Encryption works against samltest.id but not local Shibboleth IdP

Mak, Steve makst at upenn.edu
Thu Jul 30 12:31:13 UTC 2020 

Make sure the SP metadata is listing the correct encryption pub cert.

Your SP might actually be using a different encryption key pair, which is why it's reporting that the decryption is failing to find an assertion.

Double check your shibboleth2.xml and make sure the files line up and restart shibd to make sure it's actually using that config.


The IdP is not doing anything wrong, it's given an encryption pub cert and encrypts with it and sends it along and it's up to the private key owner to decrypt it. If there's a failure to decrypt it probably means the IdP was given the wrong encryption pub cert.

From: users <users-bounces at shibboleth.net> on behalf of Raymond DeCampo <ray at decampo.org>
Reply-To: Shib Users <users at shibboleth.net>
Date: Thursday, July 30, 2020 at 08:24
To: Shib Users <users at shibboleth.net>
Subject: Encryption works against samltest.id but not local Shibboleth IdP

I have Shibboleth 4.0.1 IdP installed locally and have verified it using samltest.id<http://samltest.id> as the SP.

I also have mod_auth_mellon on Apache httpd on another server which I would like to use as the SP.  I have verified that it works with samltest.id<http://samltest.id> as the IdP either with a both encryption and signing <KeyDescriptor> elements or only with a signing <KeyDescriptor>.

When I configure my SP to use my local Shibboleth installation as the IdP, it will work successfully if I only have the signing key.  But it does not work if I include the encryption key.

When using the encryption key in my SP metadata, it appears to login successfully but when redirected back to the AssertionConsumerService URL, I get a 400 Bad Request response from the SP with the following message in the logs:
[Thu Jul 30 07:04:45.374462 2020] [auth_mellon:error] [pid 29013] [client 10.0.2.2:60010<http://10.0.2.2:60010>] Error processing authn response. Lasso error: [-427] When looking for an assertion we did not found it., SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)", referer: https://samldev.promergent.com:8443/idp/profile/SAML2/Redirect/SSO?execution=e2s3

The SP metadata:

<EntityDescriptor entityID="https://localhost/rayDevEntityID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#<http://www.w3.org/2000/09/xmldsig>">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#<http://www.w3.org/2000/09/xmldsig>">
        <ds:X509Data>
          <ds:X509Certificate>MIICpDCCAYwCCQDKXGOSlGjvKTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjAwNzI4MTgwNTU5WhcNMzAwNzI4MTgwNTU5WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf
cl7EEjxKo+ymMGKhQqnR9SBHdAriRcJf3Kl7prO8D1jjPtHjEopYhPyVntLVJWZs
ayZG5Y2R9gf9FQzMH/c1pe1lE5aci3lSCV0yhhkN3CHdecmazGfCXzAslMHMIIHc
y81MTRHTPE4LK6uXuEp1v9+X8ih4ep1Cb6Cp+5zPY8HqcfKxyEpdTr0I/L4L5azC
CLsRQtTc9I9MDzRz2dVkJCpd9gTz1r35PZbP/AdJvmVvz6Ie9yEJ1IOoY1kzFWGD
Yoat9KkVNkUDWkBuoghDgK1sRtrjbiwI6X1FJA/DpIc3H8he9u7gH5jPsLOptzTE
gybgUMC/wwoqpFM8quYdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKeGvDpHoJK/
k+tTmy5bB/qwPQr9LgTt8xjzgpE95iteiVcMEJ2+YZogna1380kny6srNpSk0419
+Coyw3R1FgtS6v6NzlCTQoVlIJpsPILg5EDkacusieHOmtUD+4Bg4TEPZLde/YH/
zPQFUpli5oE2kQkHeKXc3IjYKDE4HVaKsSyGnDA+KjZ4aHtNObs8tYLmWENJuDER
yZRm9e1xqTISRxDV6RX1oxJxs36nuaKCA8gqnkxkn1kFneEjuAHk1f2n/mVhyFnj
KpfI8aH2fu3uLR8cH5OFFhIPr//7wxn/yeWwwS1RjqvMbRbIFQaME3uq80SP+4Vk
ab0lp8OoAXY=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#<http://www.w3.org/2000/09/xmldsig>">
        <ds:X509Data>
          <ds:X509Certificate>MIICpDCCAYwCCQDKXGOSlGjvKTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjAwNzI4MTgwNTU5WhcNMzAwNzI4MTgwNTU5WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf
cl7EEjxKo+ymMGKhQqnR9SBHdAriRcJf3Kl7prO8D1jjPtHjEopYhPyVntLVJWZs
ayZG5Y2R9gf9FQzMH/c1pe1lE5aci3lSCV0yhhkN3CHdecmazGfCXzAslMHMIIHc
y81MTRHTPE4LK6uXuEp1v9+X8ih4ep1Cb6Cp+5zPY8HqcfKxyEpdTr0I/L4L5azC
CLsRQtTc9I9MDzRz2dVkJCpd9gTz1r35PZbP/AdJvmVvz6Ie9yEJ1IOoY1kzFWGD
Yoat9KkVNkUDWkBuoghDgK1sRtrjbiwI6X1FJA/DpIc3H8he9u7gH5jPsLOptzTE
gybgUMC/wwoqpFM8quYdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKeGvDpHoJK/
k+tTmy5bB/qwPQr9LgTt8xjzgpE95iteiVcMEJ2+YZogna1380kny6srNpSk0419
+Coyw3R1FgtS6v6NzlCTQoVlIJpsPILg5EDkacusieHOmtUD+4Bg4TEPZLde/YH/
zPQFUpli5oE2kQkHeKXc3IjYKDE4HVaKsSyGnDA+KjZ4aHtNObs8tYLmWENJuDER
yZRm9e1xqTISRxDV6RX1oxJxs36nuaKCA8gqnkxkn1kFneEjuAHk1f2n/mVhyFnj
KpfI8aH2fu3uLR8cH5OFFhIPr//7wxn/yeWwwS1RjqvMbRbIFQaME3uq80SP+4Vk
ab0lp8OoAXY=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/mellon/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/mellon/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

The Shibboleth IdP metadata is the sample which comes with the install, updated for the expiration date and adding the port to the URLs.

I cranked up the logging on the IdP and have attached the results.

Thanks again,
Ray
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200730/5ab41e5e/attachment.htm>

More information about the users mailing list