The AAF strongly recommends that deployers and developers work with the latest versions of the Shibboleth software. The latest stable point releases address security vulnerabilities and fix known bugs, which avoids re-diagnosing issues that have already been resolved. Log files, and the logging level in use, are good indicators that assist in troubleshooting issues.
Details
The Shibboleth Wiki is an excellent source of both configuration and troubleshooting information. The troubleshooting guides do require some understanding of the product configuration and of how the identity provider and service provider components interact with the user's web browser. This general knowledge will assist in pinpointing common issues.
The Shibboleth Wiki article on Troubleshooting the Service Provider is a good starting point to begin resolving issues with the Service Provider software: https://wiki.shibboleth.net/confluence/display/SP3/Troubleshooting
The following list, copied verbatim from the Shibboleth Wiki, presents a few errors commonly encountered by deployers, usually when initially setting up their Service Provider version 3.
- opensaml::SecurityPolicyException: Message expired, was issued too long ago.
- Message was signed, but signature could not be verified.
- Unable to establish security of incoming assertion
- Unable to locate metadata for identity provider (https://identities.supervillain.edu/idp/shibboleth).
- HTTP POST form data is lost when Shibboleth session expired or does not exist yet
- SAML message delivered with POST to incorrect server URL.
- opensaml::saml2md::MetadataException: Security of SAML 1.x SSO POST response not established.
- opensaml::FatalProfileException: A valid authentication statement was not found in the incoming message.
- supplied TrustEngine failed to validate SSL/TLS server certificate
- Unable to resolve any key decryption keys
- ERROR Shibboleth.AttributeResolver []: exception during SAML query to <url>: CURLSOAPTransport failed while contacting SOAP responder: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- ERROR Shibboleth.AttributeResolver.Query []: exception during SAML query to <url>: CURLSOAPTransport failed while contacting SOAP endpoint (<url>): error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
- Can't connect to listener process
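Because the log file is the first place these errors surface, a deployer often wants to scan shibd.log for the signatures above and see which of them occurred, how often, and against which IdP. The following Python script is an added example written for this page; it is not code from the AAF or from the Shibboleth project. It assumes the default shibd.log line layout ("date time LEVEL logger [ndc]: message"), the sample log lines are constructed for the example, and the "first thing to check" hint attached to each signature is the editor's general troubleshooting note rather than text from the Shibboleth Wiki.

```python
import re
from collections import Counter

# Constructed sample lines in the shibd.log layout. These are not output from a
# real deployment; the messages are the ones listed above, and the IdP entityID
# is a placeholder.
SAMPLE_LOG = """\
2024-03-01 09:15:02 ERROR Shibboleth.SSO.SAML2 [1]: opensaml::SecurityPolicyException: Message expired, was issued too long ago.
2024-03-01 09:16:40 WARN Shibboleth.SSO.SAML2 [2]: Unable to locate metadata for identity provider (https://idp.example.edu/idp/shibboleth).
2024-03-01 09:16:40 ERROR Shibboleth.SSO.SAML2 [2]: Unable to locate metadata for identity provider (https://idp.example.edu/idp/shibboleth).
2024-03-01 09:18:11 ERROR Shibboleth.SSO.SAML2 [3]: Message was signed, but signature could not be verified.
2024-03-01 09:20:05 ERROR Shibboleth.AttributeResolver.Query [4]: exception during SAML query to https://idp.example.edu/idp/profile/SAML2/SOAP/AttributeQuery: CURLSOAPTransport failed while contacting SOAP responder: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2024-03-01 09:21:00 INFO Shibboleth.SessionCache [5]: new session created (constructed line, ignored by triage)
2024-03-01 09:22:30 ERROR Shibboleth.Apache [6]: Can't connect to listener process
"""

# (regex over the message text, category, editor's hint on what to check first).
# Hints are general Shibboleth SP experience, not text from this page or the Wiki.
SIGNATURES = [
    (r"Message expired, was issued too long ago", "clock-skew",
     "SP and IdP clocks differ by more than the allowed skew; check NTP on both hosts"),
    (r"Message was signed, but signature could not be verified", "signature",
     "SP holds stale IdP signing keys; confirm the IdP metadata is current"),
    (r"Unable to locate metadata for identity provider \((?P<entity>[^)]+)\)", "metadata",
     "no MetadataProvider in shibboleth2.xml covers this entityID"),
    (r"TrustEngine failed to validate SSL/TLS server certificate", "tls-trust",
     "server certificate not trusted via metadata/TrustEngine configuration"),
    (r"certificate verify failed|sslv3 alert certificate unknown", "tls-trust",
     "TLS certificate presented or expected by the SOAP endpoint is not trusted"),
    (r"Unable to resolve any key decryption keys", "decryption",
     "assertion encrypted to a key the SP no longer holds; check CredentialResolver"),
    (r"Can't connect to listener process", "listener",
     "shibd is not running or its socket is unreachable from the web server module"),
]

# Default shibd.log layout: timestamp, level, logger name, NDC in brackets, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"(?P<logger>\S+) \[(?P<ndc>[^\]]*)\]: (?P<msg>.*)$"
)


def parse_line(line):
    """Split one shibd.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Return (category, hint, entityID-or-None) for a known signature, else None."""
    for pattern, category, hint in SIGNATURES:
        m = re.search(pattern, msg)
        if m:
            return category, hint, m.groupdict().get("entity")
    return None


def triage(log_text):
    """Collect WARN/ERROR/CRIT records whose message matches a known signature."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] not in ("WARN", "ERROR", "CRIT"):
            continue
        hit = classify(rec["msg"])
        if hit is None:
            continue
        category, hint, entity = hit
        findings.append({"ts": rec["ts"], "level": rec["level"], "logger": rec["logger"],
                         "category": category, "hint": hint, "entity": entity})
    return findings


def summarize(findings):
    """Tally findings per category so the most frequent failure stands out."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        target = f" (IdP {f['entity']})" if f["entity"] else ""
        print(f"{f['ts']} {f['level']:5} {f['category']:10} {f['hint']}{target}")
    print("summary:", dict(summarize(results)))
```

Point the script at a real shibd.log (for example by reading the file into `triage`) and raise the logging level in shibd.logger only while reproducing a problem; the tally makes it clear whether one root cause (such as a missing MetadataProvider for a single IdP) explains many log lines.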
Links
Shibboleth Consortium Wiki
https://wiki.shibboleth.net/confluence
Shibboleth Service Provider v3 Troubleshooting
https://wiki.shibboleth.net/confluence/display/SP3/Troubleshooting