key algorithm didn't match ('AES' != 'RSA') failed to decrypt assertion: Unable to locate an encrypted key.

Lipscomb, Gary glipscomb at csu.edu.au
Thu Sep 20 21:58:42 EDT 2018


Hi all,

I have this configuration

- vhosts.conf

    <Location />
      AuthType shibboleth
      Require shibboleth
      ShibRequestSetting entityIDSelf https://mydummyapp.csu.edu.au/shibboleth

      Header set Cache-Control no-store
      Header set Pragma no-cache

    </Location>

- shibboleth2.xml

    <ApplicationDefaults entityID="default"
        REMOTE_USER="uid eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"
        signing="front"
        encryption="true">



This would allow me to login but gave the decryption errors. No application overrides used.

If I now change shibboleth2.xml from entityID="default" to entityID="https://mydummyapp.csu.edu.au/shibboleth", it all works as expected.

    <ApplicationDefaults entityID="https://mydummyapp.csu.edu.au/shibboleth"
        REMOTE_USER="uid eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"
        signing="front"
        encryption="true">


Have I missed something when using ShibRequestSetting entityIDSelf ?

Regards

Gary


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, 19 September 2018 23:22
To: Shib Users <users at shibboleth.net>
Subject: Re: key algorithm didn't match ('AES' != 'RSA') failed to decrypt assertion: Unable to locate an encrypted key.

On 9/18/18, 10:21 PM, "users on behalf of Lipscomb, Gary" <users-bounces at shibboleth.net on behalf of glipscomb at csu.edu.au> wrote:

> Metadata sent to IdP generated from /Shibboleth.sso/Metadata. The public keys in the metadata for signing and 
> encryption match the appropriate certs on the SP.
> Where do I look next ?

You basically figure out why that statement is in fact not the case.

-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
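As an added example (not code from this thread or from the Shibboleth project), a small Python check for the claim Scott asks Gary to re-verify: whether the certificates published in the SP's /Shibboleth.sso/Metadata really match the PEM files the SP loads, and which entityID that metadata advertises. The metadata document and the certificate bytes below are constructed placeholders; in practice the PEM strings would be read from the SP's own signing and encryption certificate files.

```python
import base64
import re
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem):
    """Strip PEM armour and whitespace; return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def entity_id(metadata_xml):
    """entityID the SP advertises; compare it with the configured value."""
    return ET.fromstring(metadata_xml).get("entityID")

def metadata_certs(metadata_xml):
    """Map use -> DER certs from SPSSODescriptor KeyDescriptors (no 'use' attribute = both)."""
    root = ET.fromstring(metadata_xml)
    out = {"signing": [], "encryption": []}
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else list(out)
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # tolerate wrapped base64
            for use in uses:
                out[use].append(der)
    return out

def check_keys(metadata_xml, local_pems):
    """Per use: True if the local PEM's certificate is published in the metadata."""
    published = metadata_certs(metadata_xml)
    return {use: pem_to_der(pem) in published[use] for use, pem in local_pems.items()}
# Constructed sample data: placeholder bytes stand in for real X.509 certificates.
SIGN_DER, OLD_ENC_DER, NEW_ENC_DER = b"fake signing", b"fake enc old", b"fake enc new"
b64 = lambda d: base64.b64encode(d).decode()
pem = lambda d: f"-----BEGIN CERTIFICATE-----\n{b64(d)}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://mydummyapp.csu.edu.au/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {b64(SIGN_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {b64(OLD_ENC_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# The SP rotated its encryption cert on disk; the metadata the IdP holds still has the old one.
LOCAL_PEMS = {"signing": pem(SIGN_DER), "encryption": pem(NEW_ENC_DER)}
if __name__ == "__main__":
    print(entity_id(SAMPLE_METADATA))
    print(check_keys(SAMPLE_METADATA, LOCAL_PEMS))  # {'signing': True, 'encryption': False}
```

A False for "encryption" is exactly the situation that produces an IdP encrypting to a key the SP no longer holds, so the metadata the IdP has loaded needs to be refreshed or the SP's configured certificate corrected.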

