Question

I have a service provider application http://sp.example.com/sp, and when a user accesses it through a browser, the user is redirected from my SP application to the IdP server, which is configured on a PingFederate server with an SP connection (http://sp.example.com/sp) as entity id. The user is redirected through the SAML protocol with a SAML AuthnRequest to the IdP. But on the Ping server I keep getting this error, which says

unable to lookup idp connection metadata for entityid='http://sp.example.com/sp'

Has anyone faced a similar error before with Ping? This is SP-initiated SSO.

The request I am sending to PingFederate:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://sp.example.com/sp"
                    Destination="https://idp.com/sp/ACS.saml2"
                    ForceAuthn="false"
                    ID="_93313f7882ff7b3274da46502c4cf072"
                    IsPassive="false"
                    IssueInstant="2014-04-29T15:15:04.666Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                    Version="2.0">
  <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/sp</samlp:Issuer>
  <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" SPNameQualifier="https://sp.example.com/sp"/>
  <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

Solution

You can find possible solutions to your problem in Ping's support center:

https://www.pingidentity.com/support/solutions/index.cfm/SSO-fails-with-Unable-to-lookup-sp-or-idp-connection-metadata-for-entityid

In the server.log, the error "Unable to lookup sp connection metadata for entityid" is seen. This is usually an indication that there is a mismatch between the Partner Entity ID (Connection ID) configured in the IDP-side PingFederate SP Connection and the actual entity ID of the partner, and therefore PF cannot determine which SP Connection to use when a SAML AuthnRequest comes in from the SP in the SP-initiated SSO use case.

https://www.pingidentity.com/support/solutions/index.cfm/Unable-to-lookup-sp-connection-metadata-for-entityid

Since Entity ID is case sensitive, if there is a mismatch between the value entered for the Partner's Entity ID (Connection ID) field in the PingFederate Administrative Console and what the partner is sending in the SAML protocol message, then the SSO attempt will fail with the "Unable to lookup sp (or idp) connection" error message.

The solution is to verify the Partner's Entity ID (Connection ID) setting matches exactly what is sent by the partner in the SAML messages.
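A small checker for the comparison the answer describes, added here as an example and not part of the original question or answer, nor of PingFederate itself. It decodes a SAMLRequest parameter as sent over the HTTP-Redirect binding (base64 of raw DEFLATE), reads the Issuer, and compares it byte-for-byte with the Connection ID, classifying the near misses that an exact match hides: a case-only difference, or a scheme-only difference. Two things visible in the request posted above are worth checking this way: the Issuer is https://sp.example.com/sp while the connection ID quoted in the question is http://sp.example.com/sp, and the Destination is /sp/ACS.saml2, which is PingFederate's SP-role assertion consumer endpoint (its IdP-role SSO endpoint is /idp/SSO.saml2 by default), which is consistent with the log line complaining about an idp connection rather than an sp connection. The expected IdP endpoint https://idp.com/idp/SSO.saml2 used below is an assumption; the sample AuthnRequest is the one from the question, trimmed to the elements the checks read.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Sample input: the AuthnRequest posted in the question, with NameIDPolicy and
# RequestedAuthnContext omitted because the checks below do not read them.
AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://sp.example.com/sp" '
    'Destination="https://idp.com/sp/ACS.saml2" ForceAuthn="false" '
    'ID="_93313f7882ff7b3274da46502c4cf072" IsPassive="false" '
    'IssueInstant="2014-04-29T15:15:04.666Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Version="2.0">'
    '<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://sp.example.com/sp</samlp:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = c.compress(xml_text.encode("utf-8")) + c.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Inverse of encode_redirect_binding: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def check_authn_request(xml_text: str, configured_connection_id: str, idp_sso_endpoint: str):
    """Return a list of (code, detail) findings explaining why the IdP may fail
    to match this AuthnRequest to a configured connection. Empty list = no issue."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        findings.append(("not-authnrequest", root.tag))
        return findings

    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        findings.append(("issuer-missing", "AuthnRequest carries no saml:Issuer"))
    elif issuer != configured_connection_id:
        # The lookup is an exact, case-sensitive string match; classify the near miss.
        if issuer.lower() == configured_connection_id.lower():
            code = "issuer-case-mismatch"
        elif urlparse(issuer)._replace(scheme="") == urlparse(configured_connection_id)._replace(scheme=""):
            code = "issuer-scheme-mismatch"
        else:
            code = "issuer-mismatch"
        findings.append((code, f"request Issuer={issuer!r}, connection ID={configured_connection_id!r}"))

    destination = root.get("Destination", "")
    if destination != idp_sso_endpoint:
        hint = ""
        if urlparse(destination).path.startswith("/sp/"):
            hint = " (the /sp/ path is PingFederate's SP-role endpoint, so PF looks for an IdP connection)"
        findings.append(("destination-mismatch",
                         f"request Destination={destination!r}, expected {idp_sso_endpoint!r}{hint}"))
    return findings


def diagnose(saml_request_param: str, configured_connection_id: str, idp_sso_endpoint: str):
    """Decode a redirect-binding SAMLRequest query parameter and check it."""
    return check_authn_request(decode_redirect_binding(saml_request_param),
                               configured_connection_id, idp_sso_endpoint)


if __name__ == "__main__":
    # Assumed values: the connection ID from the question and a hypothetical IdP SSO endpoint.
    param = encode_redirect_binding(AUTHN_REQUEST)
    for code, detail in diagnose(param, "http://sp.example.com/sp", "https://idp.com/idp/SSO.saml2"):
        print(f"{code}: {detail}")
```

To run it against a live request, copy the SAMLRequest value from the redirect URL (URL-decoded) into diagnose() together with the Connection ID from the PingFederate SP connection and the IdP SSO URL the SP should be targeting.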

Licensed under: CC-BY-SA with attribution