Help with StaticPKIX test

Cantor, Scott cantor.2 at
Wed Sep 7 14:56:32 BST 2011

On 9/7/11 8:23 AM, "Jonathan Bricker" <jbricker at> wrote:

>I¹m trying to set up a StaticPKIX trust engine on our SP.  This is the
>first time I¹ve done this with Shibboleth.   I¹m getting a
>ProfileException that the signature cannot be verified.  This is all in a
>sandbox so I have complete control over my setup.

The purpose of that trust engine is for verifying metadata, not for SAML
message use.

>One question would be my metadata from the Idp.  I do not see attributes
>in the KeyDescriptors or KeyInfo tags.  I assume that this is a config
>problem on the Idp.  How can I make sure that key names from the cert are
>passed so the PKIX will work?

That trust engine doesn't rely on metadata, which is why it's used for
different things. I don't know offhand how or whether it would work in
other contexts. In principal it would not unless the certificate contained
the entityID of the message issuer in every case.

-- Scott

More information about the users mailing list