Could not resolve a key encryption credential for peer entity

Nate Klingenstein ndk at internet2.edu
Wed Sep 21 21:01:05 BST 2011


Trev,

Your immediate problem is that there is no way to encrypt assertions  
sent to Service-Now, according to the guide you referenced.  As such,  
that's usually turned off strictly for that SP by this configuration:

<!-- relying party for service-now -->
<RelyingParty id="https://uchicagotest.service-now.com"
    provider="https://matlock.uchicago.edu/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

... which you may be missing.

Their parsing code is probably not ultra sophisticated, and it
interprets the error code the IdP sends as a response missing an
assertion with a subject in it.  Which, I guess, is true, in a very
narrow sense...

Make sure you're not trying to encrypt assertions sent to them,
Nate.
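The check Nate describes, as an added example that is not from this thread or the Shibboleth project: a small lint over a Shibboleth IdP 2.x relying-party.xml and the SP metadata it loads, which predicts the "Could not resolve a key encryption credential" failure for any SP the IdP would try to encrypt to while that SP publishes no encryption key. Both XML documents, the entity IDs and the IdP provider URL are constructed samples.

```python
# Added example (not from the thread or the Shibboleth project). Both XML
# documents below are constructed samples modelled on the thread's configuration.
import xml.etree.ElementTree as ET

NS = {"rp": "urn:mace:shibboleth:2.0:relying-party",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RELYING_PARTY_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:RelyingParty id="https://sp-a.example.org/shibboleth" provider="https://idp.example.edu/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"/>
  </rp:RelyingParty>
  <rp:RelyingParty id="https://example.service-now.com" provider="https://idp.example.edu/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""
# sp-a publishes an encryption key; the Service-Now entity only publishes a signing key.
SP_METADATA_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <md:SPSSODescriptor><md:KeyDescriptor use="encryption"/></md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://example.service-now.com">
    <md:SPSSODescriptor><md:KeyDescriptor use="signing"/></md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def sso_encrypt_settings(rp_xml):
    """entityID -> encryptAssertions of its SAML2SSOProfile override. IdP 2.x
    defaults to "conditional", which still encrypts for browser (front-channel) SSO."""
    out = {}
    for party in ET.fromstring(rp_xml).findall("rp:RelyingParty", NS):
        for prof in party.findall("rp:ProfileConfiguration", NS):
            if prof.get(XSI_TYPE, "").endswith("SAML2SSOProfile"):
                out[party.get("id")] = prof.get("encryptAssertions", "conditional")
    return out

def has_encryption_key(md_xml):
    """entityID -> True if an SP KeyDescriptor can be used for encryption
    (use="encryption", or no use attribute, which means signing and encryption)."""
    out = {}
    for ent in ET.fromstring(md_xml).findall("md:EntityDescriptor", NS):
        keys = ent.findall("md:SPSSODescriptor/md:KeyDescriptor", NS)
        out[ent.get("entityID")] = any(k.get("use", "encryption") == "encryption" for k in keys)
    return out

def predict_failures(rp_xml, md_xml):
    """SPs the IdP would try to encrypt to although their metadata offers no key."""
    keys = has_encryption_key(md_xml)
    return sorted(sp for sp, mode in sso_encrypt_settings(rp_xml).items()
                  if mode != "never" and not keys.get(sp, False))
```

With the encryptAssertions="never" override in place the lint reports nothing; drop that attribute and the Service-Now entity is flagged, which is the situation in the quoted log.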

On Sep 21, 2011, at 19:54 , Fong, Trevor wrote:

>
> Hi Guys,
>
> We're trying to integrate with Service-Now also and are trying to  
> follow uChicago's recipe from https://docs.google.com/document/d/1yApSgHn0C02z09zYC3CD_edX7s3DbnuGgJ-kI-BhqYI/edit?hl=en_US&authkey=CPK1ppQN&pli=1
>
> We've also commented out some of the lines in Service-Now scripts to  
> do with SPNameQualifier as suggested by James Bardin.
>
> However, we still have a problem:  when someone tries to log in, they
> get the Service-Now error message "Could not extract //Subject/NameID
> from SAMLResponse"
>
> Delving into our idp-process.log, we see:
>
> 10:24:24.448 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:888] - Could not resolve a key encryption credential for peer entity: https://xxxx.service-now.com
> 10:24:25.913 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:275] - Unable to construct encrypter
> org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
>
> ... <snip> ...
>
>   <saml2p:Status>
>      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
>      <saml2p:StatusMessage>Unable to encrypt assertion</saml2p:StatusMessage>
>   </saml2p:Status>
>
>
> Any ideas?
>
> Thanks a lot,
> Trev
