SAML / Shibboleth SSO

I’m getting an “internal server error” after configuring shibboleth. Kindly assist

indico.conf file

      'shib-sso': {
          'type': 'shibboleth',
          'title': 'Single Sign On',
          'attrs_prefix': '',
          'callback_uri': '/login/shib-sso/shibboleth',
          #'logout_uri': ''
      'shib-sso': {
          'type': 'shibboleth',
          'title': 'SSO',
          'identifier_field': 'persistent-id',
          'mapping': {
          'login': 'eppn',
              'displayName': 'displayName',
              'eduPersonTargetedID': 'eduPersonTargetedID',
              'givenName': 'givenName',
              'sn': 'sn',
          'trusted_email': True
  1. Inserted relevant urls into shibboleth2.xml file

  2. Main changes in attribute-map.xml file

<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
   <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="eduPersonTargetedID"/>
<Attribute name="urn:oid:1.2.840.113549." id="mail"/>

If you get a plain internal server error, try running indico shell to see a nicer error.

PS: Please wrap configs, logs, etc. in triple backtick fences when posting them so they are shown in monospace and formatted as code.

Noted. WIll do and revert

SSO tab shows now, but getting an;

“Login failed: Identifier missing in shibboleth response” when trying to sign in. Please help

Are you passing the persistent-id from SAML?

I passed persistent-id in here;
‘identifier_field’: ‘persistent-id’

When also input ADFS_ in ‘attrs_prefix’: ‘ADFS_’ the login error changes to;
Login failed: No valid data received;

Probably the cause right? Am I missing anything significant please?

2022-12-01 11:21:30 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2022-12-01 11:21:30 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2022-12-01 11:21:30 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
2022-12-01 11:21:30 WARN Shibboleth.AttributeExtractor.XML : skipping duplicate Attribute mapping (same name and nameFormat)
2022-12-01 11:21:30 ERROR OpenSSL : error code: 33558530 in bss_file.c, line 398
2022-12-01 11:21:30 ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-key.pem','r')
2022-12-01 11:21:30 ERROR OpenSSL : error code: 537346050 in bss_file.c, line 400
2022-12-01 11:21:30 CRIT Shibboleth.Application : error building CredentialResolver: Unable to load private key from file (/etc/shibboleth/sp-key.pem).
overall configuration is loadable, check console for non-fatal problems

that sounds like a problem, yes. you probably need to generate the SP key/cert pair and also register it with your IdP.

On it. I generated using ‘shib-keygen’ I see them at /etc/shibboleth. Now i’m stuck on which to send to my idp and how to register. Any luck on an assist for me?

sorry, it’s been a long time since any of us used shibboleth. but AFAIK you only need to share they cert with them since keys are generally meant to be kept private

Noted with thanks will probe further