500 error when trying to access Shibboleth SP Metadata

Question

I'm trying to configure the Shibboleth SP with the samltest.id IdP. My setup is as follows:

Windows Server 2008 R2, IIS7.5, Shibboleth SP 3.0

I've got almost everything working - when trying to access protected pages, it correctly redirects the user to the samltest page, and samltest spits back the correct "Web Login Service - Unsupported Request" error, as I haven't configured my SP with samltest.

I try using https://samltest.id/upload.php to upload my configuration, but at this point I'm hitting a wall. The fetch option doesn't work at all, and I'm sure this is because the Metadata file simply isn't being generated. Trying to generate said file from https://{MySite}/Shibboleth.sso/Metadata gives a 500 error, and I can't find any information anywhere to tell me why this is happening.

I've checked the Windows Event Viewer, IIS LogFiles, shibd log file - nothing indicates what I've done wrong.

Here's a stripped-down version of my shibboleth.xml file, in case there's something obvious I'm missing:

<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
<InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="{MySiteID}" name="{MySite}" scheme="https" port="443"/>
    </ISAPI>
</InProcess>
<RequestMapper type="Native">
    <RequestMap>
        <Host name="{MySite}">
            <Path name="content" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>
<ApplicationDefaults entityID="https://{MySite}/shibboleth" REMOTE_USER="eppn subject-id pairwise-id persistent-id" cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="true" handlerSSL="true" cookieProps="https">
        <SSO entityID="https://samltest.id/saml/idp">SAML2</SSO>
        <Logout>SAML2 Local</Logout>
    </Sessions>
    <Errors supportContact="{MyEmail}" helpLocation="/error.aspx" styleSheet="/styles/style.css"/>
<MetadataProvider type="XML" validate="true" url="https://samltest.id/saml/idp" backingFilePath="SAMLtest.xml"></MetadataProvider>          
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption" key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

If anyone has any advice on where I can look, I'd love it.

Answer 1

For anyone stumbling upon this question, there's a whole bunch of "Of course" things that I missed.

For starters, the Shibboleth.sso pages are all accessible only from within the server itself. I'd been trying to access them externally, and by default, external requests to those pages are blocked.

Once I tried accessing them from within the server, I got a different error - "Shibboleth handler invoked at an unconfigured location". The reason for that, is that within my shibboleth2.xml file, I didn't have Handler mappings for the paths I was trying to access. For example, the /Metadata page requires a Handler mapping such as :

<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

(not entirely sure what the signing="false" entry does, I just left it as-is)

Answer 2

I got this when I had SELinux enabled (installing on RHEL8) Symptoms are 500 error from Apache, shibd logs don't record any request coming in. (Strangely, the /Shibboleth.sso/Session url did work)

Check logs in /var/log/audit, set SELINUX=permissive in /etcv/selinux/config (+reboot) to see if this is the issue.