IdP "Unable to encrypt assertion"
yancey at unt.edu
Mon Sep 26 18:21:23 BST 2011
To date, we have interoperated only with Shibboleth SPs and have had no trouble with this. This past week, we tried to add a new outside vendor's SP (which is not running Shibboleth), and our IdP says it is "Unable to encrypt assertion" with this SP. Perhaps someone will help educate me on this topic. I have a guess, but want to confirm before going back to the vendor with this.
Here's my best guess so far:
Must the X.509 subject name CN value in the SP's certificate match the SP's DNS host name?
Here is the SP metadata that we received from the vendor. I redacted references to the vendor and certificate data.
<EntityDescriptor entityID="[redacted]" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://proofing.[redacted]/saml/unt" />
The X.509 certificate contained in the SP metadata has a valid date range. However, the CN value in the X.509 subject name does not match the SP's DNS host name (from Location="https://proofing.[redacted]/saml/unt"). The SP's certificate contains saml.vendor.com and the SP's DNS host name is proofing.vendor.com. A name mismatch is the only thing I can see that may be causing the IdP to refuse to encrypt assertions, but the debug level logging output does not explicitly say why. So I am asking an expert to confirm (or reject) my hypothesis.
Here is the debug output from idp-process.log from this morning:
08:51:33.684 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:73] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
08:51:33.685 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:73] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
08:51:33.685 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:73] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
08:51:33.685 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:104] - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
08:51:33.686 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:904] - Could not resolve a key encryption credential for peer entity: [redacted]
08:51:33.702 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential [deleted stack trace followed this]
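The log lines above show the IdP's credential resolver evaluating key-algorithm, entityID and usage criteria against the peer's metadata and finding nothing it can encrypt with. As an added example (not part of the original post, and not Shibboleth or OpenSAML code), here is a small Python checker that inspects SP metadata for what such a resolver needs: a KeyDescriptor that is usable for encryption (use="encryption", or no use attribute at all, which the metadata schema treats as valid for both signing and encryption), that actually carries an X509Certificate, and that has its EncryptionMethod inside it rather than loose under SPSSODescriptor. Both metadata samples are constructed; the entityID, the hostnames and the certificate body are placeholders.

```python
# Added example (not from the original post): check whether SAML 2.0 SP
# metadata carries a credential an IdP can use to encrypt assertions.
# Standard library only; the metadata samples below are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def md(tag):
    return "{%s}%s" % (MD, tag)


def ds(tag):
    return "{%s}%s" % (DS, tag)


def check_encryption_credentials(metadata_xml):
    """Report what a metadata-based credential resolver would find.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption; one with use="signing" is never used for encryption.
    """
    root = ET.fromstring(metadata_xml)
    sp = root.find(md("SPSSODescriptor"))
    if sp is None:
        return {"ok": False, "encryption_keys": 0, "acs_hosts": [],
                "findings": ["no SPSSODescriptor in metadata"]}

    findings = []
    encryption_keys = 0
    cert_path = "%s/%s/%s" % (ds("KeyInfo"), ds("X509Data"), ds("X509Certificate"))
    for kd in sp.findall(md("KeyDescriptor")):
        use = kd.get("use")
        if use not in (None, "encryption"):
            continue  # signing-only key: skipped when resolving for encryption
        cert = kd.find(cert_path)
        if cert is None or not (cert.text or "").strip():
            findings.append("KeyDescriptor use=%r carries no X509Certificate" % use)
        else:
            encryption_keys += 1

    # The metadata schema places EncryptionMethod inside KeyDescriptor; one
    # sitting directly under SPSSODescriptor selects no key at all.
    if sp.find(md("EncryptionMethod")) is not None:
        findings.append("EncryptionMethod is a direct child of SPSSODescriptor "
                        "instead of KeyDescriptor")
    if encryption_keys == 0:
        findings.append("no KeyDescriptor usable for encryption; an IdP cannot "
                        "resolve a key encryption credential for this entity")

    acs_hosts = sorted({urlparse(acs.get("Location", "")).hostname or ""
                        for acs in sp.findall(md("AssertionConsumerService"))})
    return {"ok": encryption_keys > 0, "encryption_keys": encryption_keys,
            "acs_hosts": acs_hosts, "findings": findings}


# Constructed sample shaped like the vendor snippet in the post: no
# KeyDescriptor, and an EncryptionMethod directly under SPSSODescriptor.
VENDOR_METADATA = """<EntityDescriptor entityID="https://sp.example.com/saml"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://proofing.example.com/saml/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of the same SP with the key published the way the
# schema expects. The certificate body is a placeholder, not a real cert.
FIXED_METADATA = """<EntityDescriptor entityID="https://sp.example.com/saml"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </KeyDescriptor>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://proofing.example.com/saml/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for name, xml in (("vendor", VENDOR_METADATA), ("fixed", FIXED_METADATA)):
        result = check_encryption_credentials(xml)
        print(name, "ok" if result["ok"] else "FAIL", result["findings"])
```

Run as a script it reports FAIL with two findings for the vendor-shaped sample and ok with none for the corrected one. Note that all three criteria classes named in the log (key algorithm, entityID, usage) are matched against KeyDescriptor contents, so a check of this shape on the vendor's metadata is a quick first step before going back to them.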