org.opensaml.SAMLException: Unauthenticated principal. This protocol handler requires that authentication information be provided from the servlet container.

Shibboleth 1.3 and earlier doesn't perform user authentication itself, but instead relies on its environment for this information. This is an error that occurs when the IdP is handed the user session without an associated principal name. There's two primary causes of this problem; no authentication is performed, or mod_jk isn't successfully handing that authentication information to the IdP.

If you are asked to authenticate before receiving this error:

If you aren't asked to authenticate before receiving this error:

<Location /shibboleth-idp/SSO>
	AuthType Basic
	AuthName "Villain Verification Service (VVS)"
	AuthUserFile /usr/local/apache/conf/user.db
	require valid-user
</Location>