Best debug logging to enable

Cantor, Scott cantor.2 at
Thu Sep 6 12:29:16 EDT 2018

On 9/6/18, 11:45 AM, "users on behalf of Dan McLaughlin" <users-bounces at on behalf of dmclaughlin at> wrote:

> What's the best logging to enable to debug the following error?

That's probably a signature bug in their code; debugging that requires knowledge of XML Signature and using very low level options.

The best case is that it's not a signing bug but they're using a different key to sign and it isn't showing up in the message or the metadata. That's unlikely.

> Questions 1) Should wildcard certs coming from an IDP work for signing
> and encryption? They worked before, so I'm assuming the answer is yes.

The public key matters. Nothing else matters.

> Question 2) Is it normal for the SAML 2 response to contain the CA's
> public key that signed their signing/encryption certificate?

It doesn't matter.

> What else should we be looking at and is there any additional logging
> we can enable to help get to the bottom of the issue?

There's an old page in the V2 space about it.

You need to move as fast as possible to some form of independent verification they have a bug to get it on their plate.

-- Scott
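Scott's answer to questions 1 and 2 is that only the public key matters: a wildcard subject or an extra CA certificate in the response changes nothing as long as the key that signed the message is the one published in metadata. The script below is an added illustration of that check, not code from the thread or from Shibboleth: it compares the SubjectPublicKeyInfo of two certificates (the one from IdP metadata and the one carried in the response's `<ds:KeyInfo>`), ignoring subject, issuer and validity. It assumes the `openssl` CLI is available and generates constructed sample certificates locally.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the public key inside
# two X.509 certificates so that subject (wildcard or not), issuing CA and
# validity period are ignored. Assumes the openssl CLI is installed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 fingerprint of the DER-encoded SubjectPublicKeyInfo of a cert.
pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) only when both certificates carry the same public key.
same_signing_key() {
  [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# Constructed sample data: one IdP key issued twice (wildcard subject as in
# metadata, plain subject as in a response) and one unrelated key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/idp.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/idp.key" -subj "/CN=*.example.edu" \
  -days 1 -out "$WORK/metadata.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/idp.key" -subj "/CN=idp.example.edu" \
  -days 1 -out "$WORK/response.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/other.key" -subj "/CN=*.example.edu" \
  -days 1 -out "$WORK/other.pem" 2>/dev/null

# Same key behind different subjects: match. Same subject, different key: mismatch.
same_signing_key "$WORK/metadata.pem" "$WORK/response.pem" && echo "metadata/response: same key"
same_signing_key "$WORK/metadata.pem" "$WORK/other.pem" || echo "metadata/other: different key"
```

Run it against the real metadata certificate and the certificate pasted out of a failing response; a mismatch means the IdP is signing with a key that is not in your metadata, which is the "different key" case Scott describes.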
