Error configuring a new SP (Softdocs Etrieve): Failed to resolve both a data and a key encryption credential

Ben Poliakoff benp at
Wed Aug 15 18:26:18 EDT 2018

We updated our IDP from v2.x to 3.3.2 a few months ago; it's been running
smoothly, routinely interoperating with about a dozen different service

I'm running into issues adding a new SP running a software package called
Etrieve. The IDP isn't able/willing to make assertions with this SP; I'm
seeing this in the logs:

  [WARN] BasicEncryptionParametersResolver Validation failure: Failed to resolve both a data and a key encryption credential:

  [WARN] PopulateEncryptionParameters Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters:

  [WARN] LogEvent A non-proceed event occurred while processing the request: InvalidSecurityConfiguration:

The SP's metadata is pretty spare (and notably doesn't contain a public

  <EntityDescriptor xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_140069ef-260e-4db3-b3b7-ef810b661681" entityID="<sp_entityid>"
  <SPSSODescriptor WantAssertionsSigned="true"
Location="<return_url>" index="0" isDefault="true" />
Location="<return_url>" index="1" isDefault="false" />

The relying party config stanza looks like this:

  <rp:RelyingParty id="<sp_entityid>" provider=""
      <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
encryptAssertions="false" encryptNameIds="false" />

We do have other working SPs that don't include a pub key in their metadata
(using a very similar config). I've been fiddling with the relying party
for some time now but haven't been able to make any headway. Any
suggestions on how to proceed or troubleshoot would be gratefully accepted!
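
The message above pairs a "key encryption credential" resolution failure with SP metadata that carries no public key. As an added example (not part of the original message and not Shibboleth code), this check lists SPs whose metadata has no `KeyDescriptor` usable for encryption; in SAML metadata a `KeyDescriptor` without a `use` attribute serves both signing and encryption. The entity IDs, certificate text and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata (entity IDs and certificate text are placeholders).
KEY = ('<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
       'Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
       '</md:KeyDescriptor>')
SP = ('<md:EntityDescriptor entityID="%s"><md:SPSSODescriptor '
      'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">%s'
      '</md:SPSSODescriptor></md:EntityDescriptor>')
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">' % (MD, NS["ds"])
          + SP % ("https://sp-nokey.example.org", "")
          + SP % ("https://sp-signonly.example.org", KEY % ' use="signing"')
          + SP % ("https://sp-anyuse.example.org", KEY % "")
          + '</md:EntitiesDescriptor>')


def encryption_keys(metadata_xml):
    """Return {entityID: number of SP keys an IdP could encrypt to}."""
    counts = {}
    # iter() also yields the root, so a lone EntityDescriptor works too.
    for entity in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % MD):
        usable = 0
        for kd in entity.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
            # No "use" attribute means the key serves signing and encryption.
            if kd.get("use", "encryption") != "encryption":
                continue
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is not None and (cert.text or "").strip():
                usable += 1
        counts[entity.get("entityID")] = usable
    return counts


def cannot_encrypt_to(metadata_xml):
    """Entity IDs whose metadata offers no encryption-capable certificate."""
    return sorted(e for e, n in encryption_keys(metadata_xml).items() if n == 0)


if __name__ == "__main__":
    for entity_id in cannot_encrypt_to(SAMPLE):
        print("no encryption key in metadata:", entity_id)
```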
