org.opensaml.SAMLException: Unauthenticated principal. This protocol handler requires that authentication information be provided from the servlet container.

Shibboleth 1.3 and earlier doesn't perform user authentication itself, but instead relies on its environment for this information. This is an error that occurs when the IdP is handed the user session without an associated principal name. There's two primary causes of this problem; no authentication is performed, or mod_jk isn't successfully handing that authentication information to the IdP.

If you are asked to authenticate before receiving this error:

Ensure that the AJP 1.3 <Connector> configuration in Tomcat's server.xml contains tomcatAuthentication="false" for Tomcat 5.0.x and earlier and request.tomcatAuthentication="false" for all later versions.

If you aren't asked to authenticate before receiving this error:

If you're using Apache authentication, make sure that there is a properly defined <Location> block protecting the SSO handler within the correct virtual host (usually port 443) like the following:

<Location /shibboleth-idp/SSO>
	AuthType Basic
	AuthName "Villain Verification Service (VVS)"
	AuthUserFile /usr/local/apache/conf/user.db
	require valid-user
</Location>

If your deployment is entirely contained in Tomcat, make sure that you've got a properly defined authentication filter in place.