org.opensaml.SAMLException: Unauthenticated principal. This protocol handler requires that authentication information be provided from the servlet container.
Shibboleth 1.3 and earlier doesn't perform user authentication itself, but instead relies on its environment for this information. This error occurs when the IdP is handed the user session without an associated principal name. There are two primary causes of this problem: no authentication is performed, or mod_jk isn't successfully handing that authentication information to the IdP.
If you are asked to authenticate before receiving this error:
- Ensure that the AJP 1.3 <Connector> configuration in Tomcat sets tomcatAuthentication="false" for Tomcat 5.0.x and earlier and request.tomcatAuthentication="false" for all later versions.
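One way to check this setting, as an added example (not part of the original page or of the Shibboleth documentation): the script parses a server.xml and reports, for each AJP connector, whether either attribute named above is set to "false". The sample XML and its ports are constructed, and recognising connectors by protocol="AJP/1.3" or by the JkCoyoteHandler class name is an assumption about how the connector is declared.

```python
import xml.etree.ElementTree as ET

# Attribute names as given on this page; which one Tomcat honours depends on its version.
AUTH_ATTRS = ("tomcatAuthentication", "request.tomcatAuthentication")

# Constructed sample server.xml; ports and layout are assumptions for the example.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8010" protocol="AJP/1.3" tomcatAuthentication="false" />
    <Connector port="8011" protocol="AJP/1.3" request.tomcatAuthentication="true" />
  </Service>
</Server>"""


def is_ajp(conn):
    # Assumption: AJP connectors are marked protocol="AJP/1.3"; older configs
    # that name the JK handler class instead are matched on that class name.
    proto = conn.get("protocol", "").upper()
    handler = conn.get("protocolHandlerClassName", "")
    return proto.startswith("AJP/1.3") or "JkCoyoteHandler" in handler


def check_ajp_connectors(server_xml_text):
    """Return (port, ok, detail) for every AJP <Connector> in the given XML."""
    results = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if not is_ajp(conn):
            continue  # HTTP connectors are not involved in the mod_jk hand-off
        found = {a: conn.get(a) for a in AUTH_ATTRS if conn.get(a) is not None}
        # OK only if one of the attributes explicitly disables Tomcat's own authentication.
        ok = any(v.strip().lower() == "false" for v in found.values())
        if not found:
            detail = "neither attribute set; Tomcat does its own authentication"
        else:
            detail = ", ".join(f'{k}="{v}"' for k, v in found.items())
        results.append((conn.get("port", "?"), ok, detail))
    return results


if __name__ == "__main__":
    for port, ok, detail in check_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {'OK' if ok else 'CHECK'} ({detail})")
```

The script cannot tell which Tomcat version is installed, so a connector it marks OK still needs the attribute name compared against the version rule above.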
If you aren't asked to authenticate before receiving this error:
- If you're using Apache authentication, make sure that there is a properly defined <Location> block protecting the SSO handler within the correct virtual host (usually port 443) like the following: