FW: Shibboleth SP 2.5.4 on Apache 2.4.10.1-64

Milligan, Jeff jeff.milligan at vce.com
Thu Jul 30 12:42:13 EDT 2015


Hi

I am getting an error "unable to verify message signature with supplied trust engine" every once in a while with my Shibboleth SP setup. I currently have it sitting behind an F5 with SSL offloading; however, it is forwarding the 443 traffic for /Shibboleth.sso. I have copied the logs for both a working validation and a broken one. I'm not sure what the issue could be, due to the seeming randomness of the error below. As you can see below, it worked 30 seconds before it didn't work. Any ideas on how to troubleshoot, or does anyone know of this issue?

Thanks
Jeff Milligan

2015-07-30 11:14:56 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]: evaluating message flow policy (replay checking on, expiration 60)
2015-07-30 11:14:56 DEBUG XMLTooling.StorageService [1]: inserted record (b124293104daaebbef7c8ce587229ed1) in context (MessageFlow) with expiration (1438269536)
2015-07-30 11:14:56 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2015-07-30 11:14:56 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: attempting to validate signature with the peer's credentials
2015-07-30 11:14:56 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: public key did not validate signature: Digital signature does not validate with the supplied key.
2015-07-30 11:14:56 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: no peer credentials validated the signature
2015-07-30 11:14:56 ERROR XMLTooling.TrustEngine.PKIX [1]: unable to perform PKIX validation, signature does not contain any certificates
2015-07-30 11:14:56 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine
2015-07-30 11:14:56 DEBUG Shibboleth.Listener [1]: dispatching message (default/Login::run::SAML2SI)
2015-07-30 11:14:56 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: validating input
2015-07-30 11:14:56 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: marshalling, deflating, base64-encoding the message
2015-07-30 11:14:56 DEBUG XMLTooling.XMLObject [1]: starting to marshal samlp:AuthnRequest
2015-07-30 11:14:56 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2015-07-30 11:14:56 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2015-07-30 11:14:56 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2015-07-30 11:14:56 DEBUG XMLTooling.XMLObject [1]: starting to marshalling saml:Issuer
2015-07-30 11:14:56 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall

2015-07-30 11:14:36 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]: evaluating message flow policy (replay checking on, expiration 60)
2015-07-30 11:14:36 DEBUG XMLTooling.StorageService [1]: inserted record (ff089c24c2bcadd242e5a58408bd5410) in context (MessageFlow) with expiration (1438269516)
2015-07-30 11:14:36 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2015-07-30 11:14:36 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: attempting to validate signature with the peer's credentials
2015-07-30 11:14:36 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature validated with credential
2015-07-30 11:14:36 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
2015-07-30 11:14:36 DEBUG Shibboleth.SSO.SAML2 [1]: processing message against SAML 2.0 SSO profile
2015-07-30 11:14:36 DEBUG Shibboleth.SSO.SAML2 [1]: extracting issuer from SAML 2.0 assertion
2015-07-30 11:14:36 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]: evaluating message flow policy (replay checking on, expiration 60)
2015-07-30 11:14:36 DEBUG XMLTooling.StorageService [1]: inserted record (bc11f189958a7959efc6a776176f2684) in context (MessageFlow) with expiration (1438269516)
2015-07-30 11:14:36 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [1]: assertion satisfied bearer confirmation requirements
2015-07-30 11:14:36 DEBUG Shibboleth.SSO.SAML2 [1]: SSO profile processing completed successfully
2015-07-30 11:14:36 DEBUG Shibboleth.SSO.SAML2 [1]: extracting pushed attributes...
2015-07-30 11:14:36 DEBUG Shibboleth.AttributeExtractor.XML [1]: unable to extract attributes, unknown XML object type: samlp:Response
2015-07-30 11:14:36 DEBUG Shibboleth.AttributeExtractor.XML [1]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
2015-07-30 11:14:36 DEBUG Shibboleth.AttributeExtractor.XML [1]: unable to extract attributes, unknown XML object type: saml:AuthnStatement
2015-07-30 11:14:36 DEBUG Shibboleth.AttributeDecoder.String [1]: decoding SimpleAttribute (EmailID) from SAML 2 Attribute (EmailID) with 1 value(s)
2015-07-30 11:14:36 DEBUG Shibboleth.AttributeFilter [1]: filtering 1 attribute(s) from (http://fim.emc.com/idp/vcexact)
2015-07-30 11:14:36 DEBUG Shibboleth.AttributeFilter [1]: applying filtering rule(s) for attribute (EmailID) from (http://fim.emc.com/idp/vcexact)
2015-07-30 11:14:36 DEBUG Shibboleth.SSO.SAML2 [1]: resolving attributes...
2015-07-30 11:14:36 DEBUG Shibboleth.AttributeResolver.Query [1]: found AttributeStatement in input to new session, skipping query
2015-07-30 11:14:36 DEBUG Shibboleth.SessionCache [1]: creating new session


Here is the same problem at a different log level and a different time:


2015-07-30 10:34:13 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2015-07-30 10:34:13 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolving ds:X509Certificate
2015-07-30 10:34:13 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 1 certificate(s)
2015-07-30 10:34:13 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 CRL(s)
2015-07-30 10:34:13 ERROR XMLTooling.TrustEngine.PKIX [1]: unable to perform PKIX validation, signature does not contain any certificates
2015-07-30 10:34:13 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine
2015-07-30 10:34:13 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: validating input
2015-07-30 10:34:13 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [1]: marshalling, deflating, base64-encoding the message
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: starting to marshal samlp:AuthnRequest
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: starting to marshalling saml:Issuer
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject
2015-07-30 10:34:13 DEBUG XMLTooling.XMLObject [1]: caching DOM for XMLObject

2015-07-30 10:50:57 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2015-07-30 10:50:57 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
2015-07-30 10:50:57 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]: evaluating message flow policy (replay checking on, expiration 60)
2015-07-30 10:50:57 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [1]: assertion satisfied bearer confirmation requirements
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: starting to marshal saml:NameID
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: XMLObject has a usable cached DOM, reusing it
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: releasing cached DOM representation for parent object with propagation set to true
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: releasing cached DOM representation for (saml:Subject)
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: releasing cached DOM representation for parent object with propagation set to true
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: releasing cached DOM representation for (saml:Assertion)
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: releasing cached DOM representation for parent object with propagation set to true
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: releasing cached DOM representation for (samlp:Response)
2015-07-30 10:50:57 DEBUG XMLTooling.XMLObject [1]: starting to marshal saml:Assertion
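As an added example, not part of Jeff's post and not Shibboleth's own tooling, the script below parses the shibd.log lines quoted above, splits them into signature-validation attempts (one per "validating signature profile" line), records which trust-engine messages appeared before each attempt verified or failed, and reports how long each failure came after the most recent success. The sample input is copied from the four excerpts in the post and sorted into time order; the reason codes (explicit-key-mismatch, pkix-no-certs, and so on) and the hint text are this example's own naming, not Shibboleth log categories.

```python
"""Triage the shibd.log excerpts quoted above: group lines into signature
validation attempts and record why each one failed.  Added example, not part
of the original post or of the Shibboleth project."""
import re
from collections import Counter
from datetime import datetime

# shibd.log line shape: "<date> <time> <LEVEL> <category> [<n>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) (?P<cat>[\w.]+) \[(?P<bracket>\d+)\]: (?P<msg>.*)$"
)

# Messages that open and close one validation attempt (verbatim from the logs).
START = "validating signature profile"
OK = "signature verified against message issuer"
FAIL = "unable to verify message signature with supplied trust engine"

# Log substrings mapped to reason codes.  The codes are this example's names.
REASONS = {
    "public key did not validate signature": "explicit-key-mismatch",
    "no peer credentials validated the signature": "no-peer-credentials",
    "signature does not contain any certificates": "pkix-no-certs",
    "resolved 1 certificate(s)": "inline-cert-resolved",
}

HINTS = {
    "explicit-key-mismatch": "ExplicitKey tried the peer's credentials from metadata and none verified the signature",
    "no-peer-credentials": "no signing key in the SP's metadata for this peer matched",
    "pkix-no-certs": "PKIX fallback could not run: the signed message carried no certificates",
    "inline-cert-resolved": "inline KeyInfo resolver found a certificate; compare with a DEBUG-level capture of the same failure",
}

# Sample input: lines copied from the post's excerpts, deliberately in the
# out-of-order sequence they were posted in.  Nothing here is from a live system.
SAMPLE_LOG = """
2015-07-30 11:14:56 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2015-07-30 11:14:56 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: attempting to validate signature with the peer's credentials
2015-07-30 11:14:56 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: public key did not validate signature: Digital signature does not validate with the supplied key.
2015-07-30 11:14:56 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: no peer credentials validated the signature
2015-07-30 11:14:56 ERROR XMLTooling.TrustEngine.PKIX [1]: unable to perform PKIX validation, signature does not contain any certificates
2015-07-30 11:14:56 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine
2015-07-30 11:14:36 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2015-07-30 11:14:36 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: attempting to validate signature with the peer's credentials
2015-07-30 11:14:36 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature validated with credential
2015-07-30 11:14:36 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
2015-07-30 10:34:13 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2015-07-30 10:34:13 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolving ds:X509Certificate
2015-07-30 10:34:13 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 1 certificate(s)
2015-07-30 10:34:13 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 CRL(s)
2015-07-30 10:34:13 ERROR XMLTooling.TrustEngine.PKIX [1]: unable to perform PKIX validation, signature does not contain any certificates
2015-07-30 10:34:13 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine
2015-07-30 10:50:57 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2015-07-30 10:50:57 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
"""


def parse(text):
    """Return one dict per parsable line; blank and foreign lines are dropped."""
    return [m.groupdict() for raw in text.splitlines()
            if (m := LINE_RE.match(raw.strip()))]


def classify_attempts(records):
    """Walk records in time order.  A START line opens an attempt; the first OK
    or FAIL line after it closes it.  Reason codes seen in between are kept."""
    attempts, current = [], None
    for r in sorted(records, key=lambda r: r["ts"]):  # stable: same-ts order kept
        msg = r["msg"]
        if START in msg:
            current = {"ts": r["ts"], "outcome": "open", "reasons": []}
            attempts.append(current)
            continue
        if current is None or current["outcome"] != "open":
            continue
        current["reasons"].extend(code for needle, code in REASONS.items() if needle in msg)
        if OK in msg:
            current["outcome"] = "verified"
        elif FAIL in msg:
            current["outcome"] = "failed"
    return attempts


def summarize(attempts):
    """Count outcomes, e.g. {'failed': 2, 'verified': 2}."""
    return dict(Counter(a["outcome"] for a in attempts))


def seconds_since_last_success(attempts):
    """For each failed attempt, seconds since the nearest earlier verified one
    (None when no earlier success exists)."""
    out, last_ok = [], None
    for a in attempts:
        t = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
        if a["outcome"] == "verified":
            last_ok = t
        elif a["outcome"] == "failed":
            gap = None if last_ok is None else int((t - last_ok).total_seconds())
            out.append((a["ts"], gap))
    return out


if __name__ == "__main__":
    atts = classify_attempts(parse(SAMPLE_LOG))
    print(summarize(atts))
    for a in atts:
        print(a["ts"], a["outcome"], [HINTS[c] for c in a["reasons"]])
    print(seconds_since_last_success(atts))
```

Run against a full shibd.log, the output shows whether every failure carries the same reason codes (here the two failures differ only by log level: both end in pkix-no-certs, and only the DEBUG capture shows the ExplicitKey mismatch that preceded it) and how close each failure sits to a success, which is the 20-second gap the post describes.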