Shibd process crashes shibd.exe version 2.53

Cantor, Scott cantor.2 at
Mon May 19 18:41:52 EDT 2014

On 5/19/14, 11:00 PM, "pvenkatesh at"
<pvenkatesh at> wrote:
>Thanks Guys ! Unfortunately we are still stuck with that error message.

Did the metadata change, or did the IdP correct the signing key? If not,
the error won't change.

>Is there an option of availing paid Shibboleth support for couple of

There is no paid support option. I'm happy to charge you personally for
doing the same work described below.

>If Yes- how do we reach them?  We need someone to validate our
>configurations and get past the whole issues being encountered.

Your own configuration has no connection to this error, the problem is
with the IdP or its metadata, and the key is missing or wrong. That's it.

The metadata you described earlier contained no KeyDescriptor element. By
definition, this is not going to work. Nothing you do to your own system
will fix that until the metadata contains a key, and it's the right key.

If you want to simply trust what they send you in the message is valid,
then turn up logging in shibd.logger where it mentions how to log protocol
messages, on DEBUG. Then look at the message logged, and pull the
X509Certificate element's contents from the signature block out of the log.

Create a KeyDescriptor element in their metadata (see example-metadata.xml
in etc/shibboleth for an example) containing that certificate content.

That will correct the problem based on what you described. If an attacker
sent you a message and you did that, you would then be trusting that
attacker. In other words, the key is supposed to come from the metadata
you get from a trusted source.

-- Scott

More information about the users mailing list