Error configuring a new SP (Softdocs Etrieve): Failed to resolve both a data and a key encryption credential

Ben Poliakoff benp at reed.edu
Wed Aug 15 18:26:18 EDT 2018


We updated our IDP from v2.x to 3.3.2 a few months ago; it's been running
smoothly, routinely interoperating with about a dozen different service
providers.

I'm running into issues adding a new SP running a software package called
Etrieve. The IDP isn't able/willing to make assertions with this SP; I'm
seeing this in the logs:

  [WARN] BasicEncryptionParametersResolver Validation failure: Failed to resolve both a data and a key encryption credential:

  [WARN] PopulateEncryptionParameters Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters:

  [WARN] LogEvent A non-proceed event occurred while processing the request: InvalidSecurityConfiguration:

  [INFO] SSO 20180815T212303Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|id4417c48b799044b48adb42ece67aeffc|<sp_entityid>|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.reed.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_dcaead3a7ebd72367b312e20c43f7591|||||||<client_ip>:

The SP's metadata is pretty spare (and notably doesn't contain a public
key):

  <EntityDescriptor xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
      ID="_140069ef-260e-4db3-b3b7-ef810b661681" entityID="<sp_entityid>"
      cacheDuration="PT42S">
    <SPSSODescriptor WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="<return_url>" index="0" isDefault="true" />
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
          Location="<return_url>" index="1" isDefault="false" />
    </SPSSODescriptor>
  </EntityDescriptor>

The relying party config stanza looks like this:

  <rp:RelyingParty id="<sp_entityid>" provider="https://idp.reed.edu/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="false" encryptNameIds="false" />
  </rp:RelyingParty>

We do have other working SPs that don't include a pub key in their metadata
(using a very similar config). I've been fiddling with the relying party
for some time now but haven't been able to make any headway. Any
suggestions on how to proceed or troubleshoot would be gratefully accepted!

Ben
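The symptom in this post, an IdP that cannot resolve an encryption credential because the SP's metadata publishes no KeyDescriptor, can be checked directly from the metadata before wiring up the relying party. The following is an added example, not code from the post or from the Shibboleth project; the entityID, ACS location and certificate text in the samples are constructed placeholders, and the "with key" variant is built from the "no key" one by inserting a KeyDescriptor.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample modelled on the post: an SPSSODescriptor with no KeyDescriptor.
SP_METADATA_NO_KEY = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/etrieve">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of the same SP publishing an encryption key (placeholder certificate).
SP_METADATA_WITH_KEY = SP_METADATA_NO_KEY.replace(
    "<AssertionConsumerService",
    '<KeyDescriptor use="encryption" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT"
    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>"
    "<AssertionConsumerService", 1)


def encryption_keys(metadata_xml: str) -> list:
    """Return the 'use' values of KeyDescriptors an IdP could encrypt to.

    In SAML metadata a KeyDescriptor with use="encryption", or with no use
    attribute at all, may be used for encryption; use="signing" may not.
    """
    root = ET.fromstring(metadata_xml)
    usable = []
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "unspecified")
        if use != "signing" and kd.find("ds:KeyInfo", NS) is not None:
            usable.append(use)
    return usable


def encryption_satisfiable(metadata_xml: str, encrypt_assertions: bool) -> bool:
    """True when the relying-party encryption setting can be honoured.

    With encryption required and no usable key in the metadata, the IdP has
    nothing to encrypt to and cannot issue the assertion.
    """
    return (not encrypt_assertions) or bool(encryption_keys(metadata_xml))


if __name__ == "__main__":
    for name, md in (("no key", SP_METADATA_NO_KEY), ("with key", SP_METADATA_WITH_KEY)):
        print(f"{name}: keys={encryption_keys(md)} "
              f"ok_with_encryption={encryption_satisfiable(md, True)}")
```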

