Could not resolve a key encryption credential
Trevor Cooley
trevor.s.cooley at gmail.com
Fri Nov 28 12:11:43 EST 2014
Hi,
I have been trying to set up an SP and am using the TestShib IdP for
testing the deployment. After being redirected to the IdP logon page I
am getting an error from the IdP: "unable to encrypt assertion". The IdP
error log contains the errors:
ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: https://tcooley.xps13/shibboleth
10:00:15.137 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
The SP metadata that I uploaded contains the correct certificate in the
KeyDescriptor element (I have tried use="signing" and use="encryption",
to no avail), and I am at a loss to understand why the IdP cannot encrypt
the assertion. I am wondering if there is something up with the
certificate that I'm using; the KeyName doesn't match up with anything,
but I don't think that this is required, and the certificate was
generated using the shib-keygen command, so I would have thought that it
was OK. The KeyDescriptor that was registered with TestShib is below;
any ideas on what might be wrong would be greatly appreciated.
Thanks,
Trevor.
<md:KeyDescriptor>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>trevor-XPS13-9333</ds:KeyName>
    <ds:X509Data>
      <ds:X509SubjectName>CN=trevor-XPS13-9333</ds:X509SubjectName>
      <ds:X509Certificate>MIIC+jCCAeKgAwIBAgIJAJEpR4gHM6rwMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV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==
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
</md:KeyDescriptor>
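When an IdP reports that it cannot resolve a key encryption credential for a peer, the first things to verify on the SP side are exactly the ones the post circles around: does a KeyDescriptor exist that is usable for encryption (no use= attribute, or use="encryption"), does its ds:X509Certificate decode to a well-formed DER certificate, and does the key inside it match the RSA-OAEP key transport the EncryptionMethod list advertises. The following script is an added example, not part of the original post and not Shibboleth or TestShib code; it uses only the Python standard library, so the certificate is walked with a small DER reader rather than a crypto library. It ignores ds:KeyName, since metadata-based credential resolution works from the certificate itself. The metadata it checks is constructed inline: the entity ID is a placeholder, and the embedded certificate is an unsigned, certificate-shaped DER blob built by sample_cert_der() (just enough structure for the walker, not a real certificate), with a deliberately truncated copy in a second KeyDescriptor to show what a damaged base64 blob looks like to the checker.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_OID = "1.2.840.113549.1.1.1"                 # rsaEncryption
RSA_OID_DER = bytes.fromhex("2a864886f70d010101")
KEY_TRANSPORT = {                                 # key transport methods that need an RSA key
    "http://www.w3.org/2009/xmlenc11#rsa-oaep",
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
}


def der_read(buf, pos):
    """Read one DER TLV at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data (truncated certificate?)")
    return tag, buf[pos:end], end


def der_children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value to dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def public_key_oid(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm OID."""
    tag, cert, end = der_read(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE (corrupt or trailing data)")
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    algorithm = der_children(fields[5][1])[0][1]
    oid_tag, oid_val = der_children(algorithm)[0]
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_val)


def check_encryption_keys(metadata_xml):
    """One finding per md:KeyDescriptor: could an IdP use it to encrypt to this SP?"""
    findings = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")                       # absent use= means signing AND encryption
        f = {"use": use, "usable_for_encryption": use in (None, "encryption"),
             "key_algorithm": None, "problems": []}
        cert_el = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if cert_el is None or not (cert_el.text or "").strip():
            f["problems"].append("no ds:X509Certificate in ds:KeyInfo")
        else:
            try:                                  # drop line wrapping, then decode strictly
                der_bytes = base64.b64decode(re.sub(r"\s+", "", cert_el.text), validate=True)
                f["key_algorithm"] = public_key_oid(der_bytes)
            except (ValueError, IndexError) as e:
                f["problems"].append(f"certificate does not parse: {e}")
        algs = {m.get("Algorithm") for m in kd.findall(f"{{{MD_NS}}}EncryptionMethod")}
        if algs & KEY_TRANSPORT and f["key_algorithm"] not in (None, RSA_OID):
            f["problems"].append("RSA-OAEP key transport advertised but key is not RSA")
        findings.append(f)
    return findings


def der(tag, value):
    """Encode one DER TLV; the constructed sample never exceeds 255 bytes per value."""
    n = len(value)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + value


def sample_cert_der(key_oid=RSA_OID_DER):
    """Constructed, unsigned, certificate-shaped DER: enough structure for the walker only."""
    alg = der(0x30, der(0x06, RSA_OID_DER))      # AlgorithmIdentifier placeholder
    name = der(0x30, b"")                        # empty Name
    spki = der(0x30, der(0x30, der(0x06, key_oid) + der(0x05, b"")) + der(0x03, b"\x00" * 65))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + der(0x30, b"") + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))


_GOOD = base64.b64encode(sample_cert_der()).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.test/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>
        {_GOOD}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>
        {_GOOD[:-40]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for finding in check_encryption_keys(SAMPLE_METADATA):
        print(finding)
```

Run against real SP metadata by passing the file contents to check_encryption_keys(); a KeyDescriptor that reports usable_for_encryption True, an RSA key algorithm and no problems is one an IdP can encrypt to, so if every descriptor fails one of those three checks the cause is on the SP side of the metadata rather than in the IdP. The DER reader stops at the public key algorithm on purpose: validating the signature or the validity period is not what the "could not resolve" error is about.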