key algorithm didn't match ('AES' != 'RSA') failed to decrypt assertion: Unable to locate an encrypted key.
Lipscomb, Gary
glipscomb at csu.edu.au
Thu Sep 20 23:16:15 EDT 2018
Hi Scott,
Now getting after setting to this
<ApplicationDefaults entityID="default"
2018-09-21 13:10:22 ERROR OpenSAML.SecurityPolicyRule.AudienceRestriction [2] [default]: unacceptable AudienceRestriction in assertion (<saml2:AudienceRestriction xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Audience>https://mydummyapp.csu.edu.au/shibboleth</saml2:Audience></saml2:AudienceRestriction>)
2018-09-21 13:10:22 WARN Shibboleth.SSO.SAML2 [2] [default]: detected a problem with assertion: Assertion contains an unacceptable AudienceRestriction.
2018-09-21 13:10:22 WARN Shibboleth.SSO.SAML2 [2] [default]: error processing incoming assertion: Assertion contains an unacceptable AudienceRestriction.
Gary
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Friday, 21 September 2018 12:47
To: Shib Users <users at shibboleth.net>
Subject: Re: key algorithm didn't match ('AES' != 'RSA') failed to decrypt assertion: Unable to locate an encrypted key.
If you control the IdP, I would probably suggest reverting the "fix" and turning off encryption at the end just to get more into the processing and see what it does. I would imagine it would throw an audience condition failure like people used to get when they had overrides mis-configured.
This is too basic a scenario to seem like a bug to me, I would have to think there's an Apache issue getting the Location block applied the way it seems it should.
-- Scott
On 9/20/18, 10:14 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
On 9/20/18, 9:59 PM, "users on behalf of Lipscomb, Gary" <users-bounces at shibboleth.net on behalf of glipscomb at csu.edu.au> wrote:
> Have I missed something when using ShibRequestSetting entityIDSelf ?
It was trying to decrypt believing itself to be operating with a different name and the IdP inserts the name it knew in the key recipient field and they don't match. Bug maybe, or something else not in evidence preventing it from applying that setting to the handler location(s).
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
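Added example, not code from this thread or from the Shibboleth project: a simplified model of the two checks the log lines above show failing, both keyed on the entityID the SP believes it has for the request. The IdP names the SP it encrypted for in EncryptedKey/@Recipient (as Scott describes), and the decrypted assertion carries an AudienceRestriction naming that same entityID; if the SP is resolving a different entityID for the handler location (for instance because the Location block carrying entityIDSelf does not cover /Shibboleth.sso), first the key lookup and then the audience check fail. The override-resolution rule (longest matching path prefix wins), the default entityID https://sp.example.org/shibboleth, the IdP issuer and both XML samples are constructed for the example; only https://mydummyapp.csu.edu.au/shibboleth comes from the thread.

```python
"""Model of an SP's EncryptedKey-recipient and AudienceRestriction checks.

Added example, not Shibboleth SP code. The XML samples are constructed and
carry dummy cipher values; nothing here performs real decryption.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

APP_ENTITY_ID = "https://mydummyapp.csu.edu.au/shibboleth"   # from the thread
DEFAULT_ENTITY_ID = "https://sp.example.org/shibboleth"       # constructed

# Constructed: an IdP-encrypted assertion. The IdP records the SP entityID it
# encrypted for in EncryptedKey/@Recipient.
ENCRYPTED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey Recipient="https://mydummyapp.csu.edu.au/shibboleth">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>"""

# Constructed: the same assertion once decrypted, with the AudienceRestriction
# seen in the thread's log line.
DECRYPTED_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_a1" Version="2.0" IssueInstant="2018-09-21T03:10:22Z">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:Conditions NotBefore="2018-09-21T03:10:22Z" NotOnOrAfter="2018-09-21T03:15:22Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://mydummyapp.csu.edu.au/shibboleth</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


def effective_entity_id(request_path, default_id, overrides):
    """entityID in force for a request path.

    Assumed rule for the example: the longest override path prefix that
    matches wins, otherwise the ApplicationDefaults entityID applies. If no
    override covers the handler location, the handler runs under default_id.
    """
    best_prefix, chosen = "", default_id
    for prefix, entity_id in overrides.items():
        if request_path.startswith(prefix) and len(prefix) > len(best_prefix):
            best_prefix, chosen = prefix, entity_id
    return chosen


def encrypted_key_recipients(response_xml):
    """Recipient attribute of every EncryptedKey in the response."""
    root = ET.fromstring(response_xml)
    return [k.get("Recipient") for k in root.iterfind(".//xenc:EncryptedKey", NS)]


def check_encrypted_key(response_xml, sp_entity_id):
    """None if an EncryptedKey is addressed to sp_entity_id, else a reason."""
    recipients = encrypted_key_recipients(response_xml)
    if sp_entity_id in recipients:
        return None
    return "Unable to locate an encrypted key for %s (recipients: %s)" % (
        sp_entity_id, recipients)


def check_audience(assertion_xml, sp_entity_id):
    """None if the assertion's audience includes sp_entity_id, else a reason.

    An assertion with no AudienceRestriction is treated as unrestricted,
    which is the SAML 2.0 core rule for an absent condition.
    """
    root = ET.fromstring(assertion_xml)
    path = ".//saml2:Conditions/saml2:AudienceRestriction/saml2:Audience"
    audiences = [(a.text or "").strip() for a in root.iterfind(path, NS)]
    if not audiences or sp_entity_id in audiences:
        return None
    return "unacceptable AudienceRestriction for %s (audiences: %s)" % (
        sp_entity_id, audiences)


def diagnose(request_path, default_id, overrides):
    """Both checks run with the entityID in force for request_path.

    Returns the list of failures; empty means the SP would accept.
    """
    me = effective_entity_id(request_path, default_id, overrides)
    results = (check_encrypted_key(ENCRYPTED_RESPONSE, me),
               check_audience(DECRYPTED_ASSERTION, me))
    return [r for r in results if r]


if __name__ == "__main__":
    handler = "/Shibboleth.sso/SAML2/POST"
    print(diagnose(handler, DEFAULT_ENTITY_ID, {"/mydummyapp": APP_ENTITY_ID}))
    print(diagnose(handler, DEFAULT_ENTITY_ID,
                   {"/mydummyapp": APP_ENTITY_ID, "/Shibboleth.sso": APP_ENTITY_ID}))
```

The first diagnose call models an override that covers the application path but not the handler: the SP arrives at the handler as the default entityID, finds no EncryptedKey addressed to it, and, had decryption gone ahead, would also reject the audience. The second call covers the handler location as well and both checks pass. The sample XML is trusted here; for XML from the wire use a hardened parser such as defusedxml rather than xml.etree directly.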