Comment: added Unable to establish security of incoming assertion

The following errors are commonly encountered by users, usually when initially setting up their SP.


opensaml::SecurityPolicyException: Message expired, was issued too long ago.

Barring an actual replay attack, your SP's clock isn't synchronized with the clock of the IdP that issued the message. All servers using SAML MUST maintain accurate time. Refer to your OS documentation for information on how to synchronize with a reliable time source.
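To see how far apart the two clocks can drift before this error appears, the following added example (not code from the Shibboleth project) approximates the SP's message lifetime rule in plain Python: it reads IssueInstant from a constructed SAML Response fragment and compares it with the SP's idea of "now". The numbers 180 (clockSkew) and 60 (expires) are assumed defaults modelled on a stock shibboleth2.xml; substitute the values from your own configuration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed SAML Response fragment (not a real IdP message); only the
# IssueInstant attribute matters for this check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-example" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>"""

# Assumed defaults, modelled on <SPConfig clockSkew="180"> and
# <PolicyRule type="MessageFlow" expires="60"/> in shibboleth2.xml.
DEFAULT_CLOCK_SKEW = 180
DEFAULT_EXPIRES = 60


def parse_issue_instant(message_xml):
    """Return IssueInstant as an aware UTC datetime. SAML requires UTC ('Z')."""
    value = ET.fromstring(message_xml).get("IssueInstant")
    if value is None:
        raise ValueError("message carries no IssueInstant attribute")
    if not value.endswith("Z"):
        raise ValueError("IssueInstant must be expressed in UTC: %r" % value)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def message_age_seconds(message_xml, now):
    """Seconds between the IdP's IssueInstant and the SP's clock (negative if
    the message appears to come from the future, i.e. the SP clock is behind)."""
    return (now - parse_issue_instant(message_xml)).total_seconds()


def message_lifetime_verdict(message_xml, now,
                             expires=DEFAULT_EXPIRES, clock_skew=DEFAULT_CLOCK_SKEW):
    """Approximation of the lifetime rule: 'expired' once the message is older
    than expires + clock_skew seconds by the SP's clock ("issued too long ago"),
    'future' if it was issued more than clock_skew seconds ahead of the SP's
    clock, otherwise 'ok'. With correct clocks this is what stops a replay."""
    age = message_age_seconds(message_xml, now)
    if age > expires + clock_skew:
        return "expired"
    if age < -clock_skew:
        return "future"
    return "ok"


if __name__ == "__main__":
    # An SP clock four minutes and one second fast is already enough to reject.
    for sp_now in ("2024-05-01T12:01:00Z", "2024-05-01T12:04:01Z", "2024-05-01T11:56:59Z"):
        now = datetime.strptime(sp_now, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        print(sp_now, message_age_seconds(SAMPLE_RESPONSE, now), message_lifetime_verdict(SAMPLE_RESPONSE, now))
```

Note that the rejection window is asymmetric: a fast SP clock gets expires plus clockSkew seconds of slack, a slow one only clockSkew, so an SP that is behind the IdP will fail sooner than one that is ahead.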

...

  1. The certificate in the metadata is different from the one configured in relying-party.xml, and hence, the one in the message. You should change them so they match.
  2. If PKIX (CN matching with a signed root) is being used, the CN of the certificate used to sign the message is not the same as the CN expected by the KeyName in that provider's metadata.
  3. The IdP is using the wrong entityID and mistakenly trying to spoof another IdP.
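The first and third causes above can be checked mechanically before touching the logs. The following added example (not code from the Shibboleth project) reads the metadata the SP has loaded, collects each IdP's signing certificates and KeyNames, and compares them with the entityID and the signing certificate PEM the IdP is actually configured with (in relying-party.xml). The metadata and "certificates" below are constructed placeholders (base64 of arbitrary bytes, not real DER) so that the script runs offline; the comparison itself works on a SHA-256 fingerprint of the raw certificate bytes, so it is the same for real input. Extracting the CN for the second cause needs a certificate parser, so the script only prints the KeyNames from metadata for you to compare against `openssl x509 -noout -subject`.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder "certificates": base64 of arbitrary bytes, NOT real DER.
# In practice, use the real <ds:X509Certificate> text and the real PEM file.
CERT_A_B64 = base64.b64encode(b"placeholder signing cert A").decode()
CERT_B_B64 = base64.b64encode(b"placeholder encryption cert B").decode()

# Constructed metadata: one IdP with a signing key (KeyName set) and a separate
# encryption key, which must not be accepted as a signing key.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:KeyName>idp.example.org</ds:KeyName>
          <ds:X509Data><ds:X509Certificate>
            {CERT_A_B64}
          </ds:X509Certificate></ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def to_pem(b64_body):
    """Wrap a base64 body in PEM armor (used here only to build sample input)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64_body


def pem_to_der(pem_text):
    """Strip PEM armor and decode to the raw DER bytes."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()


def idp_signing_keys(metadata_xml):
    """Map entityID -> list of (KeyName, SHA-256 fingerprint) for each IdP
    signing key. A KeyDescriptor with no 'use' attribute counts as signing."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter("{%s}EntityDescriptor" % MD):
        keys = []
        for kd in ed.findall("{%s}IDPSSODescriptor/{%s}KeyDescriptor" % (MD, MD)):
            if kd.get("use", "signing") != "signing":
                continue
            keyname = kd.findtext("{%s}KeyInfo/{%s}KeyName" % (DS, DS))
            for cert in kd.iter("{%s}X509Certificate" % DS):
                der = base64.b64decode("".join((cert.text or "").split()))
                keys.append((keyname, fingerprint(der)))
        if keys:
            result[ed.get("entityID")] = keys
    return result


def diagnose(metadata_xml, idp_entity_id, configured_cert_pem):
    """Return a list of mismatches between the IdP as described in the SP's
    metadata and the entityID/certificate the IdP is configured with.
    An empty list means causes 1 and 3 above are ruled out."""
    problems = []
    keys = idp_signing_keys(metadata_xml)
    if idp_entity_id not in keys:
        problems.append("metadata has no IdP signing key for entityID %s: the IdP's "
                        "configured entityID does not match the metadata (cause 3)" % idp_entity_id)
        return problems
    configured_fp = fingerprint(pem_to_der(configured_cert_pem))
    if configured_fp not in {fp for _, fp in keys[idp_entity_id]}:
        problems.append("configured signing certificate %s... is not a signing key in the "
                        "metadata for %s (cause 1); metadata KeyNames: %s"
                        % (configured_fp[:16], idp_entity_id,
                           ", ".join(str(k) for k, _ in keys[idp_entity_id])))
    return problems


if __name__ == "__main__":
    for pem in (to_pem(CERT_A_B64), to_pem(CERT_B_B64)):
        print(diagnose(SAMPLE_METADATA, "https://idp.example.org/idp/shibboleth", pem) or "consistent")
```

Run it with the metadata file named in your SP's MetadataProvider and the PEM referenced from relying-party.xml; if the result is "consistent" and the error persists, the remaining suspect is the CN/KeyName comparison under PKIX.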

Unable to establish security of incoming assertion

This error is presented in the browser for a variety of underlying reasons. Check shibd.log for more useful debugging information.

Unable to locate metadata for identity provider (https://identities.supervillain.edu/idp/shibboleth).

...