I'm setting up SSO with Shibboleth SP and Shibboleth IDP on a test environment with CentOS 7. After all the configuration, if I try to access a protected source on the server, I get only an error page:
shibsp::ConfigurationException at (http://server_ip/secure/index.html)
None of the configured SessionInitiators handled the request.
I can find the same message in the Apache logs (/var/log/httpd/error_log), but in the shibd logs (shibd_warm.log, shibd_d.log) there is nothing about that error. Are there some permissions that need to be set? Or is this the correct behavior?
I think that the error is in the metadata files, but the missing logs are driving me crazy...
PS: if I try to override the login by manually visiting the page "http://server_ip/Shibboleth.sso/Login?entityID=my_idp_entity_id", I can reach the login page and the log files are correctly updated.
UPDATE:
I've configured the Shibboleth embedded Discovery Service (for now with only one IDP) and I have successfully reached the IDP login page after requesting the protected resource, and the logs were also correctly updated. This is the configuration I will use and deploy, but why can't I log in with only one IDP? Here are the different SSO tags in shibboleth2.xml.
One IDP:
<SSO entityId="my_idp_entity_id">
SAML2 SAML1
</SSO>
Discovery service:
<SSO discoveryProtocol="SAMLDS" discoveryURL="http://ip_address/shibboleth-ds/index.html">
SAML2 SAML2
</SSO>
I've managed to get the log file; the problem was the permissions of "shibd.log". Even though it was created by the shibd service, the owner of this file was root, and only a part of the log was reported.
Resolved by changing the user/group owner of the file:
chown shibd /var/log/shibboleth/shibd.log
chgrp shibd /var/log/shibboleth/shibd.log
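
An added example, not part of the original post: a small check of the two `<SSO>` variants shown above. It assumes the attribute spelling `entityID`, which is what the SP configuration schema and the post's own manual Login URL use; XML attribute names are case-sensitive. The sample document, its SP entityID and the function name `check_sso` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample wrapping the single-IdP <SSO> element from the post.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions>
      <SSO entityId="my_idp_entity_id">SAML2 SAML1</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Attributes of <SSO> that select an IdP or a discovery service.
KNOWN = {"entityID", "discoveryProtocol", "discoveryURL"}


def local(name):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def check_sso(xml_text):
    """Return a list of findings for every <SSO> element in the config."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "SSO":
            continue
        names = {local(a) for a in el.attrib}
        # Same letters, different case: the parser treats it as another attribute.
        for name in sorted(names):
            for known in sorted(KNOWN):
                if name != known and name.lower() == known.lower():
                    findings.append(
                        f"attribute '{name}' is not '{known}' (case-sensitive)")
        if "entityID" not in names and "discoveryURL" not in names:
            findings.append(
                "neither entityID nor discoveryURL is set on <SSO>")
        # The element text is the list of protocols to try.
        protocols = (el.text or "").split()
        for proto in sorted(set(protocols)):
            if protocols.count(proto) > 1:
                findings.append(f"protocol '{proto}' is listed more than once")
    return findings


if __name__ == "__main__":
    for finding in check_sso(SAMPLE):
        print("WARN:", finding)
```
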