SP cannot decrypt EncryptedAssertion responses

Cantor, Scott cantor.2 at osu.edu
Fri Feb 26 12:24:19 EST 2016


> I couldn't remember if I'd checked the ownership and permissions on the
> keying material itself, but after re-deploying the SP's keying material,
> I had to fix both (user shibd, group shibd; permissions 644 for the
> certificate and 600 for the private key).

Ok. That would have been clearly logged though.

> After reviewing the SAML protocol captures, I saw that Shibboleth was
> not signing the outgoing SAML requests.  I'm sorry but I assumed that
> this was the default.

No, it's rarely needed.

>  I enabled `signing="true"` and
> `encryption="true"` in the SP's ApplicationDefaults, and I set the
> signature algorithm to SHA-1 in the RP trust.  With these changes I was
> able to authenticate to the SP using an EncryptedAssertion response from
> my AD FS IdP.

Those flags had nothing to do with it (nor is use of SHA-1 required).

-- Scott
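The ownership and mode fix the poster describes (user shibd, group shibd, 644 on the certificate, 600 on the private key) is easy to verify before restarting shibd. The following is an added example, not code from the thread or from the Shibboleth project; it assumes GNU `stat`, and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: check that SP keying material has the ownership and
# permissions described in the thread. Not part of the Shibboleth project.
# Assumes GNU stat (the -c format). Owner and group are parameters so the
# same check can be run against a test file owned by the current user.

# check_keymat FILE EXPECTED_USER EXPECTED_GROUP EXPECTED_MODE
# Prints one diagnostic per mismatch; returns 0 only when all three match.
check_keymat() {
    file=$1 want_user=$2 want_group=$3 want_mode=$4
    [ -f "$file" ] || { echo "$file: missing or not a regular file"; return 1; }
    actual=$(stat -c '%U %G %a' "$file") || return 1
    set -- $actual          # $1=owner $2=group $3=octal mode
    rc=0
    [ "$1" = "$want_user" ]  || { echo "$file: owner $1, want $want_user"; rc=1; }
    [ "$2" = "$want_group" ] || { echo "$file: group $2, want $want_group"; rc=1; }
    [ "$3" = "$want_mode" ]  || { echo "$file: mode $3, want $want_mode"; rc=1; }
    return $rc
}

# check_sp_keying_material CERT KEY [USER] [GROUP]
# Certificate must be 644 and the private key 600; the default owner and
# group (shibd) are the ones given in the thread.
check_sp_keying_material() {
    cert=$1 key=$2 user=${3:-shibd} group=${4:-shibd}
    rc=0
    check_keymat "$cert" "$user" "$group" 644 || rc=1
    check_keymat "$key"  "$user" "$group" 600 || rc=1
    return $rc
}

# Usage on a real SP (placeholder paths, substitute your own):
#   check_sp_keying_material /path/to/sp-cert.pem /path/to/sp-key.pem
```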


