Federation.ArtifactUnauthenticatedSP r1.1 - 26 Mar 2008 - 06:27 - BrucLiong


SAML Artifacts cannot be dereferenced for unauthenticated requesters

This relates to UnauthenticatedSP. However, it is more confusing, because the log files on both the IdP and the SP give little information about why the error was thrown. The error applies to the Browser/Artifact profile.

Typically, you see the following in the logs:

  • The IdP recognises the SP during the authentication phase, so the authentication assertion is issued correctly. If you turn on attribute push, you even see attribute assertions being sent as well.
  • The SP grabs the artifact and tries to ask the IdP (on port 8443) to dereference it.
  • The IdP merely complains about the error, stating that it has no clue who the SP is (even though it identified the SP and issued the assertion during the authentication phase).

What is wrong is that the vhost the SP connects to on port 8443 of the IdP is not configured properly, so no information about the SP is available to the IdP. To fix this, check the port 8443 vhost of the IdP and:

  • make sure SSLVerifyClient is set to optional_no_ca
  • make sure SSLOptions includes +ExportCertData -StdEnvVars
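
The two checks above can be run against an Apache configuration file before restarting the IdP. The following is an added example, not part of the original FAQ or of the Shibboleth distribution; the function names, the sample host name and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample (not from the page): a port-8443 vhost missing both settings.
SAMPLE_CONF = """\
<VirtualHost idp.example.org:8443>
    SSLEngine on
    SSLVerifyClient none
    SSLOptions +StdEnvVars
</VirtualHost>
"""

def vhost_blocks(conf, port):
    """Collect {directive: [args]} for every <VirtualHost> bound to the given port."""
    blocks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opening:
            ports = [a.rsplit(":", 1)[-1] for a in opening.group(1).split()]
            current = {} if str(port) in ports else None
            if current is not None:
                blocks.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None:
            name, *rest = line.split(None, 1)
            current.setdefault(name.lower(), []).extend(rest[0].split() if rest else [])
    return blocks

def check_artifact_vhost(conf, port=8443):
    """Return a list of problems; an empty list means both settings are present."""
    blocks = vhost_blocks(conf, port)
    if not blocks:
        return [f"no <VirtualHost> found for port {port}"]
    problems = []
    for d in blocks:
        verify = d.get("sslverifyclient", ["none"])[-1].lower()  # Apache default: none
        if verify != "optional_no_ca":
            problems.append(f"SSLVerifyClient is {verify}, expected optional_no_ca")
        opts = set()  # simplified merge: '+X' or bare 'X' enables, '-X' disables
        for tok in d.get("ssloptions", []):
            (opts.discard if tok.startswith("-") else opts.add)(tok.lstrip("+-").lower())
        if "exportcertdata" not in opts:
            problems.append("SSLOptions lacks +ExportCertData")
        if "stdenvvars" in opts:
            problems.append("SSLOptions enables StdEnvVars, page calls for -StdEnvVars")
    return problems

if __name__ == "__main__":
    for p in check_artifact_vhost(SAMPLE_CONF):
        print("FAIL:", p)
```

The parser only looks at directives written directly inside the `<VirtualHost>` block; settings pulled in through `Include` files or set at server level are not followed.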
