key algorithm didn't match ('AES' != 'RSA') failed to decrypt assertion: Unable to locate an encrypted key.

Cantor, Scott cantor.2 at
Thu Sep 20 22:46:34 EDT 2018

If you control the IdP, I would probably suggest reverting the "fix" and turning off encryption at the end just to get more into the processing and see what it does. I would imagine it would throw an audience condition failure like people used to get when they had overrides mis-configured.

This is too basic a scenario to seem like a bug to me; I would have to think there's an Apache issue getting the Location block applied the way it seems it should.

-- Scott

On 9/20/18, 10:14 PM, "Cantor, Scott" <cantor.2 at> wrote:

On 9/20/18, 9:59 PM, "users on behalf of Lipscomb, Gary" <users-bounces at on behalf of glipscomb at> wrote:

> Have I missed something when using ShibRequestSetting entityIDSelf ?

It was trying to decrypt believing itself to be operating with a different name and the IdP inserts the name it knew in the key recipient field and they don't match. Bug maybe, or something else not in evidence preventing it from applying that setting to the handler location(s).
-- Scott
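
The recipient mismatch described in this thread can be checked offline against a captured response before touching the SP or IdP configuration. This is an added example, not code from the thread or from the Shibboleth project: the entityIDs and sample XML are constructed, the function names are hypothetical, and treating a key with no Recipient attribute as acceptable is an assumption.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: placeholder entityID, dummy cipher values.
SAMPLE = f"""<saml:EncryptedAssertion xmlns:saml="{SAML}" xmlns:xenc="{XENC}">
  <xenc:EncryptedData Type="{XENC}Element">
    <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
    <ds:KeyInfo xmlns:ds="{DSIG}">
      <xenc:EncryptedKey Recipient="https://sp.example.org/override">
        <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""


def key_recipients(xml_text):
    """Return the Recipient of every xenc:EncryptedKey (None if absent).

    iter() finds keys nested in ds:KeyInfo as well as keys placed as
    siblings of EncryptedData; both layouts occur in SAML messages.
    """
    root = ET.fromstring(xml_text)
    return [k.get("Recipient") for k in root.iter(f"{{{XENC}}}EncryptedKey")]


def candidate_keys(xml_text, effective_entity_id):
    """Count keys the SP would consider when operating as effective_entity_id.

    Assumption: a key with no Recipient is usable by any SP name.
    """
    return sum(1 for r in key_recipients(xml_text)
               if not r or r == effective_entity_id)


def diagnose(xml_text, effective_entity_id):
    """Summarise whether any wrapped key is addressed to this SP name."""
    if candidate_keys(xml_text, effective_entity_id):
        return "ok: a key is addressed to " + effective_entity_id
    seen = ", ".join(r or "(none)" for r in key_recipients(xml_text))
    return f"no key for {effective_entity_id}; IdP addressed: {seen}"


if __name__ == "__main__":
    # The IdP knows the override name; the handler runs under the default.
    print(diagnose(SAMPLE, "https://sp.example.org/default"))
    print(diagnose(SAMPLE, "https://sp.example.org/override"))
```
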
