Shibd process crashes shibd.exe version 2.53

Nate Klingenstein ndk at
Fri May 16 16:56:52 EDT 2014


I don't believe that the SAML 2.0 specification explicitly precludes sending a signed assertion that can't be validated by the SP because the SP has no trusted public key for that IdP.  The Web Browser SSO Profile does specifically require the SP to validate any signatures present, so sending signed assertions without giving the SP a key is effectively guaranteeing that this error will always occur.  Shibboleth and most implementations get this trusted key from metadata.

TestShib provides nice example metadata for IdP's and SP's that is reasonably well <!-- commented -->.  It's not signed but it should show where stuff goes.

They really ought to be providing a key for the IdP (and make sure that the non-redacted entityID is a URI in a namespace they control).

Hope this helps,

On May 16, 2014, at 2:41 PM, "pvenkatesh at" <pvenkatesh at>

I am looking at their IDP metadata XML  they sent over. Their
IDPSSODescriptordoes not seem to have ANY child elements related to the
keydescriptors at all.

<EntityDescriptor ID="SM1543418b14458559b3f14af35920277e273007281199"
       <IDPSSODescriptor ID="SM297c611d66b7a37042611045c87dd7d1745005bae94"

The cert details are within the initial <signature element .  The above
section is almost at the end of the XML with no key descriptor values.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list