SP unable to verify signed SAML assertion

IAM David Bantz dabantz at alaska.edu
Mon May 22 16:37:45 EDT 2017


We're migrating from an in-house hosted service to vendor hosting. The vendor
appears to be using Shibboleth SP, but is unable to verify signed
assertions from our IdP. They provided the following excerpt from their
logs:

> 2017-05-20 13:29:45 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: extracting
> issuer from SAML 2.0 protocol message
> 2017-05-20 13:29:45 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: message from
> (urn:mace:incommon:alaska.edu)
> 2017-05-20 13:29:45 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: searching
> metadata for message issuer...
> 2017-05-20 13:29:45 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]:
> evaluating message flow policy (replay checking on, expiration 60)
> 2017-05-20 13:29:45 DEBUG XMLTooling.StorageService [1]: inserted record (_
> f1db1a5bc3a248790476a36a027abc1f) in context (MessageFlow) with
> expiration (1495301616)
> 2017-05-20 13:29:45 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]:
> validating signature profile
> 2017-05-20 13:29:45 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't
> match
> 2017-05-20 13:29:45 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't
> match
> 2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: unable
> to validate signature, no credentials available from peer
> 2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: validating
> signature using certificate from within the signature
> 2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: signature
> verified with key inside signature, attempting certificate validation...
> 2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: checking that
> the certificate name is acceptable
> 2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: adding to list
> of trusted names (urn:mace:incommon:alaska.edu)
> 2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: certificate
> subject: CN=idp.alaska.edu
> 2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: unable to match
> DN, trying TLS subjectAltName match
> 2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: unable to match
> subjectAltName, trying TLS CN match
> 2017-05-20 13:29:45 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate
> name was not acceptable
> 2017-05-20 13:29:45 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]:
> unable to verify message signature with supplied trust engine


It looks as though they're using incorrect metadata for our IdP.
What else might cause this?

David Bantz
UA OIT IAM
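As an added example (not part of David's message and not Shibboleth code), here is a small Python parser for SP log lines of the shape quoted above. It re-joins the wrapped excerpt into single log lines, tracks what each trust engine reported, and turns the flags into the findings an SP operator would act on: the ExplicitKey engine found no matching key in the metadata held for the issuer, and the PKIX fallback verified the signature with the embedded certificate but rejected its name because it matched none of the trusted names. The log format regex and the field names are assumptions made for this example; the log text is taken from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Log excerpt from the post above, with the mail-wrapped lines re-joined;
# only the lines the diagnosis reads are kept.
SAMPLE_LOG = """\
2017-05-20 13:29:45 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: message from (urn:mace:incommon:alaska.edu)
2017-05-20 13:29:45 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2017-05-20 13:29:45 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't match
2017-05-20 13:29:45 DEBUG XMLTooling.CredentialCriteria [1]: keys didn't match
2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: unable to validate signature, no credentials available from peer
2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: validating signature using certificate from within the signature
2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: signature verified with key inside signature, attempting certificate validation...
2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: adding to list of trusted names (urn:mace:incommon:alaska.edu)
2017-05-20 13:29:45 DEBUG XMLTooling.TrustEngine.PKIX [1]: certificate subject: CN=idp.alaska.edu
2017-05-20 13:29:45 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate name was not acceptable
2017-05-20 13:29:45 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine
"""

# Assumed line shape: "<date> <time> <LEVEL> <category> [<n>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) \[(\d+)\]: (.*)$")


@dataclass
class TrustDiagnosis:
    issuer: Optional[str] = None
    keys_didnt_match: int = 0                # metadata keys tried and rejected
    explicit_key_failed: bool = False        # no usable signing key from metadata
    signature_verified_inline: bool = False  # PKIX: embedded cert verified the signature
    trusted_names: List[str] = field(default_factory=list)
    cert_subject: Optional[str] = None
    pkix_name_rejected: bool = False
    verified: bool = True                    # flips on the final XMLSigning ERROR


def parse_trust_log(text: str) -> TrustDiagnosis:
    """Walk the log lines and record what each trust engine reported."""
    d = TrustDiagnosis()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _ts, level, category, _ctx, msg = m.groups()
        if category.endswith("MessageDecoder.SAML2") and msg.startswith("message from ("):
            d.issuer = msg[len("message from ("):-1]
        elif category.endswith("CredentialCriteria") and msg == "keys didn't match":
            d.keys_didnt_match += 1
        elif category.endswith("TrustEngine.ExplicitKey") and "no credentials available from peer" in msg:
            d.explicit_key_failed = True
        elif category.endswith("TrustEngine.PKIX"):
            if msg.startswith("signature verified with key inside signature"):
                d.signature_verified_inline = True
            elif msg.startswith("adding to list of trusted names ("):
                d.trusted_names.append(msg[len("adding to list of trusted names ("):-1])
            elif msg.startswith("certificate subject: "):
                d.cert_subject = msg[len("certificate subject: "):]
            elif level == "ERROR" and msg == "certificate name was not acceptable":
                d.pkix_name_rejected = True
        elif category.endswith("SecurityPolicyRule.XMLSigning") and level == "ERROR":
            d.verified = False
    return d


def subject_cn(subject: Optional[str]) -> Optional[str]:
    """Pull the CN out of a 'CN=...,O=...' style subject string."""
    if not subject:
        return None
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def explain(d: TrustDiagnosis) -> List[str]:
    """Convert the parsed flags into operator-facing findings."""
    findings = []
    if d.explicit_key_failed:
        findings.append(
            f"ExplicitKey trust failed after {d.keys_didnt_match} metadata key(s) were tried: "
            f"the key that signed the message is not among the signing keys the SP holds in "
            f"its metadata for {d.issuer}, so that metadata is stale or for the wrong IdP.")
    if d.signature_verified_inline and d.pkix_name_rejected:
        findings.append(
            f"PKIX fallback: the embedded certificate verified the signature, but its name "
            f"(CN={subject_cn(d.cert_subject)}) is not one of the trusted names {d.trusted_names}; "
            f"this path needs a name matching the entityID or a KeyName in metadata, and then "
            f"a chain to the SP's configured PKIX anchors.")
    if not d.verified and not findings:
        findings.append("Signature verification failed for a reason this parser does not recognise.")
    return findings


if __name__ == "__main__":
    for finding in explain(parse_trust_log(SAMPLE_LOG)):
        print("-", finding)
```

Running it against the excerpt yields two findings, both pointing at the same root cause the post suspects: the SP's copy of the IdP metadata does not contain the key actually used to sign, and the PKIX path cannot rescue that because the embedded certificate's CN is not a trusted name. Refreshing the metadata the SP holds for the entityID is the thing to check first.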