supplied TrustEngine failed to validate SSL/TLS server certificate - while validating the SAML response sent by IdP to SP

anuptiwary anup.kr.tiwary at gmail.com
Fri Jul 27 02:36:47 EDT 2018


Thank you for your response, Peter. Expecting your further reply; kindly help me
out.

Please find my inline replies below.
shibboleth2.xml
<http://shibboleth.1660669.n2.nabble.com/file/t398706/shibboleth2.xml>  

*Q.* Why are you using Attribute Queries at all? Is that by design or
unintentional? (If the latter: "If it hurts stop doing it.")
*AnupTiwary>>* Since it is IdP-initiated SSO, in the response we are expecting
the user header information in the form of attributes.
Or else, how do we use the same session to redirect to the application dashboard
instead of the login page?
If I remove the line below from shibboleth2.xml, then I am not getting any
certificate error, which is obvious.
...
<AttributeResolver type="Query" subjectMatch="true"/>

*Q.* If intentional, what's the certificate the IDP presents on port 8443?
*AnupTiwary>>* I used the same certificate that was generated while installing
the IdP (renewed after configuration as well).
It is configured in Tomcat using a connector port for the AJP protocol, since I am
using httpd as a proxy. Below is the Tomcat server.xml configuration for the IdP
certificate.
...
<!-- attribute name corrected: the posted text had "SSLImplemention", which is
     not a Tomcat connector attribute and would be ignored with a warning -->
<Connector SSLEnabled="true"
sslImplementationName="edu.internet2.middleware.security.tomcat7.DelegateToApplicationJSSEImplementation"
clientAuth="false" keystoreFile="D:\opt\shibboleth-idp\credentials\idp.jks"
keystorePass="changeit" maxThreads="150" port="8443"
protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
secure="true" sslProtocol="TLS"/>

<Connector packetSize="65536" port="8009" protocol="AJP/1.3"
redirectPort="8443" tomcatAuthentication="false"/>
	
*Q.* How exactly did you configure the IDP (or Tomcat) wrt that port? Did you
configure Tomcat to use the idp-backchannel.p12 key pair for 8443?
*AT>>* Same as above.

*Q.* Does the SP have this certificate available from the IDP's metadata?
*AT>>* I have uploaded it (manually copied idp-metadata.xml) into the SP installation
path (C:\opt\shibboleth-sp\etc\shibboleth),
	and below is the configuration in shibboleth2.xml to provide the IdP metadata:
	
	<MetadataProvider type="XML" validate="true" file="idp-metadata.xml"/>
	For specifics, I am attaching shibboleth2.xml for your reference.
	
*Q.* From the image you sent it's not clear at all how the IDP is exposed to
the network SP and what role Apache httpd plays here.
*AT>>* Since it is on the same network and the same box, and configured within
shibboleth2.xml, as per my thinking it should work; if you have
different thoughts then please suggest.
Apache httpd is used to implement a proxy that redirects the flow to the AJP
connector, plus further additional application configuration.

*Q.* And all of this is simply a demo setup, since you seem to be running
the IDP and the SP all on the same box? Or what else is this for?
*AT>>* This is a POC, so that we could move the same approach to the actual environment.

Please help me out on this; I have been struggling at the same point for a long time. It seems
I am almost there, but due to lack of knowledge I am not able to think in
the required direction.



--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
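The error in the subject line is the SP's TrustEngine rejecting the TLS server certificate that the IdP presents on the back-channel port (8443) during the SOAP attribute query, because that certificate is not one the SP can match against the IdP's metadata. The following is an added diagnostic script, not code from the thread, the Shibboleth project, or the poster's setup; it compares the certificate actually served on the back-channel port with the certificates published in idp-metadata.xml and lists the AttributeService endpoints the query goes to. The entityID, hostname, endpoint URL and the "DER" byte strings in the embedded sample metadata are constructed for the test; the script uses only the Python standard library. Note that the SP's default ExplicitKey trust engine matches the public key in the presented certificate against keys in metadata, so this whole-certificate fingerprint comparison is stricter than the SP's own check, which is fine for the case here (the same certificate is expected in both places).

```python
"""Check what the SP's TrustEngine has to match: the leaf certificate an IdP
serves on its back-channel port versus the certificates in the IdP metadata
loaded by the SP's MetadataProvider. Standard library only (added example)."""
import base64
import hashlib
import ssl
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NOT_IN_METADATA = "not-in-metadata"


def metadata_keys(metadata_xml: str) -> dict:
    """Map sha256(DER) -> KeyDescriptor 'use' for every certificate in the metadata.
    A KeyDescriptor without a 'use' attribute (None) is valid for both signing and
    encryption; 'encryption'-only keys are never used to authenticate the IdP."""
    root = ET.fromstring(metadata_xml)
    keys = {}
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")  # None, "signing" or "encryption"
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            keys[hashlib.sha256(der).hexdigest()] = use
    return keys


def attribute_service_locations(metadata_xml: str) -> list:
    """Endpoints an <AttributeResolver type="Query"/> will open a TLS connection to."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{MD}}}AttributeService")]


def server_cert_is_trusted(metadata_xml: str, server_cert_der: bytes):
    """Return (trusted, fingerprint, use): trusted only if the presented certificate
    is listed in metadata under a 'signing' or use-less KeyDescriptor."""
    fp = hashlib.sha256(server_cert_der).hexdigest()
    use = metadata_keys(metadata_xml).get(fp, NOT_IN_METADATA)
    return use in (None, "signing"), fp, use


def fetch_server_cert_der(host: str, port: int) -> bytes:
    """Grab the leaf certificate the connector presents (no validation here;
    deciding whether to trust it is exactly what the SP's TrustEngine does)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# --- constructed sample data (not real certificates) for an offline run --------
def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


SIGNING_DER = b"constructed DER bytes: IdP signing certificate"
ENCRYPTION_DER = b"constructed DER bytes: IdP encryption certificate"
TOMCAT_DER = b"constructed DER bytes: certificate from idp.jks served on 8443"

# Hypothetical idp-metadata.xml: AttributeService on port 8443, as in the thread.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(SIGNING_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(ENCRYPTION_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    # usage: python check_backchannel.py idp-metadata.xml idp.example.org 8443
    path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path, encoding="utf-8") as fh:
        md_xml = fh.read()
    print("AttributeService endpoints:", attribute_service_locations(md_xml))
    ok, fp, use = server_cert_is_trusted(md_xml, fetch_server_cert_der(host, port))
    print(f"server cert sha256={fp} use-in-metadata={use} trusted={ok}")
```

Run against the real idp-metadata.xml the SP loads and the host/port from the AttributeService Location. If the report says not-in-metadata, the connector is serving a keystore (idp.jks here) whose certificate is not the one in the metadata, which is the mismatch the SP logs; if it says encryption, the certificate is published but only for encryption, which the SP will not accept for server authentication either.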