...
<MetadataProvider id="HTTPMetadata"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="/opt/shibboleth-idp/metadata/carsifed-metadata.xml"
                  minRefreshDelay="PT5M"
                  maxRefreshDelay="PT10M"
                  metadataURL="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml">
    <!-- Reject the aggregate unless its XML signature verifies with the federation
         metadata-signing certificate in dsmeta.pem. Keep this filter first. -->
    <MetadataFilter xsi:type="SignatureValidation" certificateFile="/opt/shibboleth-idp/credentials/dsmeta.pem" />
    <!-- Keep only SP roles; IdP/AA descriptors in the federation feed are not needed by an IdP. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
    <!-- Pin AES-128-CBC for SPs that cannot decrypt AES-GCM assertions. -->
    <MetadataFilter xsi:type="Algorithm">
        <!-- CBC-only SPs. -->
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <Entity>https://sp entity id1</Entity>
        <Entity>https://sp entity id2</Entity>
    </MetadataFilter>
</MetadataProvider>
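To decide which entityIDs belong in the Algorithm filter above, it helps to see which SPs in the aggregate actually advertise an XML-Encryption algorithm. The following is an added example, not CARSI's or the Shibboleth project's code: it parses a constructed metadata sample (the entityIDs such as https://sp-legacy.example.edu/shibboleth are made up and the ds:KeyInfo children are omitted) and groups SP entities by the data-encryption algorithms declared on their encryption KeyDescriptors.

```python
"""Group the SPs in a SAML metadata aggregate by the XML-Encryption data
algorithms they advertise, to decide which entityIDs need an Algorithm filter.

Added example for this FAQ; not code from CARSI or the Shibboleth project.
SAMPLE_METADATA is constructed (KeyInfo omitted). Metadata that has not
passed SignatureValidation should be parsed with defusedxml, not the stdlib.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
MD = "{%s}" % NS["md"]

# Data-encryption algorithm URIs from XML Encryption 1.1 (GCM) and 1.0 (CBC).
AES_GCM = {"http://www.w3.org/2009/xmlenc11#aes%d-gcm" % b for b in (128, 192, 256)}
AES_CBC = {"http://www.w3.org/2001/04/xmlenc#aes%d-cbc" % b for b in (128, 192, 256)}

SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example:fed">
  <md:EntityDescriptor entityID="https://sp-modern.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-legacy.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-silent.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def sp_encryption_methods(metadata_xml):
    """Return {entityID: set(algorithm URIs)} for every SP role in the aggregate."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for ed in root.iter(MD + "EntityDescriptor"):
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue  # IdP-only entities never receive our encrypted assertions
        algs = set()
        for kd in sp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "encryption") != "encryption":
                continue  # no 'use' attribute means signing AND encryption
            algs.update(em.get("Algorithm") for em in kd.findall("md:EncryptionMethod", NS))
        found[ed.get("entityID")] = algs
    return found


def classify(entities):
    """Split SPs into GCM-capable, CBC-only, and 'states no preference'."""
    buckets = {"gcm": [], "cbc_only": [], "unspecified": []}
    for entity_id, algs in sorted(entities.items()):
        if algs & AES_GCM:
            buckets["gcm"].append(entity_id)
        elif algs & AES_CBC:
            buckets["cbc_only"].append(entity_id)
        else:
            buckets["unspecified"].append(entity_id)
    return buckets


def algorithm_filter_entities(entities):
    """Render <Entity> lines for the CBC-pinning Algorithm filter."""
    return ["<Entity>%s</Entity>" % e for e in classify(entities)["cbc_only"]]


if __name__ == "__main__":
    ents = sp_encryption_methods(SAMPLE_METADATA)
    for bucket, ids in classify(ents).items():
        print(bucket, ids)
    print("\n".join(algorithm_filter_entities(ents)))
```

The filter in the configuration above injects an aes128-cbc EncryptionMethod into the listed SPs' metadata so the IdP selects CBC for them; SPs in the `unspecified` bucket get the IdP's default (AES-GCM on IdP V4 and later) and are the ones to watch if an SP reports decryption failures after an IdP upgrade.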
20. During IdP installation and configuration, the pre-production test shows a successful login, but the released-attributes section is empty. What is the usual cause?
...
Case 2: If the institution's backup is unavailable or has been lost, reinstall the IdP. Once the IdP application is installed, contact the CARSI federation (e-mail: carsi@pku.edu.cn), go through the offboarding and onboarding process, and re-upload the metadata.
22. The IdP uses CAS as its authentication source. After a successful CAS login, the redirect to the ds.carsi.edu.cn page fails with "opensaml::FatalProfileException at (https://xxx.xxx.edu.cn/Shibboleth.sso/SAML2/POST)".
Full error message:
opensaml::FatalProfileException
The system encountered an error at Fri Jul 15 11:17:24 2022
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
opensaml::FatalProfileException at (https://xxx.xxx.edu.cn/Shibboleth.sso/SAML2/POST)
SAML response reported an IdP error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Requester
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Message: An error occurred.
Analysis:
Check idp-process.log for the following error:
2022-07-15 11:31:29,165 - 192.168.xx.xxx - ERROR [org.jasig.cas.client.util.CommonUtils:439] - SSL error getting response from host: cas-pass.XXXX.edu.cn : Error Message: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
2022-07-15 11:31:29,166 - 192.168.70.235 - ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:111] - Ticket validation failed, returning InvalidTicket
java.lang.RuntimeException: javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:440)
If this error is present, check the TLS certificate of the CAS authentication service; an incomplete certificate setup on the CAS server is the usual cause. Note that the JDK raises "the trustAnchors parameter must be non-empty" when the trust store loaded by the IdP's JVM contains no CA entries at all (an empty or unreadable cacerts file, or javax.net.ssl.trustStore pointing at a missing or wrong keystore), so verify the IdP side as well. A CAS certificate that the JVM simply does not trust normally appears instead as "PKIX path building failed ... unable to find valid certification path to requested target".
Solution:
Have the institution's authentication server update and complete its certificate (including the full intermediate chain), and confirm that the IdP JVM's trust store is populated.
Note: www.myssl.com offers a free online certificate check for websites.
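To separate the failure on the IdP side (empty JVM trust store) from the failures on the CAS side (untrusted chain, hostname mismatch, expiry), the error text logged by the CAS client is enough. The following is an added example, not code from CARSI, Shibboleth or shib-cas-authn: it runs a small triage over idp-process.log lines and names the first check to perform. The match strings are substrings of the real JDK exception messages; the log excerpt is constructed after the one quoted above, and the keytool/openssl commands in the advice assume JDK 9 or later and a standard OpenSSL client.

```python
"""Triage TLS failures logged by the IdP's CAS ticket-validation client
(org.jasig.cas.client) in idp-process.log and say which side to check first.

Added example for this FAQ; not code from CARSI, Shibboleth or shib-cas-authn.
SIGNATURES holds substrings of real JDK exception messages; SAMPLE_LOG is
constructed after the excerpt quoted in the FAQ.
"""
import re

# (substring of the logged message, cause label, first check to run)
SIGNATURES = [
    ("the trustAnchors parameter must be non-empty",
     "empty_truststore",
     "IdP side: the JVM loaded a trust store with no CA entries. Check javax.net.ssl.trustStore in the "
     "IdP JVM options and run 'keytool -list -cacerts -storepass changeit | grep -c trustedCertEntry'."),
    ("unable to find valid certification path to requested target",
     "untrusted_or_incomplete_chain",
     "CAS side (usually): the served chain does not reach a CA the JVM trusts. Inspect it with "
     "'openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null'."),
    ("No subject alternative DNS name matching",
     "hostname_mismatch",
     "CAS side: the certificate's SAN list lacks the CAS hostname configured in the IdP."),
    ("NotAfter:",
     "expired_certificate",
     "CAS side: the server certificate or an intermediate has expired."),
    ("Ticket validation failed, returning InvalidTicket",
     "symptom_invalid_ticket",
     "Consequence, not cause: shib-cas-authn could not validate the service ticket, so the IdP "
     "returned AuthnFailed to the SP. Read the ERROR logged immediately before this one."),
]

# Shibboleth idp-process.log layout: timestamp - client - LEVEL [logger:line] - message
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (?P<client>\S+) - "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)

SAMPLE_LOG = """\
2022-07-15 11:31:29,165 - 192.168.xx.xxx - ERROR [org.jasig.cas.client.util.CommonUtils:439] - SSL error getting response from host: cas-pass.XXXX.edu.cn : Error Message: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
2022-07-15 11:31:29,166 - 192.168.xx.xxx - ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:111] - Ticket validation failed, returning InvalidTicket
2022-07-15 14:02:10,412 - 192.168.xx.xxx - ERROR [org.jasig.cas.client.util.CommonUtils:439] - SSL error getting response from host: cas-pass.XXXX.edu.cn : Error Message: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""


def triage(log_text):
    """One finding per matching ERROR line; stack-trace continuation lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("level") != "ERROR":
            continue
        for needle, cause, advice in SIGNATURES:
            if needle in m.group("msg"):
                findings.append({"ts": m.group("ts"),
                                 "logger": m.group("logger").split(":")[0],
                                 "cause": cause, "advice": advice})
                break
    return findings


def root_causes(findings):
    """Causes worth acting on, in log order, with symptom-only entries removed."""
    return [f["cause"] for f in findings if not f["cause"].startswith("symptom_")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s  %-32s %s" % (f["ts"], f["cause"], f["advice"]))
```

Run it against the real log with `triage(open("/opt/shibboleth-idp/logs/idp-process.log").read())`; the `symptom_invalid_ticket` entry explains why the SP sees `urn:oasis:names:tc:SAML:2.0:status:AuthnFailed`, while the entry logged just before it is the one to fix.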