detected a problem with assertion: Message was signed, but signature could not be verified

Roy Spectech roygspectech8 at gmail.com
Mon Apr 28 14:08:34 EDT 2014


I believe this has been discussed on this list previously.
However, there seems to be disagreement on the solution tasks.

We're the SP in this equation, our customer is the IdP side.
When people reach our product site, they are redirected to the Shibboleth
Challenge Page (a.k.a. Login Page) of the Customer.

So far so good.

However, after entering User/Pass, this error appears in the Browser and in
the Shib Logs:

Browser Error:

opensaml::FatalProfileException

opensaml::FatalProfileException at (https://corp.com/customer0102/Shibboleth.sso/SAML2/POST)

Message was signed, but signature could not be verified.



From the SP-side logs:


From shibd.log:

2014-04-22 20:48:32 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2014-04-22 20:48:32 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolving ds:X509Certificate
2014-04-22 20:48:32 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 1 certificate(s)
2014-04-22 20:48:32 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 CRL(s)
2014-04-22 20:48:32 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine
2014-04-22 20:48:32 WARN Shibboleth.SSO.SAML2 [1]: detected a problem with assertion: Message was signed, but signature could not be verified.


From shibd_warn.log:

2014-04-22 20:48:32 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine
2014-04-22 20:48:32 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Message was signed, but signature could not be verified




native.log:

2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: sending message (customer0102::getHeaders::Application)
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: trying to connect to listener
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: socket (59) connected successfully
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: send completed, reading response message
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: sending message (customer0102/Login::run::SAML2SI)
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: send completed, reading response message
2014-04-22 20:48:32 DEBUG Shibboleth.Listener [24446] shib_handler: sending message (customer0102/SAML2/POST)
2014-04-22 20:48:32 DEBUG Shibboleth.Listener [24446] shib_handler: trying to connect to listener
2014-04-22 20:48:32 DEBUG Shibboleth.Listener [24446] shib_handler: socket (56) connected successfully
2014-04-22 20:48:32 DEBUG Shibboleth.Listener [24446] shib_handler: send completed, reading response message
2014-04-22 20:48:32 ERROR Shibboleth.Listener [24446] shib_handler: remoted message returned an error: Message was signed, but signature could not be verified.
2014-04-22 20:48:32 ERROR Shibboleth.Apache [24446] shib_handler: Message was signed, but signature could not be verified.


native_warn.log:

2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: sending message (customer0102::getHeaders::Application)
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: trying to connect to listener
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: socket (59) connected successfully
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: send completed, reading response message
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: sending message (customer0102/Login::run::SAML2SI)
2014-04-22 20:48:12 DEBUG Shibboleth.Listener [24441] shib_check_user: send completed, reading response message
2014-04-22 20:48:32 DEBUG Shibboleth.Listener [24446] shib_handler: sending message (customer0102/SAML2/POST)
2014-04-22 20:48:32 DEBUG Shibboleth.Listener [24446] shib_handler: trying to connect to listener
2014-04-22 20:48:32 DEBUG Shibboleth.Listener [24446] shib_handler: socket (56) connected successfully
2014-04-22 20:48:32 DEBUG Shibboleth.Listener [24446] shib_handler: send completed, reading response message
2014-04-22 20:48:32 ERROR Shibboleth.Listener [24446] shib_handler: remoted message returned an error: Message was signed, but signature could not be verified.
2014-04-22 20:48:32 ERROR Shibboleth.Apache [24446] shib_handler: Message was signed, but signature could not be verified.


OK, so either our side is signing with the wrong key or the IdP side is
using the wrong key to decrypt. It all comes down to which side needs to
change? Is there a deterministic method of determining which side is using
the wrong key? What log at the IdP side would we look at for that level of
error?

Of course, we at the SP side currently have no issues with our other
customers. I'm sure the admin team on the customer0102 side will say their
IdP is authenticating everyone just fine on their side too.

...aspirin just doesn't cut it sometimes...



Thanks so much in advance.

-- RGS

==================================
Roy G. Specter
roygspectech8 at gmail.com
========================================
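An added example (not part of the original post, and not Shibboleth's own code) of the deterministic check the question asks for. The Shibboleth SP verifies a message signature against the keys published for that IdP in the metadata the SP has loaded, so the log sequence above ("resolved 1 certificate(s)" from the inline KeyInfo, then "unable to verify message signature with supplied trust engine") is answered by one comparison: the ds:X509Certificate carried in the POSTed SAMLResponse against the KeyDescriptor certificates in the SP's copy of the IdP metadata. The script below, stdlib Python only, extracts both sides and compares fingerprints. The entityID, the metadata document and the two "certificates" (plain byte strings, not real X.509) are constructed sample data; the script does not verify the XML signature itself, it only tells you whether the signing cert is one the SP trusts.

```python
"""Compare the inline signing cert of a SAMLResponse with the IdP signing
certs an SP holds in metadata. Stdlib only; compares fingerprints, does not
validate the XML signature. All sample data below is constructed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _normalize_b64(text):
    """Strip whitespace so a PEM-wrapped copy equals a single-line copy."""
    return re.sub(r"\s+", "", text or "")


def fingerprint(cert_b64):
    """SHA-256 fingerprint (colon-separated hex) of the DER bytes of a base64 cert."""
    digest = hashlib.sha256(base64.b64decode(_normalize_b64(cert_b64))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inline_certs(saml_response_b64):
    """Every ds:X509Certificate inside the base64 SAMLResponse the browser
    POSTs to /Shibboleth.sso/SAML2/POST (the cert KeyInfoResolver.Inline resolves)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return [_normalize_b64(e.text) for e in root.iter("{%s}X509Certificate" % NS["ds"])]


def metadata_signing_certs(metadata_xml):
    """Certs the SP trusts for signatures from this IdP: KeyDescriptors under
    IDPSSODescriptor with use="signing" or no use attribute at all."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += [_normalize_b64(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return certs


def diagnose(saml_response_b64, metadata_xml):
    """'matches' is True when at least one inline cert is in the trusted set."""
    inline = {fingerprint(c) for c in inline_certs(saml_response_b64)}
    trusted = {fingerprint(c) for c in metadata_signing_certs(metadata_xml)}
    return {"inline": sorted(inline), "trusted": sorted(trusted), "matches": bool(inline & trusted)}


def _wrap(b64):
    """Mimic PEM line wrapping, as metadata and KeyInfo usually carry it."""
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


# Constructed stand-ins for DER certificates (NOT real X.509; the script only hashes them).
CERT_IN_METADATA = base64.b64encode(b"constructed IdP signing cert published in metadata" * 3).decode()
CERT_ROTATED = base64.b64encode(b"constructed IdP signing cert after an unannounced key rotation" * 3).decode()

# Constructed SP-side copy of the IdP metadata; entityID is an assumption.
SP_METADATA_FOR_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % _wrap(CERT_IN_METADATA)


def sample_response(cert_b64):
    """Constructed minimal SAMLResponse carrying the given cert in its KeyInfo."""
    xml = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>""" % _wrap(cert_b64)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for label, cert in (("IdP rotated key, SP metadata stale", CERT_ROTATED),
                        ("IdP signs with published key", CERT_IN_METADATA)):
        result = diagnose(sample_response(cert), SP_METADATA_FOR_IDP)
        print("%s -> %s" % (label, "OK" if result["matches"] else "NO TRUSTED KEY"), result)
```

To run it against the real exchange, feed `diagnose()` the SAMLResponse form parameter captured from the browser POST and the metadata file the SP's MetadataProvider loads for that IdP. If the inline fingerprint is not in the trusted set, the SP's copy of the IdP metadata does not contain the key the IdP is currently signing with (stale metadata on the SP side, or a key the IdP never published), and that is what needs to change; the SP's own key is not involved in verifying an incoming signature. If the fingerprint does match, the cert is trusted and the failure lies elsewhere, for example a modified or re-serialized message, which a fingerprint comparison will not show.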