Error encrypting assertion while testing with testshib.org - illegal key size

Guillaume Gilbert Gilbert.Guillaume at lacsq.org
Wed May 13 10:59:57 EDT 2015


I'm facing an issue where I'm getting an Illegal Key Size error message
while encrypting the assertion (from what I can understand).

I've looked around and I installed the Java JCE unlimited strength
jurisdiction policy files on both my JRE and JDK installation. Still
getting the same error.

To install those policy files, I've copied both files into the
/lib/security folder of my JRE installation. I've overwritten the files
that were already there.

Questions:

1. Is there something else to do to install the unlimited strength
policy files?
2. Is there another cause for the illegal key size error?

Notes:
The certificates and domain are for testing purposes, nothing to hide
there (that I know of).

Regards,

Guillaume Gilbert

****
IDP log file (sorry I had to include so much):

2015-05-12 17:42:44,707 - DEBUG
[org.opensaml.saml.saml2.profile.impl.AddGeneratedKeyToAssertions:117] -
Profile Action AddGeneratedKeyToAssertions: No session key to add,
nothing to do
2015-05-12 17:42:44,707 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] -
Profile Action PopulateAuditContext: Adding 1 value for field 'ac'
2015-05-12 17:42:44,707 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 'd' not included in
audit format
2015-05-12 17:42:44,708 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 't' not included in
audit format
2015-05-12 17:42:44,708 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 'f' not included in
audit format
2015-05-12 17:42:44,708 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 'x' not included in
audit format
2015-05-12 17:42:44,708 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:206] -
Profile Action PopulateAuditContext: Adding 1 value(s) for field 'i'
2015-05-12 17:42:44,709 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] -
Profile Action PopulateAuditContext: Adding 1 value for field 'n'
2015-05-12 17:42:44,710 - DEBUG
[org.opensaml.saml.saml2.profile.impl.AbstractEncryptAction:128] -
Profile Action EncryptNameIDs: No encryption parameters, nothing to do
2015-05-12 17:42:44,711 - DEBUG
[org.opensaml.saml.saml2.profile.impl.AbstractEncryptAction:128] -
Profile Action EncryptAttributes: No encryption parameters, nothing to
do
2015-05-12 17:42:44,711 - DEBUG
[org.opensaml.saml.common.profile.impl.SignAssertions:142] - Profile
Action SignAssertions: Will not sign assertions because no security
parameters context is available
2015-05-12 17:42:44,713 - DEBUG
[org.opensaml.saml.saml2.profile.impl.EncryptAssertions:132] - Profile
Action EncryptAssertions: Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_99fe4448949e736d1293cd24b6938769"
    IssueInstant="2015-05-12T21:42:44.685Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://example.com/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            NameQualifier="https://example.com/idp/shibboleth"
SPNameQualifier="https://sp.testshib.org/shibboleth-sp">AAdzZWNyZXQxFa2mIOoEVvEE7udjo5z2AvsVhwg+jgknHU3VyxVqjN+9WNWK/jmbDmaX39eeQ3qLM/HU+SVfqljhox0p0KMk2LegajzG+xM0+E3PC/lRUCFYjPGiBr/yIrDk7jo44QJrdF0RPLyQZFeF</saml2:NameID>
        <saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData Address="127.0.0.1"
                InResponseTo="_556a60220dd9a393812a945cdb0887be"
                NotOnOrAfter="2015-05-12T21:47:44.700Z"
Recipient="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBe        <saml2:AudienceRestriction>
           
<saml2:Audience>https://sp.testshib.org/shibboleth-sp</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-05-12T21:42:44.658Z"
SessionIndex="_1c5099e2814fd68928b3e977e243ad32">
        <saml2:SubjectLocality Address="127.0.0.1"/>
        <saml2:AuthnContext>
           
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
</saml2:Assertion>

2015-05-12 17:42:44,714 - DEBUG
[org.opensaml.saml.saml2.encryption.Encrypter:329] - Assertion before
encryption:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_99fe4448949e736d1293cd24b6938769"
    IssueInstant="2015-05-12T21:42:44.685Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://example.com/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            NameQualifier="https://example.com/idp/shibboleth"
SPNameQualifier="https://sp.testshib.org/shibboleth-sp">AAdzZWNyZXQxFa2mIOoEVvEE7udjo5z2AvsVhwg+jgknHU3VyxVqjN+9WNWK/jmbDmaX39eeQ3qLM/HU+SVfqljhox0p0KMk2LegajzG+xM0+E3PC/lRUCFYjPGiBr/yIrDk7jo44QJrdF0RPLyQZFeF</saml2:NameID>
        <saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData Address="127.0.0.1"
                InResponseTo="_556a60220dd9a393812a945cdb0887be"
                NotOnOrAfter="2015-05-12T21:47:44.700Z"
Recipient="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-05-12T21:42:44.685Z"
NotOnOrAfter="2015-05-12T21:47:44.685Z">
        <saml2:AudienceRestriction>
           
<saml2:Audience>https://sp.testshib.org/shibboleth-sp</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-05-12T21:42:44.658Z"
SessionIndex="_1c5099e2814fd68928b3e977e243ad32">
        <saml2:SubjectLocality Address="127.0.0.1"/>
        <saml2:AuthnContext>
           
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
</saml2:Assertion>

2015-05-12 17:42:44,719 - ERROR
[org.opensaml.xmlsec.encryption.support.Encrypter:542] - Error
encrypting XMLObject
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key
size
at
org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1186)
Caused by: java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039)
2015-05-12 17:42:44,724 - WARN
[org.opensaml.saml.saml2.profile.impl.EncryptAssertions:140] - Profile
Action EncryptAssertions: Error encrypting assertion
org.opensaml.xmlsec.encryption.support.EncryptionException: Error
encrypting XMLObject
at
org.opensaml.xmlsec.encryption.support.Encrypter.encryptElement(Encrypter.java:543)
Caused by: org.apache.xml.security.encryption.XMLEncryptionException:
Illegal key size
at
org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1186)
Caused by: java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039)

2015-05-12 17:42:44,725 - DEBUG
[org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:184]
- Error event UnableToEncrypt will be handled with response
2015-05-12 17:42:44,726 - DEBUG
[org.opensaml.saml.saml2.profile.impl.AbstractResponseShellAction:217] -
Profile Action AddStatusResponseShell: Setting Issuer to
https://example.com/idp/shibboleth
2015-05-12 17:42:44,727 - DEBUG
[org.opensaml.saml.common.profile.impl.AddInResponseToToResponse:110] -
Profile Action AddInResponseToToResponse: Attempting to add InResponseT2015-05-12 17:42:44,729 - DEBUG
[org.opensaml.saml.saml2.profile.impl.AddStatusToResponse:195] - Profile
Action AddStatusToResponse: Detailed errors are disabled
2015-05-12 17:42:44,730 - DEBUG
[org.opensaml.saml.saml2.profile.impl.AddStatusToResponse:224] - Profile
Action AddStatusToResponse: Setting StatusMessage to defaulted value
2015-05-12 17:42:44,731 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] -
Profile Action PopulateAuditContext: Adding 1 value for field 'bb'
2015-05-12 17:42:44,731 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 'DD' not included in
audit format
2015-05-12 17:42:44,731 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 'II' not included in
audit format
2015-05-12 17:42:44,732 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 'SS' not included in
audit format
2015-05-12 17:42:44,732 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 's' not included in
audit format
2015-05-12 17:42:44,732 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 'S' not included in
audit format
2015-05-12 17:42:44,732 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] -
Profile Action PopulateAuditContext: Adding 1 value for field 'u'
2015-05-12 17:42:44,733 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] -
Profile Action PopulateAuditContext: Adding 1 value for field 'III'
2015-05-12 17:42:44,733 - DEBUG
[net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] -
Profile Action PopulateAuditContext: Skipping field 'SM' not included in
audit format
2015-05-12 17:42:44,735 - DEBUG
[net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:159] -
Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of
type 'org.opensaml.messaging.handler.impl.BasicMessageHandlerChain' on
OUTBOUND message context
2015-05-12 17:42:44,736 - DEBUG
[net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] -
Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on
message context containing a message of type
'org.opensaml.saml.saml2.core.impl.ResponseImpl'
2015-05-12 17:42:44,736 - DEBUG
[org.opensaml.saml.common.binding.impl.SAMLOutboundDestinationHandler:62]
- Adding destination to outbound SAML 2 protocol message:
https://sp.testshib.org/Shibboleth.sso/SAML2/POST
2015-05-12 17:42:44,737 - DEBUG
[org.opensaml.saml.common.binding.security.impl.EndpointURLSchemeSecurityHandler:52]
- Message Handler:  Checking outbound endpoint for allowed URL scheme:
https://sp.testshib.org/Shibboleth.sso/SAML2/POST
2015-05-12 17:42:44,738 - DEBUG
[org.opensaml.saml.common.SAMLObjectSupport:56] - Examing signed object
for content references with exclusive canonicalization transform
2015-05-12 17:42:44,738 - DEBUG
[org.opensaml.saml.common.SAMLObjectSupport:70] - Saw exclusive
transform, declaring non-visible namespaces on signed object
2015-05-12 17:42:44,739 - DEBUG
[org.opensaml.saml.common.SAMLObjectContentReference:165] - Adding list
of inclusive namespaces for signature exclusive canonicalization
transform
2015-05-12 17:42:44,748 - DEBUG
[net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100]
- Looking up message encoder based on binding URI:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-05-12 17:42:44,748 - DEBUG
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:159] -
Invoking Velocity template to create POST body
2015-05-12 17:42:44,749 - DEBUG
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:192] -
Encoding action url of
'https://sp.testshib.org/Shibboleth.sso/SAML2/POST' with encoded value
'https&#x3a;&#x2f;&#x2f;sp.2015-05-12 17:42:44,749 - DEBUG
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:198] -
Marshalling and Base64 encoding SAML message
2015-05-12 17:42:44,751 - DEBUG
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:220] -
Setting RelayState parameter to: 'cookie:1431466959_c001', encoded as
'cookie&#x3a;1431466959_c001'
2015-05-12 17:42:44,757 - DEBUG [PROTOCOL_MESSAGE:70] - 
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
    ID="_afcd83b6cf3ee4c4b73bc6325aea6862"
    InResponseTo="_556a60220dd9a393812a945cdb0887be"
    IssueInstant="2015-05-12T21:42:44.726Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com/idp/shibboleth</saml2:Issuer>
    <ds:Signature
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
               
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<ds:Reference
                        URI="#_afcd83b6cf3ee4c4b73bc6325aea6862">
<ds:Transforms>
<ds:Transform
                       
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
                   
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ds:DigestValue>wbFUCGmDTnfSOBtFTi0Pmhw8fTT2oNztWADtCkg+SEw96baRUWgPGiRGr3SmFiMjXa1AU1TErDXD
JEkF51jplw==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MLK/glKt51E68B3pSUcMxqXWOeNoG58MW+Nf1Bx80LRyGm6nebZ6pvEp0GQc1RV1qYpJqfJSjMAX
xum9Y+k1YjebGHruqXtgU0q+EYzTpQZE52+Wr0NJopnsMtypfLSHy7ixDa0JgMRjcHxhIL5URdMy
flS+i8wmiGYw6deF7EDgh3chrCsfo5zv9uy4EFidr/22nVHg64iba3sTejMNYvsB96tNI6VFohab
od+4Iz02HfpwqpHWNMHFfVQQBG7A7QoJi9xfWdrU3Q0Me+HIDZ7rJ80cAB5yZU+X4sPluuIrM2g4
qatFgThoZSmMTtHL/tim1b7u+3COg6N6EEXzBA==
</ds:SignatureValue>
<ds:KeyInfo>
            <ds:X509Data>
               
<ds:X509Certificate>MIIDGDCCAgCgAwIBAgIVAPTFiJ33HTcDz6CHUkCHfmdwMDtqMA0GCSqGSIb3DQEBCwUAMBYxFDAS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==</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
    </saml2p:Status>
</saml2p:Response>

2015-05-12 17:42:44,758 - DEBUG
[net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile
Action RecordResponseComplete: Record response complete
2015-05-12 17:42:44,758 - INFO [Shibboleth-Audit.SSO:241] -
20150512T214244Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_556a60220dd9a393812a945cdb0887be|https://sp.testshib.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://example.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afcd83b6cf3ee4c4b73bc6325aea6862|johndoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||AAdzZWNyZXQxFa2mIOoEVvEE7udjo5z2AvsVhwg+jgknHU3VyxVqjN+9WNWK/jmbDmaX39eeQ3qLM/HU+SVfqljhox0p0KMk2LegajzG+xM0+E3PC/lRUCFYjPGiBr/yIrDk7jo44QJrdF0RPLyQZFeF|_99fe4448949e736d1293cd24b6938769

****
Metadata file:

<?xml version="1.0" encoding="UTF-8"?> 
    
<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
entityID="https://example.com/idp/shibboleth">

    <IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">

        <Extensions> 
            <shibmd:Scope regexp="false">example.com</shibmd:Scope> 
<!-- 
    Fill in the details for your IdP here

            <mdui:UIInfo> 
                <mdui:DisplayName xml:lang="en">A Name for the IdP at
example.com</mdui:DisplayName> 
                <mdui:Description xml:lang="en">Enter a description of
your IdP at example.com</mdui:Description> 
                <mdui:Logo height="HeightInPixels"
width="WidthInPixels">https://example.com/Path/To/Logo.png</mdui:Logo> 
            </mdui:UIInfo> 
--> 
        </Extensions>

        <KeyDescriptor use="signing"> 
            <ds:KeyInfo> 
                    <ds:X509Data> 
                        <ds:X509Certificate> 
MIIDGDCCAgCgAwIBAgIVAPTFiJ33HTcDz6CHUkCHfmdwMDtqMA0GCSqGSIb3DQEB 
CwUAMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTE1MDUwNzIxMDgzOFoXDTM1 
MDUwNzIxMDgzOFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3 
DQEBAQUAA4IBDwAwggEKAoIBAQCJ9ih5kUedQ+v7T6GM0du24rIDZzPsx52iayuY 
eNCTcs8LB2bVJKwoTIUbPvG0K6FoLsDFIJDdGLAxdfZVk8XK8HnAU0qG+y7omQM0 
zeO5jn2WEYaxjY6ts9BBIqU1JhffK8XdgTqJvVfsHIdWTqVLXenFYvoL50xK2eiT 
J8uiKEhskZmA03KGku0m4RRoSaQFkUXkHb8arGXdeq5V5Ddr03TqozNsHrYMsMOn 
LxTnoE1oeVwD9/yHqkNrMR5KxCdPi1PPG3tKilcrmrHeOc+ZY6Ll/nzY8GjtliKD 
LTO9tWZIrV7RPfpA2LGASfF58Cr+bzKnC1DByx0MCUstKimHAgMBAAGjXTBbMB0G 
A1UdDgQWBBQ9OWxuMMCcQeH+TFYSRgACcFt1wDA6BgNVHREEMzAxggtleGFtcGxl 
LmNvbYYiaHR0cHM6Ly9leGFtcGxlLmNvbS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG 
9w0BAQsFAAOCAQEAQ6Epkhj5O9EbSDbw5s3zftIvgxQdnHAA5+eqNCj4aHLsP+Cj 
ewweM4Vq6dHgmbFGU2cGJu4rWZKIT0GmUJxBMahzAnKtPnIYvHIrq/XabqqIq6gv 
vUdCh4NtEz1RCvdJp/1lfur8n2S/g1/P/EvzsaX6pJHjPAEVVBvGKCB1N+nWwkjL 
/x/fN+3YtCalruM53jMR+j8BlmhBaHlCwAfVYaAjSuSZ6gj5FBVM1KjJe+5Pdxe1 
Y31gFmaMucy5X0I34Bl33F8V8eeeUtVN4ywQMOVnkbaJNPwmlR2NXYDMxFtkZj2N 
Xn83DsUP+tCFqvONqxu9pm2AeKPLxrVYdoH0EA== 
                        </ds:X509Certificate> 
                    </ds:X509Data> 
            </ds:KeyInfo>

        </KeyDescriptor> 
        <KeyDescriptor use="signing"> 
            <ds:KeyInfo> 
                    <ds:X509Data> 
                        <ds:X509Certificate> 
MIIDFzCCAf+gAwIBAgIUU+2B/eiEA1/bHIMVg9KgV3eY89AwDQYJKoZIhvcNAQEL 
BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUwNTA3MjEwODQxWhcNMzUw 
NTA3MjEwODQxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN 
AQEBBQADggEPADCCAQoCggEBAKGrhPligb4jzMDGvhSygzbAHFjXugot+u3HK3pl 
40ZYVcxo8rlpvZ57mkEVxkNUIUoRj192MTI+LHojxfxxxEU3UYNuIMyOMTD5z+o2 
CSD6tqRqPr4k3FTIRYEXNLxcY9ALFY05fiATaz0VzL2gcCsUDJvQD6yqeUsAdCTM 
jfBtJERhJGrmHekLfHBTcSg3otjalur7L3qzj3uQ+zwQf+ZxJaW54vcUNcizdorq 
WfShvIGs/6yRL2XOoMBSW3dc0yaLN61cw26zmkq3UcaZmdS2Ewwt+KJyADY01+OE 
7sVBpi8M22Lh5Qwc0fC4xyd0mKC/WyBNepM84ioazkg1KI8CAwEAAaNdMFswHQYD 
VR0OBBYEFNvXrLJ0Hln34RYU3Fd455UruP5XMDoGA1UdEQQzMDGCC2V4YW1wbGUu 
Y29thiJodHRwczovL2V4YW1wbGUuY29tL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 
DQEBCwUAA4IBAQCOmaKbDTP+ZT/oB8ohZHZr+x7j9ac0kzpZ2A1PE5shpwUhRmHE 
ju1dV7fikR01bsCXA7XMb+XiVBOkTzv+k3W7gScsbU2KoqhIWavJ5e9Z1QI5/v2BSOBl+HFVcmd1SGMOMOlchSS3xPYbXuZ1Zv1DRBOOGGm2 
H5KBhFBejuaFDzNcQkskSc2OY7lW3+Zm712cYNt+Jm8oJxIBRFt4RF4vDuiZ70aT 
7W+ZUoA7QZjsoYG6aJfwxp5dxAWQYtt4JMvqhGR+J2Y40L+wDI3dZiUWlUPIEiYN 
paXn3RPO7FXgYAwVD3XW7YXXPQ8icO9HVr5O 
                        </ds:X509Certificate> 
                    </ds:X509Data> 
            </ds:KeyInfo>

        </KeyDescriptor> 
        <KeyDescriptor use="encryption"> 
            <ds:KeyInfo> 
                    <ds:X509Data> 
                        <ds:X509Certificate> 
MIIDFzCCAf+gAwIBAgIUZzLtlCbMyksHBl5o8WeBtHOAcIUwDQYJKoZIhvcNAQEL 
BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUwNTA3MjEwODQwWhcNMzUw 
NTA3MjEwODQwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN 
AQEBBQADggEPADCCAQoCggEBALEapWaVEgmW5BUV6ZtVqpgg6fI40in/5XQXJ2tO 
ItYNUCVqkDZzR/Isq7skV1FJq+s/VHnEKmd3LiOEufY629E2Wzp3+Lt3BbVx/Crx 
IsvZY4PW6zUTgKeUjO6nS5QX5aFVOGfik3nphGKUO0UmQvp04erThogY4jXINdWw 
Mfqb3/lACOz4CLKbaPA3StuXlfQHaseRncYxt36sgOkIN94geRXqKbAPDh8jPMhe 
bBu/EaPyst3KlVh2/91Z3ThVchGJXNt8cvseWPYGklHz5um+UkfG9oQqPni96AOh 
QDygWsfjU2f7dDcXv/nCQJ1EkNYCCPVJyySokg82rGdIKHECAwEAAaNdMFswHQYD 
VR0OBBYEFLmX2ko+CzGP1lV82yvnpnO4MuWMMDoGA1UdEQQzMDGCC2V4YW1wbGUu 
Y29thiJodHRwczovL2V4YW1wbGUuY29tL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 
DQEBCwUAA4IBAQAWm4FfjBTYgn2u9QUVVj8A5OhpfD7TAr11f6WmwZbyIlKFXF/H 
AEB26wctKx5qQetc9bTOWq6z7FA/LiFdeKoiXkr28vPU034ZW8/GO4RIEvGRMp/B 
plx1uMHFNHhW+v4OfF1/3+easwAi6DvrXdm/zRp/AYfYW2xtRwoabohYnmZwxj+F 
99UBBua7DJwmzHtHfSnQhZByCfY3vqknPmTMmWtroavuglBK0uIE5fvMuqlYOFMl 
UtwEP6z5q5vdgX2PJPtuuobZysnNgHsc8zZDNjKmzNjzeIq84Ru9QsbYfERneHzL 
th58CIQxEyLm57s4HfNiN3eWzqrazqfZLGR1 
                        </ds:X509Certificate> 
                    </ds:X509Data> 
            </ds:KeyInfo>

        </KeyDescriptor>

        <ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://example.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
index="1"/> 
        <ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://example.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
index="2"/>

        <!-- 
        <SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://example.com/idp/profile/SAML2/Redirect/SLO"/> 
        <SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://example.com/idp/profile/SAML2/POST/SLO"/> 
        <SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://example.com/idp/profile/SAML2/POST-SimpleSign/SLO"/> 
        <SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://example.com:8443/idp/profile/SAML2/SOAP/SLO"/> 
        -->

       
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> 
       
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

        <SingleSignOnService
Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://example.com/idp/profile/Shibboleth/SSO"/> 
        <SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://example.com/idp/profile/SAML2/POST/SSO"/> 
        <SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://example.com/idp/profile/SAML2/POST-SimpleSign/SSO"/> 
        <SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://example.com/idp/profile/SAML2/Redirect/SSO"/>

    </IDPSSODescriptor> 

    <AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

        <Extensions> 
            <shibmd:Scope regexp="false">example.com</shibmd:Scope> 
        </Extensions>

        <KeyDescriptor use="signing"> 
            <ds:KeyInfo> 
                    <ds:X509Data> 
                        <ds:X509Certificate> 
MIIDGDCCAgCgAwIBAgIVAPTFiJ33HTcDz6CHUkCHfmdwMDtqMA0GCSqGSIb3DQEB 
CwUMDUwNzIxMDgzOFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3 
DQEBAQUAA4IBDwAwggEKAoIBAQCJ9ih5kUedQ+v7T6GM0du24rIDZzPsx52iayuY 
eNCTcs8LB2bVJKwoTIUbPvG0K6FoLsDFIJDdGLAxdfZVk8XK8HnAU0qG+y7omQM0 
zeO5jn2WEYaxjY6ts9BBIqU1JhffK8XdgTqJvVfsHIdWTqVLXenFYvoL50xK2eiT 
J8uiKEhskZmA03KGku0m4RRoSaQFkUXkHb8arGXdeq5V5Ddr03TqozNsHrYMsMOn 
LxTnoE1oeVwD9/yHqkNrMR5KxCdPi1PPG3tKilcrmrHeOc+ZY6Ll/nzY8GjtliKD 
LTO9tWZIrV7RPfpA2LGASfF58Cr+bzKnC1DByx0MCUstKimHAgMBAAGjXTBbMB0G 
A1UdDgQWBBQ9OWxuMMCcQeH+TFYSRgACcFt1wDA6BgNVHREEMzAxggtleGFtcGxl 
LmNvbYYiaHR0cHM6Ly9leGFtcGxlLmNvbS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG 
9w0BAQsFAAOCAQEAQ6Epkhj5O9EbSDbw5s3zftIvgxQdnHAA5+eqNCj4aHLsP+Cj 
ewweM4Vq6dHgmbFGU2cGJu4rWZKIT0GmUJxBMahzAnKtPnIYvHIrq/XabqqIq6gv 
vUdCh4NtEz1RCvdJp/1lfur8n2S/g1/P/EvzsaX6pJHjPAEVVBvGKCB1N+nWwkjL 
/x/fN+3YtCalruM53jMR+j8BlmhBaHlCwAfVYaAjSuSZ6gj5FBVM1KjJe+5Pdxe1 
Y31gFmaMucy5X0I34Bl33F8V8eeeUtVN4ywQMOVnkbaJNPwmlR2NXYDMxFtkZj2N 
Xn83DsUP+tCFqvONqxu9pm2AeKPLxrVYdoH0EA== 
                        </ds:X509Certificate> 
                    </ds:X509Data> 
            </ds:KeyInfo>

        </KeyDescriptor> 
        <KeyDescriptor use="signing"> 
            <ds:KeyInfo> 
                    <ds:X509Data> 
                        <ds:X509Certificate> 
MIIDFzCCAf+gAwIBAgIUU+2B/eiEA1/bHIMVg9KgV3eY89AwDQYJKoZIhvcNAQEL 
BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUwNTA3MjEwODQxWhcNMzUw 
NTA3MjEwODQxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN 
AQEBBQADggEPADCCAQoCggEBAKGrhPligb4jzMDGvhSygzbAHFjXugot+u3HK3pl 
40ZYVcxo8rlpvZ57mkEVxkNUIUoRj192MTI+LHojxfxxxEU3UYNuIMyOMTD5z+o2 
CSD6tqRqPr4k3FTIRYEXNLxcY9ALFY05fiATaz0VzL2gcCsUDJvQD6yqeUsAdCTM 
jfBtJERhJGrmHekLfHBTcSg3otjalur7L3qzj3uQ+zwQf+ZxJaW54vcUNcizdorq 
WfShvIGs/6yRL2XOoMBSW3dc0yaLN61cw26zmkq3UcaZmdS2Ewwt+KJyADY01+OE 
7sVBpi8M22Lh5Qwc0fC4xyd0mKC/WyBNepM84ioazkg1KI8CAwEAAaNdMFswHQYD 
VR0OBBYEFNvXrLJ0Hln34RYU3Fd455UruP5XMDoGA1UdEQQzMDGCC2V4YW1wbGUu 
Y29thiJodHRwczovL2V4YW1wbGUuY29tL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 
DQEBCwUAA4IBAQCOmaKbDTP+ZT/oB8ohZHZr+x7j9ac0kzpZ2A1PE5shpwUhRmHE 
ju1dV7fikR01bsCXA7XMb+XiVBOkTzv+k3W7gScsbU2KMfk/OeHXf6ajm5uhsoxC 
oqhIWavJ5e9Z1QI5/v2BSOBl+HFVcmd1SGMOMOlchSS3xPYbXuZ1Zv1DRBOOGGm2 
H5KBhFBejuaFDzNcQkskSc2OY7lW3+Zm712cYNt+Jm8oJxIBRFt4RF4vDuiZ70aT 
7W+ZUoA7QZjsoYG6aJfwxp5dxAWQYtt4JMvqhGR+J2Y40L+wDI3dZiUWlUPIEiYN 
paXn3RPO7FXgYAwVD3XW7YXXPQ8icO9HVr5O 
                        </ds:X509Certificate> 
                    </ds:X509Data> 
            </ds:KeyInfo>

        </KeyDescriptor> 
        <KeyDescriptor use="encryption"> 
            <ds:KeyInfo> 
                    <ds:X509Data> 
                        <ds:X509Certificate> 
MIIDFzCCAf+gAwIBAgIUZzLtlCbMyksHBl5o8WeBtHOAcIUwDQYJKoZIhvcNAQEL 
BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUwNTA3MjEwODQwWhcNMzUw 
NTA3MjEwODQwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN 
AQEBBQADggEPADCCAQoCggEBALEapWaVEgmW5BUV6ZtVqpgg6fI40in/5XQXJ2tO 
ItYNUCVqkDZzR/Isq7skV1FJq+s/VHnEKmd3LiOEufY629E2Wzp3+Lt3BbVx/Crx 
IsvZY4PW6zUTgKeUjO6nS5QX5aFVOGfik3nphGKUO0UmQvp04erThogY4jXINdWw 
Mfqb3/lACOz4CLKbaPA3StuXlfQHaseRncYxt36sgOkIN94geRXqKbAPDh8jPMhe 
bBu/EaPyst3KlVh2/91Z3ThVchGJXNt8cvseWPYGklHz5um+UkfG9oQqPni96AOh 
QDygWsfjU2f7dDcXv/nCQJ1EkNYCCPVJyySokg82rGdIKHECAwEAAaNdMFswHQYD 
VR0OBBYEFLmX2ko+CzGP1lV82yvnpnO4MuWMMDoGA1UdEQQzMDGCC2V4YW1wbGUu 
Y29thiJodHRwczovL2V4YW1wbGUuY29tL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3 
DQEBCwUAA4IBAQAWm4FfjBTYgn2u9QUVVj8A5OhpfD7TAr11f6WmwZbyIlKFXF/H 
AEB26wctKx5qQetc9bTOWq6z7FA/LiFdeKoiXkr28vPU034ZW8/GO4RIEvGRMp/B 
plx1uMHFNHhW+v4OfF1/3+easwAi6DvrXdm/zRp/AYfYW2xtRwoabohYnmZwxj+F 
99UBBua7DJwmzHtHfSnQhZByCfY3vqknPmTMmWtroavuglBK0uIE5fvMuqlYOFMl 
UtwEP6z5q5vdgX2PJPtuuobZysnNgHsc8zZDNjKmzNjzeIq84Ru9QsbYfERneHzL 
th58CIQxEyLm57s4HfNiN3eWzqrazqfZLGR1 
                        </ds:X509Certificate> 
                    </ds:X509Data> 
            </ds:KeyInfo>

        </KeyDescriptor>

        <AttributeService
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://example.com:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://example.com:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
--> 
        <!-- If you uncomment the above you should add
urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration
above -->

    </AttributeAuthorityDescriptor>

</EntityDescriptor>
-----Confidentiality notice-----

This email communication, including all attachments, may contain
confidential information. Any unauthorized use or distribution of the
contents of this email is prohibited. If you are not the intended
recipient of this email, please delete it and notify the sender
immediately.
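The stack trace above ends in javax.crypto.Cipher.checkCryptoPerm, which is where the JCE jurisdiction policy is enforced, so the practical check is to ask the JVM that actually runs the IdP what key length its policy permits. The class below is an added diagnostic written for this page; it is not code from the post or from the Shibboleth project. The class name JcePolicyCheck and the suggested invocation are this example's own, and the all-zero AES key is a constructed test value used only to trigger the policy check.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Diagnostic for the "Illegal key size" error. Run it with the exact java
 * binary the IdP's servlet container starts with, for example:
 *   /path/to/container-jre/bin/java JcePolicyCheck
 * (class name and invocation are this example's own, not the IdP's).
 */
public class JcePolicyCheck {

    /** Maximum AES key length (bits) the installed JCE jurisdiction policy permits. */
    public static int maxAesKeyLength() throws NoSuchAlgorithmException {
        // Integer.MAX_VALUE means the unlimited-strength policy is active;
        // 128 means the default export-limited policy is still in place.
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** True when AES-256 is permitted, i.e. the unlimited policy files are in effect for this JVM. */
    public static boolean unlimitedStrengthActive() throws NoSuchAlgorithmException {
        return maxAesKeyLength() >= 256;
    }

    /**
     * Reproduces the failing code path from the IdP log: initialising a cipher
     * with a 256-bit key. Returns null on success, or the exception message
     * (expected: "Illegal key size") when the policy rejects the key.
     * The all-zero key is a constructed test value; never use it for real data.
     */
    public static String tryAes256Init() throws Exception {
        SecretKeySpec key = new SecretKeySpec(new byte[32], "AES"); // 32 bytes = 256 bits
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key); // throws InvalidKeyException under the limited policy
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home is the directory whose lib/security/ (jre/lib/security/ when
        // java.home points at a JDK) must hold the replaced local_policy.jar
        // and US_export_policy.jar for this particular JVM.
        System.out.println("java.home    : " + System.getProperty("java.home"));
        System.out.println("java.version : " + System.getProperty("java.version"));
        int max = maxAesKeyLength();
        System.out.println("Max AES key  : " + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        System.out.println("Unlimited policy active: " + unlimitedStrengthActive());
        String failure = tryAes256Init();
        System.out.println("AES-256 init : " + (failure == null ? "OK" : "FAILED (" + failure + ")"));
    }
}
```

The value of running this from the container's own java binary is that it prints the java.home of the JVM the IdP really uses; a servlet container started from a script with its own JAVA_HOME can run a different JRE than the one an administrator patched by hand, and the policy files only take effect in the lib/security directory of the JVM that reports them. If the tool prints "unlimited" and AES-256 init succeeds under that binary, the policy files are installed correctly for that JVM and the cause of the error lies elsewhere.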

