Azure ADFS with Shibboleth SP 2.6 validation issues
habanero9999
luke at brandwatch.com
Fri Mar 2 11:20:54 EST 2018
Peter Schober wrote
>> When we load (the non-validated) metadata on to the service provider and
>> the client attempts to access the protected resource we see these errors
>> in the logs:
>>
>> 2018-03-02 12:47:35 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: extracting
>> issuer from SAML 2.0 protocol message
>
> The error and those messages are not from loading the metadata, so I
> think the whole premise of your question is wrong.
>
> The error comes from trying to validate the SAML message from the IDP,
> and falling through to PKIX checking (which is not what you want) and
> ultimately failing. Short version
Thanks Peter. I have seen other threads mentioning not to use PKIX - how is
this achieved? Can it be done on a per-MetadataProvider basis?
Peter Schober wrote
>> 2018-03-02 12:47:35 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]:
>> unable to verify message signature with supplied trust engine
>
> The IDP likely is not signing the protocol message with a key you have
> the matching certificate in metadata for.
Would the use of PKIX and it not working mean that the next error (and
therefore your suggestion that there is an IDP key / metadata cert
mismatch) is misleading - or is that most likely the ultimate reason for the
protocol message failure?
--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
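As an added illustration of the configuration being asked about (not code from the thread or from either poster): in shibboleth2.xml the trust engine is declared under ApplicationDefaults (or an ApplicationOverride), not under a MetadataProvider. The commented-out Chaining block mirrors the SP 2.x default, which tries ExplicitKey and then falls through to PKIX; the single ExplicitKey line is the replacement that removes the PKIX fallback, so a protocol message is accepted only when its signing key appears in the IdP's metadata. The entityID, ADFS metadata URL and file names are placeholders.

```xml
<!-- Added example fragment of shibboleth2.xml (Shibboleth SP 2.x), not from the
     original thread. Element and attribute names are the SP's own; the entityID,
     metadata URL and backing file name are placeholders. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <!-- BEFORE (SP 2.x default): ExplicitKey is tried first; when the signing key
         is not found in the IdP's metadata, Chaining falls through to PKIX, which
         is the path that ends in "unable to verify message signature". -->
    <!--
    <TrustEngine type="Chaining">
        <TrustEngine type="ExplicitKey"/>
        <TrustEngine type="PKIX"/>
    </TrustEngine>
    -->

    <!-- AFTER: explicit-key trust only, no PKIX fallback. A signed SAML message
         from the IdP verifies only if the signing key matches a KeyDescriptor in
         the metadata loaded for that entity. -->
    <TrustEngine type="ExplicitKey"/>

    <!-- TrustEngine is application-scoped, so it cannot be set per
         MetadataProvider. The only trust setting that attaches to a provider is
         the Signature metadata filter, which checks the signature on the
         metadata document itself, not on protocol messages. -->
    <MetadataProvider type="XML"
                      uri="https://adfs.example.org/FederationMetadata/2007-06/FederationMetadata.xml"
                      backingFilePath="adfs-metadata.xml"
                      reloadInterval="7200">
        <!-- Optional: pin the certificate that signs the metadata document. -->
        <!-- <MetadataFilter type="Signature" certificate="adfs-metadata-signing.pem"/> -->
    </MetadataProvider>
</ApplicationDefaults>
```

With ExplicitKey only, an IdP key that is not in metadata fails immediately at the ExplicitKey check instead of after a PKIX attempt, which makes the "key not in metadata" cause of the logged error unambiguous; the fix in that case is refreshed IdP metadata containing the current signing certificate, not a change of trust engine.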