Validation of protocol message signature failed

Vince Johnson vince.walsh at qvc.com
Mon Apr 7 22:04:46 EDT 2014


Thanks, Scott, for the quick response. Your note on duplicate entries got me
in the right direction. I found in the trace logs that the idp-metadata was
loading the EntityID correctly, and the sp-metadata file was loading, but
not loading the correct EntityID.

A few days ago I used the Spring SAML sample page to regenerate the SP
metadata. I thought I had configured the Shibboleth IdP and the Spring SAML SP
to use the new SP metadata. The SP sample was still sending the old SP
format with the old EntityID in the Authn message. I compared the SP
metadata EntityID to the Authn Request Issuer in the trace file, and found
the issue.

For anyone else new to the process hitting this error, these steps may help:

Turn the logging level in ${SHIB_HOME}/config/logging.xml to TRACE or ALL:

    <logger name="edu.internet2.middleware.shibboleth" level="ALL"/>
    <logger name="org.opensaml" level="ALL"/>
    <logger name="edu.vt.middleware.ldap" level="ALL"/>

Compare the Entity ID in SP metadata:

entityID="https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias"

Confirm the SP metadata files are loading with logs like:

    22:27:46.048 - DEBUG [edu.internet2.middleware.shibboleth.common.config.metadata.FilesystemMetadataProviderBeanDefinitionParser:52] - Metadata provider 'MyMetadata' reading metadata from: c:/java/shibboleth-idp/metadata/sp-test-metadata.xml

Find AuthN Request messages with logs like:

    15:34:21.682 - TRACE [org.opensaml.saml2.binding.decoding.HTTPPostDecoder:128] - Decoded SAML message:
    <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://testserver.com:8443/spring-security-saml2-sample/saml/SSO/alias/defaultAlias"
    Destination="https://testserver.com:8445/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false" ID="a464276a922661j199e0j24g1b87j2" IsPassive="false"
    IssueInstant="2014-04-07T16:09:52.125Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Version="2.0"><saml2:Issuer
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias
    ....

Look for the saml2:Issuer element or the AssertionConsumerServiceURL
attribute. This should match the SP metadata EntityID.

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Validation-of-protocol-message-signature-failed-tp7598445p7598461.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
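The comparison the post describes by eye (SP metadata entityID versus the <saml2:Issuer> and AssertionConsumerServiceURL of the AuthnRequest the IdP logged at TRACE) can be scripted. An IdP resolves the signing credential for a request from the metadata of the entity named in <saml2:Issuer>, so an Issuer that matches no loaded metadata cannot have its signature validated. The following is an added example, not code from the original post or from Shibboleth or Spring SAML; both XML documents embedded in it are constructed for the example, with the metadata carrying a hypothetical regenerated alias "newAlias" while the request still names the old "defaultAlias".

```python
"""Check a decoded SAML2 AuthnRequest against the SP metadata an IdP loads.

Added example (not from the original post). Reports whether the request's
<saml2:Issuer> equals the metadata entityID and whether the request's
AssertionConsumerServiceURL is one of the AssertionConsumerService
Locations the metadata declares. Both XML documents are constructed here.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata, as regenerated with a hypothetical new alias.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/newAlias">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://testserver.com:8443/spring-security-saml2-sample/saml/SSO/alias/newAlias"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed AuthnRequest, shaped like the TRACE-logged one in the post,
# still carrying the old alias in both Issuer and ACS URL.
AUTHN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://testserver.com:8443/spring-security-saml2-sample/saml/SSO/alias/defaultAlias"
    Destination="https://testserver.com:8445/idp/profile/SAML2/POST/SSO"
    ID="_constructed_example" IssueInstant="2014-04-07T16:09:52.125Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://testserver.com:8443/spring-security-saml2-sample/saml/metadata/alias/defaultAlias</saml2:Issuer>
</saml2p:AuthnRequest>
"""


def _parse(xml_text):
    # Parse from bytes so the XML declaration's encoding is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def metadata_entity_id(metadata_xml):
    """entityID attribute of the EntityDescriptor root."""
    return _parse(metadata_xml).get("entityID")


def metadata_acs_locations(metadata_xml):
    """Set of AssertionConsumerService Location values in the metadata."""
    root = _parse(metadata_xml)
    return {acs.get("Location") for acs in root.iterfind(".//md:AssertionConsumerService", NS)}


def request_issuer(request_xml):
    """Text of the request's <saml2:Issuer>, whitespace stripped."""
    issuer = _parse(request_xml).find("saml2:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def request_acs_url(request_xml):
    """AssertionConsumerServiceURL attribute of the AuthnRequest."""
    return _parse(request_xml).get("AssertionConsumerServiceURL")


def check_request_against_metadata(request_xml, metadata_xml):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    problems = []
    entity_id = metadata_entity_id(metadata_xml)
    issuer = request_issuer(request_xml)
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} does not match metadata entityID {entity_id!r}")
    acs = request_acs_url(request_xml)
    locations = metadata_acs_locations(metadata_xml)
    if acs is not None and acs not in locations:
        problems.append(f"AssertionConsumerServiceURL {acs!r} not among metadata ACS locations {sorted(locations)!r}")
    return problems


if __name__ == "__main__":
    for line in check_request_against_metadata(AUTHN_REQUEST, SP_METADATA) or ["request is consistent with metadata"]:
        print(line)
```

To use it on a real incident, paste the "Decoded SAML message" XML from the TRACE log into AUTHN_REQUEST and the file named by the "reading metadata from:" DEBUG line into SP_METADATA; an Issuer mismatch is the condition the post identifies, and the ACS check catches the companion case where the request points at an endpoint the IdP has no metadata for.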