configuring metadata for Net+ Box SP

Douglas E. Engert deengert at anl.gov
Mon Jul 8 11:06:56 EDT 2013



On 7/8/2013 9:18 AM, Rob Gorrell wrote:
> So I completed setting up my IdP for the bilateral trust with Box using the metadata file they provided "as is" and I've asked Box to enable SSO for us, but upon initial testing, I'm now having a
> problem. After authenticating at our IdP, their SP is returning the following:
>
> Error - Single Sign-On
> Nonsuccess Response status: urn:oasis:names:tc:SAML:2.0:status:Responder Status Message: Unable to encrypt assertion
> Partner: https://prdidp.uncg.edu/idp/shibboleth
> Target Resource: https://uncg.box.com/sso/ping_federate

After running xmllint to make the Box metadata easier to read,
we made one change, so their certificate could be used for encryption:


--- ,boxsamplemetadata-091311.xml       2013-02-21 14:59:30.000000000 -0600
+++ boxsamplemetadata-091311.xml        2013-02-21 15:04:49.000000000 -0600
@@ -46,7 +46,7 @@
      </ds:KeyInfo>
    </ds:Signature>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:KeyDescriptor use="signing">
+    <md:KeyDescriptor>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
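Review bot: dropping `use="signing"` from the `<md:KeyDescriptor>` makes the key usable for both signing and encryption (absence of `use` means both in SAML metadata), which is the minimal fix for the "Could not resolve a key encryption credential" error; a second `<md:KeyDescriptor use="encryption">` carrying the same `<ds:KeyInfo>` would state the intent explicitly and survive a later re-import of Box's signing-only metadata more visibly. Also, the header `@@ -46,7 +46,7 @@` announces seven lines on each side but only six are visible here, so the final trailing context line appears to have been lost when the patch was pasted into the mail.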


>
> my idp-process.log shows:
> 09:55:13.304 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:966] - Could not resolve a key encryption credential for peer entity: box.net
> 09:55:13.305 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:276] - Unable to construct encrypter
> org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
>
> Is this something on my end? Or perhaps I didn't provide my IdP's metadata correctly to them, or something was lost in translation? https://prdidp.uncg.edu/idp/shibboleth being displayed by them as the
> "Partner" is my correct entityID.
>
> Thanks
> -Rob
>
>
> --
> Robert W. Gorrell
> Middleware Engineer, Identity and Access Management
> University of NC at Greensboro
> 336-334-5954
>
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
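As an added example (not code from this thread or from Box), the Python below applies the SAML metadata rule behind the patch above: an IdP can only encrypt assertions to an SP whose `<md:KeyDescriptor>` carries `use="encryption"` or no `use` attribute at all. The metadata strings, entityID and certificate text it uses are constructed placeholders.

```python
# Added example: decide whether an SP's SAML metadata declares a key an IdP
# may use to encrypt assertions. A KeyDescriptor with use="signing" only is
# what produces "Could not resolve a key encryption credential" at the IdP.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def encryption_keys(metadata_xml: str) -> list:
    """Return the X509 certificates (whitespace stripped) that may be used
    for assertion encryption; an empty list means encryption will fail."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        if use not in (None, "encryption"):
            continue  # use="signing": not usable for encryption
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs


def can_encrypt_to(metadata_xml: str) -> bool:
    return bool(encryption_keys(metadata_xml))


def sample_sp_metadata(key_descriptor_attr: str) -> str:
    """Constructed SP metadata; the certificate body is a placeholder, not a key."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.test/sso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor{key_descriptor_attr}>
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>
          MIIB...PLACEHOLDER...
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


AS_SHIPPED = sample_sp_metadata(' use="signing"')  # mirrors the "-" line of the diff
PATCHED = sample_sp_metadata("")                   # mirrors the "+" line (no use attribute)

if __name__ == "__main__":
    for name, md in (("as shipped", AS_SHIPPED), ("patched", PATCHED)):
        print(f"{name}: IdP can encrypt assertion -> {can_encrypt_to(md)}")
```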

