IdP "Unable to encrypt assertion"

Brent Putman putmanb at
Mon Sep 26 22:18:29 BST 2011

On 9/26/11 4:19 PM, Cantor, Scott wrote:
> Ian noted privately that one oddity about the metadata you had was the
> EncryptionMethod element. I don't know of the IdP using that, or doing
> anything but ignoring it, but you might try removing it.

I don't think that EncryptionMethod should cause any issue, it's
basically ignored at this point.

However: if the metadata snippet that was previously sent was literally
what you are loading: that's not valid, b/c KeyInfo, X509Data and
X509Certificate elements don't have a namespace prefix. Due to the
default namespace being declared to the SAML 2.0 metadata one, they
would be in that namespace and hence "unknown".  Since I think we ignore
unknown elements, they would therefore not be "seen" effectively, so the
key would not be resolved. Double-check that and, if missing, try adding
the appropriate xmlns decl and prefix to those elements from the XML
Signature namespace.

Otherwise, Scott already covered all the issues I can think of, it's
some variant on one of those.  One remote possibility is that your Java
JRE platform might be defaulting to a security provider which produces
Key objects where in this case the algorithm is something other than the
string "RSA". I think we should be logging what it's matching on
somewhere on either DEBUG or TRACE.  But double-check the above issue

More information about the users mailing list