Shibd process crashes shibd.exe version 2.53

Nate Klingenstein ndk at internet2.edu
Fri May 16 16:56:52 EDT 2014


P,

I don't believe that the SAML 2.0 specification explicitly precludes sending a signed assertion that can't be validated by the SP because the SP has no trusted public key for that IdP.  The Web Browser SSO Profile does specifically require the SP to validate any signatures present, so sending signed assertions without giving the SP a key is effectively guaranteeing that this error will always occur.  Shibboleth and most implementations get this trusted key from metadata.

TestShib provides nice example metadata for IdP's and SP's that is reasonably well <!-- commented -->.  It's not signed but it should show where stuff goes.

http://testshib.org/metadata/testshib-providers.xml

They really ought to be providing a key for the IdP (and make sure that the non-redacted entityID is a URI in a namespace they control).

Hope this helps,
Nate.

On May 16, 2014, at 2:41 PM, "pvenkatesh at moxiesoft.com" <pvenkatesh at moxiesoft.com> wrote:

I am looking at their IDP metadata XML they sent over. Their
IDPSSODescriptor does not seem to have ANY child elements related to the
KeyDescriptors at all.

<EntityDescriptor ID="SM1543418b14458559b3f14af35920277e273007281199"
                  entityID="TESTIDP">
    <IDPSSODescriptor ID="SM297c611d66b7a37042611045c87dd7d1745005bae94"
                      WantAuthnRequestsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://test.com/affwebservices/public/saml2sso"/>
    </IDPSSODescriptor>
</EntityDescriptor>

The cert details are within the initial <Signature> element. The above
section is almost at the end of the XML with no KeyDescriptor values.
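Added example, not code from this thread or from Shibboleth: a small checker for the condition Nate describes (an IDPSSODescriptor with no KeyDescriptor, so the SP has no trusted signing key), run on constructed metadata that mirrors the quoted fragment. The "MIIC...placeholder" certificate and the example.org entityID are placeholders.

```python
# Added example, not from this thread: checks SAML 2.0 IdP metadata for what the
# quoted metadata lacks, a KeyDescriptor carrying the IdP's signing certificate.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

def idp_signing_certs(idp: ET.Element) -> list[str]:
    """Base64 certs from KeyDescriptors usable for signing (use="signing" or absent)."""
    return ["".join(c.text.split())
            for kd in idp.findall("md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"  # use="encryption" cannot verify
            for c in kd.findall(".//ds:X509Certificate", NS) if c.text]

def check_idp_metadata(xml_text: str) -> list[str]:
    """Return the problems an SP would hit with this metadata; [] means usable."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if not urlparse(entity_id).scheme:  # entityID must be a URI (https://... or urn:...)
        problems.append(f"entityID {entity_id!r} is not a URI")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor found"]
    if not idp_signing_certs(idp):
        msg = "IDPSSODescriptor has no signing KeyDescriptor, so the SP has no trusted key"
        if root.find("ds:Signature", NS) is not None:
            msg += " (the ds:Signature on the metadata only signs the document itself)"
        problems.append(msg)
    return problems

# Constructed samples: BAD mirrors the quoted metadata, GOOD adds what it lacks;
# "MIIC...placeholder" stands in for a real base64 certificate.
SSO = ('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"'
       ' Location="https://test.com/affwebservices/public/saml2sso"/>')
BAD = f"""<EntityDescriptor xmlns="{MD}" entityID="TESTIDP">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {SSO}
  </IDPSSODescriptor>
</EntityDescriptor>"""
GOOD = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    {SSO}
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Running check_idp_metadata(BAD) reports both the non-URI entityID and the missing signing key, while GOOD returns an empty list.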
