Encryption configuration issue
Raymond DeCampo
ray at decampo.org
Wed Jul 29 15:48:14 UTC 2020
Hello,
I have an installation of Shibboleth IdP 4.0.1 and I have been able to
verify that it works by using https://samltest.id/ as the SP.
Furthermore I have an installation of Apache httpd with
mod_auth_mellon (a SAML library for Apache) configured as an SP. I am
able to verify that this works against the IdP at
https://samltest.id/.
So far so good. Now I want my SP and IdP to be integrated. However,
when I try this I get the following log messages from Shibboleth:
2020-07-29 11:35:57,343 - 10.42.0.200 - WARN [org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver:234] - Validation failure: Failed to resolve both a data and a key encryption credential
2020-07-29 11:35:57,345 - 10.42.0.200 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:318] - Profile Action PopulateEncryptionParameters: Failed to resolve EncryptionParameters
2020-07-29 11:35:57,345 - 10.42.0.200 - WARN [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:335] - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters
2020-07-29 11:35:57,351 - 10.42.0.200 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidSecurityConfiguration
Now come all the files you probably want or need. I added the
following in conf/metadata-providers.xml:
<MetadataProvider id="RayDev"
xsi:type="FilesystemMetadataProvider"
metadataFile="%{idp.home}/metadata/https_localhost_rayDevEntityID.xml">
</MetadataProvider>
Here is the contents of metadata/https_localhost_rayDevEntityID.xml:
<EntityDescriptor entityID="https://localhost/rayDevEntityID"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICpDCCAYwCCQDKXGOSlGjvKTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost/mellon/logout"/>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost/mellon/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
For the IdP metadata, I used the sample which comes with Shibboleth,
changing the expiration date and adding port 8443 to the URLs. (This
is the metadata I used successfully with samltest.id as the SP).
Any feedback is appreciated.
Thanks,
Ray
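The first warning in the log says the IdP could not resolve an encryption credential for this SP, and the SP metadata in the post declares a single KeyDescriptor with use="signing". In SAML 2.0 metadata a KeyDescriptor with no use attribute may be used for both signing and encryption, while use="signing" alone advertises no key an IdP can encrypt to. The script below is an added example (not code from the post, from Shibboleth, or from mod_auth_mellon) that parses SP metadata and reports which purposes its declared keys cover. The metadata strings inside it are constructed, modelled on the one posted, with placeholder certificate values; the variant names SIGNING_ONLY, DUAL_USE and SEPARATE_KEYS are assumptions of this example.

```python
"""Check SAML 2.0 SP metadata for keys an IdP can use to encrypt assertions.

Added example, not code from the original post or from Shibboleth. It
parses an EntityDescriptor and counts the KeyDescriptor elements usable
for signing and for encryption. Per the SAML 2.0 metadata spec, a
KeyDescriptor without a 'use' attribute may serve both purposes;
use="signing" alone gives the IdP nothing to encrypt to.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata, modelled on the one in the post: only a
# signing key is declared. The certificate value is a placeholder.
SIGNING_ONLY = """<EntityDescriptor entityID="https://localhost/rayDevEntityID"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost/mellon/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Variant 1 (constructed): drop the 'use' attribute so the one key is
# usable for both signing and encryption.
DUAL_USE = SIGNING_ONLY.replace('<KeyDescriptor use="signing">', "<KeyDescriptor>")

# Variant 2 (constructed): keep the signing key and add a second
# KeyDescriptor explicitly marked for encryption.
ENC_KEY = (
    '<KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
    "<ds:X509Certificate>MIIC...placeholder2...</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
)
SEPARATE_KEYS = SIGNING_ONLY.replace("</KeyDescriptor>", "</KeyDescriptor>\n    " + ENC_KEY, 1)


def key_usage(metadata_xml: str) -> dict:
    """Return {'signing': n, 'encryption': n}: how many KeyDescriptors in
    the SPSSODescriptor role(s) are usable for each purpose.

    ElementTree is adequate for metadata you wrote yourself; for metadata
    fetched from a third party, parse with a hardened parser (e.g. defusedxml).
    """
    root = ET.fromstring(metadata_xml)
    counts = {"signing": 0, "encryption": 0}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor carrying no certificate is useless for either purpose.
        if kd.find(".//ds:X509Certificate", NS) is None:
            continue
        use = kd.get("use")
        if use in (None, "signing"):
            counts["signing"] += 1
        if use in (None, "encryption"):
            counts["encryption"] += 1
    return counts


def can_idp_encrypt_to(metadata_xml: str) -> bool:
    """True if the SP advertises at least one key an IdP may encrypt to."""
    return key_usage(metadata_xml)["encryption"] > 0


if __name__ == "__main__":
    for name, doc in (("signing-only", SIGNING_ONLY),
                      ("dual-use", DUAL_USE),
                      ("separate-keys", SEPARATE_KEYS)):
        print(f"{name:14s} {key_usage(doc)}  encryptable: {can_idp_encrypt_to(doc)}")
```

Run it against the metadata file the IdP actually loads (the one under %{idp.home}/metadata/), not against what the SP serves, since those can drift apart. When the result reports zero encryption-usable keys, the SP must publish one, either by dropping use="signing" so the existing key covers both purposes or by adding a KeyDescriptor with use="encryption"; mod_auth_mellon's generated metadata normally includes both. Shibboleth IdP also has an idp.encryption.optional property that lets it fall back to an unencrypted assertion when no key can be resolved, but that trades away assertion confidentiality and is not a substitute for fixing the metadata.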