Could not resolve a key encryption credential for peer entity

Fong, Trevor trevor.fong at ubc.ca
Thu Sep 22 18:44:16 BST 2011


Hi Everyone,

Yup - we have turned off encryption for their SP, exactly as uChicago and Nate have suggested.  We have the following in our relying-party.xml:

    <RelyingParty id="https://xxxx.service-now.com"
                  provider="https://xxxxx/idp/shibboleth"
                  defaultSigningCredentialRef="IdPCredential">
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                              encryptAssertions="never"
                              encryptNameIds="never" />
    </RelyingParty>

So still no dice...

Thanks,
Trev


From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: September-21-11 1:01 PM
To: Shib Users
Subject: Re: Could not resolve a key encryption credential for peer entity

Trev,

Your immediate problem is that there is no way to encrypt assertions sent to Service-Now, according to the guide you referenced.  As such, that's usually turned off strictly for that SP by this configuration:

<!-- relying party for service-now -->
   <RelyingParty id="https://uchicagotest.service-now.com"
       provider="https://matlock.uchicago.edu/idp/shibboleth"
       defaultSigningCredentialRef="IdPCredential">
   <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
   </RelyingParty>

... which you may be missing.

Their parsing code is probably not ultra sophisticated, and it interprets the error code the IdP sends as a response missing an assertion with a subject in it.  Which, I guess is true, in a very narrow sense...

Make sure you're not trying to encrypt assertions sent to them,
Nate.
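
An added diagnostic for the situation Nate describes (written for this thread, not code from Shibboleth or from either poster): it checks whether the SP's metadata publishes an encryption key at all, which is what "Could not resolve a key encryption credential for peer entity" is about, and whether relying-party.xml carries a RelyingParty override whose id matches the SP's entityID exactly with both encrypt settings at "never". The sample metadata and configuration are constructed, the entity IDs are placeholders, and only the Python standard library is used.

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
local = lambda tag: tag.rsplit("}", 1)[-1]  # local name, whatever the prefix

def sp_has_encryption_key(metadata_xml, entity_id):
    """True if the SP role publishes a KeyDescriptor the IdP can encrypt to:
    use="encryption", or no use attribute (which means signing and encryption)."""
    for ed in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.findall(MD + "SPSSODescriptor/" + MD + "KeyDescriptor"):
            if kd.get("use") in (None, "encryption"):
                return True
    return False

def encryption_override(rp_xml, entity_id):
    """(encryptAssertions, encryptNameIds) from the SAML2SSOProfile of the
    RelyingParty whose id equals entity_id exactly; None when no such override."""
    for rp in ET.fromstring(rp_xml).iter():
        if local(rp.tag) != "RelyingParty" or rp.get("id") != entity_id:
            continue
        for pc in rp:  # ProfileConfiguration children of this RelyingParty
            if pc.get(XSI_TYPE, "").endswith(":SAML2SSOProfile"):
                return pc.get("encryptAssertions"), pc.get("encryptNameIds")
    return None

def diagnose(metadata_xml, rp_xml, entity_id):
    """Explain whether this SP can hit 'Could not resolve a key encryption credential'."""
    if sp_has_encryption_key(metadata_xml, entity_id):
        return "ok: SP publishes an encryption key"
    ov = encryption_override(rp_xml, entity_id)
    if ov is None:
        return "no RelyingParty override matches this entityID exactly"
    if ov == ("never", "never"):
        return "ok: override disables encryption for this SP"
    return "override present but encryptAssertions=%s encryptNameIds=%s" % ov

# Constructed samples: an SP with only a signing key, and a matching override.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://xxxx.service-now.com"><md:SPSSODescriptor
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 <md:KeyDescriptor use="signing"/></md:SPSSODescriptor></md:EntityDescriptor>"""
RP_XML = """<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
 xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <RelyingParty id="https://xxxx.service-now.com" defaultSigningCredentialRef="IdPCredential"
  provider="https://idp.example.edu/idp/shibboleth">
  <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never"/>
 </RelyingParty></RelyingPartyGroup>"""
```

Run `diagnose()` against the real SP metadata and relying-party.xml; a trailing slash or other difference between the RelyingParty id and the SP's entityID is reported as "no RelyingParty override matches".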

On Sep 21, 2011, at 19:54 , Fong, Trevor wrote:
Hi Guys,

We're trying to integrate with Service-Now also and are trying to follow uChicago's recipe from https://docs.google.com/document/d/1yApSgHn0C02z09zYC3CD_edX7s3DbnuGgJ-kI-BhqYI/edit?hl=en_US&authkey=CPK1ppQN&pli=1

We've also commented out some of the lines in Service-Now scripts to do with SPNameQualifier as suggested by James Bardin.

However, we still have a problem: when someone tries to log in, they get the Service-Now error message "Could not extract //Subject/NameID from SAMLResponse"

Delving into our idp-process.log, we see:

10:24:24.448 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:888] - Could not resolve a key encryption credential for peer entity: https://xxxx.service-now.com
10:24:25.913 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:275] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
       at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.getEncrypter(AbstractSAML2ProfileHandler.java:889) ~[shibboleth-identityprovider-2.2.0.jar:na]
       at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:272) ~[shibboleth-identityprovider-2.2.0.jar:na]
       at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:280) [shibboleth-identityprovider-2.2.0.jar:na]
       at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:164) [shibboleth-identityprovider-2.2.0.jar:na]
       at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:84) [shibboleth-identityprovider-2.2.0.jar:na]
       at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.2.0.jar:na]
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.29]
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
       at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.2.0.jar:na]
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
       at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51) [shibboleth-common-1.2.0.jar:na]
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.29]
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.29]
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.29]
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.29]
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.29]
       at org.terracotta.modules.tomcat.tomcat_5_5.SessionValve55.invoke(SessionValve55.java:88) [na:na]
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.29]
       at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.29]
       at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:6.0.29]
       at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) [tomcat-coyote.jar:6.0.29]
       at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-coyote.jar:6.0.29]
       at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) [tomcat-coyote.jar:6.0.29]
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.29]
       at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]

... <snip> ...

  <saml2p:Status>
     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
     <saml2p:StatusMessage>Unable to encrypt assertion</saml2p:StatusMessage>
  </saml2p:Status>


Any ideas?

Thanks a lot,
Trev