Could not resolve key encryption credential
Brent Putman
putmanb at georgetown.edu
Wed Oct 7 19:04:01 EDT 2015
I'm not sure. I thought there was a way to see one's own metadata, but
I don't see it anywhere there. Maybe one of the guys who runs testshib
can comment.
On 10/7/15 6:48 PM, Willem D'Haeseleer wrote:
> How can I verify what metadata the IDP has for me? I have tried
> uploading my metadata file again several times using the same file
> name. I am not aware of another method to update the metadata.
>
> On Wed, Oct 7, 2015 at 3:44 PM, Brent Putman <putmanb at georgetown.edu> wrote:
>
> On 10/7/15 6:10 PM, Willem D'Haeseleer wrote:
>>
>> When I try to login I get redirected back to my SP but the
>> IDP fails to encrypt the assertion.
>> It gives the following error:
>> 17:55:15.117 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: http://local.origami42.com:8000/metadata/
>> 17:55:15.117 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
>> org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
>> Why can't the IDP encrypt the assertion?
>
> Well, it really does mean that the metadata that the IdP has for
> your SP doesn't have an encryption key in it. Since the metadata
> file you attached does seem to have a key descriptor with
> use="encryption", and the entityIDs seem to match up, the logical
> conclusion is that the IdP isn't actually using that metadata.
>
>> Am I using an incorrect certificate / public key, should I
>> update the metadata somehow?
>
> I would double-check what metadata testshib actually has for your
> SP and/or upload it again.
>
> Could also potentially be something on the testshib end, like not
> having reloaded new metadata or something. Occasionally it has
> hiccups.
>
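The check discussed in this thread (does the metadata for a given entityID carry a key the IdP can encrypt to) can be run locally on a metadata file. This is an added example, not part of the original message or of the Shibboleth/testshib code; the function names, the example.org entity IDs and the placeholder certificate are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

def _sp(entity_id, use_attr):
    """Build one constructed SP entry; the certificate body is a placeholder."""
    return f"""
  <md:EntityDescriptor entityID="{entity_id}">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}">
      <md:KeyDescriptor{use_attr}>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>"""

# Constructed sample aggregate: signing-only key, encryption key, key with no "use".
SAMPLE = (f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">'
          + _sp("https://sp-a.example.org/metadata/", ' use="signing"')
          + _sp("https://sp-b.example.org/metadata/", ' use="encryption"')
          + _sp("https://sp-c.example.org/metadata/", "")
          + "</md:EntitiesDescriptor>")

def encryption_keys(metadata_xml, entity_id):
    """Return the 'use' of each KeyDescriptor an IdP could encrypt to,
    [] if the entity has none, or None if entity_id is not in the metadata."""
    root = ET.fromstring(metadata_xml)  # only parse metadata you trust
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") != entity_id:  # exact match, trailing slash included
            continue
        usable = []
        for kd in ent.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
            use = kd.get("use")
            # In SAML metadata, a KeyDescriptor without "use" serves both purposes.
            if kd.find("ds:KeyInfo", NS) is not None and use in (None, "encryption"):
                usable.append(use or "unspecified")
        return usable
    return None

if __name__ == "__main__":
    for eid in ("https://sp-a.example.org/metadata/",
                "https://sp-b.example.org/metadata/",
                "https://sp-c.example.org/metadata/",
                "https://sp-b.example.org/metadata"):
        print(eid, "->", encryption_keys(SAMPLE, eid))
```

An empty list corresponds to the "Could not resolve a key encryption credential" condition; `None` means the entityID string in the lookup does not match any entry in the file.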