
I have a service provider application at http://sp.example.com/sp, and when a user accesses it through a browser, the user is redirected from my SP application to the IdP server, which is configured on a PingFederate server with an SP connection using http://sp.example.com/sp as the entity ID. The user is redirected to the IdP through the SAML protocol with a SAML AuthnRequest. But on the Ping server I keep getting this error, which says

unable to lookup idp connection metadata for entityid='http://sp.example.com/sp'

Has anyone faced a similar error before with Ping? This is SP-initiated SSO.

The request I am sending to PingFederate:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://sp.example.com/sp"
                    Destination="https://idp.com/sp/ACS.saml2"
                    ForceAuthn="false"
                    ID="_93313f7882ff7b3274da46502c4cf072"
                    IsPassive="false"
                    IssueInstant="2014-04-29T15:15:04.666Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/sp</saml:Issuer>
  <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" SPNameQualifier="https://sp.example.com/sp"/>
  <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
yogsma
  • Can you post your metadata somewhere, https://gist.github.com/ maybe? – Stefan Rasmusson Apr 29 '14 at 06:10
  • @Stefan Here you go https://gist.github.com/yogsma/11404390 – yogsma Apr 29 '14 at 15:54
  • I have not worked with Ping, but it sounds like something is wrong with your idp-metadata. Could you import it correctly to Ping? – Stefan Rasmusson Apr 29 '14 at 18:27
  • Yes and I sent the metadata and all details to Ping Support, they didn't find anything wrong. They are not able to resolve the issue yet. – yogsma Apr 29 '14 at 20:43
  • As your support engineer indicated in your case you have with us, the destination that you have defined in your SP configuration is wrong. Instead of pointing it to https://idp.com/sp/ACS.saml2, it needs to point to https://idp.com/idp/SSO.saml2. The engineer you have working with you is very good, and she knows what she's talking about. I would bet that the conference call that she has scheduled for you will clear it all up. – Andrew K. Apr 30 '14 at 13:04
  • @AndyK.-PingIdentity Thanks Andy. It resolved the issue last evening. – yogsma Apr 30 '14 at 15:58

1 Answer


You can find possible solutions to your problem in Ping's support center:

https://www.pingidentity.com/support/solutions/index.cfm/SSO-fails-with-Unable-to-lookup-sp-or-idp-connection-metadata-for-entityid

In the server.log, the error "Unable to lookup sp connection metadata for entityid" is seen. This is usually an indication that there is a mismatch between the Partner Entity ID (Connection ID) configured in the IDP-side PingFederate SP Connection and the actual entity ID of the partner, and therefore PF cannot determine which SP Connection to use when a SAML AuthnRequest comes in from the SP in the SP-initiated SSO use case.

https://www.pingidentity.com/support/solutions/index.cfm/Unable-to-lookup-sp-connection-metadata-for-entityid

Since Entity ID is case sensitive, if there is a mismatch between the value entered for the Partner's Entity ID (Connection ID) field in the PingFederate Administrative Console and what the partner is sending in the SAML protocol message, then the SSO attempt will fail with the "Unable to lookup sp (or idp) connection" error message.

The solution is to verify the Partner's Entity ID (Connection ID) setting matches exactly what is sent by the partner in the SAML messages.

Vladimír Schäfer
  • I have checked those solutions from Ping, but they have not helped to resolve the issue. The only thing I find fishy is that the error says "unable to lookup idp connection meta data for entity id='http://sp.example.com/sp'", and that entity ID is the one I have used in the SP connection in Ping as the entity ID. I am not sure if I have done the configuration in Ping correctly. – yogsma Apr 28 '14 at 19:32
  • So your SP is *not* using PingFederate, if I understand your setup correctly? Can you show us what the AuthnRequest you are generating and sending to the IdP (PF) looks like? – Ian Apr 29 '14 at 14:54
  • @Ian I posted AuthnRequest. – yogsma Apr 29 '14 at 15:47
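As an added example (not code from the question, the answer, or PingFederate itself), here is a small Python model of the lookup that the answer and Andrew K.'s comment describe: the Destination decides which PingFederate role receives the request, and the Issuer is then matched exactly (case-sensitively) against the Partner Entity ID of that role's connections. The endpoint paths, the connection tables and the request builder are assumed values constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed PingFederate-style configuration (assumed values, not the asker's real
# deployment): one endpoint per role, and connections keyed by Partner Entity ID.
IDP_SSO_ENDPOINT = "https://idp.com/idp/SSO.saml2"  # IdP role: AuthnRequests belong here
SP_ACS_ENDPOINT = "https://idp.com/sp/ACS.saml2"    # SP role: only assertions belong here
SP_CONNECTIONS = {"http://sp.example.com/sp": {"acs": "https://sp.example.com/sp"}}
IDP_CONNECTIONS = {}  # this server acts only as an IdP, so it has no IdP connections

def lookup_connection(xml_text: str) -> tuple[str, str]:
    """Return ("ok", entity_id) or ("error", message), mimicking PF's connection lookup."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ("error", f"unexpected message type {root.tag}")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    dest = root.get("Destination", "")
    # The endpoint in Destination selects the role, and therefore the table searched.
    if dest == IDP_SSO_ENDPOINT:
        role, table = "sp", SP_CONNECTIONS
    elif dest == SP_ACS_ENDPOINT:
        role, table = "idp", IDP_CONNECTIONS  # an AuthnRequest sent to the wrong endpoint
    else:
        return ("error", f"no endpoint handles Destination '{dest}'")
    if issuer not in table:  # exact match only: 'http://SP...' does not equal 'http://sp...'
        return ("error", f"unable to lookup {role} connection metadata for entityid='{issuer}'")
    return ("ok", issuer)

def make_request(issuer: str, destination: str) -> str:
    """Build a minimal unsigned AuthnRequest; constructed test input only."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_c0ffee" Version="2.0" IssueInstant="2014-04-29T15:15:04Z" '
        f'Destination="{destination}" AssertionConsumerServiceURL="https://sp.example.com/sp">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )

if __name__ == "__main__":
    # Wrong Destination, as in the question: PF searches its (empty) IdP connections.
    print(lookup_connection(make_request("http://sp.example.com/sp", SP_ACS_ENDPOINT)))
    # Case mismatch in the entity ID, the scenario the answer quotes from Ping's support site.
    print(lookup_connection(make_request("http://SP.example.com/sp", IDP_SSO_ENDPOINT)))
    # Correct endpoint and an exact entity ID: the SP connection is found.
    print(lookup_connection(make_request("http://sp.example.com/sp", IDP_SSO_ENDPOINT)))
```

The first call reproduces the exact "idp connection" wording from the question, which is the clue that the request reached PingFederate's SP-side endpoint rather than its IdP SSO endpoint.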