Azure ADFS with Shibboleth SP 2.6 validation issues

habanero9999 luke at
Fri Mar 2 11:20:54 EST 2018

Peter Schober wrote
>> When we load (the non-validated) metadata on to the service provider and
>> the client attempts to access the protected resource we see these errors in
>> the logs:
>> 2018-03-02 12:47:35 DEBUG OpenSAML.MessageDecoder.SAML2 [1]: extracting
>> issuer from SAML 2.0 protocol message
> The error and those messages are not from loading the metadata, so I
> think the whole premise of your question is wrong.
> The error comes from trying to validate the SAML message from the IDP,
> and falling through to PKIX checking (which is not what you want) and
> ultimately failing. Short version

Thanks Peter, I have seen other threads mentioning not to use PKIX - how is
this achieved? Can it be done on a per MetaDataProvider basis?

Peter Schober wrote
>> 2018-03-02 12:47:35 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]:
>> unable to verify message signature with supplied trust engine
> The IDP likely is not signing the protocol message with a key you have
> the matching certificate in metadata for.

Would the use of PKIX and it not working mean that the next error (and
therefore your suggestion that there is an IDP key / metadata cert
mismatch) is misleading - or is that most likely the ultimate reason for the
protocol message failure?

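The "fall through to PKIX" behaviour discussed in this thread comes from the SP's signature trust engine. The following is an added illustration, not configuration from the poster or from the Shibboleth project, of the chained engine beside an explicit-key-only engine in shibboleth2.xml; it assumes the SP 2.x layout where TrustEngine sits under ApplicationDefaults (the trust engine is an application-level setting, not a per-MetadataProvider one).

```xml
<!-- Constructed example: fragment of shibboleth2.xml, inside <ApplicationDefaults>. -->

<!-- Weak for this case: ExplicitKey is tried first, and on failure the SP
     falls through to PKIX path validation of the IdP's signing certificate,
     which is what produces the "unable to verify message signature" error
     when the certificate in metadata does not match the signing key. -->
<TrustEngine type="Chaining">
    <TrustEngine type="ExplicitKey"/>
    <TrustEngine type="PKIX"/>
</TrustEngine>

<!-- Corrected: trust only the exact keys/certificates published in the
     IdP's metadata. A signature from any other key fails immediately,
     which surfaces a key/metadata mismatch as the real cause. -->
<TrustEngine type="ExplicitKey"/>
```

With ExplicitKey alone, the certificate in the IdP's metadata must match the key the IdP actually signs with, so a remaining XMLSigning error points at the metadata itself rather than at PKIX.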