increase in detail will actually make it easier to see what's going on, from a non-expert's standpoint. Because 'profile' and 'relying party' may be 'technically correct' here, but these terms don't provide enough hints for human comprehension. 

This is a pretty pervasive issue with Shibboleth ... the software is not written with sufficient quality explanation. This makes it far less useful than it deserves to be. If the meaning of the messages and operations and technical directions of a human-made system are not explained sufficiently and simply enough for smart people, outside of the culture of developers for a project, then the meaning of the software is still locked within the minds of that team, and will die with them, making the software useless. 'Good code' is not enough. It's not good, in fact, if simple things that people need to understand take months of unnecessary study. I would advocate for a consortium to provide grants to some good technical writers to try again at documenting Shibboleth for the rest of humanity.
