OCLC Support

Error message "SAML unable to locate SSO Location"

Symptom
  • SAML authentication does not work
  • EZproxy shows the standard login page instead of redirecting to the identity provider (IdP)
  • messages.txt contains entries like these when the EZproxy URL is opened:
    2024-03-11 00:09:17 SAML unable to locate SSO Location for 'https://idp.example.com/shibboleth'
    2024-03-11 00:09:17 Shibboleth IDP20 entity not found: https://idp.example.com/shibboleth
Applies to
  • EZproxy and SAML / Shibboleth authentication    
Resolution

1. View the IdP metadata referenced by the URL and/or File option of ShibbolethMetadata in config.txt:

ShibbolethMetadata \
-EntityID=https://ezproxy.example.com/shibboleth \
-URL=https://idp.example.com/Shibboleth.sso/Metadata \
-File=example-metadata.xml \
-SignResponse=false -SignAssertion=false -EncryptAssertion=false \
-Cert=2

 

2. The metadata needs to contain an element named IDPSSODescriptor

Some examples of how this element can start:

<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...
<ns27:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...

If the metadata does not contain this information, work with the team responsible for the identity provider to get metadata that contains an IDPSSODescriptor.

 

3. The metadata needs to contain an entityID attribute that matches the IDP line in user.txt

Example metadata:

<md:EntityDescriptor xmlns:md="..." ID="..." entityID="https://idp.example.com/shibboleth">

Example user.txt:

::Shibboleth
Group NULL
IDP20 https://idp.example.com/shibboleth
/Shibboleth

The value of entityID="..." in the metadata and the value after IDP20 in user.txt need to match.

 

Additional information

An element in the metadata such as SPSSODescriptor (used for Service Provider metadata) will not work in place of IDPSSODescriptor.
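
The checks from steps 2 and 3 and the SPSSODescriptor note can be run against a saved copy of the metadata. The Python script below is an added example, not OCLC or EZproxy code. Assumptions: the sample metadata and its SSO Location URL are constructed, the entityID is compared as an exact string, and the SingleSignOnService check comes from the SAML 2.0 metadata schema rather than from this article.

```python
import xml.etree.ElementTree as ET  # for metadata from untrusted sources, prefer defusedxml

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

# Constructed sample inputs, modelled on the snippets in this article.
SAMPLE_METADATA = """<ns27:EntitiesDescriptor xmlns:ns27="urn:oasis:names:tc:SAML:2.0:metadata">
 <ns27:EntityDescriptor entityID="https://idp.example.com/shibboleth">
  <ns27:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <ns27:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </ns27:IDPSSODescriptor>
 </ns27:EntityDescriptor>
 <ns27:EntityDescriptor entityID="https://ezproxy.example.com/shibboleth">
  <ns27:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </ns27:EntityDescriptor>
</ns27:EntitiesDescriptor>"""
SAMPLE_USER_TXT = "::Shibboleth\nGroup NULL\nIDP20 https://idp.example.com/shibboleth\n/Shibboleth\n"

def idp20_values(user_txt):
    """Entity IDs named on IDP20 lines of user.txt."""
    fields = (line.split(None, 1) for line in user_txt.splitlines())
    return [f[1].strip() for f in fields if len(f) == 2 and f[0] == "IDP20"]

def check(metadata_xml, user_txt):
    """Map each IDP20 entity ID to 'ok' or the reason the lookup fails."""
    root = ET.fromstring(metadata_xml)
    # Matching on the namespace URI accepts md:, ns27: or an unprefixed element alike.
    entities = {e.get("entityID", ""): e for e in root.iter(MD + "EntityDescriptor")}
    result = {}
    for idp in idp20_values(user_txt):
        ent = entities.get(idp)  # exact string comparison (assumption)
        role = ent.find(MD + "IDPSSODescriptor") if ent is not None else None
        if ent is None:
            result[idp] = "entityID not in metadata; metadata has: " + ", ".join(sorted(entities))
        elif role is None:
            sp = ent.find(MD + "SPSSODescriptor") is not None
            result[idp] = "no IDPSSODescriptor" + (" (SPSSODescriptor only)" if sp else "")
        elif not any(s.get("Location") for s in role.findall(MD + "SingleSignOnService")):
            result[idp] = "IDPSSODescriptor without SingleSignOnService Location"
        else:
            result[idp] = "ok"
    return result

if __name__ == "__main__":
    for entity_id, status in check(SAMPLE_METADATA, SAMPLE_USER_TXT).items():
        print(entity_id, "->", status)
```

To use it on a real installation, pass the contents of the file named in the File option and of user.txt to check() instead of the constructed samples.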

 
