SP failing to decrypt assertion

Keith Hazelton hazelton at wisc.edu
Wed May 14 15:04:54 EDT 2014


sp-key.pem should NOT be world-readable, that’s the private key part of the key pair.    —Keith
___________
On May 14, 2014, at 14:02 , David Bantz <dabantz at alaska.edu> wrote:

> Yes, sp-key.pem and sp-cert.pem are world readable / owned by root.
> 
> Changed the owner to shibd just in case… same results - “no credential resolver”
> 
> shibd.log does say Unable to load private key; restarted the shibd service - this time correctly loaded the key, built the CredentialResolver and now decrypts assertion from IdP.
> 
> I don’t know why a restart was needed, but probably should have done that on principle; mea culpa.
> 
> David
> 
> On Wed, 14 May 2014, at 10:40 , Nate Klingenstein <ndk at internet2.edu> wrote:
> 
>> David,
>> 
>> Did you check permissions on the files?  You will probably also see something very explicit in the SP's log at startup.
>> 
>> Thanks,
>> Nate.
>> 
>> On May 14, 2014, at 12:34 PM, David Bantz <dabantz at alaska.edu>
>> wrote:
>> 
>>> I agree that’s what the log message seems to say, but both sp-cert.pem and sp-key.pem are in the same directory as the shibboleth2.xml config file that refers to them as sp-cert.pem and sp-key.pem.  All in /etc/shibboleth
>>> 
>>> David
>>> 
>>> 
>>> On Wed, 14 May 2014, at 10:29 , Tom Scavo <trscavo at gmail.com> wrote:
>>> 
>>>> On Wed, May 14, 2014 at 2:27 PM, David Bantz <dabantz at alaska.edu> wrote:
>>>>> Shibbolizing an app (CentOS platform), we’re seeing the following error after authenticating against the IdP:
>>>>> 
>>>>> 2014-05-14 10:13:03 WARN Shibboleth.SSO.SAML2 [10]: found encrypted assertions, but no CredentialResolver was available
>>>>> 2014-05-14 10:13:03 ERROR Shibboleth.SSO.SAML2 [10]: failed to decrypt assertion: No CredentialResolver supplied to provide decryption keys.
>>>>> 
>>>>> Shibboleth2.xml retains the default simple credential resolver:
>>>>> 
>>>>> <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>>>>> 
>>>>> and manually inspecting, the certificate matches that used to encrypt the assertion in the IdP log.
>>>>> 
>>>>> What are we doing wrong?
>>>> 
>>>> Not sure but my guess is the Shib SP is not finding the key and cert files.
>>>> 
>>>> Tom
>>>> --
>>>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>>> 
