IdP "Unable to encrypt assertion"

Yeargan, Yancey yancey at unt.edu
Mon Sep 26 18:21:23 BST 2011


To date, we interoperated with Shibboleth SPs only and had no trouble with this. This past week, we tried to add a new outside vendor's SP (which is not running Shibboleth) and our IdP says it is "Unable to encrypt assertion" with this SP. Perhaps someone will help educate me on this topic. I have a guess, but want to confirm before going back to the vendor with this.

Here's my best guess so far:
Must the X.509 subject name CN value in the SP's certificate match the SP's DNS host name?



Here is the SP metadata that we received from the vendor. I redacted references to the vendor and certificate data.

<EntityDescriptor entityID="[redacted]" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
	<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<KeyDescriptor use="encryption">
			<KeyInfo>
				<X509Data>
					<X509Certificate>[redacted]</X509Certificate>
				</X509Data>
			</KeyInfo>
			<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
		</KeyDescriptor>
		<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
		<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://proofing.[redacted]/saml/unt" />
	</SPSSODescriptor>
</EntityDescriptor>

The X.509 certificate contained in the SP metadata has a valid date range. However, the CN value in the X.509 subject name does not match the SP's DNS host name (from Location="https://proofing.[redacted]/saml/unt"). The SP's certificate contains saml.vendor.com and the SP's DNS host name is proofing.vendor.com. A name mismatch is the only thing I can see that may be causing the IdP to refuse to encrypt assertions, but the debug level logging output does not explicitly say why. So I am asking an expert to confirm (or reject) my hypothesis.


The debug output from idp-process.log from this morning:

08:51:33.684 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:73] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
08:51:33.685 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:73] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
08:51:33.685 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:73] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
08:51:33.685 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:104] - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
08:51:33.686 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:904] - Could not resolve a key encryption credential for peer entity: [redacted]
08:51:33.702 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential [deleted stack trace followed this]


Thanks,
Yancey
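As an added example (not part of the original post, nor Shibboleth's own code), a stdlib-only Python lint for the encryption KeyDescriptor in SP metadata that checks what an OpenSAML-based IdP needs before it can resolve a key encryption credential: a KeyDescriptor usable for encryption, a KeyInfo that is actually the XML Signature ds:KeyInfo element, and a non-empty certificate value. Metadata-based trust uses the key taken from the metadata directly, so the certificate CN is never compared with the endpoint hostname; what the check does flag is that a bare <KeyInfo> under a default md namespace, as in the vendor metadata quoted above, lands in the metadata namespace rather than the ds namespace. The entityID, URL and certificate placeholder in the constructed sample are invented.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def lint_encryption_keys(metadata_xml):
    """Return findings explaining why an OpenSAML-based IdP could fail to
    resolve an encryption credential from this SP metadata ([] = none)."""
    findings = []
    sp = ET.fromstring(metadata_xml).find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor"]
    # A KeyDescriptor with use="encryption", or with no use attribute
    # (meaning both signing and encryption), can supply the key.
    usable = [kd for kd in sp.findall(f"{{{MD}}}KeyDescriptor")
              if kd.get("use") in (None, "encryption")]
    if not usable:
        findings.append("no KeyDescriptor usable for encryption")
    for kd in usable:
        # KeyInfo must be the XML Signature element ds:KeyInfo. A bare
        # <KeyInfo> under a default md namespace ends up in the metadata
        # namespace, which is schema-invalid and yields no credential.
        ki = kd.find(f"{{{DS}}}KeyInfo")
        if ki is None:
            wrong = [c.tag for c in kd if c.tag.endswith("}KeyInfo")]
            findings.append(f"KeyInfo not in ds namespace: {wrong or 'missing'}")
            continue
        certs = ki.findall(f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        if not any((c.text or "").strip() for c in certs):
            findings.append("no X509Certificate value inside ds:KeyInfo")
    return findings


# Constructed sample in the same shape as the vendor metadata quoted above
# (hypothetical entityID and URL, certificate replaced by a placeholder).
VENDOR_LIKE = """<EntityDescriptor entityID="https://sp.example" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo><X509Data><X509Certificate>MIIB...placeholder</X509Certificate></X509Data></KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    </KeyDescriptor>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://proofing.example/saml/unt" />
  </SPSSODescriptor>
</EntityDescriptor>"""

# The same metadata with KeyInfo declared in the XML Signature namespace.
FIXED = VENDOR_LIKE.replace(
    "<KeyInfo>", '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">')
```

Running `lint_encryption_keys(VENDOR_LIKE)` reports the KeyInfo namespace problem, while `lint_encryption_keys(FIXED)` returns an empty list.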


