[LON-CAPA-admin] Single Sign On

Raeburn, Stuart raeburn at msu.edu
Sun Mar 21 16:55:43 EDT 2021

Hello Paul,

This line is odd:
"Identity provider lookup failed at (https:lonn-capa01.aws.bsu.edu/adm/sso)"

I would expect that to be lookup failed at:

IP address: points at lon-capa.bsu.edu
and lon-capa01.aws.bsu.edu has IP address:

If you see: "Unable to locate metadata for identity provider" the standard advice is to check the MetadataProvider element(s) in your shibboleth2.xml file.

Stuart Raeburn
LON-CAPA Academic Consortium
From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Neubauer, Paul via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
Sent: Sunday, March 21, 2021 2:30 PM
To: list about administration and system updating (lon-capa-admin at mail.lon-capa.org)
Subject: [LON-CAPA-admin] Single Sign On

Hi all,

We (Ball State University) are in the process of updating our identity provider. We are rolling in the changes so individual systems are being moved from using "shibboleth.bsu.edu" to using "federate.bsu.edu". It is lon-capa's turn.

I found all the files that referenced "shibboleth.bsu.edu" and copied them to a different location:

cp /etc/shibboleth/attribute-map.xml /root/sso/attribute-map.xml.old
cp /etc/shibboleth/shibboleth2.xml /root/sso/shibboleth2.xml.old
cp /etc/shibboleth/metadata/shibboleth.bsu.edu.xml /root/sso/shibboleth.bsu.edu.xml

I then made copies of the two .old files as .new and edited them to replace "shibboleth.bsu.edu" with "federate.bsu.edu".
I also got the new metadata (with wget https://federate.bsu.edu/FederationMetadata/2007-06/FederationMetadata.xml) and saved it as federate.bsu.edu.xml.

This morning I stopped shibd, copied the .new files to /etc/shibboleth/ and federate.bsu.edu.xml to /etc/shibboleth/metadata/

I checked for "shibboleth.bsu.edu":
[root at lon-capa01 ~]#  grep -H -r -i 'shibboleth.bsu.edu' /etc
[root at lon-capa01 ~]#
which shows that I had eliminated all references to it.

I restarted shibd and when I tried to log in, I got:

Unknown or unusable identity provider
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.
To report this problem, please contact the site administrator at security at bsu.edu.
Please include the following error message in any email:
Identity provider lookup failed at (https:lonn-capa01.aws.bsu.edu/adm/sso)
EntityID: http://shibboleth.bsu.edu/sso
opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (http://shibboleth.bsu.edu/sso)

For some reason it was still looking for the EntityID http://shibboleth.bsu.edu/sso.
I did a system reboot but got the same thing.

I reverted to the old files and we are working, but that will only last a couple of weeks before our cert expires for our old identity provider site and it goes down.

I am totally lost. Is there somewhere else with shibboleth configuration data?
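The error quoted in Paul's message ("Unable to locate metadata for identity provider") and Stuart's advice to check the MetadataProvider elements come down to one rule: the entityID the SP asks for in `<SSO entityID="...">` must match, character for character, the `entityID` attribute of an EntityDescriptor carrying an IDPSSODescriptor in metadata that some MetadataProvider actually loads. A hostname search-and-replace does not guarantee that, because an IdP's entityID is an opaque identifier that need not contain the hostname. The script below is an added example for this thread, not LON-CAPA or Shibboleth project code: it parses a shibboleth2.xml and the metadata files its providers reference and reports which configured IdP entityIDs have no matching metadata. The XML it runs on is constructed; the SSO entityID in the stale config is the value from the thread's error message, the metadata file name is the one Paul used, and everything marked PLACEHOLDER is invented for the example.

```python
"""Offline check: does the IdP entityID that a Shibboleth SP's shibboleth2.xml
asks for actually appear in the metadata its MetadataProvider elements load?
Added example for this thread, not LON-CAPA or Shibboleth project code.
All XML below is constructed; values marked PLACEHOLDER are not real identifiers."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the XML namespace so SP 2.x and 3.x config namespaces both match."""
    return tag.rsplit("}", 1)[-1]


def configured_idp_entity_ids(sp_config_xml):
    """entityIDs named by <SSO entityID="...">; the attribute may list several."""
    root = ET.fromstring(sp_config_xml)
    ids = []
    for el in root.iter():
        if _local(el.tag) == "SSO" and el.get("entityID"):
            ids.extend(el.get("entityID").split())
    return ids


def metadata_files(sp_config_xml):
    """Local files each <MetadataProvider> reads: 'path' (SP 3), 'file' (SP 2),
    or 'backingFilePath' (the local copy of a remotely fetched feed)."""
    root = ET.fromstring(sp_config_xml)
    files = []
    for el in root.iter():
        if _local(el.tag) == "MetadataProvider":
            for attr in ("path", "file", "backingFilePath"):
                if el.get(attr):
                    files.append(el.get(attr))
    return files


def idp_entity_ids(metadata_xml):
    """entityIDs of EntityDescriptors that carry an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for el in root.iter():
        if _local(el.tag) == "EntityDescriptor" and el.get("entityID"):
            if any(_local(c.tag) == "IDPSSODescriptor" for c in el):
                found.add(el.get("entityID"))
    return found


def check_sp_config(sp_config_xml, files):
    """files maps a MetadataProvider path to that file's text (a stand-in for
    reading /etc/shibboleth/metadata/). Returns what the config asks for, what
    the loaded metadata offers, and which configured entityIDs are missing;
    a missing one is exactly the 'Unable to locate metadata for identity
    provider' condition from the thread."""
    wanted = configured_idp_entity_ids(sp_config_xml)
    available = set()
    for path in metadata_files(sp_config_xml):
        if path in files:
            available |= idp_entity_ids(files[path])
    return {
        "configured": wanted,
        "available": sorted(available),
        "missing": [e for e in wanted if e not in available],
    }


# Constructed metadata for the new IdP. Its entityID is a PLACEHOLDER and is
# deliberately not derived from the hostname.
NEW_IDP_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="urn:PLACEHOLDER:federate-idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed shibboleth2.xml fragment. The SSO entityID is the one the thread's
# error message reports; the SP's own entityID is a PLACEHOLDER.
STALE_SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/PLACEHOLDER">
    <Sessions><SSO entityID="http://shibboleth.bsu.edu/sso">SAML2</SSO></Sessions>
    <MetadataProvider type="XML" path="metadata/federate.bsu.edu.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

# The same config with the SSO entityID set to what the new metadata declares.
FIXED_SP_CONFIG = STALE_SP_CONFIG.replace(
    'entityID="http://shibboleth.bsu.edu/sso"',
    'entityID="urn:PLACEHOLDER:federate-idp"')

FILES = {"metadata/federate.bsu.edu.xml": NEW_IDP_METADATA}

if __name__ == "__main__":
    for name, cfg in (("stale", STALE_SP_CONFIG), ("fixed", FIXED_SP_CONFIG)):
        print(name, check_sp_config(cfg, FILES))
```

Against a real install, read `/etc/shibboleth/shibboleth2.xml` and build `files` from the paths `metadata_files()` returns, resolved relative to `/etc/shibboleth`. The check only sees metadata with a local file behind it, so a MetadataProvider that fetches a remote `uri` without a `backingFilePath` has to be inspected by fetching the same URL. It also inspects only shibboleth2.xml: the Shibboleth SP can be handed an IdP entityID per request as well, through the Apache `ShibRequestSetting entityID` directive or an `entityID` parameter on the session-initiator request, so the web server configuration is a separate place to search for a stale identifier.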