SP Key Rollover with IdP encryptAssertions="conditional"

Leung, Warren wleung at it.ucla.edu
Thu Sep 22 01:38:14 BST 2011


We have an SP where a certificate is expiring soon, so we wanted to do an
SP key rollover.  We added another KeyDescriptor (2 total) into the IdP
metadata, both with no use attribute.  After the metadata is refreshed into
the IdP we get the following error on the SP:

2011-09-21 15:51:01 ERROR Shibboleth.SSO.SAML2 [1]: Unable to resolve any
key decryption keys.

The relying-party.xml is configured like the following for SAML2.  No
errors appear on the IdP logs.

       <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
           includeAttributeStatement="true" assertionLifetime="PT30M"
           assertionProxyCount="0" signResponses="never" signAssertions="always"
           encryptAssertions="conditional" encryptNameIds="never"/>

I could get things to work by making sure the valid certificate is the
2nd KeyDescriptor in the metadata.   It would also work if I made

Since we are pushing attributes to the SP, the IdP will pick a certificate
to encrypt the assertion to the SP and if it is wrong then the error
occurs.  If it was a pull the SP would present a cert and thus the IdP
would know what to use to encrypt it back to the SP.  Is my understanding
of this correct?

Is there some configuration or a step I missed that would resolve this?


Warren Leung
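As an added example (not from the post above or from the Shibboleth project), a small Python check for the rollover situation described: it parses the SP metadata as the IdP sees it, treats every KeyDescriptor that has no use attribute or use="encryption" as one the IdP may encrypt assertions to, and reports the ones for which the SP holds no private key. The metadata, the certificate bodies and the SP's configured-key set are constructed placeholders; the expiring certificate is the first KeyDescriptor, as in the post.

```python
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders standing in for the DER of the two SP certificates.
OLD_CERT = base64.b64encode(b"constructed placeholder: expiring cert").decode()
NEW_CERT = base64.b64encode(b"constructed placeholder: new cert").decode()

# Constructed SP metadata: two KeyDescriptors, neither carrying a use attribute,
# old certificate first, exactly the layout the post describes.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def _der(b64: str) -> bytes:
    """Decode a base64 X509Certificate body (whitespace-tolerant) to raw bytes."""
    return base64.b64decode("".join(b64.split()))

def encryption_candidates(metadata_xml: str):
    """Yield (index, use, der) for each KeyDescriptor the IdP may encrypt to.
    In SAML metadata a KeyDescriptor with no use attribute is valid for both
    signing and encryption, so it counts alongside use="encryption"."""
    root = ET.fromstring(metadata_xml)
    for i, kd in enumerate(root.iter(f"{{{MD_NS}}}KeyDescriptor"), start=1):
        use = kd.get("use")
        if use in (None, "encryption"):
            cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
            if cert is not None and cert.text:
                yield i, use, _der(cert.text)

def undecryptable(metadata_xml: str, sp_key_certs: dict) -> list:
    """Return the KeyDescriptor indexes the IdP may pick for encryption but for
    which the SP has no private key configured. sp_key_certs (assumed shape:
    filename -> base64 cert body) stands in for the SP's configured key pairs.
    A non-empty result is the case that produces the post's
    'Unable to resolve any key decryption keys' error."""
    held = {_der(body) for body in sp_key_certs.values()}
    return [i for i, _use, der in encryption_candidates(metadata_xml) if der not in held]

if __name__ == "__main__":
    print("SP holds only the new key:", undecryptable(SP_METADATA, {"sp.pem": NEW_CERT}))
    print("SP holds both keys:", undecryptable(SP_METADATA, {"old": OLD_CERT, "new": NEW_CERT}))
```

Marking the old KeyDescriptor use="signing" in the metadata removes it from the candidate set, which the check also shows.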
