IdP "Unable to encrypt assertion"

Yeargan, Yancey yancey at
Mon Sep 26 20:20:21 BST 2011

Yes, that metadata (other than redactions to conceal the vendor's identity) is verbatim from the SP metadata file we are using with our IdP (Shibboleth IdP v2.3.2).

Concerning a possible entityID mismatch, if I override SAML2SSOProfile with encryptAssertions="never" for this SP, then the IdP responds by sending a signed assertion containing an attribute statement to the SP and the vendor confirms that the SP received the response and was able to extract the attribute with no errors. For the sake of being thorough, here is the SAML request from the debug logs. I verified that the entityID matches the SP metadata.

08:51:27.131 - DEBUG [PROTOCOL_MESSAGE:112] - 
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://proofing.[redacted]/saml/unt" Destination="" ForceAuthn="false" ID="s2bb6b184b6a1ca93a4554be3c9447ecbedaf53a98" IsPassive="false" IssueInstant="2011-09-26T13:51:27Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[entityID redacted]</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="[redacted]" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>
<samlp:RequestedAuthnContext Comparison="exact" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>

Concerning the SP certificate itself (possibly being a non-RSA key or something), here [below] is the output from 'openssl x509 -text' on the certificate data contained in the SP metadata.

If not the SP metadata format, the SP certificate format, or an entityID mismatch, what does that leave?

What should I be looking for in debug logs? I keep looking over them and nothing is sticking out yet. My searches of the list archive have not borne any fruit yet.

        Version: 3 (0x2)
        Serial Number: 1276694008 (0x4c18cdf8)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust, Inc., is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C
            Not Before: Sep 17 15:29:31 2010 GMT
            Not After : Jan  1 15:59:30 2014 GMT
        Subject: [redacted]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                    [binary data]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 CRL Distribution Points: 

                Full Name:

            Authority Information Access: 
                OCSP - URI:

            X509v3 Certificate Policies: 
                Policy: 1.2.840.113533.7.75.2

            X509v3 Authority Key Identifier: 

            X509v3 Subject Key Identifier: 
            X509v3 Basic Constraints: 
    Signature Algorithm: sha1WithRSAEncryption
        [binary data]

On Sep 26, 2011, at 12:25 PM, Cantor, Scott wrote:

> If that's the metadata you're using, then it would work, unless the log
> includes some low level indication of why encryption would have failed. I
> would speculate that the cert is unusual in some fundamental way (not an
> RSA key for example), or the entityID isn't correct in the request or
> something like that.
> -- Scott

More information about the users mailing list