Unable to decode incoming request
Michael Dahlberg
olgamirth at gmail.com
Tue Mar 13 15:43:35 EDT 2018
Tom:
Thank you very much. However, the reason I wasn't able to provide more
info is because that's all I've got ... unable to decode incoming request,
followed by the opensaml error and finally another entry that says unable
to decode request, error must be handled locally. This is from a system
where the logging level is turned up to debug, so there's really nothing
else: no encrypted request, no attempts to decrypt it. Do you know of
any other tools to capture that data (not SAML tracer ... already
tried and there was nothing there)?
Thanks again,
Mike
On Tue, Mar 13, 2018 at 12:38 PM, Tom Scavo <trscavo at gmail.com> wrote:
> On Tue, Mar 13, 2018 at 12:19 PM, Tom Scavo <trscavo at gmail.com> wrote:
> >
> > On Tue, Mar 13, 2018 at 11:43 AM, Michael Dahlberg <olgamirth at gmail.com> wrote:
> >>
> >> I've checked the X509 cert in their metadata and it looks good. Are there any
> >> other reasons why the IdP would be unable to decode the request?
> >
> > You don't give enough information for me to be sure but my guess is
> > that the IdP is rejecting a signature based on the SHA-1 digest
> > algorithm.
>
> You can easily check this by inspecting the signature itself (not the
> signing certificate in metadata). What are the values of the following
> attributes in the signed AuthnRequest?
>
> @SignatureMethod
> @DigestMethod
>
> If the value of either attribute indicates SHA-1, that is your
> problem. The easiest thing to do is just stop signing the request.
>
> Tom
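The check Tom describes, as an added example that is not part of the original thread or of the Shibboleth code base: it decodes a captured SAMLRequest and lists the Algorithm values of ds:SignatureMethod and ds:DigestMethod (or the SigAlg query parameter under the HTTP-Redirect binding, where the signature is not inside the XML), flagging SHA-1. The function names and the sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_URIS = {  # algorithm URIs that denote a SHA-1 signature or digest
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
}

def decode_saml_request(value, deflated):
    """Base64-decode a SAMLRequest; HTTP-Redirect values are raw DEFLATE too."""
    raw = base64.b64decode(value)
    xml = zlib.decompress(raw, -15) if deflated else raw
    if b"<!DOCTYPE" in xml:  # a SAML message never needs a DTD
        raise ValueError("DTD present, refusing to parse")
    return ET.fromstring(xml)

def signature_algorithms(root, sig_alg=None):
    """List (where, algorithm URI) for every signature and digest method."""
    found = [("SigAlg", sig_alg)] if sig_alg else []
    for sig in root.iter(DS + "Signature"):
        for tag in ("SignatureMethod", "DigestMethod"):
            found += [(tag, el.get("Algorithm")) for el in sig.iter(DS + tag)]
    return found

def inspect_redirect_url(url):
    """HTTP-Redirect binding: the signature algorithm is the SigAlg parameter."""
    qs = parse_qs(urlparse(url).query)
    root = decode_saml_request(qs["SAMLRequest"][0], deflated=True)
    return signature_algorithms(root, qs.get("SigAlg", [None])[0])

def sha1_findings(found):
    return [(where, uri) for where, uri in found if uri in SHA1_URIS]

# Constructed sample (HTTP-POST binding): SHA-1 signature over a SHA-256 digest.
SAMPLE_XML = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
<ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
</ds:Reference></ds:SignedInfo></ds:Signature></samlp:AuthnRequest>"""

if __name__ == "__main__":
    root = decode_saml_request(base64.b64encode(SAMPLE_XML), deflated=False)
    print(sha1_findings(signature_algorithms(root)))
```

For a POST-binding request, pass the `SAMLRequest` form field to `decode_saml_request(..., deflated=False)`; for a redirect, pass the full URL to `inspect_redirect_url`.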