sp testshib certificate validation on attribute query

Rod Widdowson rdw at steadingsoftware.com
Wed May 31 10:31:59 EDT 2017

> > 2017-05-31 09:15:54 DEBUG XMLTooling.TrustEngine.ExplicitKey [1582]: no keys within this peer's key information matched the given
> end-entity certificate
> > The metadata doesn't have the correct key information
> Can you give me some hint? In my metadata I have the reference to the certificates generated automatically by shibboleth IdP.
> Instead in the error message I see it's complaining about the tomcat ssl certificate generated with letsencrypt.

My best guess is that:

- This is because your IdP hasn't issued any attributes on the front channel.
- So the SP (TestShib) has asked for them on the back channel
- Which Tomcat is protecting with your Let's Encrypt key (not the Shib generated one, which it should be).

So in order of importance:

1) Decide whether you need to support back channel attribute queries (you almost certainly don't, particularly if you don't know what I'm talking about)

1a) If you don't, remove that configuration from Tomcat and also from the IdP's metadata (you have to do both for secure operation)
1b) If you do, fix Tomcat so that it is using the correct key/certificate pair on the back channel

2) Fix your IdP to release attributes.  Check your logs and turn net.shibboleth.idp.attribute up to debug

You have to do (1) before (2) otherwise the problem will appear to go away, but you will still have a broken system and in 3 months you'll have the same error and have to learn this all again.
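As an added example (my own code, not from Rod's reply and not part of the Shibboleth IdP or SP), the script below does the check behind steps 1a/1b offline: it reads the AttributeAuthorityDescriptor out of the IdP's metadata, pulls the back-channel endpoint and certificate from it, and compares that certificate with the one Tomcat actually presents on the back-channel port, which is the comparison the SP's ExplicitKey trust engine fails with "no keys within this peer's key information matched". The metadata document, the entityID and hostname, and the two certificate blobs are constructed placeholders (not real X.509 certificates); `served_cert_der()` is the only function that touches the network and is not called by the offline demonstration.

```python
"""Compare the certificate an IdP's metadata advertises for back-channel
attribute queries with the certificate Tomcat actually serves on that port.
Added illustration, not Shibboleth project code."""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER-encoded certificates. They are
# not real X.509 certificates; everything below only hashes and compares bytes,
# so real certificates behave identically.
BACKCHANNEL_DER = b"placeholder: IdP-generated idp-backchannel.crt"
LETSENCRYPT_DER = b"placeholder: Let's Encrypt certificate Tomcat actually serves"

# Constructed IdP metadata with the default back-channel configuration: an
# AttributeAuthorityDescriptor advertising a SOAP AttributeService on port 8443
# plus the key the SP must see on that TLS connection.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(BACKCHANNEL_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

# The same entity after step 1a: no AttributeAuthorityDescriptor at all, so an
# SP has no back channel to fall back to when no attributes arrive up front.
NO_BACKCHANNEL_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def metadata_backchannel(metadata_xml: str):
    """Return (AttributeService locations, fingerprints of the certificates in the
    AttributeAuthorityDescriptor). Both empty means no back channel is advertised."""
    root = ET.fromstring(metadata_xml)
    aa = root.find("md:AttributeAuthorityDescriptor", NS)
    if aa is None:
        return [], set()
    locations = [svc.get("Location") for svc in aa.findall("md:AttributeService", NS)]
    fingerprints = set()
    for cert in aa.findall(".//ds:X509Certificate", NS):
        # Metadata wraps the base64 freely; strip all whitespace before decoding.
        der = base64.b64decode("".join((cert.text or "").split()))
        fingerprints.add(fingerprint(der))
    return locations, fingerprints


def explicit_key_check(metadata_xml: str, served_der: bytes) -> bool:
    """Stand-in for the SP's ExplicitKey trust engine: the end-entity certificate
    presented on the TLS connection must correspond to a key in the peer's
    metadata. The real engine compares public keys; an exact DER match implies
    a public-key match, so this is a stricter check, not a looser one."""
    _, fingerprints = metadata_backchannel(metadata_xml)
    return fingerprint(served_der) in fingerprints


def served_cert_der(host: str, port: int) -> bytes:
    """Fetch the certificate the back-channel port actually presents (network).
    No chain validation here: the IdP's back-channel cert is self-signed by design."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def diagnose(metadata_xml: str, served_der: bytes) -> str:
    """Map the comparison onto the three states an IdP can be in."""
    locations, _ = metadata_backchannel(metadata_xml)
    if not locations:
        return "no back channel advertised: SPs cannot query attributes (step 1a)"
    if explicit_key_check(metadata_xml, served_der):
        return "back channel OK: served certificate matches metadata (step 1b)"
    return ("MISMATCH: %s serves a certificate with fingerprint %s that is not in "
            "the metadata; fix Tomcat's connector or remove the descriptor"
            % (locations[0], fingerprint(served_der)))


if __name__ == "__main__":
    print(diagnose(SAMPLE_METADATA, LETSENCRYPT_DER))   # the situation in the thread
    print(diagnose(SAMPLE_METADATA, BACKCHANNEL_DER))
    print(diagnose(NO_BACKCHANNEL_METADATA, LETSENCRYPT_DER))
```

Against a live IdP, replace the second argument with `served_cert_der("idp.example.org", 8443)` and the first with the contents of the IdP's own metadata file; a MISMATCH result with a Let's Encrypt fingerprint is exactly the state the SP log above describes, and the fix is either the connector's key/certificate pair (1b) or deleting the whole AttributeAuthorityDescriptor and the connector together (1a).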
