Problems and Solutions (Attempt to Spoof header)

Added by John Spence (NTU), last edited by John Spence (NTU) on Mar 04, 2008

"Attempt to spoof header (Shib-Origin-Site) was detected" error after reinstalling ISAPI filter

Problem: The service provider (SP) refuses to accept attributes from the IDP because the SP believes the request headers are spoofed.
Software involved:  Windows 2003 Std servers, IDP = Apache + Tomcat, SP (1.3.1) = IIS6 + ISAPI filter.
Errors and/or error logs:  The log extracts below are taken from our IDP and SP, both of which are running on Windows 2003 Std servers.  Both sides have logging turned up reasonably high (DEBUG).

The scenario below is the result of a user going to a Shibboleth-protected resource (https://shibsp.ntu.ac.uk/secure/headers.asp) on our SP and being successfully authenticated by our IDP (shibidp.ntu.ac.uk). Both servers are members of the UKFederation.

SP log files
-- From SP server in shibboleth-sp\var\log\shibboleth\native.log --
2008-02-22 14:19:10 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/Shibboleth.sso/SAML/POST to default
2008-02-22 14:19:10 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/Shibboleth.sso/SAML/POST to default
2008-02-22 14:19:10 DEBUG shibtarget.RequestMapper [4576] isapi_shib_extension: mapped https://shibsp.ntu.ac.uk:443/Shibboleth.sso/SAML/POST to default
2008-02-22 14:19:10 INFO shibtarget.Listener [4576] isapi_shib_extension: create session for user at (152.71.217.140) for application (default)
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib_extension: New RPCHandle created: 01A7EB70
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib_extension: trying to connect to socket
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib_extension: success: 01A7EB70 -> 01A7FF00
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib_extension: RPC completed successfully
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib_extension: new session from IdP (https://shibidp.ntu.ac.uk/shibboleth) with key (_0c2527ae6bf2ce6dc6221797006f9761)
2008-02-22 14:19:10 DEBUG shibtarget.ShibTarget [4576] isapi_shib_extension: profile processing succeeded, new session created (_0c2527ae6bf2ce6dc6221797006f9761)
2008-02-22 14:19:10 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/secure/headers.asp to default
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib: getting session for client at (152.71.217.140)
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib: session cookie (_0c2527ae6bf2ce6dc6221797006f9761)
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib: returning existing connection: 01A7EB70 -> 01A7FF00
2008-02-22 14:19:11 DEBUG shibtarget.Listener [4576] isapi_shib: RPC completed successfully
2008-02-22 14:19:11 DEBUG shibtarget.Listener [4576] isapi_shib: trying to decode authentication statement: <AuthenticationStatement xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AuthenticationInstant="2008-02-22T14:19:11.325Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://shibidp.ntu.ac.uk/shibboleth">_b6981024a50f41849faec95019de4a1e</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="152.71.217.140"/></AuthenticationStatement>
2008-02-22 14:19:11 DEBUG shibtarget.Listener [4576] isapi_shib: trying to decode unfiltered attribute response: <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="_d599a21239c7828286e398d325c889f2" IssueInstant="2008-02-22T14:19:13.231Z" MajorVersion="1" MinorVersion="1" ResponseID="_cd39e66b76a56f505ff22e64f6a1e966" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Status><StatusCode Value="samlp:Success"/></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_3168f1240d5d1106eba6a21af38e68fd" IssueInstant="2008-02-22T14:19:13.231Z" Issuer="https://shibidp.ntu.ac.uk/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-22T14:19:13.231Z" NotOnOrAfter="2008-02-22T14:49:13.231Z"><AudienceRestrictionCondition><Audience>https://shibsp.ntu.ac.uk/shibboleth</Audience><Audience>http://ukfederation.org.uk</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://shibidp.ntu.ac.uk/shibboleth">_b6981024a50f41849faec95019de4a1e</NameIdentifier></Subject><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri" xmlns:typens="urn:mace:shibboleth:1.0"><AttributeValue Scope="ntu.ac.uk" xsi:type="typens:AttributeValueType">staff2</AttributeValue></Attribute><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri" xmlns:typens="urn:mace:shibboleth:1.0"><AttributeValue xsi:type="typens:AttributeValueType">staff2</AttributeValue></Attribute><Attribute AttributeName="urn:mace:dir:attribute-def:samaccountname" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri" 
xmlns:typens="urn:mace:shibboleth:1.0"><AttributeValue xsi:type="typens:AttributeValueType">COMxxxxx</AttributeValue></Attribute><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri" xmlns:typens="urn:mace:shibboleth:1.0"><AttributeValue Scope="ntu.ac.uk" xsi:type="typens:AttributeValueType">comxxxxx</AttributeValue></Attribute></AttributeStatement></Assertion></Response>
2008-02-22 14:19:11 DEBUG shibtarget.Listener [4576] isapi_shib: trying to decode filtered attribute response: <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="_d599a21239c7828286e398d325c889f2" IssueInstant="2008-02-22T14:19:13.231Z" MajorVersion="1" MinorVersion="1" ResponseID="_cd39e66b76a56f505ff22e64f6a1e966" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Status><StatusCode Value="samlp:Success"/></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_3168f1240d5d1106eba6a21af38e68fd" IssueInstant="2008-02-22T14:19:13.231Z" Issuer="https://shibidp.ntu.ac.uk/shibboleth" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Conditions NotBefore="2008-02-22T14:19:13.231Z" NotOnOrAfter="2008-02-22T14:49:13.231Z"><AudienceRestrictionCondition><Audience>https://shibsp.ntu.ac.uk/shibboleth</Audience><Audience>http://ukfederation.org.uk</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://shibidp.ntu.ac.uk/shibboleth">_b6981024a50f41849faec95019de4a1e</NameIdentifier></Subject><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri" xmlns:typens="urn:mace:shibboleth:1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><AttributeValue Scope="ntu.ac.uk" xsi:type="typens:AttributeValueType">comxxxxx</AttributeValue></Attribute></AttributeStatement></Assertion></Response>
2008-02-22 14:19:11 DEBUG shibtarget.ShibTarget [4576] isapi_shib: doCheckAuthN succeeded
2008-02-22 14:19:11 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/secure/headers.asp to default
2008-02-22 14:19:11 ERROR shibtarget.ShibTarget [4576] isapi_shib: Attempt to spoof header (Shib-Origin-Site) was detected.
2008-02-22 14:19:11 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/shibboleth-sp/main.css to default
2008-02-22 14:19:11 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/shibboleth-sp/logo.jpg to default
2008-02-22 14:19:11 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/shibboleth-sp/logo.jpg to default
-- From SP server, shibboleth-sp\var\log\shibboleth\transaction.log
2008-02-22 14:19:10 INFO Shibboleth-TRANSACTION : New session (ID: _0c2527ae6bf2ce6dc6221797006f9761) with (applicationId: default) for principal from (IdP: https://shibidp.ntu.ac.uk/shibboleth) at (ClientAddress: 152.71.217.140) with (NameIdentifier: _b6981024a50f41849faec95019de4a1e)
2008-02-22 14:19:10 INFO Shibboleth-TRANSACTION : Making attribute query for session (ID: _0c2527ae6bf2ce6dc6221797006f9761) on (applicationId: default) for principal from (IdP: https://shibidp.ntu.ac.uk/shibboleth)
2008-02-22 14:19:11 INFO Shibboleth-TRANSACTION : Caching the following attributes after AAP applied for session (ID: _0c2527ae6bf2ce6dc6221797006f9761) on (applicationId: default) for principal from (IdP: https://shibidp.ntu.ac.uk/shibboleth) {
2008-02-22 14:19:11 INFO Shibboleth-TRANSACTION : 	urn:mace:dir:attribute-def:eduPersonPrincipalName (1 values)
2008-02-22 14:19:11 INFO Shibboleth-TRANSACTION : }
2008-02-22 14:19:11 INFO Shibboleth-TRANSACTION : Successful attribute query for session (ID: _0c2527ae6bf2ce6dc6221797006f9761)
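
Added example (not part of the original page and not Shibboleth project code): the ERROR line in native.log names only the header, so this script recovers the URL, client address and session key from the lines logged just before it. It assumes the line layout shown in the extract above and uses the bracketed number plus module name as a grouping key; the function names and the abridged sample are constructed for illustration.

```python
import re
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Layout assumed from the native.log extract on this page:
#   2008-02-22 14:19:11 ERROR shibtarget.ShibTarget [4576] isapi_shib: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) (?P<category>\S+) \[(?P<ctx>\d+)\] "
    r"(?P<module>\w+): (?P<msg>.*)$"
)
MAPPED_RE = re.compile(r"^mapped (?P<url>\S+) to (?P<app>\S+)$")
CLIENT_RE = re.compile(r"^getting session for client at \((?P<ip>[^)]+)\)$")
COOKIE_RE = re.compile(r"^session cookie \((?P<sid>[^)]+)\)$")
SPOOF_RE = re.compile(
    r"^Attempt to spoof header \((?P<header>[^)]+)\) was detected\.?$"
)


@dataclass
class SpoofEvent:
    timestamp: str
    header: str
    url: Optional[str]
    client_ip: Optional[str]
    session_id: Optional[str]


def find_spoof_events(lines: Iterable[str]) -> Iterator[SpoofEvent]:
    """Yield one SpoofEvent per spoof-header ERROR line.

    Context (URL, client IP, session key) is taken from the most recent
    lines logged under the same bracketed id and module. This is a
    heuristic: the log does not tie lines to a request explicitly.
    """
    state = {}  # (ctx, module) -> last-seen url / ip / sid
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            # Wrapped XML from a multi-line dump, blank line or file header.
            continue
        seen = state.setdefault(
            (m["ctx"], m["module"]), {"url": None, "ip": None, "sid": None}
        )
        msg = m["msg"]

        hit = MAPPED_RE.match(msg)
        if hit:
            seen["url"] = hit["url"]
            continue
        hit = CLIENT_RE.match(msg)
        if hit:
            # A new session lookup starts; the old cookie no longer applies.
            seen["ip"], seen["sid"] = hit["ip"], None
            continue
        hit = COOKIE_RE.match(msg)
        if hit:
            seen["sid"] = hit["sid"]
            continue
        hit = SPOOF_RE.match(msg)
        if hit and m["level"] == "ERROR":
            yield SpoofEvent(m["ts"], hit["header"],
                             seen["url"], seen["ip"], seen["sid"])


# Constructed sample: lines abridged from the SP extract on this page,
# plus one wrapped XML fragment to show that non-log lines are skipped.
SAMPLE = """\
2008-02-22 14:19:10 DEBUG shibtarget.RequestMapper [4576] isapi_shib_extension: mapped https://shibsp.ntu.ac.uk:443/Shibboleth.sso/SAML/POST to default
2008-02-22 14:19:10 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/secure/headers.asp to default
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib: getting session for client at (152.71.217.140)
2008-02-22 14:19:10 DEBUG shibtarget.Listener [4576] isapi_shib: session cookie (_0c2527ae6bf2ce6dc6221797006f9761)
xmlns:typens="urn:mace:shibboleth:1.0"><AttributeValue>abridged</AttributeValue>
2008-02-22 14:19:11 DEBUG shibtarget.ShibTarget [4576] isapi_shib: doCheckAuthN succeeded
2008-02-22 14:19:11 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/secure/headers.asp to default
2008-02-22 14:19:11 ERROR shibtarget.ShibTarget [4576] isapi_shib: Attempt to spoof header (Shib-Origin-Site) was detected.
2008-02-22 14:19:11 DEBUG shibtarget.RequestMapper [4576] isapi_shib: mapped https://shibsp.ntu.ac.uk:443/shibboleth-sp/main.css to default
"""


if __name__ == "__main__":
    # Pass the path to native.log, or run with no argument to use SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE.splitlines()
    for ev in find_spoof_events(source):
        print(f"{ev.timestamp} header={ev.header} url={ev.url} "
              f"client={ev.client_ip} session={ev.session_id}")
```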

IDP log files

-- From IDP, shib-idp\logs\shib-access.yyyy-mm-dd.log --
2008-02-22 14:19:11,340 Authentication assertion issued to provider (https://shibsp.ntu.ac.uk/shibboleth) on behalf of principal (comxxxxxx). Name Identifier: (_b6981024a50f41849faec95019de4a1e). Name Identifier Format: (urn:mace:shibboleth:1.0:nameIdentifier).
2008-02-22 14:19:13,231 Attribute assertion issued to provider (https://shibsp.ntu.ac.uk/shibboleth) on behalf of principal (comxxxxxx).
-- From IDP, shib-idp\logs\shib-error.yyyy-mm-dd.log --
2008-02-22 14:19:10,543 DEBUG [IdP] Core                                - Memory cache handle cache cleanup thread searching for stale entries.
2008-02-22 14:19:11,153 DEBUG [IdP] Core                                - Resolver Cache cleanup thread searching cache for stale entries.
2008-02-22 14:19:11,325 DEBUG [IdP] 986513156                           - Received a request via GET for location (https://shibidp.ntu.ac.uk/shibboleth-idp/SSO).
2008-02-22 14:19:11,325 DEBUG [IdP] 986513156                           - Matched handler location: (https?://[^:/]+(:(443|80))?/shibboleth-idp/SSO).
2008-02-22 14:19:11,325 INFO  [IdP] 986513156                           - Processing Shibboleth v1.x SSO request.
2008-02-22 14:19:11,325 DEBUG [IdP] 986513156                           - Remote provider has identified itself as: (https://shibsp.ntu.ac.uk/shibboleth).
2008-02-22 14:19:11,325 INFO  [IdP] 986513156                           - Found matching Relying Party for group (http://ukfederation.org.uk).
2008-02-22 14:19:11,325 INFO  [IdP] 986513156                           - Provider is a member of Relying Party (http://ukfederation.org.uk).
2008-02-22 14:19:11,325 INFO  [IdP] 986513156                           - Supplied consumer URL validated for this provider.
2008-02-22 14:19:11,325 DEBUG [IdP] 986513156                           - Found a supported name identifier format that matches the metadata for the relying party: (urn:mace:shibboleth:1.0:nameIdentifier).
2008-02-22 14:19:11,325 DEBUG [IdP] 986513156                           - Assigning handle (_b6981024a50f41849faec95019de4a1e) to principal (comxxxxxx).
2008-02-22 14:19:11,325 DEBUG [IdP] 986513156                           - User was authenticated via the default method for this relying party (urn:oasis:names:tc:SAML:1.0:am:unspecified).
2008-02-22 14:19:11,325 DEBUG [IdP] 986513156                           - Responding with POST profile.
2008-02-22 14:19:11,325 DEBUG [IdP] 986513156                           - Dumping generated AuthN Assertion:
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_53d2fbfbbf47c40c4583b97175c5ada7" IssueInstant="2008-02-22T14:19:11.325Z" Issuer="https://shibidp.ntu.ac.uk/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-22T14:19:11.325Z" NotOnOrAfter="2008-02-22T14:24:11.325Z"><AudienceRestrictionCondition><Audience>https://shibsp.ntu.ac.uk/shibboleth</Audience><Audience>http://ukfederation.org.uk</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2008-02-22T14:19:11.325Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://shibidp.ntu.ac.uk/shibboleth">_b6981024a50f41849faec95019de4a1e</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="152.71.217.140"></SubjectLocality></AuthenticationStatement></Assertion>
2008-02-22 14:19:11,340 DEBUG [IdP] 986513156                           - Dumping generated SAML Response:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-02-22T14:19:11.325Z" MajorVersion="1" MinorVersion="1" Recipient="https://shibsp.ntu.ac.uk/Shibboleth.sso/SAML/POST" ResponseID="_c63c21e337224bb00d25a097643fd2f4"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_c63c21e337224bb00d25a097643fd2f4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>6ib3xefAGFLzLj0FATwiouZVRHk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Eyq8gbKgqvvlmzMjf2jT2CKpNH+3kXpJE+26WtcDaXMRFs61qzTE2HkGKTCTF2u2foN46Yf9WHIe
AIvDFmGY1cc8tWZ+biFLtHvrwjzaHY9Ns+J0H7dc5ob6smgdB7WJ3IBFsp97lPrNNfRtZAJvE8Rl
M/e/CJ5aUeYgKVMYuAs=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_53d2fbfbbf47c40c4583b97175c5ada7" IssueInstant="2008-02-22T14:19:11.325Z" Issuer="https://shibidp.ntu.ac.uk/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-22T14:19:11.325Z" NotOnOrAfter="2008-02-22T14:24:11.325Z"><AudienceRestrictionCondition><Audience>https://shibsp.ntu.ac.uk/shibboleth</Audience><Audience>http://ukfederation.org.uk</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2008-02-22T14:19:11.325Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://shibidp.ntu.ac.uk/shibboleth">_b6981024a50f41849faec95019de4a1e</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="152.71.217.140"></SubjectLocality></AuthenticationStatement></Assertion></Response>
2008-02-22 14:19:11,746 DEBUG [IdP] Core                                - Memory-based artifact mapper cleanup thread searching for stale entries.
2008-02-22 14:19:13,137 DEBUG [IdP] 1601944776                          - Received a request via POST for location (https://shibidp.ntu.ac.uk:8443/shibboleth-idp/AA).
2008-02-22 14:19:13,137 DEBUG [IdP] 1601944776                          - Dumping generated SAML Request:
<Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-02-22T14:19:10Z" MajorVersion="1" MinorVersion="1" RequestID="_d599a21239c7828286e398d325c889f2"><AttributeQuery Resource="https://shibsp.ntu.ac.uk/shibboleth"><Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://shibidp.ntu.ac.uk/shibboleth">_b6981024a50f41849faec95019de4a1e</NameIdentifier></Subject></AttributeQuery></Request>
2008-02-22 14:19:13,137 DEBUG [IdP] 1601944776                          - Matched handler location: (.+:8443/shibboleth-idp/AA).
2008-02-22 14:19:13,137 INFO  [IdP] 1601944776                          - Processing SAML v1.1 Attribute Query request.
2008-02-22 14:19:13,137 INFO  [IdP] 1601944776                          - Request contains credentials: (CN=shibsp.ntu.ac.uk,OU=Information Systems,O=Nottingham Trent University,L=Nottingham,ST=East Midlands,C=GB).
2008-02-22 14:19:13,137 INFO  [IdP] 1601944776                          - Remote provider has identified itself as: (https://shibsp.ntu.ac.uk/shibboleth).
2008-02-22 14:19:13,137 INFO  [IdP] 1601944776                          - Metadata found for providerId: (https://shibsp.ntu.ac.uk/shibboleth).
2008-02-22 14:19:13,137 DEBUG [IdP] 1601944776                          - Inline validation was unsuccessful.  Attmping PKIX...
2008-02-22 14:19:13,137 DEBUG [IdP] 1601944776                          - Matched against hostname.
2008-02-22 14:19:13,137 DEBUG [IdP] 1601944776                          - Attemping to validate against parent group.
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Constructed a trust list from key authority.  Attempting path validation...
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Path successfully validated.
2008-02-22 14:19:13,153 INFO  [IdP] 1601944776                          - Supplied credentials validated for this provider.
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Mapping authenticated provider (https://shibsp.ntu.ac.uk/shibboleth) to Relying Party.
2008-02-22 14:19:13,153 INFO  [IdP] 1601944776                          - Found matching Relying Party for group (http://ukfederation.org.uk).
2008-02-22 14:19:13,153 INFO  [IdP] 1601944776                          - Provider is a member of Relying Party (http://ukfederation.org.uk).
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Name Identifier format: (urn:mace:shibboleth:1.0:nameIdentifier).
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Attribute Query Handle recognized.
2008-02-22 14:19:13,153 INFO  [IdP] 1601944776                          - Request is for principal (comxxxxxx).
2008-02-22 14:19:13,153 INFO  [IdP] 1601944776                          - Request does not designate specific attributes, resolving all available.
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Received a query for all policies applicable to principal: (comxxxxxx).
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Attempting to load site ARP from: (file:/c:/shib-idp/etc/arps/arp.site.xml).
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Loading XML from (null) with Schema validation
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Returning site policy.
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Attempting to load user (comxxxxxx) ARP from: (file:/c:/shib-idp/etc/arps/arp.user.comxxxxxx.xml).
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - No ARP found.
2008-02-22 14:19:13,153 DEBUG [IdP] 1601944776                          - Creating effective ARP from (1) polic(y|ies).
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Dumping ARP:
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd"><Description>Internet2 Shibboleth Wiki</Description><Rule><Description>Internet2 Shibboleth Wiki</Description><Target><Requester>https://wiki.it.ohio-state.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>Internet2 Shibboleth Wiki2</Description><Target><Requester>https://spaces.internet2.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>SquirrelWS Distributed Online CV Builder</Description><Target><Requester>https://shibsp.ntu.ac.uk/squirrelws</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:samaccountname"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Target><Requester>https://wiki.it.ohio-state.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>Released to any undefined requester</Description><Target><AnyTarget></AnyTarget></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:samaccountname"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID"><AnyValue 
release="permit"></AnyValue></Attribute></Rule></AttributeReleasePolicy>
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Computed possible attribute release set.
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Possible attribute: urn:mace:dir:attribute-def:eduPersonAffiliation
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Possible attribute: urn:mace:dir:attribute-def:samaccountname
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Possible attribute: urn:mace:dir:attribute-def:eduPersonTargetedID
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Possible attribute: urn:mace:dir:attribute-def:eduPersonScopedAffiliation
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Possible attribute: urn:mace:dir:attribute-def:eduPersonPrincipalName
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Received a query for all policies applicable to principal: (comxxxxxx).
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Attempting to load site ARP from: (file:/c:/shib-idp/etc/arps/arp.site.xml).
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Loading XML from (null) with Schema validation
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Returning site policy.
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Attempting to load user (comxxxxxx) ARP from: (file:/c:/shib-idp/etc/arps/arp.user.comxxxxxx.xml).
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - No ARP found.
2008-02-22 14:19:13,168 DEBUG [IdP] 1601944776                          - Creating effective ARP from (1) polic(y|ies).
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Dumping ARP:
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd"><Description>Internet2 Shibboleth Wiki</Description><Rule><Description>Internet2 Shibboleth Wiki</Description><Target><Requester>https://wiki.it.ohio-state.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>Internet2 Shibboleth Wiki2</Description><Target><Requester>https://spaces.internet2.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>SquirrelWS Distributed Online CV Builder</Description><Target><Requester>https://shibsp.ntu.ac.uk/squirrelws</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:samaccountname"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Target><Requester>https://wiki.it.ohio-state.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>Released to any undefined requester</Description><Target><AnyTarget></AnyTarget></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:samaccountname"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID"><AnyValue 
release="permit"></AnyValue></Attribute></Rule></AttributeReleasePolicy>
2008-02-22 14:19:13,200 INFO  [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonScopedAffiliation)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Attribute (urn:mace:dir:attribute-def:eduPersonScopedAffiliation) depends on attribute (urn:mace:dir:attribute-def:eduPersonAffiliation).
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Attribute (urn:mace:dir:attribute-def:eduPersonAffiliation) depends on connector (static).
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Resolving connector: (static)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - static resolving for principal: (comxxxxxx)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonAffiliation)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Found value(s) for attribute (urn:mace:dir:attribute-def:eduPersonAffiliation).
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonScopedAffiliation)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Found value(s) for attribute (urn:mace:dir:attribute-def:eduPersonScopedAffiliation).
2008-02-22 14:19:13,200 INFO  [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonAffiliation)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Attribute (urn:mace:dir:attribute-def:eduPersonAffiliation) already resolved for this request.  No need for further resolution.
2008-02-22 14:19:13,200 INFO  [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:samaccountname)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Attribute (urn:mace:dir:attribute-def:samaccountname) depends on connector (directory).
2008-02-22 14:19:13,200 WARN  [IdP] 1601944776                          - Skipping referral: ldap://ForestDnsZones.ads.ntu.ac.uk/DC=ForestDnsZones,DC=ads,DC=ntu,DC=ac,DC=uk
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:samaccountname)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Found value(s) for attribute (urn:mace:dir:attribute-def:samaccountname).
2008-02-22 14:19:13,200 INFO  [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonPrincipalName)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Attribute (urn:mace:dir:attribute-def:eduPersonPrincipalName) depends on connector (echo).
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - Resolving connector: (echo)
2008-02-22 14:19:13,200 DEBUG [IdP] 1601944776                          - echo resolving for principal: (comxxxxxx)
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonPrincipalName)
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Found value(s) for attribute (urn:mace:dir:attribute-def:eduPersonPrincipalName).
2008-02-22 14:19:13,215 INFO  [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonTargetedID)
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Attribute (urn:mace:dir:attribute-def:eduPersonTargetedID) depends on connector (echo).
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Connector (echo) already resolved for this request, using cached version
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Resolving attribute: (urn:mace:dir:attribute-def:eduPersonTargetedID)
2008-02-22 14:19:13,215 ERROR [IdP] 1601944776                          - Specified source data not supplied from dependencies.  Unable to create ID.
2008-02-22 14:19:13,215 INFO  [IdP] 1601944776                          - Applying Attribute Release Policies.
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Processing the following attributes:
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Attribute: (urn:mace:dir:attribute-def:eduPersonScopedAffiliation)
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Attribute: (urn:mace:dir:attribute-def:eduPersonAffiliation)
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Attribute: (urn:mace:dir:attribute-def:samaccountname)
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Attribute: (urn:mace:dir:attribute-def:eduPersonPrincipalName)
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Received a query for all policies applicable to principal: (comxxxxxx).
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Attempting to load site ARP from: (file:/c:/shib-idp/etc/arps/arp.site.xml).
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Loading XML from (null) with Schema validation
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Returning site policy.
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Attempting to load user (comxxxxxx) ARP from: (file:/c:/shib-idp/etc/arps/arp.user.comxxxxxx.xml).
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - No ARP found.
2008-02-22 14:19:13,215 DEBUG [IdP] 1601944776                          - Creating effective ARP from (1) polic(y|ies).
2008-02-22 14:19:13,231 DEBUG [IdP] 1601944776                          - Dumping ARP:
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd"><Description>Internet2 Shibboleth Wiki</Description><Rule><Description>Internet2 Shibboleth Wiki</Description><Target><Requester>https://wiki.it.ohio-state.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>Internet2 Shibboleth Wiki2</Description><Target><Requester>https://spaces.internet2.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>SquirrelWS Distributed Online CV Builder</Description><Target><Requester>https://shibsp.ntu.ac.uk/squirrelws</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:samaccountname"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Target><Requester>https://wiki.it.ohio-state.edu/shibboleth</Requester><AnyResource></AnyResource></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute></Rule><Rule><Description>Released to any undefined requester</Description><Target><AnyTarget></AnyTarget></Target><Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:samaccountname"><AnyValue release="permit"></AnyValue></Attribute><Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID"><AnyValue 
release="permit"></AnyValue></Attribute></Rule></AttributeReleasePolicy>
2008-02-22 14:19:13,231 INFO  [IdP] 1601944776                          - Found 4 attribute(s) for comxxxxxx
2008-02-22 14:19:13,231 DEBUG [IdP] 1601944776                          - Adding defult scope of (ntu.ac.uk) to value.
2008-02-22 14:19:13,231 DEBUG [IdP] 1601944776                          - Adding defult scope of (ntu.ac.uk) to value.
2008-02-22 14:19:13,231 DEBUG [IdP] 1601944776                          - Dumping generated SAML Response:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" InResponseTo="_d599a21239c7828286e398d325c889f2" IssueInstant="2008-02-22T14:19:13.231Z" MajorVersion="1" MinorVersion="1" ResponseID="_cd39e66b76a56f505ff22e64f6a1e966"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_3168f1240d5d1106eba6a21af38e68fd" IssueInstant="2008-02-22T14:19:13.231Z" Issuer="https://shibidp.ntu.ac.uk/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-02-22T14:19:13.231Z" NotOnOrAfter="2008-02-22T14:49:13.231Z"><AudienceRestrictionCondition><Audience>https://shibsp.ntu.ac.uk/shibboleth</Audience><Audience>http://ukfederation.org.uk</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://shibidp.ntu.ac.uk/shibboleth">_b6981024a50f41849faec95019de4a1e</NameIdentifier></Subject><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="ntu.ac.uk" xsi:type="typens:AttributeValueType">staff2</AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue xsi:type="typens:AttributeValueType">staff2</AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:samaccountname" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue 
xsi:type="typens:AttributeValueType">comxxxxxx</AttributeValue></Attribute><Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="ntu.ac.uk" xsi:type="typens:AttributeValueType">comxxxxxx</AttributeValue></Attribute></AttributeStatement></Assertion></Response>
2008-02-22 14:19:13,231 INFO  [IdP] 1601944776                          - Successfully created response for principal (comxxxxxx).
2008-02-22 14:19:14,043 DEBUG [IdP] Core                                - Checking for updates to resource (file:/c:/shib-idp/etc/ukfederation-metadata.xml)

Solutions or workarounds: There are probably a number of reasons this error can appear. In our case we knew the IDP and SP configurations were correct and should work perfectly, as we were rebuilding our real SP from the files of a VMware machine that we had been using to impersonate the real machine.

Possible solutions:

  • Try uninstalling and reinstalling the Service Provider package, as it is a very quick process. (In our case the uninstall wouldn't work and hung until we forced a quit.)
  • As we had experienced problems during the ISAPI filter uninstall and install, we first tried reinstalling over the top of the SP install and then replacing the configuration files, to see if the reinstall would re-register the ISAPI filter.

When that failed we moved on to comparing the IIS Metabase.xml file (in C:\WINDOWS\system32\inetsrv\) of our two servers to see if there were any major differences.
The metabase.xml seemed to be missing some pieces. The following sections should be found in a working IIS + Shib ISAPI configuration.

  • In the ScriptMaps section, check that ".sso,C:\opt\shibboleth-sp\libexec\isapi_shib.dll,1" exists.
  • In the WebSvcExtRestrictionList section, check that "1,C:\opt\shibboleth-sp\libexec\isapi_shib.dll,1,ShibGroup,Shibboleth Web Service Extension" exists.
  • In the <IIsFilters Location ="/LM/W3SVC/1/Filters" section, check that FilterLoadOrder="ASP.NET_1.1.4322.2407,Shibboleth" exists (only the Shibboleth part is needed).

Check that the section below exists within your metabase file, with the flags shown:

<IIsFilter Location ="/LM/W3SVC/Filters/Shibboleth"
        FilterDescription="Shibboleth ISAPI Filter"
        FilterFlags="NotifySecurePort | NotifyNonSecurePort | NotifyPreProcHeaders | NotifyLog | NotifyOrderHigh"
        FilterPath="C:\opt\shibboleth-sp\libexec\isapi_shib.dll"
        FilterState="1"
    >
</IIsFilter>
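
The four metabase checks above can be run against a copy of Metabase.xml taken from each server. This is an added example, not part of the original page or the Shibboleth distribution: the function name check_metabase and the sample XML are constructed for illustration, and the DLL path and entry strings are the ones shown on this page.

```python
import xml.etree.ElementTree as ET

DLL = r"C:\opt\shibboleth-sp\libexec\isapi_shib.dll"
FLAGS = {"NotifySecurePort", "NotifyNonSecurePort", "NotifyPreProcHeaders",
         "NotifyLog", "NotifyOrderHigh"}

def check_metabase(xml_text):
    """Return the names of the page's four checks that fail (empty list = all present)."""
    elems = list(ET.fromstring(xml_text).iter())
    local = lambda e: e.tag.rsplit("}", 1)[-1]   # drop any XML namespace prefix

    def listed(attr, entry):
        # Multi-valued properties sit in one attribute, so match case-insensitively by substring.
        return any(entry.lower() in e.get(attr, "").lower() for e in elems)

    missing = []
    if not listed("ScriptMaps", f".sso,{DLL},1"):
        missing.append("ScriptMaps")
    if not listed("WebSvcExtRestrictionList",
                  f"1,{DLL},1,ShibGroup,Shibboleth Web Service Extension"):
        missing.append("WebSvcExtRestrictionList")
    if not any("Shibboleth" in e.get("FilterLoadOrder", "").split(",")
               for e in elems if local(e) == "IIsFilters"):
        missing.append("FilterLoadOrder")
    ok = False
    for e in elems:
        if local(e) == "IIsFilter" and e.get("Location", "").endswith("/Filters/Shibboleth"):
            flags = {f.strip() for f in e.get("FilterFlags", "").split("|")}
            ok = ok or (e.get("FilterPath", "").lower() == DLL.lower()
                        and e.get("FilterState") == "1" and FLAGS <= flags)
    if not ok:
        missing.append("IIsFilter")
    return missing

# Constructed sample, trimmed to the elements the checks read (not a real metabase).
GOOD = r'''<configuration><MBProperty>
<IIsWebService Location="/LM/W3SVC"
    ScriptMaps=".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
        .sso,C:\opt\shibboleth-sp\libexec\isapi_shib.dll,1"
    WebSvcExtRestrictionList="1,C:\opt\shibboleth-sp\libexec\isapi_shib.dll,1,ShibGroup,Shibboleth Web Service Extension"/>
<IIsFilters Location="/LM/W3SVC/1/Filters" FilterLoadOrder="ASP.NET_1.1.4322.2407,Shibboleth"/>
<IIsFilter Location="/LM/W3SVC/Filters/Shibboleth" FilterDescription="Shibboleth ISAPI Filter"
    FilterFlags="NotifySecurePort | NotifyNonSecurePort | NotifyPreProcHeaders | NotifyLog | NotifyOrderHigh"
    FilterPath="C:\opt\shibboleth-sp\libexec\isapi_shib.dll" FilterState="1"/>
</MBProperty></configuration>'''

if __name__ == "__main__":
    print(check_metabase(GOOD) or "all Shibboleth entries present")
```

Running it on the metabase from a working server and from the rebuilt one shows which of the four registrations the reinstall failed to write.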