SP Key Rollover with IdP encryptAssertions="conditional"

Nate Klingenstein ndk at internet2.edu
Thu Sep 22 01:49:02 BST 2011


Warren,

Silly question, perhaps, but did you add another CredentialResolver?

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMultipleCredentials#NativeSPMultipleCredentials-KeyRollover

It'd explain the behavior you're witnessing perfectly.  The Wiki article has a sentence talking about your experience:

So in this case, you MUST configure both the old and new credentials  
into the SP so that either key can be available for decryption.

Give that a try if you haven't already,
Nate.

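For reference, this is what the chained resolver looks like in the SP's shibboleth2.xml during a rollover; it is an added example written for this thread, not a fragment from the wiki page or from Warren's deployment, and the file names are assumed.

```xml
<!-- Added example: shibboleth2.xml fragment for SP key rollover.
     Context: this sits inside <ApplicationDefaults>, replacing the
     single <CredentialResolver type="File" .../> that ships by default.
     File names below are assumptions for illustration. -->
<CredentialResolver type="Chaining">

    <!-- New credential listed first: the SP signs with the first
         resolver in the chain, so new-signed messages go out with
         the key the IdP should migrate to. -->
    <CredentialResolver type="File"
        key="sp-key-new.pem"
        certificate="sp-cert-new.pem"/>

    <!-- Old credential kept in the chain: while the SP's metadata
         at the IdP carries both KeyDescriptors with no "use"
         attribute, the IdP may pick either certificate when
         encryptAssertions is "conditional" or "always". Without
         this entry the SP cannot decrypt an assertion encrypted to
         the old certificate and logs
         "Unable to resolve any key decryption keys."
         Remove this resolver only after the old KeyDescriptor has
         been dropped from the metadata and the IdP has refreshed. -->
    <CredentialResolver type="File"
        key="sp-key-old.pem"
        certificate="sp-cert-old.pem"/>

</CredentialResolver>
```

The same private keys must be readable by the shibd process that was restarted after the change, or the chain resolves nothing and the decryption error persists regardless of which KeyDescriptor the IdP chose.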
On Sep 22, 2011, at 0:38 , Leung, Warren wrote:

> Hi,
>
> We have an SP where a certificate is expiring soon, so we wanted to do an
> SP key rollover.  We added another KeyDescriptor (2 total) into the IdP
> metadata, both with no use attribute.  After the metadata is refreshed into
> the IdP we get the following error on the SP:
>
> 2011-09-21 15:51:01 ERROR Shibboleth.SSO.SAML2 [1]: Unable to resolve any key decryption keys.
>
> The relying-party.xml is configured like the following for SAML2.  No
> errors appear on the IdP logs.
>
>       <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
> includeAttributeStatement="true" assertionLifetime="PT30M"
> assertionProxyCount="0" signResponses="never" signAssertions="always"
> encryptAssertions="conditional" encryptNameIds="never"/>
>
> I could get things to work by making sure the valid certificate is the
> 2nd KeyDescriptor in the metadata.   It would also work if I made
> encryptAssertions="never".
>
> Since we are pushing attributes to the SP, the IdP will pick a certificate
> to encrypt the assertion to the SP and if it is wrong then the error
> occurs.  If it was a pull the SP would present a cert and thus the IdP
> would know what to use to encrypt it back to the SP.  Is my understanding
> of this correct?
>
> Is there some configuration or a step I missed that would resolve this?
>
> Thanks
>
> Warren Leung
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
