I am trying to set up an SSO app with an IP and SP much like described in the tutorial https://wikis.forgerock.org/confluence/display/openam/SAMLv2+IDP+Proxy+Part+1.+Setting+up+a+simple+Proxy+scenario

However, I am stuck at the test provided at the very end: my SP is not redirected to my IP. Instead, I get the following error:
ERROR: Error sending AuthnRequest
com.sun.identity.saml2.common.SAML2Exception: Error retrieving meta data.
    at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:253)
    at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:146)
    at org.apache.jsp.saml2.jsp.spSSOInit_jsp._jspService(spSSOInit_jsp.java:140)

Looking at the source of SPSSOFederate.java, the exception is generated because I cannot get the IDP descriptor: sm.getIDPSSODescriptor(realm,idpEntityID); returns null.

I verified that my circles of trust are set as described in the tutorial. Circle of trust COT1 from SP instance includes the proxy; same for the IP instance. And COT1 from proxy includes both the IDP and the SP.

I tried the following changes compared to what the tutorial had:
- replace the proxy url by the IDP url as the IDP proxy list for the IDP component from the proxy config instance (the tutorial calls for using the idp url in step 7 but I wondered if that shouldn't be the proxy url instead)
- add the proxy url to the IDP proxy list for the IDP component from the SP config instance (the tutorial calls for leaving the list blank)

None of these changes got rid of the exception. Any idea what I may be doing wrong? I haven't had any luck so far with the opensso mailing list.

Thanks.
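
Added example, not part of the original post and not OpenAM code: an offline check of exported standard SAML v2 metadata XML that reports whether a given entity ID carries an IDPSSODescriptor, which is what the `getIDPSSODescriptor(realm, idpEntityID)` call in the question needs to find. It assumes the lookup requires an exact entity ID match within the realm's metadata; the host names and the sample metadata are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: metadata as it might be loaded on the SP instance.
# The proxy entity is present, but only with an SP role.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="http://proxy.example.com:8080/openam">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="http://idp.example.com:8080/openam/">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def entity_roles(metadata_xml):
    """Map each entityID in the metadata to the set of role descriptors it declares."""
    # Parse only metadata you exported yourself; use defusedxml for untrusted XML.
    root = ET.fromstring(metadata_xml)
    roles = {}
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        found = roles.setdefault(ent.get("entityID"), set())
        for child in ent:
            name = child.tag.split("}")[-1]
            if name.endswith("Descriptor"):
                found.add(name)
    return roles


def diagnose_idp_lookup(metadata_xml, idp_entity_id):
    """Explain whether an IdP descriptor can be found for idp_entity_id."""
    roles = entity_roles(metadata_xml)
    if idp_entity_id in roles:
        if "IDPSSODescriptor" in roles[idp_entity_id]:
            return "ok"
        return "entity present but has no IDPSSODescriptor"
    # Near misses: same ID apart from case, whitespace or a trailing slash.
    norm = lambda s: s.strip().rstrip("/").lower()
    near = [e for e in roles if norm(e) == norm(idp_entity_id)]
    if near:
        return f"no exact match; closest entityID is {near[0]!r}"
    return "entity not found in this metadata"


if __name__ == "__main__":
    for eid in ("http://proxy.example.com:8080/openam", "http://idp.example.com:8080/openam"):
        print(eid, "->", diagnose_idp_lookup(SAMPLE_METADATA, eid))
```

Run it against the metadata held by the instance that raises the exception, passing the entity ID that instance is configured to use as its IdP.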