Encryption configuration issue

Raymond DeCampo ray at decampo.org
Wed Jul 29 16:33:43 UTC 2020


Thanks Steve, changing the encryption to optional did indeed work.

I should probably investigate how to configure mod_auth_mellon to
support encryption.

Thanks to Rod and Nate as well who also responded.

On Wed, Jul 29, 2020 at 11:58 AM Mak, Steve <makst at upenn.edu> wrote:
>
> Two reasons why you are seeing those errors:
>
> 1. IdP is not configured for encryption optional = true (You can solve this by flipping the property to true)
> 2. SP metadata does not list an encryption pub cert. (You can solve this by removing the "signing" label on the SP metadata.)
>
> IdP resolves to "encryption is required" but SP can't do encryption, so it results in fail to operate with that SP.
>
> On 7/29/20, 11:54, "users on behalf of Raymond DeCampo" <users-bounces at shibboleth.net on behalf of ray at decampo.org> wrote:
>
>     Hello,
>
>     I have an installation of Shibboleth IdP 4.0.1 and I have been able to
>     verify that it works by using https://samltest.id/ as the SP.
>
>     Furthermore I have an installation of Apache httpd with
>     mod_auth_mellon (a SAML library for Apache) configured as an SP.  I am
>     able to verify that this works against the IdP at
>     https://samltest.id/.
>
>     So far so good.  Now I want my SP and IdP to be integrated.  However,
>     when I try this I get the following log messages from Shibboleth:
>
>     2020-07-29 11:35:57,343 - 10.42.0.200 - WARN
>     [org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver:234] -
>     Validation failure: Failed to resolve both a data and a key encryption
>     credential
>     2020-07-29 11:35:57,345 - 10.42.0.200 - DEBUG
>     [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:318]
>     - Profile Action PopulateEncryptionParameters: Failed to resolve
>     EncryptionParameters
>     2020-07-29 11:35:57,345 - 10.42.0.200 - WARN
>     [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:335]
>     - Profile Action PopulateEncryptionParameters: Resolver returned no
>     EncryptionParameters
>     2020-07-29 11:35:57,351 - 10.42.0.200 - WARN
>     [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event
>     occurred while processing the request: InvalidSecurityConfiguration
>
>     Now comes all the files you probably want or need.  I added the
>     following in conf/metadata-providers.xml:
>
>          <MetadataProvider id="RayDev"
>              xsi:type="FilesystemMetadataProvider"
>              metadataFile="%{idp.home}/metadata/https_localhost_rayDevEntityID.xml">
>          </MetadataProvider>
>
>     Here is the contents of metadata/https_localhost_rayDevEntityID.xml:
>
>     <EntityDescriptor entityID="https://localhost/rayDevEntityID"
>         xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <SPSSODescriptor
>           protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>         <KeyDescriptor use="signing">
>           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:X509Data>
>               <ds:X509Certificate>MIICpDCCAYwCCQDKXGOSlGjvKTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
>     b2NhbGhvc3QwHhcNMjAwNzI4MTgwNTU5WhcNMzAwNzI4MTgwNTU5WjAUMRIwEAYD
>     VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf
>     cl7EEjxKo+ymMGKhQqnR9SBHdAriRcJf3Kl7prO8D1jjPtHjEopYhPyVntLVJWZs
>     ayZG5Y2R9gf9FQzMH/c1pe1lE5aci3lSCV0yhhkN3CHdecmazGfCXzAslMHMIIHc
>     y81MTRHTPE4LK6uXuEp1v9+X8ih4ep1Cb6Cp+5zPY8HqcfKxyEpdTr0I/L4L5azC
>     CLsRQtTc9I9MDzRz2dVkJCpd9gTz1r35PZbP/AdJvmVvz6Ie9yEJ1IOoY1kzFWGD
>     Yoat9KkVNkUDWkBuoghDgK1sRtrjbiwI6X1FJA/DpIc3H8he9u7gH5jPsLOptzTE
>     gybgUMC/wwoqpFM8quYdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKeGvDpHoJK/
>     k+tTmy5bB/qwPQr9LgTt8xjzgpE95iteiVcMEJ2+YZogna1380kny6srNpSk0419
>     +Coyw3R1FgtS6v6NzlCTQoVlIJpsPILg5EDkacusieHOmtUD+4Bg4TEPZLde/YH/
>     zPQFUpli5oE2kQkHeKXc3IjYKDE4HVaKsSyGnDA+KjZ4aHtNObs8tYLmWENJuDER
>     yZRm9e1xqTISRxDV6RX1oxJxs36nuaKCA8gqnkxkn1kFneEjuAHk1f2n/mVhyFnj
>     KpfI8aH2fu3uLR8cH5OFFhIPr//7wxn/yeWwwS1RjqvMbRbIFQaME3uq80SP+4Vk
>     ab0lp8OoAXY=</ds:X509Certificate>
>             </ds:X509Data>
>           </ds:KeyInfo>
>         </KeyDescriptor>
>         <SingleLogoutService
>             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>             Location="https://localhost/mellon/logout"/>
>         <AssertionConsumerService
>             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>             Location="https://localhost/mellon/postResponse" index="0"/>
>       </SPSSODescriptor>
>     </EntityDescriptor>
>
>     For the IdP metadata, I used the sample which comes with Shibboleth,
>     changing the expiration date and adding port 8443 to the URLs.  (This
>     is the metadata I used successfully with samltest.id as the SP).
>
>     Any feedback is appreciated.
>
>     Thanks,
>     Ray
>     --
>     For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
>     To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
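The failure Steve describes can be checked before an SP is registered with the IdP: the IdP needs a KeyDescriptor it may encrypt to, and a descriptor carrying use="signing" alone does not qualify (per SAML metadata, a KeyDescriptor with use="encryption", or with no use attribute at all, is usable for encryption). The script below is an added example, not code from the thread, from Shibboleth or from mod_auth_mellon. It parses SP metadata with the same shape as Ray's (the certificate is replaced by a placeholder), classifies it the way the IdP's encryption-parameter resolution would, and applies the second remedy from the reply, dropping the "signing" label so the same key is advertised for both uses. The function names and the sample metadata are constructed for this example.

```python
"""Check SAML SP metadata for an encryption-capable key (added example).

Background from the thread: when the IdP's profile requires encryption and
the SP metadata offers no key usable for encryption, the IdP logs
"Failed to resolve both a data and a key encryption credential" and stops
with InvalidSecurityConfiguration.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the familiar prefixes when re-serialising instead of ns0/ns1.
ET.register_namespace("", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample: same shape as the SP metadata posted in the thread,
# with a placeholder instead of the real certificate.
SIGNING_ONLY_METADATA = """<EntityDescriptor entityID="https://localhost/rayDevEntityID"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost/mellon/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def key_descriptors(metadata_xml):
    """Return (use, certificate text) for every KeyDescriptor in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
        text = cert.text.strip() if cert is not None and cert.text else None
        found.append((kd.get("use"), text))
    return found


def diagnose_encryption(metadata_xml):
    """Classify SP metadata from the IdP's point of view.

    'ok'           -> at least one key usable for encryption
                      (use="encryption", or no use attribute = both uses)
    'signing-only' -> keys exist but every one is labelled use="signing"
    'no-keys'      -> no KeyDescriptor at all
    The IdP with encryption required refuses the last two cases.
    """
    uses = [use for use, _ in key_descriptors(metadata_xml)]
    if not uses:
        return "no-keys"
    if any(use in (None, "encryption") for use in uses):
        return "ok"
    return "signing-only"


def make_keys_dual_use(metadata_xml):
    """Drop use="signing" from every KeyDescriptor (the thread's second remedy).

    With no use attribute the key is advertised for signing and encryption.
    Only correct when the SP really holds the matching private key and is
    configured to decrypt with it; otherwise the IdP encrypts to a key the
    SP cannot use and the failure just moves to the SP side.
    """
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") == "signing":
            del kd.attrib["use"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", diagnose_encryption(SIGNING_ONLY_METADATA))
    fixed = make_keys_dual_use(SIGNING_ONLY_METADATA)
    print("after: ", diagnose_encryption(fixed))
    print(fixed)
```

Running it against the sample reports "signing-only" before and "ok" after the label is removed. The first remedy in the reply (making encryption optional on the IdP side) avoids the error without touching the SP metadata, but it also means assertions to that SP go out unencrypted, which is why Ray's follow-up, teaching the SP to decrypt and then advertising an encryption key, is the better end state.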


More information about the users mailing list