Unable to establish security of incoming assertion.

Pavan K pavanonnet1986 at gmail.com
Wed Sep 7 01:27:36 BST 2011


Thank you Nate.

Here is my log from the shib.log file after getting the response message from
the IDP:

2011-09-06 16:46:46 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: extracting
issuer from SAML 2.0 protocol message
2011-09-06 16:46:46 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: message from
(https://<machineA>:8443/idp/shibboleth)
2011-09-06 16:46:46 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: searching
metadata for message issuer...
2011-09-06 16:46:46 WARN OpenSAML.MessageDecoder.SAML2 [1]: no metadata
found, can't establish identity of issuer (https://
<machineA>:8443/idp/shibboleth)
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]:
evaluating message flow policy (replay checking on, expiration 60)
2011-09-06 16:46:46 DEBUG XMLTooling.StorageService [1]: inserted record
(_7721f6220db9321bf7c363dc18537ec8) in context (MessageFlow) with expiration
(1315353044)
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.ClientCertAuth [1]:
ignoring message, no issuer metadata supplied
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]:
ignoring message, no issuer metadata supplied
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.SimpleSigning [1]:
ignoring message, no issuer metadata supplied
2011-09-06 16:46:46 DEBUG XMLTooling.StorageService [1]: deleted record
(29002348be188467e14a6c3dd62cae72) in context (RelayState)
2011-09-06 16:46:46 DEBUG Shibboleth.SSO.SAML2 [1]: processing message
against SAML 2.0 SSO profile
2011-09-06 16:46:46 DEBUG Shibboleth.SSO.SAML2 [1]: extracting issuer from
SAML 2.0 assertion
2011-09-06 16:46:46 DEBUG Shibboleth.SSO.SAML2 [1]: searching metadata for
assertion issuer...
2011-09-06 16:46:46 WARN Shibboleth.SSO.SAML2 [1]: no metadata found, can't
establish identity of issuer (https://<machineA>:8443/idp/shibboleth)
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]:
evaluating message flow policy (replay checking on, expiration 60)
2011-09-06 16:46:46 DEBUG XMLTooling.StorageService [1]: inserted record
(_e2eac5e3db84c6bddfcc7df5483b002d) in context (MessageFlow) with expiration
(1315353044)
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.ClientCertAuth [1]:
ignoring message, no issuer metadata supplied
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]:
ignoring message, no issuer metadata supplied
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.SimpleSigning [1]:
ignoring message, no issuer metadata supplied
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation
[1]: assertion satisfied bearer confirmation requirements
2011-09-06 16:46:46 WARN Shibboleth.SSO.SAML2 [1]: detected a problem with
assertion: Unable to establish security of incoming assertion.
2011-09-06 16:46:48 DEBUG Shibboleth.Listener [1]: dispatching message
(default/SAML2/POST)
2011-09-06 16:46:48 DEBUG OpenSAML.MessageDecoder.SAML2POST [1]: validating
input

NOTE: I can access the IDP metadata by using the URL
"https://<machineA>:8443/idp/shibboleth".

Do we need to load the SP metadata on the IDP? Is there any configuration I am
missing?

-Pavan

On Tue, Sep 6, 2011 at 5:19 PM, Nate Klingenstein <ndk at internet2.edu> wrote:

> Pavan,
>
> You will need to look at your SP's shibd.log to discover the true problem,
> but most likely the clock on one or the other of your servers is wrong.
>  That message is just a simpler version for browser users.
>
> Take care,
> Nate.
>
> On Sep 7, 2011, at 0:06 , Pavan K wrote:
>
> And when I issue the login URL "http://machineA/Shibboleth.sso/Login", the user
> is getting authenticated on the IDP and I can see the response in the SP logs. But
> after that I am getting *"Unable to establish security of incoming
> assertion".*
>
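
A triage sketch for the shibd.log excerpt in the message above, as an added example that is not part of the original messages or of the Shibboleth project: it re-joins mail-wrapped log records and reports when an "Unable to establish security" rejection follows security policy rules that were skipped for lack of issuer metadata. The sample log is constructed from the message texts in the post, with idp.example.org as a placeholder host, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample: message texts as in the post, placeholder host, mail-wrapped.
SAMPLE = """\
2011-09-06 16:46:46 WARN Shibboleth.SSO.SAML2 [1]: no metadata found, can't
establish identity of issuer (https://idp.example.org/idp/shibboleth)
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.ClientCertAuth [1]:
ignoring message, no issuer metadata supplied
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]:
ignoring message, no issuer metadata supplied
2011-09-06 16:46:46 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation
[1]: assertion satisfied bearer confirmation requirements
2011-09-06 16:46:46 WARN Shibboleth.SSO.SAML2 [1]: detected a problem with
assertion: Unable to establish security of incoming assertion.
"""

TS = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ")
REC = re.compile(r"^(\S+ \S+) (\w+) (\S+) \[(\d+)\]: (.*)$")
def records(text):
    """Re-join wrapped lines: a new record starts only at a timestamp."""
    buf = []
    for line in text.splitlines():
        if TS.match(line) and buf:
            yield " ".join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def triage(text):
    """Return one finding per rejected assertion, keyed by request id."""
    state = defaultdict(lambda: {"issuer": None, "skipped": set()})
    findings = []
    for rec in records(text):
        m = REC.match(rec)
        if not m:
            continue
        _, _, cat, req, msg = m.groups()
        s = state[req]
        if "no metadata found" in msg:
            im = re.search(r"issuer \((.*?)\)", msg)
            s["issuer"] = re.sub(r"\s+", "", im.group(1)) if im else s["issuer"]
        elif cat.startswith("OpenSAML.SecurityPolicyRule.") and "no issuer metadata supplied" in msg:
            s["skipped"].add(cat.rsplit(".", 1)[1])
        elif "Unable to establish security of incoming assertion" in msg:
            cause = "no-issuer-metadata" if s["issuer"] and s["skipped"] else "other"
            findings.append({"request": req, "cause": cause, "issuer": s["issuer"], "skipped_rules": sorted(s["skipped"])})
    return findings
```

A `no-issuer-metadata` finding means the SP found no metadata for that issuer's entityID, so the signature and client-certificate rules never evaluated the message.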