The following errors are commonly encountered by users, usually when initially setting up their SP.


opensaml::SecurityPolicyException: Message expired, was issued too long ago.

Barring an actual replay of an old message, your SP's clock is not synchronized with the clock of the IdP that issued the message. All servers using SAML MUST maintain accurate time. Before changing anything else, compare `date -u` on the SP host against a trusted source (or inspect `chronyc tracking` / `ntpq -p`), and refer to your OS documentation for how to synchronize with a reliable time source.
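To make the failure concrete, here is an added example (not Shibboleth code) that re-implements the message-lifetime check behind this error and runs it against a constructed SAML Response on an SP whose clock is offset from the IdP's. The window values (a 60 second message lifetime plus a 180 second clock-skew allowance) are assumptions modelled on typical SP configuration; the first rejection string is a paraphrase, only the "expired" message is the one quoted above.

```python
"""Simulate the SAML message-lifetime rule to show how a skewed SP clock
produces 'Message expired, was issued too long ago'.  Added example, not
Shibboleth code; EXPIRES and CLOCK_SKEW are assumed defaults."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
EXPIRES = 60       # assumed message lifetime in seconds
CLOCK_SKEW = 180   # assumed clock-skew allowance in seconds

# Constructed sample response: only IssueInstant matters for this check.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" ID="_abc123" Version="2.0" '
    'IssueInstant="2024-03-01T12:00:00Z" '
    'Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>' % SAMLP
)


def parse_issue_instant(xml_text):
    """Return the IssueInstant of a SAML protocol message as an aware datetime."""
    root = ET.fromstring(xml_text)
    raw = root.attrib["IssueInstant"]
    # SAML timestamps are UTC with a trailing 'Z'; older Pythons' fromisoformat
    # only understands the '+00:00' spelling, so normalise it.
    if raw.endswith("Z"):
        raw = raw[:-1] + "+00:00"
    return datetime.fromisoformat(raw)


def check_message_flow(issue_instant, now, expires=EXPIRES, clock_skew=CLOCK_SKEW):
    """Apply the lifetime rule as seen from the SP's own clock ('now').
    Messages from the future (beyond the skew allowance) are rejected first,
    then messages older than lifetime + skew.  Returns a status string."""
    if issue_instant > now + timedelta(seconds=clock_skew):
        return "Message was issued in the future (SP clock behind the IdP)."
    if issue_instant < now - timedelta(seconds=expires + clock_skew):
        return "Message expired, was issued too long ago."
    return "ok"


def simulate(sp_clock_offset_seconds, network_delay_seconds=2):
    """Evaluate the sample message on an SP whose clock differs from the IdP's
    by sp_clock_offset_seconds (positive = SP clock runs fast).  The message is
    assumed to arrive network_delay_seconds after it was issued."""
    issued = parse_issue_instant(SAMPLE_RESPONSE)
    true_now = issued + timedelta(seconds=network_delay_seconds)
    sp_now = true_now + timedelta(seconds=sp_clock_offset_seconds)
    return check_message_flow(issued, sp_now)


if __name__ == "__main__":
    for offset in (0, 200, 300, -200):
        print("SP clock offset %+5ds -> %s" % (offset, simulate(offset)))
```

Running it shows that an SP clock a few minutes fast is absorbed by the skew allowance, but once the offset exceeds lifetime plus skew every response is rejected as expired, while an SP clock that is slow produces the mirror-image "issued in the future" rejection.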

...

  1. The certificate in the metadata is different from the one configured in relying-party.xml, and hence from the one carried in the message. Change them so they match.
  2. If PKIX trust (a certificate chained to a trusted root, with its CN matched against a KeyName) is being used, the CN of the certificate used to sign the message is not the same as the CN given in the KeyName of that provider's metadata.
  3. The IdP is configured with the wrong entityID and is, in effect, claiming to be another IdP, so the SP verifies the message against the other IdP's metadata and keys.
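Causes 1 and 3 can be confirmed offline, without the SP in the loop, by comparing what the metadata publishes with what the message carries. The following added example (not Shibboleth code) fingerprints the signing certificate in an IdP's metadata, fingerprints the certificate embedded in a Response's ds:Signature, and checks the Response's Issuer against the metadata entityID. All XML is constructed for the example, and the base64 "certificates" are placeholder blobs rather than real X.509 data; cause 2 (KeyName versus CN under PKIX) is not covered because it needs a certificate parser.

```python
"""Offline check for signing-certificate and entityID mismatches between an
IdP's metadata and a signed SAML Response.  Added example, not Shibboleth
code; all inputs below are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"   # constructed
# Placeholder blobs standing in for DER certificates (constructed, not X.509).
CERT_A = base64.b64encode(b"placeholder certificate A").decode()
CERT_B = base64.b64encode(b"placeholder certificate B").decode()

METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">
  <md:IDPSSODescriptor protocolSupportEnumeration="%s">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        %s
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (NS["md"], NS["ds"], IDP_ENTITY_ID, NS["samlp"], CERT_A)


def make_response(issuer, cert_b64):
    """Constructed signed Response skeleton: Issuer plus a KeyInfo certificate."""
    return """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s"
    ID="_r1" Version="2.0" IssueInstant="2024-03-01T12:00:00Z">
  <saml:Issuer>%s</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>""" % (NS["samlp"], NS["saml"], NS["ds"], issuer, cert_b64)


def cert_fingerprints(elem):
    """SHA-256 fingerprints of every ds:X509Certificate under elem.  The base64
    is whitespace-normalised so line wrapping in metadata does not matter."""
    fps = set()
    for c in elem.iterfind(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join((c.text or "").split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def metadata_signing_certs(metadata_xml):
    """(entityID, fingerprints) for KeyDescriptors usable for signing
    (use="signing" or no use attribute)."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            fps |= cert_fingerprints(kd)
    return root.get("entityID"), fps


def diagnose(metadata_xml, response_xml):
    """Return a list of findings; an empty list means no mismatch was found."""
    entity_id, md_fps = metadata_signing_certs(metadata_xml)
    resp = ET.fromstring(response_xml)
    findings = []
    issuer = resp.find("saml:Issuer", NS)
    issuer_value = (issuer.text or "").strip() if issuer is not None else ""
    if issuer_value != entity_id:
        findings.append("Issuer %r does not match metadata entityID %r "
                        "(wrong entityID on the IdP, or wrong metadata loaded)"
                        % (issuer_value, entity_id))
    sig = resp.find("ds:Signature", NS)
    if sig is None:
        findings.append("Response carries no ds:Signature")
        return findings
    msg_fps = cert_fingerprints(sig)
    if not msg_fps:
        findings.append("Signature carries no X509Certificate; trust must come "
                        "from metadata or a KeyName alone")
    elif not (msg_fps & md_fps):
        findings.append("Signing certificate in message (sha256 %s...) is not among "
                        "the %d signing certificate(s) in metadata"
                        % (sorted(msg_fps)[0][:16], len(md_fps)))
    return findings


if __name__ == "__main__":
    print(diagnose(METADATA, make_response(IDP_ENTITY_ID, CERT_A)))   # []
    print(diagnose(METADATA, make_response(IDP_ENTITY_ID, CERT_B)))   # cert mismatch
    print(diagnose(METADATA, make_response("https://other.example.edu/idp", CERT_A)))
```

Against real deployments, feed it the IdP's published metadata and a Response captured from the browser (base64-decode the SAMLResponse form field first); a fingerprint mismatch points at cause 1, an Issuer mismatch at cause 3.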

Unable to establish security of incoming assertion

This error is shown in the browser for a variety of different underlying reasons, and the browser-facing text does not say which. Check shibd.log, where the SP records the underlying exception, for the actual cause.

Unable to locate metadata for identity provider (https://identities.supervillain.edu/idp/shibboleth).

...

Your .te file may contain extra definitions and rules depending upon what your local httpd is trying to access; however, if the above information is in there, it should cure the "Can't connect to listener process" issue, even after SELinux is switched back to enforcing mode (setenforce 1). The definitions and rules in the simplistic module detailed above should also be available in the officially supported module referenced on the Security Enhanced Linux page.

Compile and install the policy file with:

# compile the type-enforcement source into a policy module
checkmodule -m -M -o mod_shib-to-shibd.mod mod_shib-to-shibd.te
# package the module and load it into the running policy
semodule_package -o mod_shib-to-shibd.pp -m mod_shib-to-shibd.mod
semodule -i mod_shib-to-shibd.pp