Simple signature validation failed

[Les LaCroix]

Good afternoon.  Yesterday afternoon we started to receive errors "Simple
signature validation (with no request-derived credentials) failed" while
trying to log in to our Edublogs instance.  (The report didn't make it to
me until about noon today.)  As far as I have been able to figure out, this
can come from a mismatch between the cert in the SP's metadata and the cert
the SP is using to sign the request.  Are there other likely ways that
error could pop up?

Our last configuration changes were on Monday, and this is first being
reported today.  We are getting the metadata from the InCommon feed, and
have no other configuration that explicitly mentions this SP.  There is a
clean break when things started failing: consistently successful logins
before 3:48 PM yesterday, consistent failure afterwards.  Our InCommon
metadata often updates right around then, and I am checking with the sysads
to see if I can recover a copies of the InCommon metadata files from before
and after to see if anything changed for that relying party.  We are also
contacting the provider to see if they made any changes.

In the mean time, is there a relying-party configuration change I can make
for this one SP to get past this error?  (Preferably one that isn't a
terrible idea.)  We are at the end of our term and this is a bad time for
an academic service to be unavailable.

Thanks, -Les

------------------------------
Les LaCroix '79 | Strategic Technologist
Carleton College | 1 N. College St. | MS 3-ITS | Northfield, MN 55057
507.222.5455 | free/busy
<https://calendar.google.com/calendar/embed?src=llacroix%40carleton.edu&ctz=America/Chicago>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20181116/330ed4fb/attachment.html>