Shibboleth NativeSP on FreeBSD 10.0
Dan Turner
dan.turner at york.ac.uk
Fri May 9 11:51:16 EDT 2014
Hi, I'm having some issues getting the NativeSP up and running on
FreeBSD 10.0-Release-p2.
Some more system info:
% freebsd-version
10.0-RELEASE-p2
% httpd -version
Server version: Apache/2.2.27 (FreeBSD)
Server built: May 8 2014 12:03:58
% shibd -v
shibboleth 2.5.2
I'm currently trying to get this to work with testshib.org, and so
far, I've managed to get it to an opensaml::FatalProfileException in
the browser. In the logs, this is showing up as
"ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt assertion: Unable
to resolve any key decryption keys."
I've read through a thread here:
http://shibboleth.net/pipermail/users/2012-July/004947.html
The problem seems to be related, but the suggested fixes don't seem
applicable (they're related to how the IdP is sending the attributes,
which I can't change) or they simply seem to change the error message
in the logs.
I've looked at the Metadata that I'm uploading to testshib.org, and I
can confirm that the correct certificates are being sent to
testshib.org in the metadata, and I've tried setting
extractNames="false" on the CredentialResolver in shibboleth2.xml,
which simply changes the error in the logs (when set to DEBUG level).
The log is for a login attempt with the attached shibboleth2.xml config file.
With debug turned off and extractNames="false":
"2014-05-09 11:07:20 DEBUG XMLTooling.CredentialCriteria [2]: key
algorithm didn't match ('AES' != 'RSA')
2014-05-09 11:07:20 DEBUG XMLTooling.CredentialCriteria [2]: keys didn't match
2014-05-09 11:07:20 ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt
assertion: Unable to resolve any key decryption keys."
And without extractNames:
"2014-05-09 10:42:04 DEBUG XMLTooling.CredentialCriteria [1]: key
algorithm didn't match ('AES' != 'RSA')
2014-05-09 10:42:04 DEBUG XMLTooling.CredentialCriteria [1]:
credential name(s) didn't overlap
2014-05-09 10:42:04 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt
assertion: Unable to resolve any key decryption keys."
Any insights would be greatly appreciated.
-- Dan Turner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shibd.log
Type: application/octet-stream
Size: 12519 bytes
Desc: not available
Url : http://shibboleth.net/pipermail/users/attachments/20140509/84baf7a9/attachment-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shibboleth2.xml
Type: text/xml
Size: 6168 bytes
Desc: not available
Url : http://shibboleth.net/pipermail/users/attachments/20140509/84baf7a9/attachment-0001.xml