Shibboleth NativeSP on FreeBSD 10.0

Dan Turner dan.turner at
Thu May 15 06:05:25 EDT 2014

Hi Scott,

Thank you for your quick reply.

To clarify, should I be looking for the shibboleth-sp x509 certificate
(sp-cert.pem in my case) in the response from the IdP?

I turned logging up to debug, which output the response received from
the IdP into the logs, and manually compared the x509 certificates in
the response from the IdP (in the element <ds:X509Certificate>) and
found that the certificate did not feature in there.

I've also checked the IdP metadata (in this case,
/var/db/shibboleth/testshib-two-idp-metadata.xml) and the x509
certificate given in there. This cert also does not show up in the

Given that I upload the metadata from /Shibboleth.sso/Metadata, and I
can verify that my certificate (sp-cert.pem) appears in the SP
Metadata. As you said in your message, I think that the IdP is not
encrypting the response attributes with the certificate which the SP
is expecting (and putting in the SP's Metadata). Are there any ways
that I might be able to force the IdP to switch which certificates
it's associating with my machine without actually controlling the IdP?


Dan Turner

More information about the users mailing list