The following is a semi-official list of errors and solutions by the Internet2 people, https://umdrive.memphis.edu/wassa/public/shib.faq/shibboleth-faq.html, which IAMSECT developers found useful.
Cannot load /opt/shibboleth-1.2.1/libexec/mod_shib_20.so into server:
/opt/shibboleth-1.2.1/libexec/mod_shib_20.so: failed to map segment from shared object: Permission denied
Apparently this is caused by SELinux: the module file carries the generic usr_t label, so the httpd_t domain that Apache runs in is not allowed to execute it. /var/log/messages shows:
kernel: audit(1115814837.683:0): avc: denied { execute } for pid=8268 comm=httpd path=/opt/shibboleth-1.2.1/libexec/mod_shib_20.so dev=sda1 ino=1016775 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
The solution (which may be temporary) is to edit /etc/selinux/config, change the mode from enforcing to permissive, and reboot. Permissive mode stops SELinux enforcing policy for every domain on the host (denials are still logged), so this trades away the protection rather than fixing the label on the module.
See http://fedora.redhat.com/docs/selinux-faq-fc3/index.html
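An added example, not from the FAQ or from the Shibboleth or Fedora projects: a small POSIX shell script that pulls the useful fields out of an AVC denial of the shape quoted above (the sample line is constructed after it) and applies the config change with sed instead of an editor. The FC3-style layout of /etc/selinux/config (a SELINUX= line) is assumed.

```shell
#!/bin/sh
# Added example: summarise an AVC denial and apply the permissive-mode edit.

# Constructed sample, same shape as the /var/log/messages line quoted on the page.
AVC_SAMPLE='kernel: audit(1115814837.683:0): avc:  denied  { execute }  for  pid=8268 comm=httpd path=/opt/shibboleth-1.2.1/libexec/mod_shib_20.so dev=sda1 ino=1016775 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file'

# avc_field LINE KEY: value of the KEY=value pair in an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission list inside the braces ("execute", "read write", ...)
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^[:space:]}]\)[[:space:]]*}.*/\1/p'
}

# context_type CONTEXT: the type (third field) of user:role:type[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "<source type> denied <perms> on <target type> <class> <path>"
avc_summary() {
    _l=$1
    printf '%s denied %s on %s %s %s\n' \
        "$(context_type "$(avc_field "$_l" scontext)")" \
        "$(avc_perms "$_l")" \
        "$(context_type "$(avc_field "$_l" tcontext)")" \
        "$(avc_field "$_l" tclass)" \
        "$(avc_field "$_l" path)"
}

# sample_selinux_config: a constructed /etc/selinux/config in the FC3 layout (assumed)
sample_selinux_config() {
    printf '%s\n' '# This file controls the state of SELinux on the system.' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted'
}

# set_permissive: stdin -> stdout, switching SELINUX=enforcing to permissive.
# This is the page's fix; write the result over /etc/selinux/config and reboot.
set_permissive() {
    sed 's/^SELINUX=enforcing[[:space:]]*$/SELINUX=permissive/'
}

# Stand-alone run: summarise the sample denial, then show the rewritten config.
avc_summary "$AVC_SAMPLE"
sample_selinux_config | set_permissive
```

The summary line reads "httpd_t denied execute on usr_t file /opt/shibboleth-1.2.1/libexec/mod_shib_20.so", which names the two things that matter for the fix: the domain that was refused and the label on the file. Because permissive mode only stops enforcement and not logging, the same denial keeps appearing in the log afterwards; the narrower fix, which the FAQ does not cover, is to give the module the file type that Apache's own modules carry under the local policy.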
...[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
...[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Take care not to mix up the ‘csr’ (certificate signing request) and ‘crt’ (the signed certificate) files in ssl.conf: the ASN.1 errors above are mod_ssl failing to parse a CSR where it expects a certificate. Correcting this and restarting Apache solves the problem.
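An added example, not from the FAQ: a POSIX shell check that tells a CSR, a signed certificate and a key apart by their PEM header and then verifies that the certificate directives in an ssl.conf point at the right kind of file. The fixture files are constructed (PEM headers only, bodies omitted, since only the headers are examined); the directive names SSLCertificateFile and SSLCertificateKeyFile are the standard mod_ssl ones.

```shell
#!/bin/sh
# Added example: catch the csr/crt mix-up before Apache is restarted.

# pem_kind FILE: certificate | csr | key | unknown, from the first BEGIN line
pem_kind() {
    _hdr=$(grep '^-----BEGIN ' "$1" 2>/dev/null | head -n 1)
    case $_hdr in
        '-----BEGIN CERTIFICATE-----') echo certificate ;;
        '-----BEGIN CERTIFICATE REQUEST-----'|'-----BEGIN NEW CERTIFICATE REQUEST-----') echo csr ;;
        *'PRIVATE KEY-----') echo key ;;
        *) echo unknown ;;
    esac
}

# check_ssl_conf CONF: verify every SSLCertificateFile / SSLCertificateKeyFile line.
# Prints one line per directive; returns 1 if any file is of the wrong kind.
check_ssl_conf() {
    _rc=0
    while read -r _directive _file _rest; do
        case $_directive in
            SSLCertificateFile)    _want=certificate ;;
            SSLCertificateKeyFile) _want=key ;;
            *) continue ;;
        esac
        _got=$(pem_kind "$_file")
        if [ "$_got" = "$_want" ]; then
            printf 'OK   %s %s (%s)\n' "$_directive" "$_file" "$_got"
        else
            printf 'BAD  %s %s is a %s, expected %s\n' "$_directive" "$_file" "$_got" "$_want"
            _rc=1
        fi
    done < "$1"
    return $_rc
}

# make_fixture DIR: constructed PEM stubs (headers only) plus a bad ssl.conf that
# makes the mix-up described on the page and a good one that does not.
make_fixture() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' '...body omitted...' '-----END CERTIFICATE REQUEST-----' > "$1/server.csr"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '...body omitted...' '-----END CERTIFICATE-----' > "$1/server.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '...body omitted...' '-----END RSA PRIVATE KEY-----' > "$1/server.key"
    printf 'SSLEngine on\nSSLCertificateFile %s/server.csr\nSSLCertificateKeyFile %s/server.key\n' "$1" "$1" > "$1/bad.conf"
    printf 'SSLEngine on\nSSLCertificateFile %s/server.crt\nSSLCertificateKeyFile %s/server.key\n' "$1" "$1" > "$1/good.conf"
}

# Stand-alone run against the constructed fixture
_d=$(mktemp -d)
make_fixture "$_d"
check_ssl_conf "$_d/bad.conf" || echo "bad.conf: fix SSLCertificateFile, then restart Apache"
check_ssl_conf "$_d/good.conf"
rm -rf "$_d"
```

Once the kind of file is known, `openssl x509 -in FILE -noout -subject` (for a certificate) or `openssl req -in FILE -noout -subject` (for a CSR) confirms the contents; running either against the wrong kind of file produces the same ASN.1 parse errors that mod_ssl logs.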
Invalid what consumer what what?!
Logging in at the origin can result in this error being shown to the user:
Handle Service failure at (/shibboleth/HS)
edu.internet2.middleware.shibboleth.hs.HandleServlet$InvalidClientDataException: Invalid assertion consumer service URL.
And in the HS’s logs:
... INFO [HS] ... - Handling request.
... DEBUG [HS] ... - Remote provider has identified itself as: (https://example.org/shibboleth/target).
... DEBUG [HS] ... - Provider is a member of group (https://example.org/shibboleth), but no matching Relying Party was found.
... INFO [HS] ... - Could not locate Relying Party configuration for (https://example.org/shibboleth/target). Using default Relying Party: (urn:mace:ac.uk:sdss.ac.uk:federation:sdss).
... INFO [HS] ... - Supplied consumer URL not found in metadata.
... ERROR [HS] ... - Supplied assertion consumer service URL(http://webdev2.ncl.ac.uk/Shibboleth.shire) is NOT valid for provider (https://example.org/shibboleth/target).
... ERROR [HS] ... - edu.internet2.middleware.shibboleth.hs.HandleServlet$InvalidClientDataException: Invalid assertion consumer service URL.
... DEBUG [HS] ... - servletPath=/hserror.jsp, pathInfo=null, queryString=null, name=null
... DEBUG [HS] ... - Path Based Forward
... DEBUG [HS] ... - Disabling the response for futher output
The cause is that the providerId in the target’s shibboleth.xml is still set to the default, https://example.org/shibboleth/target, so the HS cannot match the target (or its consumer URL) against the federation metadata. You need to either invent a unique URL for it (as per http://shibboleth.internet2.edu/guides/deploy-guide-target.html), or, if you are in a federation, you may have your providerId dictated to you.
You may get the following error:
SHIRE failure at (http://webdev2.ncl.ac.uk/Shibboleth.shire)
Exception: Fatal Profile Error: SAMLPOSTProfile::getSSOAssertion() unable to start session due to policy mismatch (target policies: urn:mace:inqueue, https://webdev2.ncl.ac.uk/shibboleth/target)
You should set your providerId to a value the origin recognises, i.e. one that is registered in the federation metadata.
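An added example covering both of the providerId problems above (the shipped default, and a value that the metadata does not know); it is not from the FAQ or the Shibboleth project. It is a POSIX shell check that reads the target's providerId and shireURL out of shibboleth.xml and looks them up in a 1.2-style sites.xml. Assumptions: providerId sits on the <Applications> element and shireURL on <Sessions>; the metadata lists each target as <DestinationSite Name="..."> with <AssertionConsumerServiceURL Location="..."/> children; and attributes sit on the same line as their tag. All the files, names and hostnames are constructed.

```shell
#!/bin/sh
# Added example: check the target's providerId and consumer URL against the metadata
# before the HS rejects them.

DEFAULT_PROVIDER_ID='https://example.org/shibboleth/target'

# xml_attr ELEMENT ATTR: print ATTR's value for every ELEMENT start tag read from stdin
# (attribute assumed to be on the same line as the tag; not a general XML parser)
xml_attr() {
    sed -n "s/.*<$1[^>]*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# dest_site_block METADATA NAME: print the <DestinationSite Name="NAME">...</DestinationSite> block
dest_site_block() {
    awk -v name="$2" '
        /<DestinationSite/ && index($0, "Name=\"" name "\"") { inblk = 1 }
        inblk { print }
        /<\/DestinationSite>/ { inblk = 0 }
    ' "$1"
}

# check_target CONFIG METADATA: 0 when providerId is non-default, registered, and the
# shireURL is one of its consumer URLs; otherwise print the reason and return 1
check_target() {
    _pid=$(xml_attr Applications providerId < "$1")
    _shire=$(xml_attr Sessions shireURL < "$1")
    if [ -z "$_pid" ]; then
        echo "no providerId on <Applications> in $1"; return 1
    fi
    if [ "$_pid" = "$DEFAULT_PROVIDER_ID" ]; then
        echo "providerId is still the shipped default ($_pid)"; return 1
    fi
    _block=$(dest_site_block "$2" "$_pid")
    if [ -z "$_block" ]; then
        echo "no DestinationSite named $_pid in $2"; return 1
    fi
    if ! printf '%s\n' "$_block" | xml_attr AssertionConsumerServiceURL Location | grep -qxF -- "$_shire"; then
        echo "consumer URL $_shire is not listed for $_pid"; return 1
    fi
    echo "providerId $_pid and consumer URL $_shire are registered"
}

# make_fixture DIR: a constructed sites.xml plus shibboleth.xml variants covering the
# default id, an id missing from the metadata, a consumer URL that differs from the
# registered one (http vs https, as in the HS log above), and a correct one.
make_fixture() {
    mkdir -p "$1"
    cat > "$1/sites.xml" <<'EOF'
<SiteGroup Name="https://example.org/shibboleth" xmlns="urn:mace:shibboleth:1.0">
  <DestinationSite Name="https://sp.example.net/shibboleth/target">
    <AssertionConsumerServiceURL Location="https://sp.example.net/Shibboleth.shire"/>
  </DestinationSite>
</SiteGroup>
EOF
    for _v in default unknown badurl good; do
        case $_v in
            default) _id=$DEFAULT_PROVIDER_ID;                          _u='https://sp.example.net/Shibboleth.shire' ;;
            unknown) _id='https://other.example.net/shibboleth/target'; _u='https://sp.example.net/Shibboleth.shire' ;;
            badurl)  _id='https://sp.example.net/shibboleth/target';    _u='http://sp.example.net/Shibboleth.shire' ;;
            good)    _id='https://sp.example.net/shibboleth/target';    _u='https://sp.example.net/Shibboleth.shire' ;;
        esac
        printf '<Applications id="default" providerId="%s">\n  <Sessions shireURL="%s"/>\n</Applications>\n' \
            "$_id" "$_u" > "$1/shibboleth-$_v.xml"
    done
}

# Stand-alone run over the four variants
_d=$(mktemp -d)
make_fixture "$_d"
for _v in default unknown badurl good; do
    printf '%s: ' "$_v"; check_target "$_d/shibboleth-$_v.xml" "$_d/sites.xml" || true
done
rm -rf "$_d"
```

The three failing variants map onto the log lines quoted above: the default id is what the HS reports as "Could not locate Relying Party configuration", an id absent from the metadata gives "Supplied consumer URL not found in metadata", and a shireURL that differs from the registered location (here http against https) gives the "is NOT valid for provider" error. Running the check against the real shibboleth.xml and the federation's sites.xml before restarting the target saves a round trip through the HS.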