org.opensaml.SAMLException: Unauthenticated principal. This protocol handler requires that authentication information be provided from the servlet container.
Shibboleth 1.3 and earlier doesn't perform user authentication itself, but instead relies on its environment for this information. This error occurs when the IdP is handed the user session without an associated principal name. There are two primary causes of this problem: no authentication is performed, or mod_jk isn't successfully handing that authentication information to the IdP.
If you are asked to authenticate before receiving this error:
...
- If you're using Apache authentication, make sure that there is a properly defined <Location> block protecting the SSO handler within the correct virtual host (usually port 443) like the following:
```
<Location /shibboleth-idp/SSO>
    AuthType Basic
    AuthName "Villain Verification Service (VVS)"
    AuthUserFile /usr/local/apache/conf/user.db
    require valid-user
</Location>
```
- If your deployment is entirely contained in Tomcat, make sure that you've got a properly defined authentication filter in place.
...
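An added example, not part of the original page or the Shibboleth project: a small Python check that reports, per virtual host, whether the SSO handler's <Location> block exists and carries AuthType and Require directives. The sample configuration, the JkMount worker name and the function name are constructed, and only <Location> blocks inside <VirtualHost> sections are examined.

```python
import re

# Constructed sample (not from the page): the SSO handler is protected only in
# the port-80 virtual host, so the 443 host hands the IdP no principal.
SAMPLE = """
<VirtualHost *:80>
  <Location /shibboleth-idp/SSO>
    AuthType Basic
    AuthName "Villain Verification Service (VVS)"
    AuthUserFile /usr/local/apache/conf/user.db
    require valid-user
  </Location>
</VirtualHost>
<VirtualHost *:443>
  # no <Location> for the SSO handler here
  JkMount /shibboleth-idp/* worker1
</VirtualHost>
"""

OPEN = re.compile(r"<(VirtualHost|Location)\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</(VirtualHost|Location)>", re.I)

def check_sso_protection(conf, path="/shibboleth-idp/SSO"):
    """Map each <VirtualHost> to the problems found for the SSO handler."""
    report, vhost, seen = {}, None, None  # seen: directives in the target block
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        o, c = OPEN.match(line), CLOSE.match(line)
        if o and o.group(1).lower() == "virtualhost":
            vhost = o.group(2).strip()
            report[vhost] = ["no <Location %s> block" % path]
        elif o and vhost and o.group(2).strip().strip('"').rstrip("/") == path:
            seen = set()  # entering the <Location> that guards the SSO handler
        elif c and c.group(1).lower() == "location" and seen is not None:
            report[vhost] = ["missing %s" % d for d in ("AuthType", "Require")
                             if d.lower() not in seen]
            seen = None
        elif c and c.group(1).lower() == "virtualhost":
            vhost = None
        elif seen is not None:
            seen.add(line.split()[0].lower())  # directive name, case-insensitive
    return report

if __name__ == "__main__":
    for host, problems in check_sso_protection(SAMPLE).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

An empty problem list for the virtual host that serves the IdP means Apache will demand credentials before the request reaches the SSO handler; it does not confirm that mod_jk forwards the resulting principal.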