Issue with a ServiceProvider authenticating against testshib.org IdP

Alessandro Molina alessandro.molina at axant.it
Mon Oct 5 12:44:18 EDT 2015


Not Found
The requested URL /entities was not found on this server.

:P

Tried to set a very strange entityID on my side: 
https://localhost/asdf2gbhjkl/sprovide.xml
But I still get the same error, so it's probably not an entityID 
collision :(

On 05/10/15 18:37, Kevin Foote wrote:
> Most likely your entityID is not unique.
> Check the testshib.org/entities <http://testshib.org/entities> page to 
> make sure
>
> - sent from mobile
>
> On Oct 5, 2015, at 12:33 PM, Alessandro Molina 
> <alessandro.molina at axant.it <mailto:alessandro.molina at axant.it>> wrote:
>
>> I'm currently trying to check a ServiceProvider configuration against 
>> testshib.org <http://testshib.org> (using testshib.org 
>> <http://testshib.org> as an IdP),
>> but testshib.org <http://testshib.org> is currently failing with the 
>> following traceback:
>>
>> 12:07:04.650 - ERROR 
>> [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] 
>> - Could not resolve a key encryption credential for peer entity: 
>> https://localhost/sprovide.xml
>> 12:07:04.651 - ERROR 
>> [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] 
>> - Unable to construct encrypter
>> org.opensaml.xml.security.SecurityException: Could not resolve key 
>> encryption credential
>>     at 
>> edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.getEncrypter(AbstractSAML2ProfileHandler.java:928) 
>> ~[shibboleth-identityprovider-2.4.0.jar:na]
>>     at 
>> edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:286) 
>> ~[shibboleth-identityprovider-2.4.0.jar:na]
>>
>> I'm able to get to the login page and login with the myself-myself 
>> user, but then that traceback is produced when trying to send back 
>> the answer to my application.
>> Here is the service provider .xml file uploaded to 
>> http://www.testshib.org/register.html
>>
>> <?xml version='1.0' encoding='UTF-8'?>
>> <ns0:EntityDescriptor 
>> xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" 
>> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute"
>> xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" 
>> xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
>>                       
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
>> entityID="https://localhost/sprovide.xml">
>>     <ns0:Extensions>
>>         <ns1:EntityAttributes>
>>             <ns2:Attribute Name="http://macedir.org/entity-category"
>> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>                 <ns2:AttributeValue 
>> xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1
>>                 </ns2:AttributeValue>
>>             </ns2:Attribute>
>>         </ns1:EntityAttributes>
>>     </ns0:Extensions>
>>     <ns0:SPSSODescriptor AuthnRequestsSigned="false" 
>> WantAssertionsSigned="true"
>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>         <ns0:KeyDescriptor use="signing">
>>             <ns4:KeyInfo>
>>                 <ns4:X509Data>
>> <ns4:X509Certificate>MIIC7zCCAdegAwIBAgIJAKNUFVpcL0KLMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV
>> BAMTB0xQdWxzYXIwHhcNMTUxMDA1MTYwNTAyWhcNMjUxMDAyMTYwNTAyWjASMRAw
>> DgYDVQQDEwdMUHVsc2FyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
>> 04Dvyk0OAmkcjFIzptAJyluGcfP8WsmdE01XOvIV0bi40Cc1c3SCfdXM+AU7kiz6
>> Ew37m9kXz1FbIw9n9Zsv3ImJ7lqQ1/ZKUkzB/Aj49p85XsoqMwtRq8Zwun9sLAME
>> +sjWh4+OyQH2Dr/Na7WnafuuYeIl72rFAoUg2IDEodZ5b204suKp1qi0GQwYm2Jp
>> Ahh0f46RhXawcYVmTMPUS6XQjJ+WH95sDxxxV6Yjfw7d3uZNQ+cNAec7hFxSSAka
>> nShkimm6KfC5x04jgjz1YA4iNXPoj2Pi2E0l3EBl16qBmhjXoppagriHfN+xIxcD
>> hEggCSaYLui2Qm/8maeqQwIDAQABo0gwRjAlBgNVHREEHjAcggdMUHVsc2FyhhFo
>> dHRwczovL2xvY2FsaG9zdDAdBgNVHQ4EFgQUQbbmEqIJlFT8GRdSPE56N+dGZi8w
>> DQYJKoZIhvcNAQEFBQADggEBAC8jKuZWkHx/AhM1GL2vHq/h9SxHoHFcyYDipVyC
>> Ql5VB5PjTaLdQ9RZCtJhlJa75DeVfW6hncDY5Q2phb7MwH2GfWm/bZwmPyfwsEeI
>> uzOcfyWU24582ITtWBNGkaxkE3uI5cDRvmKfO6fTrAdvw+emtVzYOUcAxzqz0PAQ
>> B5f2jLbg2sTLB6d4KawGPoq3JtVXPgagIANZ5IsR/dem3FIsZFj8nsztibFFTH/O
>> ljUAfZledVW5KIfApmHMc4qLvAuSSOSmax6ksBjPE4LVZx/9iftHQOMsucW1O4Ob
>> ykh4ttyYdRoNP1es5xuzTF3Qw2XRMK1N4ZgFsOQudlEexik=
>>                     </ns4:X509Certificate>
>>                 </ns4:X509Data>
>>             </ns4:KeyInfo>
>>         </ns0:KeyDescriptor>
>>         <ns0:SingleLogoutService 
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>>                                  
>> Location="https://localhost/slo/redirect"/>
>>         <ns0:SingleLogoutService 
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>                                  Location="https://localhost/slo/post"/>
>>         <ns0:AssertionConsumerService 
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>                                       
>> Location="https://localhost/acs/post" index="1"/>
>>     </ns0:SPSSODescriptor>
>> </ns0:EntityDescriptor>
>>
>> We are currently using PySAML2 which has also generated the previous XML.
>> Is something wrong that I'm missing? The whole testshib.org 
>> <http://testshib.org> traceback is attached to the email
>>
>>
>> -- 
>> Alessandro Molina
>> Chief Technical Officer & Director of Operations
>>
>> Axant s.n.c. -http://www.axant.it  
>> Phone: +39 346 739 9923
>> Fax: +39 011 412 1756
>> <traceback.txt>
>
>


-- 
Alessandro Molina
Chief Technical Officer & Director of Operations

Axant s.n.c. - http://www.axant.it
Phone: +39 346 739 9923
Fax: +39 011 412 1756
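
The IdP log in this thread reports that no key encryption credential could be resolved for the SP; in SAML metadata a KeyDescriptor is usable for encryption when its use attribute is "encryption" or absent. The following check is an added example, not part of the original message and not PySAML2 or Shibboleth code: it lists SP entities that offer no such key, with hypothetical function names and constructed sample metadata that reuses the thread's entityID and a placeholder in place of a certificate.

```python
import xml.etree.ElementTree as ET  # for untrusted metadata, prefer a hardened parser

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def sp_key_uses(metadata_xml):
    """Map each SP entityID to the set of uses its KeyDescriptors cover."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also yields the root, so a lone EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for entity in root.iter(MD + "EntityDescriptor"):
        sps = entity.findall(MD + "SPSSODescriptor")
        if not sps:
            continue  # not an SP (e.g. an IdP entry in an aggregate)
        uses = set()
        for sp in sps:
            for kd in sp.findall(MD + "KeyDescriptor"):
                cert = kd.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
                if cert is None or not (cert.text or "").strip():
                    continue  # descriptor without certificate material
                use = kd.get("use")
                # An absent "use" attribute means the key serves both purposes.
                uses |= {use} if use else {"signing", "encryption"}
        result[entity.get("entityID")] = uses
    return result

def missing_encryption_key(metadata_xml):
    """Return SP entityIDs with no key an IdP could encrypt assertions to."""
    return [eid for eid, uses in sp_key_uses(metadata_xml).items()
            if "encryption" not in uses]

# --- constructed sample metadata (certificate replaced by a placeholder) ---
def _kd(attr):
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>"
            "<ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

def _metadata(key_descriptors):
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost/sprovide.xml">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  {key_descriptors}
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SIGNING_ONLY = _metadata(_kd(' use="signing"'))  # shape of the posted metadata
WITH_ENCRYPTION = _metadata(_kd(' use="signing"') + _kd(' use="encryption"'))
NO_USE = _metadata(_kd(""))  # single key, no use attribute

if __name__ == "__main__":
    for name in ("SIGNING_ONLY", "WITH_ENCRYPTION", "NO_USE"):
        print(name, missing_encryption_key(globals()[name]))
```

Whether an IdP insists on encrypting assertions is its own policy; the check only reports what the SP metadata makes possible.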
