SP cannot decrypt EncryptedAssertion responses
Cantor, Scott
cantor.2 at osu.edu
Fri Feb 26 12:24:19 EST 2016
> I couldn't remember if I'd checked the ownership and permissions on the
> keying material itself, but after re-deploying the SP's keying material,
> I had to fix both (user shibd, group shibd; permissions 644 for the
> certificate and 600 for the private key).
Ok. That would have been clearly logged though.
> After reviewing the SAML protocol captures, I saw that Shibboleth was
> not signing the outgoing SAML requests. I'm sorry but I assumed that
> this was the default.
No, it's rarely needed.
> I enabled `signing="true"` and
> `encryption="true"` in the SP's ApplicationDefaults, and I set the
> signature algorithm to SHA-1 in the RP trust. With these changes I was
> able to authenticate to the SP using an EncryptedAssertion response from
> my AD FS IdP.
Those flags had nothing to do with it (nor is use of SHA-1 required).
-- Scott
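The quoted message mentions fixing the ownership and mode of the SP's keying material (owner `shibd`, 644 for the certificate, 600 for the private key). The following shell function is an added example, not code from the original thread or from the Shibboleth project, that checks a credential file against an expected mode and owner and reports any mismatch. The demo builds constructed stand-in files in a temporary directory and uses the current user as the expected owner, because changing ownership to `shibd` needs root; the file names `sp-cert.pem` and `sp-key.pem` are assumptions, not the SP's actual paths.

```shell
#!/bin/sh
# Portable helpers: GNU stat (-c) first, BSD/macOS stat (-f) as a fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
file_owner() {
  stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_key_perms FILE EXPECTED_MODE EXPECTED_OWNER
# Returns 0 when both mode and owner match, 1 otherwise (printing what differs).
check_key_perms() {
  file=$1; want_mode=$2; want_owner=$3
  mode=$(file_mode "$file") || return 1
  owner=$(file_owner "$file") || return 1
  status=0
  if [ "$mode" != "$want_mode" ]; then
    echo "$file: mode $mode, expected $want_mode"
    status=1
  fi
  if [ "$owner" != "$want_owner" ]; then
    echo "$file: owner $owner, expected $want_owner"
    status=1
  fi
  return $status
}

# Demo on constructed files: a correctly protected key and a world-readable one.
demo() {
  d=$(mktemp -d)
  me=$(id -un)                       # stand-in for the shibd account
  printf 'constructed certificate\n' > "$d/sp-cert.pem"; chmod 644 "$d/sp-cert.pem"
  printf 'constructed private key\n' > "$d/sp-key.pem";  chmod 600 "$d/sp-key.pem"
  printf 'constructed private key\n' > "$d/bad-key.pem"; chmod 644 "$d/bad-key.pem"
  check_key_perms "$d/sp-cert.pem" 644 "$me" && echo "$d/sp-cert.pem: ok"
  check_key_perms "$d/sp-key.pem"  600 "$me" && echo "$d/sp-key.pem: ok"
  check_key_perms "$d/bad-key.pem" 600 "$me" || echo "$d/bad-key.pem: needs fixing"
  rm -rf "$d"
}
demo
```

On a real deployment the expected owner would be `shibd` and the paths would come from the `CredentialResolver` configuration; as the reply notes, a private key the daemon cannot read is reported plainly in the SP's log, so this check is a quick confirmation rather than a substitute for reading that log.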