Help Needed with Shibboleth SSO Configuration for Indico Service

Hello,

I’m setting up Shibboleth SSO for an Indico instance and encountering a challenging issue. Our setup involves two Fully Qualified Domain Names (FQDNs):

  1. Installation FQDN: installation.domain.com (the FQDN used during the Shibboleth Service Provider (SP) installation)
  2. Service FQDN: indico.domain.com (the FQDN users use to access the Indico service)

We’ve registered our metadata with SwamID and are able to reach the Identity Provider (IdP). However, upon attempting to log in using my credentials, I encounter the following error:

Error details: MSIS3200: No AssertionConsumerService is configured on the relying party trust 'https://installation.domain.com/shibboleth' that is a prefix match of the AssertionConsumerService URL 'https://indico.domain.com/Shibboleth.sso/SAML2/POST' specified by the request.

Additionally, the shibd.log shows:

ERROR Shibboleth.Application : AssertionConsumerService handler at duplicate Location (/SAML2/POST) will not be processed for application (default)

Here’s the relevant portion of my Shibboleth SP configuration in /etc/shibboleth/shibboleth2.xml:

<md:AssertionConsumerService Location="/SAML2/POST" index="1"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    conf:ignoreNoPassive="true"/>

And here’s the Apache directive from /etc/apache/sites-available/indico.conf:

<LocationMatch "^(/Shibboleth\.sso|/login/shib-sso/shibboleth)">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
    Require valid-user
</LocationMatch>

Please let me know if I’ve missed any vital or important details in my post. Any help with this issue would be greatly appreciated.

I’m running Indico 3.2.9.

That sounds like an error on the Shibboleth side, so before Indico is involved at all.

Unfortunately we cannot really help you there since none of us have used Shibboleth in the last few years since we moved to OAuth/OIDC. However, maybe someone else from our user community is using Shibboleth and can help you…

I guess Shibboleth is quite strict in the domains it accepts, so after the name change you need to register the new instance again with your provider.
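
The mismatch reported by MSIS3200 in the first post can be reproduced offline by comparing the AssertionConsumerService URL the SP sends with the endpoints in the metadata that was registered. This is an added example, not part of the original thread or of Shibboleth/Indico; the sample metadata is constructed (only the entityID and the requested URL come from the error message), and the prefix rule is an assumption taken from the error's wording.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: SP metadata as it might look when generated under the
# installation FQDN. The ACS Location here is an assumption, not from the thread.
REGISTERED_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://installation.domain.com/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://installation.domain.com/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def registered_acs(metadata_xml):
    """Return (entityID, [(binding, location), ...]) from one SP's metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    path = "md:SPSSODescriptor/md:AssertionConsumerService"
    endpoints = [(a.get("Binding"), a.get("Location"))
                 for a in root.findall(path, MD_NS)]
    return root.get("entityID"), endpoints

def acs_is_registered(metadata_xml, requested_url):
    """True if a registered Location is a prefix of the requested ACS URL."""
    _, endpoints = registered_acs(metadata_xml)
    return any(loc and requested_url.startswith(loc) for _, loc in endpoints)

def explain(metadata_xml, requested_url):
    """Human-readable verdict for one requested ACS URL."""
    entity_id, endpoints = registered_acs(metadata_xml)
    if acs_is_registered(metadata_xml, requested_url):
        return "OK: %s is registered for %s" % (requested_url, entity_id)
    known = ", ".join(loc for _, loc in endpoints if loc) or "(none)"
    return "MISMATCH: %s is not registered for %s; registered: %s" % (
        requested_url, entity_id, known)

if __name__ == "__main__":
    # URL from the error message, then the installation-FQDN equivalent.
    print(explain(REGISTERED_METADATA,
                  "https://indico.domain.com/Shibboleth.sso/SAML2/POST"))
    print(explain(REGISTERED_METADATA,
                  "https://installation.domain.com/Shibboleth.sso/SAML2/POST"))
```

Running the same check against the metadata actually submitted to the federation shows whether the service FQDN's endpoint is present before another login attempt is made.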