SP failing to decrypt assertion
dabantz at alaska.edu
Wed May 14 15:02:00 EDT 2014
Yes, sp-key.pem and sp-cert.pem are world readable / owned by root.
Changed the owner to sibd just in case…same results - “no credential resolver”
shibd.log does say Unable to load private key; restarted the shibd service - this time correctly loaded the key, built the CredentialResolver and now decrypts assertion from IdP.
I don’t know what a restart was needed, but probably should have done that on principle; mea culpa.
On Wed, 14 May 2014, at 10:40 , Nate Klingenstein <ndk at internet2.edu> wrote:
> Did you check permissions on the files? You will probably also see something very explicit in the SP's log at startup.
> On May 14, 2014, at 12:34 PM, David Bantz <dabantz at alaska.edu>
>> I agree that’s what the log message seems to say, but both sp-cert.pem and sp-key.pem are in the same directory as the shibboleth2.xml config file that refers to them as sp-cert.pem and so-key.pem. All in /etc/shibboleth
>> On Wed, 14 May 2014, at 10:29 , Tom Scavo <trscavo at gmail.com> wrote:
>>> On Wed, May 14, 2014 at 2:27 PM, David Bantz <dabantz at alaska.edu> wrote:
>>>> Shibbolizing an app (CentOS platform), we’re seeing the following error after authenticating against the IdP:
>>>> 2014-05-14 10:13:03 WARN Shibboleth.SSO.SAML2 : found encrypted assertions, but no CredentialResolver was available
>>>> 2014-05-14 10:13:03 ERROR Shibboleth.SSO.SAML2 : failed to decrypt assertion: No CredentialResolver supplied to provide decryption keys.
>>>> Shibboleth2.xml retains the default simple credential resolver:
>>>> <CredentiaResolver type=“File” key=“sp-key.pem” certificate=“sp-cert.pem”/>
>>>> and manually inspecting, the certificate matches that used to encrypt the assertion in the IdP log.
>>>> What are we doing wrong?
>>> Not sure but my guess is the Shib SP is not finding the key and cert files.
>>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://shibboleth.net/pipermail/users/attachments/20140514/05fda21f/attachment.bin
More information about the users