Troubleshooting

Problem: How to sets a default authentication mechanism for the relying party?

...

(...)
    <DefaultRelyingParty provider="https://aai-logon.com/idp/shibboleth"
                         defaultSigningCredentialRef="IdPCredential"
                         defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
(...)

...

Problem:  Checksum error

Log:

Sep 6, 2010 11:44:22 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
java.security.GeneralSecurityException: Checksum failed
 at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:406)
 at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91)

Solution: There are two things you can try:
1. If you are using a version of the JDK that is less than 1.5.0_07 then, update to a newer version of Java.
2. On the Active Directory accounts on your domain server, make sure you check the box "use DES encryption type" for the client and service accounts.

...

Problem: GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)

...

http://stackoverflow.com/questions/1785199/why-do-i-get-a-gssexception-when-using-active-directory-sso-from-microsoft-ie-to

...

Problem:  HTTP Error 400 - Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

...

Attention: Changing the Apache "LimitRequestFieldSize" is not a good idea because:

• This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.
• Your browser will potently send the same "huge" Authorization header for other servers, causing the same error.

Source: https://kc.mcafee.com/corporate/index?page=content&id=KB60332&pmv=print

...