Help Needed with Shibboleth SSO Configuration for Indico Service


I’m setting up Shibboleth SSO for an Indico instance and encountering a challenging issue. Our setup involves two Fully Qualified Domain Names (FQDNs):

  1. Installation FQDN: (the FQDN used during the Shibboleth Service Provider (SP) installation)
  2. Service FQDN: (the FQDN users use to access the Indico service)

We’ve registered our metadata with SwamID and are able to reach the Identity Provider (IdP). However, upon attempting to log in using my credentials, I encounter the following error:

Error details: MSIS3200: No AssertionConsumerService is configured on the relying party trust '' that is a prefix match of the AssertionConsumerService URL '' specified by the request.

Additionally, the shibd.log shows:

ERROR Shibboleth.Application : AssertionConsumerService handler at duplicate Location (/SAML2/POST) will not be processed for application (default)

Here’s the relevant portion of my Shibboleth SP configuration in /etc/shibboleth/shibboleth2.xml

<md:AssertionConsumerService Location="/SAML2/POST" index="1"

And here’s the Apache directive from /etc/apache/sites-available/indico.conf

<LocationMatch "^(/Shibboleth\.sso|/login/shib-sso/shibboleth)">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
    Require valid-user

Please let me know if I’ve missed any vital or important details in my post. Any help with this issue would be greatly appreciated.

I’m running indico 3.2.9

That sounds like an error on the Shibboleth side, so before Indico is involved at all.

Unfortunately we cannot really help you there since none of us have used Shibboleth in the last few years since we moved to OAuth/OIDC. However, maybe someone else from our user community is using Shibboleth and can help you…

I guess Shibboleth is quite strict in the domains it accepts, so after the name change you need to register the new instance again with you provider.