Versions Compared

Old Version 41

changes.mady.by.user carsi_pku_team

Saved on

compared with

New Version 42

changes.mady.by.user carsi_pku_team

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel7

...

    <MetadataProvider id="HTTPMetadata"
         xsi:type="FileBackedHTTPMetadataProvider"
         backingFile="/opt/shibboleth-idp/metadata/carsifed-metadata.xml"
         minRefreshDelay="PT5M"
         maxRefreshDelay="PT10M"
         metadataURL="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml">
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="/opt/shibboleth-idp/credentials/dsmeta.pem" />
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>

        <MetadataFilter xsi:type="Algorithm">
                <!-- CBC-only SPs. -->
                <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
               <Entity><https://sp entity id1</Entity>
<Entity><https://sp entity id2</Entity>
        </MetadataFilter>

   </MetadataProvider>

20. IdP安装配置时,预上线环境测试显示登陆成功,但释放属性部分显示为空,这个一般是什么原因?

...

情况二:如果学校备份不可用,或者备份丢失,请重装IdP,IdP应用安装完成后,与CARSI联盟联系(邮件地址carsi@pku.edu.cn),走下线、上线流程并重新上传metadata。

22. IdP服务器使用CAS认证源,认证成功后,跳转到ds.carsi.edu.cn网页时报错 “opensaml::FatalProfileException at (https://xxx.xxx.edu.cn/Shibboleth.sso/SAML2/POST)”

具体错误信息:

opensaml::FatalProfileException

The system encountered an error at Fri Jul 15 11:17:24 2022

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (https://xxx.xxx.edu.cn/Shibboleth.sso/SAML2/POST)

SAML response reported an IdP error.

Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Requester
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Message: An error occurred.

问题分析:

  1. 查看idp-process.log, 检查是否有以下错误:
    2022-07-15 11:31:29,165 - 192.168.xx.xxx - ERROR [org.jasig.cas.client.util.CommonUtils:439] - SSL error getting response from host: cas-pass.XXXX.edu.cn : Error Message: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
    Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
    Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    2022-07-15 11:31:29,166 - 192.168.70.235 - ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:111] - Ticket validation failed, returning InvalidTicket
    java.lang.RuntimeException: javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:440)

  2. 如果有以上错误,请检查CAS认证服务网站数字证书,通常因其证书不完善导致报错。

解决办法:

请学校认证服务器更新完善数字证书。

注:www.myssl.com提供免费网站数字证书检测服务。