(I am also) Using a different SP entity ID with the IdP SAML authn flow
Janne Lauros
janne.lauros at csc.fi
Tue Apr 5 15:20:17 UTC 2022
Hi!
I have a perfectly fine running SAML2 authentication flow, or so I thought. The problem is I do not know how to define a relying party override with the upstream entity ID and have assertions decrypted.
I have the following override:
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://upstream-entity.com/idp" p:responderId="https://upstream-entity.com/sp">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:checkAddress="false" p:signAssertions="true"/>
            </list>
        </property>
    </bean>
</util:list>
It runs successfully unless it has to decrypt an assertion. In that case it looks like it is not able to locate the default credential.
DEBUG [org.opensaml.saml.saml2.profile.impl.DecryptAssertions:121] - Profile Action DecryptAssertions: Decrypting EncryptedAssertion in Response
DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator:225] - Getting key iterator from next resolver: class org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver
DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator:225] - Getting key iterator from next resolver: class org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver
DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator:225] - Getting key iterator from next resolver: class org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver
DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator:225] - Getting key iterator from next resolver: class org.opensaml.xmlsec.encryption.support.SimpleKeyInfoReferenceEncryptedKeyResolver
DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator:228] - No more resolvers available in the resolver chain
At the same time the Default Relying Party with the same <bean parent="SAML2.SSO" p:checkAddress="false" p:signAssertions="true"/> profile works like a charm.
DEBUG [org.opensaml.saml.saml2.profile.impl.DecryptAssertions:121] - Profile Action DecryptAssertions: Decrypting EncryptedAssertion in Response
DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator:225] - Getting key iterator from next resolver: class org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver
DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator:245] - Found matching encrypted key: org.opensaml.xmlsec.encryption.impl.EncryptedKeyImpl at 42aea4d3
What am I missing here? IdP version is 4.1.5 and no, I have not read the wiki well enough. I am happy to be shown the way ;-).
BR Janne
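One check worth making when the inline resolver reports no matching key for the override but finds one for the default relying party: which entity ID the SP wrote into the EncryptedKey's Recipient attribute. The script below is an added diagnostic, not code from the post or from Shibboleth; it walks a Response the way the OpenSAML resolver chain in the log does (inline, sibling EncryptedKey, RetrievalMethod) and assumes, as OpenSAML's key resolvers do, that a key is only usable when Recipient is absent or matches an accepted entity ID. The IdP entity ID in the sample is a constructed placeholder.

```python
"""Diagnostic (added example, not from the post or from Shibboleth): walk a
SAML2 Response the way the OpenSAML EncryptedKey resolver chain in the log
does and report each EncryptedKey's Recipient.  Assumption: a key is usable
only if Recipient is absent or matches one of the accepted entity IDs."""
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: the SP encrypted for a hypothetical default IdP entity ID.
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml2:EncryptedAssertion><xenc:EncryptedData><ds:KeyInfo>
  <xenc:EncryptedKey Id="ek1" Recipient="https://idp.example.org/idp/shibboleth"/>
 </ds:KeyInfo></xenc:EncryptedData></saml2:EncryptedAssertion>
</saml2p:Response>"""

def _record(ek, how):
    return {"how": how, "id": ek.get("Id"), "recipient": ek.get("Recipient")}

def find_encrypted_keys(response_xml):
    """One record per EncryptedKey, tagged with which resolver step finds it."""
    root = ET.fromstring(response_xml)
    found = []
    for ea in root.findall(".//saml2:EncryptedAssertion", NS):
        ed = ea.find("xenc:EncryptedData", NS)
        if ed is None:
            continue
        # 1. inline under EncryptedData/KeyInfo (InlineEncryptedKeyResolver)
        for ek in ed.findall("ds:KeyInfo/xenc:EncryptedKey", NS):
            found.append(_record(ek, "inline"))
        # 2. sibling of EncryptedData (EncryptedElementTypeEncryptedKeyResolver)
        for ek in ea.findall("xenc:EncryptedKey", NS):
            found.append(_record(ek, "sibling"))
        # 3. RetrievalMethod URI="#id" (SimpleRetrievalMethodEncryptedKeyResolver);
        #    KeyInfoReference works the same way in OpenSAML but is omitted here
        for rm in ed.findall("ds:KeyInfo/ds:RetrievalMethod", NS):
            ref = rm.get("URI", "").lstrip("#")
            for ek in root.iter("{%s}EncryptedKey" % NS["xenc"]):
                if ref and ek.get("Id") == ref:
                    found.append(_record(ek, "retrieval-method"))
    return found

def usable_keys(response_xml, accepted_ids):
    """Keys the resolver chain would accept for the given recipient IDs."""
    return [k for k in find_encrypted_keys(response_xml)
            if not k["recipient"] or k["recipient"] in accepted_ids]
```

Running it against a captured Response with the responderId from the override and with the IdP's default entity ID shows whether the SP encrypted for the ID the override answers as.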