SP error: Unable to establish security of incoming assertion.

Wong, Wesley wesley.wong at anderson.ucla.edu
Fri May 3 19:24:33 EDT 2019


Hi, I am trying to troubleshoot a test setup of a Shibboleth IdP (version 3.4.3) server and SP (version 3.0.4) server. I am running into an issue where, after authentication, the SP returns the following error:

opensaml::FatalProfileException

The system encountered an error at Fri May 3 15:59:28 2019

To report this problem, please contact the site administrator at root at localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (https://XXXXX.XXXX..edu/Shibboleth.sso/SAML2/POST)

Unable to establish security of incoming assertion.

I looked through the shibd.log file and found the following errors for it:

2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling DOM element (saml2:SubjectConfirmationData)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling attributes for DOM element (saml2:SubjectConfirmationData)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child nodes of DOM element (saml2:SubjectConfirmationData)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: element had no children
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]: located XMLObjectBuilder for element name: saml2:Conditions
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child element (saml2:Conditions)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling DOM element (saml2:Conditions)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling attributes for DOM element (saml2:Conditions)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child nodes of DOM element (saml2:Conditions)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]: located XMLObjectBuilder for element name: saml2:AudienceRestriction
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child element (saml2:AudienceRestriction)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling DOM element (saml2:AudienceRestriction)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child nodes of DOM element (saml2:AudienceRestriction)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]: located XMLObjectBuilder for element name: saml2:Audience
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child element (saml2:Audience)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling DOM element (saml2:Audience)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child nodes of DOM element (saml2:Audience)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing text content at position (0)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]: located XMLObjectBuilder for element name: saml2:AuthnStatement
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child element (saml2:AuthnStatement)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling DOM element (saml2:AuthnStatement)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling attributes for DOM element (saml2:AuthnStatement)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child nodes of DOM element (saml2:AuthnStatement)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]: located XMLObjectBuilder for element name: saml2:SubjectLocality
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child element (saml2:SubjectLocality)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling DOM element (saml2:SubjectLocality)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling attributes for DOM element (saml2:SubjectLocality)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing generic attribute
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child nodes of DOM element (saml2:SubjectLocality)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: element had no children
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]: located XMLObjectBuilder for element name: saml2:AuthnContext
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child element (saml2:AuthnContext)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling DOM element (saml2:AuthnContext)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child nodes of DOM element (saml2:AuthnContext)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]: located XMLObjectBuilder for element name: saml2:AuthnContextClassRef
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child element (saml2:AuthnContextClassRef)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling DOM element (saml2:AuthnContextClassRef)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: unmarshalling child nodes of DOM element (saml2:AuthnContextClassRef)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing text content at position (0)
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: starting to marshal saml2:Assertion
2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: XMLObject has a usable cached DOM, reusing it
2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: decrypted Assertion: <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1d4eadb4846243f1d622c4e9850a9942" IssueInstant="2019-05-03T22:59:28.834Z" Version="2.0"><saml2:Issuer>https://XXXXX.XXXX.XXXX.edu/idp</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://XXXXXXXX.edu/idp" SPNameQualifier="https://XXXXXXXXXX.edu/shibboleth">AAdzZWNyZXQxQXao7JAfEuB1fCCjWz2s1kpcGBuqgzTPTii0dVCUCg7j1P9Zsi5e8Zx7ISeAwApBppw/v2kCmStQ5pCeY51KqgqNOCqiq2ptgvF39dIvyGNXJ7itoAiGA8k+YYeQrTrynSIPaKfJSAqiU2q8/NK0lgg0Qw==</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="XXX.XXX.XXXX.24" InResponseTo="_82fa939948f3263b4518f2b9522d76fc" NotOnOrAfter="2019-05-03T23:04:28.842Z" Recipient="https://XXXXXXXXXXXXXXXXXX/Shibboleth.sso/SAML2/POST"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2019-05-03T22:59:28.834Z" NotOnOrAfter="2019-05-03T23:04:28.834Z"><saml2:AudienceRestriction><saml2:Audience>https://ssoapp-dev.anderson.ucla.edu/shibboleth</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2019-05-03T22:59:28.827Z" SessionIndex="_86d1c07189c0a4a163a3d97b2a809531"><saml2:SubjectLocality Address="164.67.135.24"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>
2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: extracting issuer from SAML 2.0 assertion
2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: searching metadata for assertion issuer...
2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: no metadata found, can't establish identity of issuer (https://XXXXXXXXXXXXXXXXXXXXXX/idp)
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2] [default]: evaluating message flow policy (replay checking on, expiration 60)
2019-05-03 15:59:28 DEBUG XMLTooling.StorageService [2] [default]: inserted record (_1d4eadb4846243f1d622c4e9850a9942) in context (MessageFlow) with expiration (1556924608)
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.ClientCertAuth [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.SimpleSigning [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [2] [default]: assertion satisfied bearer confirmation requirements
2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: detected a problem with assertion: Unable to establish security of incoming assertion.
2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: error processing incoming assertion: Unable to establish security of incoming assertion.
2019-05-03 16:13:05 INFO XMLTooling.StorageService : purged 4 expired record(s) from storage

Any suggestions on what to check would be great. Thanks!

wesley


Wesley Wong
System Administrator
Anderson Computing & Information Services | ACIS
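The trace above tells the story in three lines: the SP extracts the Issuer from the decrypted assertion, finds no metadata for that entityID ("no metadata found, can't establish identity of issuer"), and because it has no issuer metadata it skips every rule that could authenticate the message (ClientCertAuth, XMLSigning, SimpleSigning all log "ignoring message, no issuer metadata supplied"). With no signature verified, the SP refuses the assertion, which is the safe outcome. The fix is on the SP side: a MetadataProvider in shibboleth2.xml must load an EntityDescriptor whose entityID is byte-for-byte the Issuer value the IdP sends. The following script is an added example, not code from the post or from the Shibboleth project; it triages shibd.log lines of this shape and compares the failing issuer against the entityIDs in a metadata file. The log lines and metadata it embeds are constructed samples with placeholder hostnames, not the poster's.

```python
import re
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of the shibd.log lines that matter for this failure
# (placeholder hostnames, not the ones redacted in the post).
SAMPLE_LOG = """\
2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: extracting issuer from SAML 2.0 assertion
2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: searching metadata for assertion issuer...
2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: no metadata found, can't establish identity of issuer (https://idp.example.edu/idp)
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2] [default]: evaluating message flow policy (replay checking on, expiration 60)
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.ClientCertAuth [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.SimpleSigning [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [2] [default]: assertion satisfied bearer confirmation requirements
2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: detected a problem with assertion: Unable to establish security of incoming assertion.
"""

# Constructed SP-side metadata: the IdP is loaded, but under an entityID that
# differs from the assertion's Issuer by a trailing slash (a common near-miss).
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

ISSUER_RE = re.compile(
    r"no metadata found, can't establish identity of issuer \((?P<issuer>[^)]+)\)")
SKIPPED_RULE_RE = re.compile(
    r"OpenSAML\.SecurityPolicyRule\.(?P<rule>\w+) .*ignoring message, no issuer metadata supplied")
REJECTED = "Unable to establish security of incoming assertion"


def triage_shibd_log(text):
    """Summarise the failure: which Issuer had no metadata, which security policy
    rules were skipped because of that, and whether the assertion was rejected."""
    issuer, skipped, rejected = None, [], False
    for line in text.splitlines():
        m = ISSUER_RE.search(line)
        if m:
            issuer = m.group("issuer")
        m = SKIPPED_RULE_RE.search(line)
        if m:
            skipped.append(m.group("rule"))
        if REJECTED in line:
            rejected = True
    return {"issuer": issuer, "skipped_rules": skipped, "rejected": rejected}


def entity_ids_in_metadata(xml_text):
    """Collect every entityID in a metadata document (a single EntityDescriptor
    or an EntitiesDescriptor aggregate)."""
    root = ET.fromstring(xml_text)
    tag = "{%s}EntityDescriptor" % SAML_MD_NS
    return {ed.get("entityID") for ed in root.iter(tag)}


def check_issuer_registered(issuer, entity_ids):
    """Relate the assertion's Issuer to the loaded entityIDs. Shibboleth compares
    entityIDs exactly, so a trailing slash or case difference is enough to make
    the issuer unknown; report such near-misses separately from a true absence."""
    if issuer in entity_ids:
        return ("match", issuer)

    def norm(s):
        return s.rstrip("/").lower()

    for eid in entity_ids:
        if norm(eid) == norm(issuer):
            return ("near-miss", eid)
    return ("missing", None)


def diagnose(log_text, metadata_xml):
    """Combine both checks into one verdict a practitioner can act on."""
    t = triage_shibd_log(log_text)
    if t["issuer"] is None:
        return {"cause": "no-metadata-warning-in-log", **t}
    status, eid = check_issuer_registered(t["issuer"], entity_ids_in_metadata(metadata_xml))
    return {"cause": status, "metadata_entity_id": eid, **t}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_METADATA))
```

Run it against a real shibd.log and the metadata file referenced by the SP's MetadataProvider (point it at the file the SP actually loads, including any cached copy of a remote feed). A "missing" verdict means the IdP is not in the SP's metadata at all; a "near-miss" means the entityID in the metadata does not match the Issuer exactly and one side must be corrected. In either case the skipped XMLSigning rule is the reason the SP cannot trust the assertion, and that is the behaviour you want until the issuer is known.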

