Encryption works against samltest.id but not local Shibboleth IdP
Raymond DeCampo
ray at decampo.org
Thu Jul 30 12:23:05 UTC 2020
I have Shibboleth 4.0.1 IdP installed locally and have verified it using
samltest.id as the SP.
I also have mod_auth_mellon on Apache httpd on another server which I would
like to use as the SP. I have verified that it works with samltest.id as
the IdP, either with both encryption and signing <KeyDescriptor> elements
or with only a signing <KeyDescriptor>.
When I configure my SP to use my local Shibboleth installation as the IdP,
it will work successfully if I only have the signing key. But it does not
work if I include the encryption key.
When using the encryption key in my SP metadata, it appears to log in
successfully, but when redirected back to the AssertionConsumerService URL,
I get a 400 Bad Request response from the SP with the following message in
the logs:
[Thu Jul 30 07:04:45.374462 2020] [auth_mellon:error] [pid 29013] [client 10.0.2.2:60010] Error processing authn response. Lasso error: [-427] When looking for an assertion we did not found it., SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)", referer: https://samldev.promergent.com:8443/idp/profile/SAML2/Redirect/SSO?execution=e2s3
The SP metadata:
<EntityDescriptor entityID="https://localhost/rayDevEntityID"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICpDCCAYwCCQDKXGOSlGjvKTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICpDCCAYwCCQDKXGOSlGjvKTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost/mellon/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost/mellon/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
The Shibboleth IdP metadata is the sample which comes with the install,
updated for the expiration date and adding the port to the URLs.
I cranked up the logging on the IdP and have attached the results.
Thanks again,
Ray
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shibboleth.log
Type: text/x-log
Size: 41087 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20200730/c293db5e/attachment.bin>
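Two checks a practitioner would want to run on the setup described in the post, added here as an example (this is not code from the post, from mod_auth_mellon, Lasso or the Shibboleth IdP). First: an IdP encrypts the assertion to whatever certificate the SP publishes in its encryption <KeyDescriptor>, so the SP can only decrypt it if that certificate is the one whose private key the SP actually holds (for mod_auth_mellon, the pair given by MellonSPCertFile and MellonSPPrivateKeyFile). The script fingerprints the certificates in the SP metadata and compares them with the SP's own PEM certificate. Second: it classifies a samlp:Response as carrying a plain <saml:Assertion>, an <saml:EncryptedAssertion>, or neither, which tells you whether the IdP encrypted at all before the SP tried to find an assertion. The metadata, certificate bytes and Response below are constructed stand-ins (minimal DER blobs, not real certificates); function names such as check_sp_metadata are this example's own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespaces for SAML 2.0 metadata, XML Signature, assertions and protocol.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM file (e.g. MellonSPCertFile)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def key_descriptors(metadata_xml: str) -> dict:
    """Map 'signing'/'encryption' to fingerprints of the certificates the
    SPSSODescriptor publishes for that purpose. A KeyDescriptor without a
    'use' attribute is valid for both purposes, so it is recorded under both."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in found else list(found)
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate content is not a DER SEQUENCE")
            for u in uses:
                found[u].append(fingerprint(der))
    return found

def check_sp_metadata(metadata_xml: str, sp_cert_pem: str) -> list:
    """Compare the certificates published in SP metadata with the SP's own
    certificate. Returns a list of findings; empty means they agree."""
    findings = []
    published = key_descriptors(metadata_xml)
    own = fingerprint(pem_to_der(sp_cert_pem))
    if not published["encryption"]:
        findings.append("no encryption KeyDescriptor: the IdP has no SP key to encrypt to")
    elif own not in published["encryption"]:
        findings.append("encryption certificate in metadata is not the SP's own certificate: "
                        "the IdP will encrypt to a key the SP cannot decrypt with")
    if published["signing"] and own not in published["signing"]:
        findings.append("signing certificate in metadata is not the SP's own certificate")
    return findings

def response_assertion_kind(response_xml: str) -> str:
    """'encrypted', 'plain' or 'none': what a Response carries before decryption."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return "encrypted"
    if root.find("saml:Assertion", NS) is not None:
        return "plain"
    return "none"

# --- constructed demo data: minimal DER blobs standing in for certificates ---
CERT_A = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # plays the SP's own certificate
CERT_B = bytes([0x30, 0x03, 0x02, 0x01, 0x02])  # a different certificate

def to_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

def build_metadata(signing_der: bytes, encryption_der: bytes = None) -> str:
    """SP metadata shaped like the post's, with constructed certificate bytes."""
    def kd(use, der):
        return (f'<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                f'{base64.b64encode(der).decode()}</ds:X509Certificate></ds:X509Data>'
                '</ds:KeyInfo></KeyDescriptor>')
    body = kd("signing", signing_der)
    if encryption_der is not None:
        body += kd("encryption", encryption_der)
    return ('<EntityDescriptor entityID="https://localhost/rayDevEntityID" '
            'xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + body + '</SPSSODescriptor></EntityDescriptor>')

def build_response(kind: str) -> str:
    """Skeletal Success Response carrying a plain, an encrypted, or no assertion."""
    inner = {"plain": "<saml:Assertion/>", "encrypted": "<saml:EncryptedAssertion/>", "none": ""}[kind]
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><samlp:Status>'
            '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
            '</samlp:Status>' + inner + '</samlp:Response>')

if __name__ == "__main__":
    # Metadata publishing a different encryption certificate than the SP holds.
    for f in check_sp_metadata(build_metadata(CERT_A, CERT_B), to_pem(CERT_A)):
        print("FINDING:", f)
    print("response carries:", response_assertion_kind(build_response("encrypted")))
```

To use it against a real deployment, feed check_sp_metadata the metadata file the IdP has loaded for the SP and the PEM that MellonSPCertFile points at; feed response_assertion_kind the base64-decoded SAMLResponse from the POST to the AssertionConsumerService. A fingerprint mismatch means the IdP is encrypting to a key the SP cannot open, which is exactly the kind of difference that shows up only once an encryption <KeyDescriptor> is published.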