Error Shibboleth.sso.saml2 Unable To Resolve Any Key Decryption Keys
Redmond Militante wrote:

Subject: Unable to resolve any key decryption keys.

Our IdP is configured to encrypt a SAML assertion to our SP; we're receiving opensaml::FatalProfileException browser errors and the following shibd.log errors on the SP:

2009-06-03 09:40:52 ERROR Shibboleth.SSO.SAML2 [2]: Unable to resolve any key decryption keys

The shib wiki says:

"Unable to resolve any key decryption keys: The SP received encrypted XML (usually an EncryptedAssertion) and couldn't decrypt it. The SP's metadata probably doesn't contain the same public key(s) the SP is configured to use (or the credentials didn't load)."

This is a special circumstance that probably requires some explanation. Our SP is 'faking' an attribute query on the IdP on behalf of a non-Shibboleth SP that is not able to query the IdP directly: we have configured the entityID of our SP in shibboleth2.xml with the entityID of the non-Shib SP, and we've created special metadata on the IdP using the non-Shib SP's entityID and cert information that points to our SP's ACS binding in order to make this 'fake' attribute query. Once the query arrives at our SP, we have a script that will GET the raw SAML response from our SP's Shib_Assertion_NN URL and POST it via a form to the non-Shib SP's ACS.

This error indicates that our SP is attempting to decrypt the encrypted assertion sent from the IdP using the crt and key it's configured to use in CredentialResolver. CredentialResolver in our SP's shibboleth2.xml currently looks like
(Nabble thread for the post above: http://shibboleth.1660669.n2.nabble.com/Unable-to-resolve-any-key-decryption-keys-td3018952.html)

Aravindhan A wrote:

Subject: Shibboleth SP -- "opensaml::FatalProfileException"
(Thread: http://shibboleth.1660669.n2.nabble.com/Shibboleth-SP-quot-opensaml-FatalProfileException-quot-td7589643.html)

Hi, I am implementing Shibboleth IDP and SP. I have installed it on my machine and tested it with testshib.org; both (IDP & SP) are working fine. I am trying to use my own IDP with my SP. Once I access the protected resource, SP redirects to the IDP login page correctly; after authentication is successful, it is redirected to the SP with the SAML encrypted response (with the servlet status code 500), which shows the following error:

"opensaml::FatalProfileException at (https://127.0.0.1/Shibboleth.sso/SAML2/POST) A valid authentication statement was not found in the incoming message."

I checked the native log which shows the following message:

"2013-08-29 20:22:36 ERROR Shibboleth.Listener [28868] shib_handler: remoted message returned an error: A valid authentication statement was not found in the incoming message.
2013-08-29 20:22:36 ERROR Shibboleth.Apache [28868] shib_handler: A valid authentication statement was not found in the incoming message."

I attached the logs and configuration files used by me. How can I rectify this problem?

INFO: IDP: https://127.0.0.1:8443/idp/shibboleth (Tomcat); SP: https://127.0.0.1/shibboleth (Apache). I used the metadata from the location /opt/shibboleth-idp/metadata/idp-metadata.xml (attached with the name idp-metadata.xml).

Regards, Aravindhan A.

Attachments: shibboleth2.xml (7K), SAML_RESPONSE_BASE64_DECODED (11K), idp-metadata.xml (18K)

Cantor, Scott E. wrote:

Subject: Re: Shibboleth SP -- "opensaml::FatalProfileException"

On 8/29/13 11:38 AM, "Charles A" <[hidden email]> wrote:
> Once I access the protected resource, SP redirects to the IDP login
> page correctly, after authentication is successful, it is redirected to
> the SP with the SAML encrypted response (With
> the servlet status code 500) Which shows the following error ,

Using IP addresses is guaranteed to get you into trouble, but that aside,

> I checked the native log which shows the following message.

That log won't help you, you need to check the shibd log. Most likely your metadata's wrong and the Id
Shibboleth Users list archive: https://lists.internet2.edu/sympa/arc/shibboleth-users/2009-06/msg00078.html
From: Redmond Militante
Subject: Unable to resolve any key decryption keys.
Date: Wed, 3 Jun 2009 10:25:52 -0500
(This is the archived copy of the post quoted at the top of the page.)

Vladimir's general Shibboleth notes: https://technical.bestgrid.org/index.php/Vladimir's_general_Shibboleth_notes
as a place for notes I consider useful for myself...

Contents
1 Signing XML documents
  1.1 Decrypting encrypted XML documents
  1.2 Checking signature on an xml document
2 Shibboleth Logo on SP Error Pages
3 Controlling Scope for an IdP
4 Access control with Shibboleth: requesting a specific attribute
5 Enforcing Canonical Hostnames
6 Adding a new attribute
7 Adding a static attribute
8 Adding a Scriptlet Attribute Definition
9 Terminating MediaWiki sessions when a Shibboleth session expires
10 SLCS client
11 Minor bits of Shibboleth knowledge
  11.1 Forcing Attribute-Push for a single SP
  11.2 Configuring Admin Contact for Error Messages
  11.3 Generating a self-signed certificate
  11.4 Generating self-signed certs with CA:FALSE
  11.5 HTTP Strict Transport Security
  11.6 AAF Pilot Entity Group Names
  11.7 Shibboleth 2.0 policy filter
  11.8 IdP and SP metadata URLs
  11.9 Getting raw assertions
  11.10 Configuring multiple DS initiators with ShibSP 2.4
  11.11 Tweaking the ShibSP SessionInitiator with query parameters
  11.12 Accessing HTTPS URLs from a Shibboleth IdP configuration
  11.13 Shib Logout
  11.14 Generating a shared token value
  11.15 Re-creating the back-channel certificate on an IdP
  11.16 Forcing a SAML2 Artifact profile login
  11.17 Shibboleth SP 2.5.0
  11.18 Upgrading to 2.5.0
  11.19 Unsolicited SSO
  11.20 IdP Audit Log Structure
  11.21 Dumping attribute values
12 Shibbolized systems

Signing XML documents

The MAMS testbed federation puts signatures into the federation metadata XML documents. The signatures, inserted at the beginning of the document, consist of a digest of the canonical form of the remainder of the document, a signature over that digest, and the certificate for the key used to create the signature. I was looking at the steps needed to create such signatures.

The Apache XML Security project, http://xml.apache.org/security/, provides Java and C libraries which can handle, and also create, signed XML documents. (The C library project is at http://xml.apache.org/security/c/.) I was looking for command-line tools which could be used to sign XML documents in a scripting environment. The C library (which is compiled as a part of installing the Shibboleth SP) has the templatesign tool. The tool needs a template for the signature to already exist as the first child of the top-level document. Then the tool can simply be used as in the following example:

  ./templatesign --rsakey /etc/certs/mykey.pem "" --x509cert /etc/certs/mycert.pem /tmp/bestgrid-metadata.xml > /tmp/bestgrid-metadata-signed.xml

The template to be included is: