IdP JSPs are accessible, but a 404 error is returned for the IdP servlets /SSO or /AA
Check whether you can access https://MY_DNS/shibboleth-idp/login.jsp. This should display the bundled IdP login page. If this page returns a 404 (page not found) error, you have not properly configured mod_jk or mod_proxy. Refer to the IdP installation instructions for mod_jk mounting.
If login.jsp is accessible, mod_jk is working as expected, mapping shibboleth-idp from Tomcat to Apache. If you nevertheless get a 404 error when accessing https://MY_DNS/shibboleth-idp/SSO, this usually indicates that either the IdP is dead or Tomcat is unable to access required files.
Check that $TOMCAT_HOME/webapps/shibboleth-idp and $SHIB_HOME are accessible by the Tomcat user (the user account used to start Tomcat).
In the MAMS Debian installation, the problem is resolved by executing:
export SHIB_HOME=/usr/local/shibboleth-idp
export TOMCAT_HOME=/usr/local/tomcat
$TOMCAT_HOME/bin/shutdown.sh
rm -fr $TOMCAT_HOME/work/Catalina/localhost/shibboleth-idp
chown tomcat55:adm $SHIB_HOME
chown tomcat55:adm $TOMCAT_HOME/webapps/shibboleth-idp
$TOMCAT_HOME/bin/startup.sh
Some notes on the above:
- the user that starts Tomcat is tomcat55, with group id adm
- the Tomcat cache of the shibboleth-idp application is removed so that Tomcat does not reuse an old cache
Accessing https://MY_DNS/shibboleth-idp/SSO should now require you to log in, and once you've logged in, you should see the standard Shibboleth error (as you're not presenting the proper parameters to the page). This is the expected response.
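An added example, not part of the original page or the MAMS installation: a read-only ownership audit of the two directories above. It walks each tree, so it also reports entries below the top level, which the non-recursive chown commands leave unchanged. The paths and tomcat55 are the page's values; TOMCAT_USER and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example: ownership audit for the two directories named on this page.
# Defaults are the page's values; TOMCAT_USER is a variable introduced here.
SHIB_HOME="${SHIB_HOME:-/usr/local/shibboleth-idp}"
TOMCAT_HOME="${TOMCAT_HOME:-/usr/local/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-tomcat55}"

# Print how many entries at or below directory $2 are NOT owned by user $1
# (name or numeric uid). Returns 2 if find fails: missing directory,
# unreadable subtree, or unknown user name.
count_foreign() {
    out=$(find "$2" ! -user "$1" -print 2>/dev/null) || return 2
    if [ -z "$out" ]; then
        echo 0
    else
        printf '%s\n' "$out" | wc -l | tr -d ' '
    fi
}

# Audit both directories. Exit status: 0 = all owned by TOMCAT_USER,
# 1 = some entries owned by another account, 2 = audit could not run.
audit_idp() {
    rc=0
    for dir in "$SHIB_HOME" "$TOMCAT_HOME/webapps/shibboleth-idp"; do
        if n=$(count_foreign "$TOMCAT_USER" "$dir"); then
            echo "$dir: $n entries not owned by $TOMCAT_USER"
            if [ "$n" -ne 0 ] && [ "$rc" -eq 0 ]; then rc=1; fi
        else
            echo "$dir: cannot audit (missing, unreadable, or unknown user)" >&2
            rc=2
        fi
    done
    return "$rc"
}

# Run the audit only when asked, e.g.: sh audit.sh audit (as root)
if [ "${1:-}" = "audit" ]; then
    audit_idp
fi
```

A non-zero count after the chown step means files inside the directories still belong to another account, so check whether the Tomcat user can read them through group or other permissions.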