SP failing to decrypt assertion
David Bantz
dabantz at alaska.edu
Wed May 14 15:02:00 EDT 2014
Yes, sp-key.pem and sp-cert.pem are world readable / owned by root.
Changed the owner to shibd just in case… same results - “no credential resolver”
shibd.log does say Unable to load private key; restarted the shibd service - this time correctly loaded the key, built the CredentialResolver and now decrypts assertion from IdP.
I don’t know why a restart was needed, but probably should have done that on principle; mea culpa.
David
On Wed, 14 May 2014, at 10:40 , Nate Klingenstein <ndk at internet2.edu> wrote:
> David,
>
> Did you check permissions on the files? You will probably also see something very explicit in the SP's log at startup.
>
> Thanks,
> Nate.
>
> On May 14, 2014, at 12:34 PM, David Bantz <dabantz at alaska.edu>
> wrote:
>
>> I agree that’s what the log message seems to say, but both sp-cert.pem and sp-key.pem are in the same directory as the shibboleth2.xml config file that refers to them as sp-cert.pem and sp-key.pem. All in /etc/shibboleth
>>
>> David
>>
>>
>> On Wed, 14 May 2014, at 10:29 , Tom Scavo <trscavo at gmail.com> wrote:
>>
>>> On Wed, May 14, 2014 at 2:27 PM, David Bantz <dabantz at alaska.edu> wrote:
>>>> Shibbolizing an app (CentOS platform), we’re seeing the following error after authenticating against the IdP:
>>>>
>>>> 2014-05-14 10:13:03 WARN Shibboleth.SSO.SAML2 [10]: found encrypted assertions, but no CredentialResolver was available
>>>> 2014-05-14 10:13:03 ERROR Shibboleth.SSO.SAML2 [10]: failed to decrypt assertion: No CredentialResolver supplied to provide decryption keys.
>>>>
>>>> Shibboleth2.xml retains the default simple credential resolver:
>>>>
>>>> <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>>>>
>>>> and manually inspecting, the certificate matches that used to encrypt the assertion in the IdP log.
>>>>
>>>> What are we doing wrong?
>>>
>>> Not sure but my guess is the Shib SP is not finding the key and cert files.
>>>
>>> Tom
>>> --
>>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>>
>>
>
>