Shibd process crashes shibd.exe version 2.53

Brent Putman putmanb at
Fri May 16 14:06:20 EDT 2014

On 5/16/14 11:45 AM, pvenkatesh at wrote:
> I am comparing this with  the IDP Metadata XML they sent over( being fed to
> our SP) .  
> MEdatadata XML also has ,  
> <ds:DigestValue> , <ds:SignatureValue> and   <ds:X509Certificate>

Ok, sounds like they are giving you signed metadata.  That's fine. 

> BUT, only the <ds:X509Certificate> information matches , 
> the content in the <ds:DigestValue> , <ds:SignatureValue>  is DIFFERENT.

That's expected.  The signature over the metadata document has nothing
to do with the signature over their responses.  So naturally the
DigestValue and SignatureValue will be different.

For the X509Certificate:  what you've said is a little ambiguous.  That
element can appear within the KeyInfo of the Signature, in which case it
isn't (necessarily) related to verifying their responses (could be the
same cert, but that's irrelevant).

What is relevant, and what you should be looking for, is the
KeyDescriptor(s) and child elements that appear under the
IDPSSODescriptor within the IdP's metadata.  The keys/certs which appear
there are what will be used to verify the response and assertion
signatures by your SP.  The public keys and/or certs there have to match
what they are signing their responses and assertions with.

>  Is this causing the problem and giving out the ""Message was signed,
> signature could not be verified"  message? 


> If i need to provide their key in SP somewhere where do i do it? 

In your SP, you need to load their metadata.  That's how the SP knows
about the keys and other info it needs to process the IdP's response. 
That's covered in the SP install docs as one of the basic steps in
initial setup and configuration.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list