SP failing to decrypt assertion

David Bantz dabantz at alaska.edu
Wed May 14 15:09:42 EDT 2014


yes indeed; we fixed that even though using dev boxes now

db


On Wed, 14 May 2014, at 11:04 , Keith Hazelton <hazelton at wisc.edu> wrote:

> sp-key.pem should NOT be world-readable, that’s the private key part of the key pair.    —Keith
> ___________
> On May 14, 2014, at 14:02 , David Bantz <dabantz at alaska.edu> wrote:
> 
>> Yes, sp-key.pem and sp-cert.pem are world readable / owned by root.
>> 
>> Changed the owner to shibd just in case…same results - “no credential resolver”
>> 
>> shibd.log does say Unable to load private key; restarted the shibd service - this time correctly loaded the key, built the CredentialResolver and now decrypts assertion from IdP.
>> 
>> I don’t know why a restart was needed, but probably should have done that on principle; mea culpa.
>> 
>> David
>> 
>> On Wed, 14 May 2014, at 10:40 , Nate Klingenstein <ndk at internet2.edu> wrote:
>> 
>>> David,
>>> 
>>> Did you check permissions on the files?  You will probably also see something very explicit in the SP's log at startup.
>>> 
>>> Thanks,
>>> Nate.
>>> 
>>> On May 14, 2014, at 12:34 PM, David Bantz <dabantz at alaska.edu> wrote:
>>> 
>>>> I agree that’s what the log message seems to say, but both sp-cert.pem and sp-key.pem are in the same directory as the shibboleth2.xml config file that refers to them as sp-cert.pem and sp-key.pem.  All in /etc/shibboleth
>>>> 
>>>> David
>>>> 
>>>> 
>>>> On Wed, 14 May 2014, at 10:29 , Tom Scavo <trscavo at gmail.com> wrote:
>>>> 
>>>>> On Wed, May 14, 2014 at 2:27 PM, David Bantz <dabantz at alaska.edu> wrote:
>>>>>> Shibbolizing an app (CentOS platform), we’re seeing the following error after authenticating against the IdP:
>>>>>> 
>>>>>> 2014-05-14 10:13:03 WARN Shibboleth.SSO.SAML2 [10]: found encrypted assertions, but no CredentialResolver was available
>>>>>> 2014-05-14 10:13:03 ERROR Shibboleth.SSO.SAML2 [10]: failed to decrypt assertion: No CredentialResolver supplied to provide decryption keys.
>>>>>> 
>>>>>> Shibboleth2.xml retains the default simple credential resolver:
>>>>>> 
>>>>>> <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>>>>>> 
>>>>>> and manually inspecting, the certificate matches that used to encrypt the assertion in the IdP log.
>>>>>> 
>>>>>> What are we doing wrong?
>>>>> 
>>>>> Not sure but my guess is the Shib SP is not finding the key and cert files.
>>>>> 
>>>>> Tom
>>>>> --
>>>>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

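The thread boils down to three things the SP needs before it can decrypt: the <CredentialResolver> element has to be spelled and attributed correctly, the key file it points at has to be loadable by the shibd user (and, per Keith, not world-readable), and the private key has to match the certificate the IdP encrypted to. The script below is an added example for pre-flight checking those three points from the shell; it is not from the thread or from the Shibboleth project. It assumes the /etc/shibboleth layout discussed above, that shibd runs as a user named "shibd" (override with SHIBD_USER), and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original thread or the Shibboleth SP.
# Pre-flight checks for the SP decryption credential referenced by
# <CredentialResolver type="File" key="..." certificate="..."/>.
# Assumptions: config lives in /etc/shibboleth, shibd runs as user "shibd".

# other_readable FILE -> 0 if the world-read bit is set.
# Column 8 of `ls -l` output is the "other" read bit; this is portable
# across GNU and BSD ls, unlike stat's format flags.
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# key_perms_ok FILE [OWNER] -> 0 if the private key exists, is not
# world-readable, and is owned by OWNER (default: shibd).
key_perms_ok() {
    f=$1; owner=${2:-shibd}
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    if other_readable "$f"; then echo "world-readable private key: $f"; return 1; fi
    actual=$(ls -ld "$f" | awk '{print $3}')
    [ "$actual" = "$owner" ] || { echo "owner is $actual, expected $owner: $f"; return 1; }
}

# key_matches_cert KEY CERT -> 0 if the public key derived from the private
# key equals the public key in the certificate, i.e. this key can decrypt
# assertions the IdP encrypted to this certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || { echo "cannot load key: $1"; return 1; }
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || { echo "cannot load cert: $2"; return 1; }
    [ "$k" = "$c" ] || { echo "key/cert mismatch: $1 vs $2"; return 1; }
}

# resolver_attr CONFIG ATTR -> print ATTR of the first <CredentialResolver>
# element; fails if the element is absent or misspelled (e.g. CredentiaResolver),
# which the SP would not recognise either.
resolver_attr() {
    line=$(grep -o '<CredentialResolver[^>]*>' "$1" | head -n 1)
    [ -n "$line" ] || { echo "no <CredentialResolver> element in $1" >&2; return 1; }
    printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" | grep .
}

# check_sp_credentials [CONFIG_DIR] -> run all checks. Relative key/cert
# paths are resolved against CONFIG_DIR, as the SP resolves them against
# the directory holding shibboleth2.xml.
check_sp_credentials() {
    dir=${1:-/etc/shibboleth}
    cfg="$dir/shibboleth2.xml"
    key=$(resolver_attr "$cfg" key) || return 1
    cert=$(resolver_attr "$cfg" certificate) || return 1
    case $key in /*) ;; *) key="$dir/$key";; esac
    case $cert in /*) ;; *) cert="$dir/$cert";; esac
    key_perms_ok "$key" "${SHIBD_USER:-shibd}" || return 1
    key_matches_cert "$key" "$cert" || return 1
    echo "ok: $key is usable by shibd and matches $cert"
}

# Usage: sh check-sp-creds.sh   (or: SHIBD_USER=someuser sh check-sp-creds.sh /opt/shib/etc)
[ "${0##*/}" = "check-sp-creds.sh" ] && check_sp_credentials "$@"
```

After fixing permissions or ownership, remember from the thread that shibd only reads the key at startup, so a restart is still needed before the log stops reporting "no CredentialResolver".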