Error message "SAML unable to locate SSO Location"
Symptom
- SAML authentication does not work
- EZproxy shows the standard login page instead of redirecting to the identity provider (IdP)
- messages.txt entries like these when opening the EZproxy URL:
2024-03-11 00:09:17 SAML unable to locate SSO Location for 'https://idp.example.com/shibboleth'
2024-03-11 00:09:17 Shibboleth IDP20 entity not found: https://idp.example.com/shibboleth
Applies to
- EZproxy and SAML / Shibboleth authentication
Resolution
1. View the IdP metadata referenced by the -URL and/or -File option of the ShibbolethMetadata directive in config.txt:
ShibbolethMetadata \
  -EntityID=https://ezproxy.example.com/shibboleth \
  -URL=https://idp.example.com/Shibboleth.sso/Metadata \
  -File=example-metadata.xml \
  -SignResponse=false -SignAssertion=false -EncryptAssertion=false \
  -Cert=2
2. The metadata needs to contain an element named IDPSSODescriptor (the namespace prefix, if any, does not matter).
Some examples of how this element can start:
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ...
<ns27:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ...
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ...
If the metadata does not contain this information, work with the team responsible for the identity provider to get metadata that contains an IDPSSODescriptor.
3. The metadata needs to contain an entityID attribute whose value matches the IDP20 value on the ::Shibboleth line in user.txt.
Example metadata:
<md:EntityDescriptor xmlns:md="..." ID="..." entityID="https://idp.example.com/shibboleth">
Example user.txt:
::Shibboleth Group NULL IDP20 https://idp.example.com/shibboleth /Shibboleth
The value of entityID="..." in the metadata and the value that follows IDP20 in user.txt need to match exactly.
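The three checks above can be automated before restarting EZproxy. The script below is an added example, not EZproxy code or part of this article; the metadata, the user.txt line and the SingleSignOnService Location in it are constructed samples, and the SingleSignOnService check goes one step beyond the article: the "SSO Location" in the error message is the Location attribute of that element inside IDPSSODescriptor.

```python
# Added check (not part of EZproxy): validate IdP metadata against the
# conditions in this article. Samples below are constructed for illustration.
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def local(tag):
    """Strip the namespace from a tag so any prefix (md:, ns27:, none) matches."""
    return tag.rsplit("}", 1)[-1]

def idp_entity_id_from_user_txt(user_txt):
    """Return the value after 'IDP20' on the ::Shibboleth line of user.txt, or None."""
    for line in user_txt.splitlines():
        parts = line.split()
        if "IDP20" in parts and parts.index("IDP20") + 1 < len(parts):
            return parts[parts.index("IDP20") + 1]
    return None

def check_idp_metadata(metadata_xml, expected_entity_id):
    """Return a list of problems; an empty list means the metadata satisfies the checks."""
    problems = []
    root = ET.fromstring(metadata_xml)
    # Step 3: entityID on EntityDescriptor must match the user.txt IDP20 value.
    descriptors = [e for e in root.iter() if local(e.tag) == "EntityDescriptor"]
    if not any(e.get("entityID") == expected_entity_id for e in descriptors):
        problems.append(f"no EntityDescriptor with entityID={expected_entity_id!r}")
    # Step 2: an IDPSSODescriptor must exist; an SPSSODescriptor alone is not enough.
    idp = [e for e in root.iter() if local(e.tag) == "IDPSSODescriptor"]
    if not idp:
        problems.append("no IDPSSODescriptor element (SP metadata only?)")
        return problems
    # The 'SSO Location' in the error is SingleSignOnService/@Location inside IDPSSODescriptor.
    sso = [s for d in idp for s in d.iter() if local(s.tag) == "SingleSignOnService" and s.get("Location")]
    if not sso:
        problems.append("IDPSSODescriptor has no SingleSignOnService with a Location attribute")
    return problems

# Constructed samples: valid IdP metadata and SP-only metadata at the same entityID.
USER_TXT = "::Shibboleth Group NULL IDP20 https://idp.example.com/shibboleth /Shibboleth\n"
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{SAML_MD_NS}" entityID="https://idp.example.com/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SP_ONLY_METADATA = f"""<md:EntityDescriptor xmlns:md="{SAML_MD_NS}" entityID="https://idp.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
```

Run check_idp_metadata on the downloaded metadata file's contents together with the entityID read from your user.txt; any returned problem maps directly to one of the steps above.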
Additional information
Metadata that only contains an SPSSODescriptor element (service provider metadata) will not work, because it describes a service provider rather than an identity provider.