Error Messages and Solutions

The following is a semi-official list of errors and solutions by the Internet2 people:

which IAMSECT developers found useful.



Cannot load /opt/shibboleth-1.2.1/libexec/ into server: /opt/shibboleth-1.2.1/libexec/ failed to map segment from shared object: Permission denied

Apparently this is caused by SELinux. /var/log/messages shows:

kernel: audit(1115814837.683:0): avc: denied { execute } for pid=8268 comm=httpd path=/opt/shibboleth-1.2.1/libexec/ dev=sda1 ino=1016775 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file

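The solution (which may be temporary) is to edit /etc/selinux/config, change enforcing to permissive, and reboot. Permissive mode logs denials instead of blocking them, and it does so for every process on the machine, not only httpd.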



...[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

...[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Take care not to mix up the ‘csr’ (certificate signing request) and ‘crt’ (the signed certificate) in the ssl.conf file. Correcting this and restarting Apache solves the problem.

Origin: Invalid assertion consumer service URL

Invalid what consumer what what?!

Logging in at the origin can result in this error to the user:

Handle Service failure at (/shibboleth/HS)

edu.internet2.middleware.shibboleth.hs.HandleServlet$InvalidClientDataException:

Invalid assertion consumer service URL.

And in the HS’s logs:

... INFO [HS] ... - Handling request.

... DEBUG [HS] ... - Remote provider has identified itself as: (

... DEBUG [HS] ... - Provider is a member of group (, but no matching Relying Party was found.

... INFO [HS] ... - Could not locate Relying Party configuration for ( Using default Relying Party: (

... INFO [HS] ... - Supplied consumer URL not found in metadata.

... ERROR [HS] ... - Supplied assertion consumer service URL( is NOT valid for provider (

... ERROR [HS] ... - edu.internet2.middleware.shibboleth.hs.HandleServlet$InvalidClientDataException: Invalid assertion consumer service URL.

... DEBUG [HS] ... - servletPath=/hserror.jsp, pathInfo=null, queryString=null, name=null

... DEBUG [HS] ... - Path Based Forward

... DEBUG [HS] ... - Disabling the response for futher output

The cause is that the providerId in the target’s shibboleth.xml is still set to the default. You need to either invent a unique URL for it (as per ), or, if you are in a federation, you may have your providerId dictated to you.
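The sequence in the HS log above can be modelled in a few lines. This is an added example in Python, not code from Shibboleth or from the original page: it is a simplified sketch in which the provider ids, URLs, metadata layout and function names are all hypothetical placeholders, and consumer URLs are compared by plain string equality.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Provider:
    group: str
    consumer_urls: frozenset

class InvalidClientData(Exception):
    """Stands in for the InvalidClientDataException seen in the HS log."""

# Constructed sample data: every identifier below is a placeholder.
DEFAULT_ID = "urn:example:shipped-default"        # the untouched default providerId
UNIQUE_ID = "https://sp.example.edu/shibboleth"   # a providerId chosen for this target
MY_SHIRE = "https://sp.example.edu/Shibboleth.shire"
FEDERATION = "urn:example:federation"
METADATA = {
    # The default id is registered, but with someone else's consumer URL.
    DEFAULT_ID: Provider(FEDERATION, frozenset({"https://demo.example.org/Shibboleth.shire"})),
    UNIQUE_ID: Provider(FEDERATION, frozenset({MY_SHIRE})),
}
RELYING_PARTIES = {"urn:example:partner-federation"}  # names configured at the origin
DEFAULT_RELYING_PARTY = "urn:example:origin-default"

def pick_relying_party(provider_id, provider):
    # Match on the provider's own id first, then on its group, else fall back.
    for name in (provider_id, provider.group):
        if name in RELYING_PARTIES:
            return name
    return DEFAULT_RELYING_PARTY

def handle_request(provider_id, consumer_url):
    """Return (relying_party, consumer_url), or raise InvalidClientData."""
    provider = METADATA.get(provider_id)
    if provider is None:
        # Model choice: an unknown provider gets no handle at all.
        raise InvalidClientData(f"unknown provider {provider_id}")
    relying_party = pick_relying_party(provider_id, provider)
    # The security-relevant step: the handle may only be posted to a URL
    # that the metadata registers for this exact provider.
    if consumer_url not in provider.consumer_urls:
        raise InvalidClientData(
            f"consumer URL {consumer_url} is NOT valid for provider {provider_id}")
    return relying_party, consumer_url

if __name__ == "__main__":
    for pid in (DEFAULT_ID, UNIQUE_ID):
        try:
            print("accepted:", handle_request(pid, MY_SHIRE))
        except InvalidClientData as exc:
            print("rejected:", exc)
```

The request made under the default providerId is rejected because the metadata ties that id to a different consumer URL; the same consumer URL is accepted once the target announces its own registered providerId.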


You may get the following error:

SHIRE failure at (

Exception: Fatal Profile Error: SAMLPOSTProfile::getSSOAssertion() unable to start session due to policy mismatch (target policies: urn:mace:inqueue,

You should set your providerId to a recognised value.