AW: Exception unwrapping data: Tag mismatch! in "Profile Action ValidateGrant"

Bergmann, Clemens clemens.bergmann at
Sun Apr 10 05:51:28 UTC 2022

Hi Scott,

tanks for pointing me in the right direction.

We did not use the sealer for the other protocols as we use a server-side database storage service.
Now I configure the same sealer JSK for all Servers and everything seems to work fine.
I Could not find an option in the documentation to use server-side storage for OIDC tokens. Is there currently no such option?

Viele Grüße
Clemens (Bergmann)
Clemens Bergmann
Gruppe Nutzermanagement und Entwicklung
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64289 Darmstadt
Tel. +49 6151 16 71184

> -----Ursprüngliche Nachricht-----
> Von: users <users-bounces at> Im Auftrag von Cantor, Scott
> via users
> Gesendet: Samstag, 9. April 2022 00:23
> An: Shib Users <users at>
> Cc: Cantor, Scott <cantor.2 at>
> Betreff: Re: Exception unwrapping data: Tag mismatch! in "Profile Action
> ValidateGrant"
> On 4/8/22, 5:37 PM, "users on behalf of Bergmann, Clemens" <users-
> bounces at on behalf of clemens.bergmann at tu-
>> wrote:
> > One other noteworthy information is that the Idp is setup as a
> loadbalanced pair. Could it be a problem if
> > Authorization Endpoint and Token Endpoint are served by different IdPs?
> Both are configured exactly the
> > same.
> They are not in sync re: their secret key and they won't work at all in that
> case.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-
> unsubscribe at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6377 bytes
Desc: not available
URL: <>

More information about the users mailing list