SP error: Unable to establish security of incoming assertion.

IAM David Bantz dabantz at alaska.edu
Fri May 3 19:47:53 EDT 2019


2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: no metadata
found, can't establish identity of issuer (https://xxxxxxxxxxxxxxxxxxxxxx/idp)...



On Fri, May 3, 2019 at 3:24 PM Wong, Wesley <wesley.wong at anderson.ucla.edu>
wrote:

> Hi, I am trying to troubleshoot a test setup of Shibboleth IDP (version
> 3.4.3)  server and SP (version 3.0.4) server. I am running into an issue
> where after authentication, the SP returns the following error:
>
>
> opensaml::FatalProfileException
>
> The system encountered an error at Fri May 3 15:59:28 2019
>
> To report this problem, please contact the site administrator at
> root at localhost.
>
> Please include the following message in any email:
>
> opensaml::FatalProfileException at (https://XXXXX.XXXX.
> .edu/Shibboleth.sso/SAML2/POST)
>
> Unable to establish security of incoming assertion.
>
>
>
> I looked through the shibd.log file and found the following errors for it:
>
>
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling DOM element (saml2:SubjectConfirmationData)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling attributes for DOM element (saml2:SubjectConfirmationData)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child nodes of DOM element (saml2:SubjectConfirmationData)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: element had
> no children
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]:
> located XMLObjectBuilder for element name: saml2:Conditions
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child element (saml2:Conditions)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling DOM element (saml2:Conditions)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling attributes for DOM element (saml2:Conditions)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child nodes of DOM element (saml2:Conditions)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]:
> located XMLObjectBuilder for element name: saml2:AudienceRestriction
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child element (saml2:AudienceRestriction)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling DOM element (saml2:AudienceRestriction)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child nodes of DOM element (saml2:AudienceRestriction)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]:
> located XMLObjectBuilder for element name: saml2:Audience
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child element (saml2:Audience)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling DOM element (saml2:Audience)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child nodes of DOM element (saml2:Audience)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> text content at position (0)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]:
> located XMLObjectBuilder for element name: saml2:AuthnStatement
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child element (saml2:AuthnStatement)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling DOM element (saml2:AuthnStatement)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling attributes for DOM element (saml2:AuthnStatement)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child nodes of DOM element (saml2:AuthnStatement)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]:
> located XMLObjectBuilder for element name: saml2:SubjectLocality
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child element (saml2:SubjectLocality)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling DOM element (saml2:SubjectLocality)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling attributes for DOM element (saml2:SubjectLocality)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> generic attribute
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child nodes of DOM element (saml2:SubjectLocality)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: element had
> no children
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]:
> located XMLObjectBuilder for element name: saml2:AuthnContext
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child element (saml2:AuthnContext)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling DOM element (saml2:AuthnContext)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child nodes of DOM element (saml2:AuthnContext)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObjectBuilder [2] [default]:
> located XMLObjectBuilder for element name: saml2:AuthnContextClassRef
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child element (saml2:AuthnContextClassRef)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling DOM element (saml2:AuthnContextClassRef)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]:
> unmarshalling child nodes of DOM element (saml2:AuthnContextClassRef)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: processing
> text content at position (0)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: starting to
> marshal saml2:Assertion
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.XMLObject [2] [default]: XMLObject
> has a usable cached DOM, reusing it
>
> 2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: decrypted
> Assertion: <saml2:Assertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_1d4eadb4846243f1d622c4e9850a9942"
> IssueInstant="2019-05-03T22:59:28.834Z" Version="2.0"><saml2:Issuer>
> https://XXXXX.XXXX.XXXX.edu/idp</saml2:Issuer><saml2:Subject><saml2:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="
> https://XXXXXXXX.edu/idp" SPNameQualifier="
> https://XXXXXXXXXX.edu/shibboleth">AAdzZWNyZXQxQXao7JAfEuB1fCCjWz2s1kpcGBuqgzTPTii0dVCUCg7j1P9Zsi5e8Zx7ISeAwApBppw/v2kCmStQ5pCeY51KqgqNOCqiq2ptgvF39dIvyGNXJ7itoAiGA8k+YYeQrTrynSIPaKfJSAqiU2q8/NK0lgg0Qw==</saml2:NameID><saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
> Address="XXX.XXX.XXXX.24" InResponseTo="_82fa939948f3263b4518f2b9522d76fc"
> NotOnOrAfter="2019-05-03T23:04:28.842Z" Recipient="
> https://XXXXXXXXXXXXXXXXXX/Shibboleth.sso/SAML2/POST"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
> NotBefore="2019-05-03T22:59:28.834Z"
> NotOnOrAfter="2019-05-03T23:04:28.834Z"><saml2:AudienceRestriction><saml2:Audience>
> https://ssoapp-dev.anderson.ucla.edu/shibboleth</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement
> AuthnInstant="2019-05-03T22:59:28.827Z"
> SessionIndex="_86d1c07189c0a4a163a3d97b2a809531"><saml2:SubjectLocality
> Address="164.67.135.24"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>
>
> 2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: extracting
> issuer from SAML 2.0 assertion
>
> 2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: searching
> metadata for assertion issuer...
>
> 2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: no metadata
> found, can't establish identity of issuer (
> https://XXXXXXXXXXXXXXXXXXXXXX/idp)
>
> 2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]
> [default]: evaluating message flow policy (replay checking on, expiration
> 60)
>
> 2019-05-03 15:59:28 DEBUG XMLTooling.StorageService [2] [default]:
> inserted record (_1d4eadb4846243f1d622c4e9850a9942) in context
> (MessageFlow) with expiration (1556924608)
>
> 2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.ClientCertAuth [2]
> [default]: ignoring message, no issuer metadata supplied
>
> 2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]
> [default]: ignoring message, no issuer metadata supplied
>
> 2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.SimpleSigning [2]
> [default]: ignoring message, no issuer metadata supplied
>
> 2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation
> [2] [default]: assertion satisfied bearer confirmation requirements
>
> 2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: detected a
> problem with assertion: Unable to establish security of incoming assertion.
>
> 2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: error
> processing incoming assertion: Unable to establish security of incoming
> assertion.
>
> 2019-05-03 16:13:05 INFO XMLTooling.StorageService : purged 4 expired
> record(s) from storage
>
>
>
> Any suggestions on what to check would be great. Thanks!
>
>
>
> wesley
>
>
>
>
>
> Wesley Wong
>
> System Administrator
>
> *Anderson Computing & Information Services | ACIS*
>
>
>
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
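For readers who land on this thread with the same shibd.log sequence: the "no metadata found, can't establish identity of issuer" warning is the root cause, and the later "ignoring message, no issuer metadata supplied" lines show why the SP then fails closed. With no EntityDescriptor for the Issuer, the ClientCertAuth, XMLSigning and SimpleSigning policy rules have no trusted key to evaluate the assertion against, so nothing authenticates the assertion and the SP rejects it with "Unable to establish security of incoming assertion". The usual fix is a MetadataProvider in the SP's shibboleth2.xml that loads the IdP's metadata, with an entityID that matches the assertion's Issuer exactly. Below is an added example (not from this thread or the Shibboleth project) that scans a shibd.log excerpt for that failure signature, pulls out the Issuer, and compares it against the entityIDs in a metadata document as the SP would load it. The log lines, the metadata and the entityIDs (https://idp.example.edu/idp with and without a trailing slash) are constructed for the example; the near-miss check is a triage heuristic of the example, not SP behaviour, since the SP compares the entityID exactly.

```python
"""Triage the Shibboleth SP error 'Unable to establish security of incoming assertion'.

Added example, not code from the thread or from the Shibboleth project.
All log lines, metadata and entityIDs below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed shibd.log excerpt mirroring the sequence seen in the post
# (issuer URL is an assumed placeholder).
SAMPLE_LOG = """\
2019-05-03 15:59:28 DEBUG Shibboleth.SSO.SAML2 [2] [default]: searching metadata for assertion issuer...
2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: no metadata found, can't establish identity of issuer (https://idp.example.edu/idp)
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.ClientCertAuth [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 DEBUG OpenSAML.SecurityPolicyRule.SimpleSigning [2] [default]: ignoring message, no issuer metadata supplied
2019-05-03 15:59:28 WARN Shibboleth.SSO.SAML2 [2] [default]: detected a problem with assertion: Unable to establish security of incoming assertion.
"""

# Constructed IdP metadata as an SP MetadataProvider would load it.
# The entityID differs from the Issuer only by a trailing slash, which is
# enough for the SP to report "no metadata found".
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

NO_METADATA_RE = re.compile(
    r"no metadata found, can't establish identity of issuer \((?P<issuer>[^)]+)\)"
)
SKIPPED_RULE_RE = re.compile(
    r"OpenSAML\.SecurityPolicyRule\.(?P<rule>\w+) .*?ignoring message, no issuer metadata supplied"
)


def triage_log(log_text):
    """Return (issuer, skipped_rules).

    issuer is the entityID the SP could not find metadata for (None if the
    warning is absent); skipped_rules lists the security policy rules the SP
    bypassed because it had no issuer metadata to evaluate them with.
    """
    issuer = None
    skipped = []
    for line in log_text.splitlines():
        m = NO_METADATA_RE.search(line)
        if m:
            issuer = m.group("issuer").strip()
        m = SKIPPED_RULE_RE.search(line)
        if m:
            skipped.append(m.group("rule"))
    return issuer, skipped


def metadata_entity_ids(metadata_xml):
    """Collect every entityID from an EntityDescriptor or EntitiesDescriptor document."""
    root = ET.fromstring(metadata_xml)
    ids = set()
    if root.tag == "{%s}EntityDescriptor" % MD_NS:
        ids.add(root.get("entityID"))
    for ed in root.iterfind(".//md:EntityDescriptor", NS):
        ids.add(ed.get("entityID"))
    return ids


def diagnose(log_text, metadata_xml):
    """Pair the log's failure signature with the metadata the SP has loaded."""
    issuer, skipped = triage_log(log_text)
    if issuer is None:
        return {"status": "no-metadata-failure-not-seen"}
    known = metadata_entity_ids(metadata_xml)
    if issuer in known:
        # Metadata now contains the issuer; if the SP still warns, it has not
        # reloaded or is loading a different file than the one checked here.
        return {"status": "issuer-in-metadata", "issuer": issuer, "skipped_rules": skipped}
    # Heuristic (not SP behaviour): the SP matches entityID byte-for-byte, so a
    # trailing slash, case difference or stray whitespace reads as "no metadata".
    near = [e for e in known if e.rstrip("/").lower() == issuer.rstrip("/").lower()]
    return {
        "status": "issuer-not-in-metadata",
        "issuer": issuer,
        "skipped_rules": skipped,
        "near_misses": near,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_METADATA))
```

Run it against a real shibd.log excerpt and the file referenced by the SP's MetadataProvider; a result of "issuer-not-in-metadata" with a near miss points at an entityID mismatch rather than a signature or trust problem, and a result of "issuer-in-metadata" points at the SP not having loaded that file (wrong path, failed fetch, or no reload since the edit). Either way the rejection itself is the correct fail-closed outcome: an SP must not accept an assertion whose signature it cannot tie to a known issuer key.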

