Could not resolve a key encryption credential for peer entity
Fong, Trevor
trevor.fong at ubc.ca
Thu Sep 22 18:44:16 BST 2011
Hi Everyone,
Yup - we have turned off encryption for their SP, exactly as uChicago and Nate have suggested. We have the following in our relying-party.xml:
<RelyingParty id="https://xxxx.service-now.com"
provider="https://xxxxx/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration
xsi:type="saml:SAML2SSOProfile"
encryptAssertions="never"
encryptNameIds="never" />
</RelyingParty>
So still no dice...
Thanks,
Trev
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: September-21-11 1:01 PM
To: Shib Users
Subject: Re: Could not resolve a key encryption credential for peer entity
Trev,
Your immediate problem is that there is no way to encrypt assertions sent to Service-Now, according to the guide you referenced. As such, that's usually turned off strictly for that SP by this configuration:
<!-- relying party for service-now -->
<RelyingParty id="https://uchicagotest.service-now.com"
provider="https://matlock.uchicago.edu/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
... which you may be missing.
Their parsing code is probably not ultra sophisticated, and it interprets the error code the IdP sends as a response missing an assertion with a subject in it. Which, I guess is true, in a very narrow sense...
Make sure you're not trying to encrypt assertions sent to them,
Nate.
On Sep 21, 2011, at 19:54 , Fong, Trevor wrote:
Hi Guys,
We're trying to integrate with Service-Now also and are trying to follow uChicago's recipe from https://docs.google.com/document/d/1yApSgHn0C02z09zYC3CD_edX7s3DbnuGgJ-kI-BhqYI/edit?hl=en_US&authkey=CPK1ppQN&pli=1
We've also commented out some of the lines in Service-Now scripts to do with SPNameQualifier as suggested by James Bardin.
However, we still have a problem: when someone tries to login, they get the Service-Now error message "Could not extract //Subject/NameID from SAMLResponse"
Delving into our idp-process.log, we see:
10:24:24.448 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:888] - Could not resolve a key encryption credential for peer entity: https://xxxx.service-now.com
10:24:25.913 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:275] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.getEncrypter(AbstractSAML2ProfileHandler.java:889) ~[shibboleth-identityprovider-2.2 .0.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:272) ~[shibboleth-identityprovider-2.
2.0.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:280) [shibboleth-identityprovider-2.2.0.j
ar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:164) [shibboleth-identityprovider-2.2.0.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:84) [shibboleth-identityprovider-2.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.2.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.2.0.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51) [shibboleth-common-1.2.0.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.29]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.29]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.29]
at org.terracotta.modules.tomcat.tomcat_5_5.SessionValve55.invoke(SessionValve55.java:88) [na:na]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.29]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.29]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:6.0.29]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) [tomcat-coyote.jar:6.0.29]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-coyote.jar:6.0.29]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) [tomcat-coyote.jar:6.0.29]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.29]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
... <snip> ...
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
<saml2p:StatusMessage>Unable to encrypt assertion</saml2p:StatusMessage>
</saml2p:Status>
Any ideas?
Thanks a lot,
Trev
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20110922/c7dc0a46/attachment-0001.html
More information about the users
mailing list