Problem with ProtectNetwork IdP and signing ...
Paul Wilt
pewilt at gmail.com
Thu Nov 13 11:36:15 EST 2014
We currently deal with two separate federations that include the
ProtectNetwork IdP (https://idp.protectnetwork.org/protectnetwork-idp):
InCommon
UK Federation
The following comes from the ssl_access_log ...
10.242.0.145 - - [13/Nov/2014:08:47:41 +0000] "GET
/Shibboleth.sso/DS?SAMLDS=1&target=https%3A%2F%
2Fshibboleth-sp.prod.proquest.com
%2FONE_SEARCH&entityID=urn%3Amace%3Aincommon%3Aidp.protectnetwork.org
HTTP/1.1" 200 2060
10.242.0.145 - - [13/Nov/2014:08:47:42 +0000] "POST
/Shibboleth.sso/SAML2/POST HTTP/1.1" 500 1000
But from the shibd.log I see the following ...
=================================================
2014-11-13 08:47:42 DEBUG OpenSAML.MessageDecoder.SAML2 [92]: extracting
issuer from SAML 2.0 protocol message
2014-11-13 08:47:42 DEBUG OpenSAML.MessageDecoder.SAML2 [92]: message from (
https://idp.protectnetwork.org/protectnetwork-idp)
2014-11-13 08:47:42 DEBUG OpenSAML.MessageDecoder.SAML2 [92]: searching
metadata for message issuer...
2014-11-13 08:47:42 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [92]:
evaluating message flow policy (replay checking on, expiration 60)
2014-11-13 08:47:42 DEBUG XMLTooling.StorageService [92]: inserted record
(_24617369cbd44218f0e5fa3e2acb5493) in context (MessageFlow) with
expiration (1415868700)
2014-11-13 08:47:42 DEBUG Shibboleth.SSO.SAML2 [92]: processing message
against SAML 2.0 SSO profile
2014-11-13 08:47:42 DEBUG XMLTooling.CredentialCriteria [92]: key algorithm
didn't match ('AES' != 'RSA')
2014-11-13 08:47:42 DEBUG XMLTooling.CredentialCriteria [92]: key algorithm
didn't match ('AES' != 'RSA')
2014-11-13 08:47:42 DEBUG XMLTooling.CredentialCriteria [92]: credential
name(s) didn't overlap
2014-11-13 08:47:42 DEBUG Shibboleth.SSO.SAML2 [92]: decrypted Assertion:
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_3cbe96a95c2a597c3c4df1bcced595ad"
IssueInstant="2014-11-13T08:47:40.964Z" Version="2.0" xmlns:xs="
http://www.w3.org/2001/XMLSchema"><saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://idp.protectnetwork.org/protectnetwork-idp</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_3cbe96a95c2a597c3c4df1bcced595ad"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1
"/><ds:DigestValue>ZC2yh72IgfUuaXW9XZ4Ua+KG4ys=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>HoPm4J1Vf7Zn4YzEyftx9kLxtCx1hANsRDjR0Kz4m34W8y/3oAcfLpP9SCeiTSucfyc9fPZHLGTv9OY+NU23R/TRmORb3rtNFmxSlk9NIw10ZEucmAtEHgcreoV/tzDxVdmJ0FnBUfPvMSdjH/du98HegaMoQH5e9nWNvYstzGiPPW1tkFxEnFLkO0tcQeCPdNsRjLI/v8ME+JOMaN2XAo0V1BqauSGlYCI8oXq22hmBH1BkR4IlnrWFiOZC7yrydaAM6eFNOXE5NLdMCzCiEskPBNq/lfxEekmWREClPEqFrqDETcmw4pj9HmdzN21QdB3vq+JzF1SVmKKMoU0gwQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEMDCCAxigAwIBAgIJALJxC01MGf/hMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNVBAYTAlVTMQ4w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=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="
https://idp.protectnetwork.org/protectnetwork-idp" SPNameQualifier="
https://shibboleth-sp.prod.proquest.com/shibboleth">_9bb96ec9cfd8e577cd63bda7ece0dc84</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
Address="165.215.165.5" InResponseTo="_ed4ef80e9642b1cd552f9372de0a5875"
NotOnOrAfter="2014-11-13T08:52:40.964Z" Recipient="
https://shibboleth-sp.prod.proquest.com/Shibboleth.sso/SAML2/POST"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2014-11-13T08:47:40.964Z"
NotOnOrAfter="2014-11-13T08:52:40.964Z"><saml2:AudienceRestriction><saml2:Audience>
https://shibboleth-sp.prod.proquest.com/shibboleth</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement
AuthnInstant="2014-11-13T08:38:11.807Z"
SessionIndex="6f5b00dba53cf5edb824e0193ebe45af60e741b3489c38162ce775a56210bc1f"><saml2:SubjectLocality
Address="165.215.165.5"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute
FriendlyName="eduPersonPrincipalName"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
cbsvq at idp.protectnetwork.org</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="sn" Name="urn:oid:2.5.4.4"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Blanca
Sancho</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="givenName" Name="urn:oid:2.5.4.42"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Cristina</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue><saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://idp.protectnetwork.org/protectnetwork-idp"
SPNameQualifier="https://shibboleth-sp.prod.proquest.com/shibboleth">ZZHp7U/oKEG/p3N8wO4qWB1PhqQ=</saml2:NameID></saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Cristina Blanca
Sancho</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
2014-11-13 08:47:42 DEBUG Shibboleth.SSO.SAML2 [92]: extracting issuer from
SAML 2.0 assertion
2014-11-13 08:47:42 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [92]:
evaluating message flow policy (replay checking on, expiration 60)
2014-11-13 08:47:42 DEBUG XMLTooling.StorageService [92]: inserted record
(_3cbe96a95c2a597c3c4df1bcced595ad) in context (MessageFlow) with
expiration (1415868700)
2014-11-13 08:47:42 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [92]:
validating signature profile
2014-11-13 08:47:42 DEBUG XMLTooling.CredentialCriteria [92]: keys didn't
match
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.ExplicitKey [92]: unable
to validate signature, no credentials available from peer
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.PKIX [92]: validating
signature using certificate from within the signature
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.PKIX [92]: signature
verified with key inside signature, attempting certificate validation...
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.PKIX [92]: checking that
the certificate name is acceptable
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.PKIX [92]: adding to list
of trusted names (https://idp.protectnetwork.org/protectnetwork-idp)
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.PKIX [92]: certificate
subject: CN=tcas-idp.protectnetwork.org
,O=ProtectNetwork,L=Austin,ST=Texas,C=US
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.PKIX [92]: unable to match
DN, trying TLS subjectAltName match
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.PKIX [92]: unable to match
subjectAltName, trying TLS CN match
2014-11-13 08:47:42 ERROR XMLTooling.TrustEngine.PKIX [92]: certificate
name was not acceptable
2014-11-13 08:47:42 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [92]:
unable to verify message signature with supplied trust engine
2014-11-13 08:47:42 WARN Shibboleth.SSO.SAML2 [92]: detected a problem with
assertion: Message was signed, but signature could not be verified.
=================================================
The line from above
2014-11-13 08:47:42 DEBUG XMLTooling.TrustEngine.PKIX [92]: certificate
subject: CN=tcas-idp.protectnetwork.org
,O=ProtectNetwork,L=Austin,ST=Texas,C=US
I think is from the ProtectNetwork IdP associated with the UK Federation (which
seems to have a different certificate).
At this point I am somewhat clueless as to why this happens.
Thanks
Paul Wilt
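The shibd.log excerpt above shows the SP's chained trust evaluation: the ExplicitKey engine finds no credential in metadata matching the certificate inside the signature ("no credentials available from peer"), the PKIX engine then verifies the signature with the embedded certificate but rejects it because its subject (CN=tcas-idp.protectnetwork.org) does not match any trusted name, and the only trusted name collected was the entityID. The script below, an added example that is not from the original post or from the Shibboleth project, reproduces those two decisions against a metadata document so that the failing step can be pinpointed. It assumes a simplified trusted-name rule (entityID plus ds:KeyName values), compares certificates rather than public keys, treats PKIX chain validation as already passed, and uses constructed metadata and stand-in certificate blobs; none of the function names are Shibboleth APIs.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def normalize_b64(blob):
    """Re-encode a base64 certificate so whitespace/line wrapping cannot
    make two copies of the same DER bytes compare unequal."""
    return base64.b64encode(base64.b64decode("".join(blob.split()))).decode()


def metadata_trust_info(metadata_xml, entity_id):
    """What the SP would trust for entity_id: its published signing
    certificates (ExplicitKey) and its trusted names (PKIX name check).
    Simplification (assumption): trusted names = entityID + <ds:KeyName>."""
    root = ET.fromstring(metadata_xml)
    certs, names = [], {entity_id}
    for ed in root.iter("{%s}EntityDescriptor" % MD):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iter("{%s}KeyDescriptor" % MD):
            if kd.get("use") not in (None, "signing"):  # no 'use' = both
                continue
            for kn in kd.iter("{%s}KeyName" % DS):
                names.add(kn.text.strip())
            for cert in kd.iter("{%s}X509Certificate" % DS):
                certs.append(normalize_b64(cert.text))
    return certs, names


def explicit_key_match(signature_cert_b64, metadata_certs):
    """ExplicitKey engine: the KeyInfo certificate must be one published in
    metadata (the real engine compares public keys; certs suffice here)."""
    return normalize_b64(signature_cert_b64) in metadata_certs


def parse_dn(dn):
    """Split 'CN=a,O=b,...' into (attr, value) pairs; assumes no escaped
    commas, which holds for the subject printed in the log."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]


def pkix_name_acceptable(subject_dn, subject_alt_names, trusted_names):
    """PKIX name check in the order the log shows: full DN, then
    subjectAltName, then CN. Returns which rule matched, or None."""
    if subject_dn in trusted_names:
        return "dn"
    for san in subject_alt_names:
        if san in trusted_names:
            return "subjectAltName"
    cns = [v for k, v in parse_dn(subject_dn) if k.upper() == "CN"]
    if cns and cns[0] in trusted_names:
        return "cn"
    return None


def evaluate_signature_trust(metadata_xml, issuer, signature_cert_b64,
                             subject_dn, subject_alt_names=()):
    """Chain the two engines the way the SP's log shows: ExplicitKey first,
    PKIX (chain validation assumed to pass) second."""
    certs, names = metadata_trust_info(metadata_xml, issuer)
    if explicit_key_match(signature_cert_b64, certs):
        return {"trusted": True, "engine": "ExplicitKey", "matched": "key"}
    how = pkix_name_acceptable(subject_dn, subject_alt_names, names)
    if how:
        return {"trusted": True, "engine": "PKIX", "matched": how}
    return {"trusted": False, "engine": None, "matched": None,
            "trusted_names": sorted(names)}


# --- constructed sample data (not real metadata or certificates) ---------
IDP = "https://idp.protectnetwork.org/protectnetwork-idp"
CERT_IN_METADATA = base64.b64encode(b"constructed DER: cert in SP's metadata").decode()
CERT_IN_SIGNATURE = base64.b64encode(b"constructed DER: cert the IdP signed with").decode()
SUBJECT_FROM_LOG = "CN=tcas-idp.protectnetwork.org,O=ProtectNetwork,L=Austin,ST=Texas,C=US"

METADATA_STALE = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>%s</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>' % (MD, DS, IDP, CERT_IN_METADATA)
)
# Same entity after a metadata refresh that carries the current signing cert.
METADATA_FIXED = METADATA_STALE.replace(CERT_IN_METADATA, CERT_IN_SIGNATURE)
# Alternative: a KeyName that lets the PKIX engine accept the cert by CN.
METADATA_KEYNAME = METADATA_STALE.replace(
    "<ds:KeyInfo>", "<ds:KeyInfo><ds:KeyName>tcas-idp.protectnetwork.org</ds:KeyName>")


if __name__ == "__main__":
    for label, md in (("stale metadata", METADATA_STALE),
                      ("refreshed metadata", METADATA_FIXED),
                      ("KeyName in metadata", METADATA_KEYNAME)):
        print(label, evaluate_signature_trust(md, IDP, CERT_IN_SIGNATURE, SUBJECT_FROM_LOG))
```

With the stale metadata the result reproduces the log (ExplicitKey finds nothing, PKIX rejects the name, the only trusted name is the entityID); with metadata that carries the certificate the IdP actually signed with, ExplicitKey succeeds and the PKIX name check is never reached. In practice the decisive check is therefore whether the base64 certificate in the assertion's ds:X509Certificate appears, for that entityID, in the federation metadata the SP has loaded: if it does not, the SP's metadata is stale or the IdP is signing with a key it has not published to that federation.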