Best debug logging to enable
Cantor, Scott
cantor.2 at osu.edu
Thu Sep 6 12:29:16 EDT 2018
On 9/6/18, 11:45 AM, "users on behalf of Dan McLaughlin" <users-bounces at shibboleth.net on behalf of dmclaughlin at tech-consortium.com> wrote:
> What's the best logging to enable to debug the following error?
That's probably a signature bug in their code; debugging that requires knowledge of XML Signature and the use of very low-level options.
The best case is that it's not a signing bug but they're using a different key to sign and it isn't showing up in the message or the metadata. That's unlikely.
> Question 1) Should wildcard certs coming from an IDP work for signing
> and encryption? They worked before, so I'm assuming the answer is yes.
The public key matters. Nothing else matters.
> Question 2) Is it normal for the SAML 2 response to contain the CA's
> public key that signed their signing/encryption certificate?
It doesn't matter.
> What else should we be looking at and is there any additional logging
> we can enable to help get to the bottom of the issue?
There's an old page in the V2 space about it.
https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManSigErrors
You need to move as fast as possible to some form of independent verification that they have a bug, to get it on their plate.
-- Scott
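The point Scott makes above ("The public key matters. Nothing else matters.") is easy to confirm outside of a SAML deployment. The following is an added example, not code from the thread or from Shibboleth/OpenSAML; it assumes Go, throwaway self-signed certificates with made-up names (idp.example.org, *.example.org, "Example CA"), and plain RSA-SHA256 over a constructed byte string as a stand-in for the real XML Signature over a Response. It models the metadata-driven trust check the way the reply describes it: the certificates carried in the message's KeyInfo are only matched by public key against the SP's copy of the IdP metadata, so a wildcard subject is accepted, an extra CA certificate in the message is ignored, and the two failure modes the reply names (a key that is not in metadata versus a signature that is simply wrong) come out as different errors.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sentinel errors so a caller can tell the two failure modes apart.
var (
	ErrKeyNotInMetadata = errors.New("no KeyInfo certificate carries a public key listed in IdP metadata")
	ErrBadSignature     = errors.New("signing key is in metadata but the signature does not verify")
)

// mustKey generates a throwaway RSA key (constructed test data).
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// selfSigned wraps key in a self-signed certificate whose only
// distinguishing feature is the CommonName (constructed test data).
func selfSigned(key *rsa.PrivateKey, cn string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Sign produces an RSA-SHA256 signature over msg. It stands in for the IdP
// signing the Response; real XML-DSig canonicalises the XML first, which is
// exactly where "a signature bug in their code" tends to live.
func Sign(key *rsa.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify models explicit-key trust as the thread describes it: the only keys
// allowed to sign are the ones in the SP's copy of the IdP metadata. The
// certificates in the message's KeyInfo are hints: their SubjectPublicKeyInfo
// is compared to metadata, and Subject (wildcard or not), issuer and any
// extra CA certificates are never consulted.
func Verify(metadata, keyInfo []*x509.Certificate, msg, sig []byte) error {
	for _, hint := range keyInfo {
		for _, mc := range metadata {
			if !bytes.Equal(mc.RawSubjectPublicKeyInfo, hint.RawSubjectPublicKeyInfo) {
				continue
			}
			pub, ok := mc.PublicKey.(*rsa.PublicKey)
			if !ok {
				continue
			}
			digest := sha256.Sum256(msg)
			if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
				return ErrBadSignature
			}
			return nil
		}
	}
	return ErrKeyNotInMetadata
}

// Scenarios exercises the cases raised in the thread and returns the
// verification outcome for each (nil means the signature was accepted).
func Scenarios() map[string]error {
	idpKey, otherKey, caKey := mustKey(), mustKey(), mustKey()

	// What the SP holds: the certificate from its copy of the IdP metadata.
	metadata := []*x509.Certificate{selfSigned(idpKey, "idp.example.org")}
	// What the IdP now sends in KeyInfo: a wildcard cert for the same key
	// plus the issuing CA's cert (questions 1 and 2 in the thread).
	wildcard := selfSigned(idpKey, "*.example.org")
	ca := selfSigned(caKey, "Example CA")
	msg := []byte(`<samlp:Response ID="_r1">...</samlp:Response>`) // constructed placeholder

	return map[string]error{
		"wildcard cert, key in metadata":    Verify(metadata, []*x509.Certificate{wildcard, ca}, msg, Sign(idpKey, msg)),
		"signed with a key not in metadata": Verify(metadata, []*x509.Certificate{selfSigned(otherKey, "idp.example.org"), ca}, msg, Sign(otherKey, msg)),
		"right key, broken signing code":    Verify(metadata, []*x509.Certificate{wildcard, ca}, msg, Sign(idpKey, []byte(string(msg)+" "))),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-36s -> %v\n", name, err)
	}
}
```

The third scenario is the one Scott calls likely: the key in the message matches metadata, so the SP's trust check passes, yet the signature still fails because what the IdP signed is not what it sent. Distinguishing that from a key mismatch is the first thing to establish before reading the low-level signature logs the linked wiki page describes.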