
This error appears when navigating to a web page that is being protected by Shibboleth, such as https://www.example.com/secure.
This error typically means that the URL the relying party is using is not a valid URL for retrieving the metadata from the IdP. In the example above, the URL being used is https://saml1.software.eng.us/shibboleth. Navigating to https://saml1.software.eng.us/shibboleth produces a Forbidden message, which confirms that it is not a valid URL to get metadata from the IdP.
You will need to determine the valid URL. For example, if the valid URL is https://saml1.software.eng.us:8443/idp/shibboleth, navigating to https://saml1.software.eng.us:8443/idp/shibboleth should display the metadata. The metadata displayed in the browser should be exactly the same as the metadata in your /opt/shibboleth-idp/metadata/idp-metadata.xml file.
You will add the valid URL to $shibboleth_IdP_home/conf/relying-party.xml.
<rp:AnonymousRelyingParty provider="https://www.example.com/idp/shibboleth" defaultSigningCredentialRef="IdpCredential"/>
<rp:DefaultRelyingParty provider="https://www.example.com/idp/shibboleth" defaultSigningCredentialRef="IdpCredential">
<rp:ProfileConfiguration . . .
Also add the valid URL to $shibboleth_SP_home/shibboleth2.xml.
<ApplicationDefaults entityID="https://saml1.software.eng.us/idp/shibboleth"
Logs
If issues persist, check the $shibboleth_IdP_home/logs/idp-process.log file for messages such as the following.
SPSSODescriptor role metadata for entityID 'https://saml1.software.eng.us/shibboleth' could not be resolved
No metadata for relying party https://saml1.software.eng.us/shibboleth, treating party as anonymous
SAML 2 SSO profile is not configured for relying party https://saml1.software.eng.us/shibboleth
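One way to act on these messages, as an added example that is not part of the original article or of Shibboleth itself: the script pulls the entityID out of the three log messages and reports whether the metadata the IdP loads contains it with an SP role, listing same-host entityIDs that differ only in port or path. The log timestamps and levels and the trimmed metadata entries are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# The three messages from the Logs section; rel\w*ying tolerates spelling variants.
PATTERNS = [
    r"role metadata for entityID '([^']+)' could not be resolved",
    r"No metadata for rel\w*ying party (\S+?), treating party as anonymous",
    r"profile is not configured for rel\w*ying party (\S+)",
]

def unresolved_entity_ids(log_text):
    """Collect every entityID the IdP reported it could not resolve."""
    return {m.group(1) for p in PATTERNS for m in re.finditer(p, log_text)}

def sp_roles(metadata_xml):
    """Map each entityID in the metadata to whether it has an SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): e.find(MD + "SPSSODescriptor") is not None
            for e in root.iter(MD + "EntityDescriptor")}

def diagnose(log_text, metadata_xml):
    """Return {entityID: (status, same-host entityIDs found in the metadata)}."""
    roles = sp_roles(metadata_xml)
    report = {}
    for eid in unresolved_entity_ids(log_text):
        if eid in roles:
            status = "present" if roles[eid] else "no SPSSODescriptor"
            report[eid] = (status, [])
        else:
            host = urlsplit(eid).hostname
            report[eid] = ("missing", [k for k in roles if urlsplit(k).hostname == host])
    return report

# Constructed sample input (timestamps, levels and the SP entry are made up).
SAMPLE_LOG = """\
10:15:02.120 - WARN - SPSSODescriptor role metadata for entityID 'https://saml1.software.eng.us/shibboleth' could not be resolved
10:15:02.121 - WARN - No metadata for relying party https://saml1.software.eng.us/shibboleth, treating party as anonymous
10:15:02.125 - WARN - SAML 2 SSO profile is not configured for relying party https://saml1.software.eng.us/shibboleth
"""
SAMPLE_METADATA = """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://saml1.software.eng.us:8443/idp/shibboleth"><IDPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://www.example.com/shibboleth"><SPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>
"""

if __name__ == "__main__":
    for eid, (status, similar) in diagnose(SAMPLE_LOG, SAMPLE_METADATA).items():
        print(eid, "->", status, "| same host in metadata:", similar)
```

A "missing" result with a same-host entry points at an entityID mismatch in port or path; "no SPSSODescriptor" means the entityID is known to the IdP but not as a service provider.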