Could not resolve key encryption credential

Brent Putman putmanb at georgetown.edu
Wed Oct 7 19:04:01 EDT 2015


I'm not sure. I thought there was a way to see one's own metadata, but
I don't see it anywhere there.  Maybe one of the guys who runs testshib
can comment.


On 10/7/15 6:48 PM, Willem D'Haeseleer wrote:
> How can I verify what metadata the IDP has for me? I have tried
> uploading my metadata file again several times using the same file
> name. I am not aware of another method to update the metadata.
>
> On Wed, Oct 7, 2015 at 3:44 PM, Brent Putman <putmanb at georgetown.edu> wrote:
>
>     On 10/7/15 6:10 PM, Willem D'Haeseleer wrote:
>>
>>
>>     When I try to login I get redirected back to my SP but the
>>     IDP fails to encrypt the assertion.
>>     It gives the following error:
>>     17:55:15.117 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: http://local.origami42.com:8000/metadata/
>>     17:55:15.117 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
>>     org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
>>     Why can't the IDP encrypt the assertion?
>
>     Well, it really does mean that the metadata that the IdP has for
>     your SP doesn't have an encryption key in it.  Since the metadata
>     file you attached does seem to have a key descriptor with
>     use="encryption", and the entityIDs seem to match up, the logical
>     conclusion is that the IdP isn't actually using that metadata.
>
>>     Am I using an incorrect certificate / public key, should I
>>     update the metadata somehow?
>
>     I would double-check what metadata testshib actually has for your
>     SP and/or upload it again.
>
>     Could also potentially be something on the testshib end, like not
>     having reloaded new metadata or something.  Occasionally it has
>     hiccups.
>
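
A local check of an SP metadata file for the condition the error above refers to, as an added example that is not part of the original thread or of Shibboleth's code. The function names and sample metadata are constructed, only X.509 certificate key descriptors under SPSSODescriptor are considered, and the check says nothing about which metadata the IdP has actually loaded.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENTITY_ID = "http://local.origami42.com:8000/metadata/"  # entityID from the log above

def sample_metadata(use_attr):
    """Constructed SP metadata; the certificate body is a placeholder, not a real cert."""
    return f"""<md:EntityDescriptor xmlns:md="{MD}"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{ENTITY_ID}">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor {use_attr}>
          <ds:KeyInfo><ds:X509Data>
            <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
          </ds:X509Data></ds:KeyInfo>
        </md:KeyDescriptor>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>"""

def check_encryption_key(metadata_xml, entity_id):
    """Return 'ok', 'no-encryption-key' or 'entity-not-found' for one SP entityID."""
    root = ET.fromstring(metadata_xml)
    # iter() also yields the root, so a single EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    entity = next((e for e in root.iter(f"{{{MD}}}EntityDescriptor")
                   if e.get("entityID") == entity_id), None)  # exact string match
    if entity is None:
        return "entity-not-found"
    for kd in entity.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        has_cert = cert is not None and bool((cert.text or "").strip())
        # A KeyDescriptor without a use attribute applies to signing and encryption.
        if kd.get("use") in (None, "encryption") and has_cert:
            return "ok"
    return "no-encryption-key"

if __name__ == "__main__":
    for attr in ('use="encryption"', "", 'use="signing"'):
        print(repr(attr), "->", check_encryption_key(sample_metadata(attr), ENTITY_ID))
```

A result of "entity-not-found" on a file that looks right usually means the entityID differs by a character such as a trailing slash, since the comparison is an exact string match.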
