Unable to establish security of incoming assertion

Nate Klingenstein ndk at internet2.edu
Thu Jun 27 17:05:13 EDT 2013 

Justin,

This is just the in-process counterpart of the other error.  You're unlikely to discover anything new about the error without putting shibd.logger on DEBUG and retrying with this IdP, and as Scott mentioned, it's not likely to be a common problem.

Thanks,
Nate.

On Jun 27, 2013, at 20:56 , Justin Russo wrote:

> Hi,
> My native.log log has the below error - can you help me with this ?
> 
> 2013-06-27 16:54:49 INFO XMLTooling.Config : xmltooling 1.5.2 library initialization complete
> 2013-06-27 16:54:49 INFO Shibboleth.Config : shibboleth 2.5.1 library initialization complete
> 2013-06-27 16:54:49 INFO Shibboleth.Config : reload thread started...running when signaled
> 2013-06-27 16:54:49 INFO Shibboleth.Config : loaded XML resource (C:/opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml)
> 2013-06-27 16:54:49 INFO Shibboleth.Config : Shibboleth SP Version 2.5.1
> 2013-06-27 16:54:49 INFO Shibboleth.Config : Library versions: log4shib 1.0.5, Xerces-C 3.1.1, XMLTooling-C 1.5.2, Shibboleth 1.5.1
> 2013-06-27 16:54:49 INFO Shibboleth.Config : building ListenerService of type TCPListener...
> 2013-06-27 16:54:49 INFO Shibboleth.Config : building SessionCache of type StorageService...
> 2013-06-27 16:54:49 WARN Shibboleth.SessionCache : cacheTimeout property is deprecated in favor of cacheAllowance (see documentation)
> 2013-06-27 16:54:49 INFO Shibboleth.Config : building RequestMapper of type Native...
> 2013-06-27 16:54:49 INFO Shibboleth.SessionCache : cleanup thread started...run every 900 secs; timeout after 900 secs
> 2013-06-27 16:54:49 INFO Shibboleth.AssertionLookup : installing default ACL (127.0.0.1 ::1)
> 2013-06-27 16:54:58 ERROR Shibboleth.Listener [4848] isapi_shib_extension: remoted message returned an error: Unable to establish security of incoming assertion.
> 2013-06-27 16:54:58 ERROR Shibboleth.ISAPI [4848] isapi_shib_extension: Unable to establish security of incoming assertion.
> 
> thanks
> 
> Justin
> 
> From: Nate Klingenstein <ndk at internet2.edu>
> To: Shib Users <users at shibboleth.net> 
> Sent: Thursday, June 27, 2013 4:17 PM
> Subject: Re: Unable to establish security of incoming assertion
> 
> Session initiation should be fine and I see nothing wrong with your SP configuration.  The problem is likely something in the incoming message.  If you turn up shibd.logger to DEBUG, you should be able to see that incoming message.
> 
> On Jun 27, 2013, at 20:11 , Justin Russo wrote:
> 
> > Hi Scott,
> > thanks for the quick reply.
> > here is some more info.
> > Initially when i set up shibboleth for the first time i test using University of south California idp.
> > Now when im trying to connect to my IDP provider "ABC Company" i used the existing shibboleth2.xml file and modified it accordingly. 
> > Currently when i check i have the below questionable stuff in my shibboleth2.xml
> > 
> > <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
> >                    relayState="cookie" entityID="https://abccompany.org/SAML2/IDP"
> >                    acsByIndex="false">
> >                <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
> >                <SessionInitiator type="Shib1" acsIndex="5"/>
> >            </SessionInitiator>
> > 
> >            
> >            <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
> >            <SessionInitiator type="Chaining" Location="/WAYF/shibboleth.usc.edu" id="usc" relayState="cookie">
> >                <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
> >                <SessionInitiator type="Shib1" acsIndex="5"/>
> >                <SessionInitiator type="WAYF" acsIndex="5" URL="https://shibboleth-test.usc.edu/idp/profile/Shibboleth/SSO"/>
> >            </SessionInitiator>
> > 
> > I know im nbot using University of south California idp any more, can i remove the WAYF Session initiator attribute ?
> > 
> > do you think this is the cause
> > 
> > thanks
> > Justin
> > 
> > From: "Cantor, Scott" <cantor.2 at osu.edu>
> > To: Shib Users <users at shibboleth.net> 
> > Sent: Thursday, June 27, 2013 4:04 PM
> > Subject: Re: Unable to establish security of incoming assertion
> > 
> > On 6/27/13 3:49 PM, "justin9" <justin9 at ymail.com> wrote:
> > 
> > >Hi Nate,
> > >The file attached here.
> > >shibd.log 
> > ><http://shibboleth.1660669.n2.nabble.com/file/n7587944/shibd.log>
> > 
> > I would turn up logging to DEBUG to see if anything more comes out, but
> > the sparseness of information leads me to believe the error is something
> > extremely unusual, like a non-Shibboleth IdP that isn't signing anything
> > in the response. It's not normal to get that error without more in the log
> > than that one warning.
> > 
> > -- Scott
> > 
> > 
> > --
> > To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> > 
> > 
> > --
> > To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> 
> 
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> 
> 
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list