IdP3 - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters
Mathew, Sunil
smathew at hbs.edu
Mon Aug 15 15:50:40 UTC 2022
I was able to resolve it by setting encryptAssertions to false.
<!-- relying-party.xml override for this SP only: the vendor metadata publishes no
     encryption key, so assertion and NameID encryption are switched off for it -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sso.kaltura.com/s/module.php/saml/sp/metadata.php/1892511_kmc">
    <property name="profileConfigurations">
        <list>
            <!-- SAML2.SSO profile for this relying party: no assertion encryption, never encrypt NameIDs -->
            <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="never" />
        </list>
    </property>
</bean>
Another option is to set idp.encryption.optional to false in idp.properties
Sunil
From: users <users-bounces at shibboleth.net> on behalf of Mathew, Sunil via users <users at shibboleth.net>
Date: Saturday, August 6, 2022 at 3:46 AM
To: Users at shibboleth.net <users at shibboleth.net>
Cc: Mathew, Sunil <smathew at hbs.edu>
Subject: IdP3 - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters
Hi,
I am getting the following error when the SP is trying to reach the IdP before the login screen:
2022-06-29 05:15:38,124 - WARN [org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver:221] - Validation failure: Failed to resolve both a data and a key encryption credential
2022-06-29 05:15:38,125 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:330] - Profile Action PopulateEncryptionParameters: Failed to resolve EncryptionParameters
2022-06-29 05:15:38,125 - WARN [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:343] - Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters
2022-06-29 05:15:38,128 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:184] - Error event InvalidSecurityConfiguration will be handled with response
Here is the SAML request:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_98a448573be60ae73a3cc5ca7017fa4416c9e103dd"
Version="2.0"
IssueInstant="2022-08-06T07:40:11Z"
Destination="https://sso.hbsstg.org/idp/profile/SAML2/Redirect/SSO"
AssertionConsumerServiceURL="https://sso.kaltura.com/s/module.php/saml/sp/saml2-acs.php/1892511_kmc"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>
<saml:Issuer>https://sso.kaltura.com/s/module.php/saml/sp/metadata.php/1892511_kmc</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
AllowCreate="true"
/>
</samlp:AuthnRequest>
Here is the SAML response:
<saml2p:Response
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sso.kaltura.com/s/module.php/saml/sp/saml2-acs.php/1892511_kmc"
    ID="_48dea80281a6ef656cb46f21e43af33d"
    InResponseTo="_9470e28be2aee1e294581042b83bb7d79d27d4730b"
    IssueInstant="2022-06-27T18:04:53.676Z" Version="2.0">
    <saml2:Issuer
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.hbsstg.org/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode
            Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></saml2p:StatusCode>
        <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
    </saml2p:Status>
</saml2p:Response>
Here is the vendor metadata:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sso.kaltura.com/s/module.php/saml/sp/metadata.php/1892511_kmc">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.kaltura.com/s/module.php/saml/sp/saml2-logout.php/1892511_kmc"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.kaltura.com/s/module.php/saml/sp/saml2-acs.php/1892511_kmc" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sso.kaltura.com/s/module.php/saml/sp/saml1-acs.php/1892511_kmc" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sso.kaltura.com/s/module.php/saml/sp/saml2-acs.php/1892511_kmc" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://sso.kaltura.com/s/module.php/saml/sp/saml1-acs.php/1892511_kmc/artifact" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="https://sso.kaltura.com/s/module.php/saml/sp/saml2-acs.php/1892511_kmc" index="4"/>
</md:SPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>Administrator</md:GivenName>
<md:EmailAddress>rnd.application.dev at kaltura.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
The vendor is only signing (not encrypting) the request. Can anyone please let me know what could be the issue?
Regards,
Sunil
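The warning "Failed to resolve both a data and a key encryption credential" is the IdP's encryption parameters resolver reporting that the SP's metadata gives it nothing to encrypt to: the vendor's EntityDescriptor above has no md:KeyDescriptor at all, so there is no certificate from which to derive a key-encryption key. The IdP encrypts assertions by default and treats a missing key as InvalidSecurityConfiguration. The per-SP override in the reply removes encryption for that relying party; the property idp.encryption.optional (IdP 3.4 and later, default false) does the same thing globally when set to true, making the IdP fall back to an unencrypted assertion whenever no encryption key can be resolved rather than failing. The durable fix is for the vendor to publish a KeyDescriptor with use="encryption" (or with no use attribute, which SAML metadata treats as valid for both signing and encryption) carrying an X509Certificate. The following diagnostic is an added example, not code from the post or from the Shibboleth project; it mirrors the resolver's metadata lookup so that an SP's metadata can be checked before onboarding. The Kaltura metadata is embedded as quoted in the thread (trimmed to its SPSSODescriptor), and the other samples, the entityID https://sp.example.org/constructed and the certificate placeholder are constructed for the example.

```python
"""Added check: does this SP's SAML metadata give the IdP a key to encrypt to?

Added diagnostic, not part of the mailing-list post or of Shibboleth. It looks
for what the IdP's encryption parameters resolver needs in the SPSSODescriptor:
a KeyDescriptor with use="encryption", or with no 'use' attribute, whose KeyInfo
carries an X509Certificate or KeyValue. Without one the IdP logs
"Failed to resolve both a data and a key encryption credential".
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def encryption_key_descriptors(metadata_xml: str) -> list:
    """KeyDescriptors eligible for encryption, each with whether it carries key material."""
    root = ET.fromstring(metadata_xml)
    result = []
    for sp in root.iter("{%s}SPSSODescriptor" % NS["md"]):
        for kd in sp.findall("md:KeyDescriptor", NS):
            use = kd.get("use")
            if use not in (None, "encryption"):
                continue  # use="signing" is never a candidate for encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            keyvalue = kd.find("ds:KeyInfo/ds:KeyValue", NS)
            has_material = (
                cert is not None and bool((cert.text or "").strip())
            ) or keyvalue is not None
            result.append({"use": use, "has_material": has_material})
    return result


def can_encrypt_to(metadata_xml: str) -> bool:
    """True when the IdP's resolver would find at least one usable encryption key."""
    return any(d["has_material"] for d in encryption_key_descriptors(metadata_xml))


def diagnose(metadata_xml: str) -> str:
    """One-word verdict describing why the resolver succeeds or fails."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return "no-spssodescriptor"
    descriptors = sp.findall("md:KeyDescriptor", NS)
    if not descriptors:
        return "no-keydescriptor"          # the vendor metadata in the thread
    candidates = encryption_key_descriptors(metadata_xml)
    if any(d["has_material"] for d in candidates):
        return "ok"
    if candidates:
        return "missing-key-material"      # use="encryption" but an empty KeyInfo
    return "signing-only"                  # only use="signing" descriptors present


# Vendor metadata quoted in the thread, trimmed to the SPSSODescriptor: no KeyDescriptor.
KALTURA_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.kaltura.com/s/module.php/saml/sp/metadata.php/1892511_kmc">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.kaltura.com/s/module.php/saml/sp/saml2-acs.php/1892511_kmc" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _sp_with_key(use_attr: str, cert_text: str = "MIIC...placeholder...") -> str:
    """Constructed SP metadata showing what a vendor must publish; the certificate
    text is a placeholder, not a real certificate, and the entityID is invented."""
    return """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/constructed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor%s>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/constructed/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (use_attr, cert_text)


WITH_ENCRYPTION_KEY = _sp_with_key(' use="encryption"')
NO_USE_ATTRIBUTE = _sp_with_key("")                  # valid for both signing and encryption
SIGNING_ONLY = _sp_with_key(' use="signing"')
EMPTY_ENCRYPTION_KEY = _sp_with_key(' use="encryption"', "")

if __name__ == "__main__":
    for name, md in [("kaltura", KALTURA_METADATA), ("encryption", WITH_ENCRYPTION_KEY),
                     ("no-use", NO_USE_ATTRIBUTE), ("signing", SIGNING_ONLY),
                     ("empty", EMPTY_ENCRYPTION_KEY)]:
        print(f"{name:10s} {diagnose(md)}")
```

Run it against a vendor's metadata file before adding the SP to the IdP: a verdict of "no-keydescriptor" or "signing-only" means the default SAML2.SSO profile will fail exactly as in the log above, and the choice is between asking the vendor for an encryption certificate and knowingly issuing unencrypted assertions to that one relying party.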
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220815/458aa4e2/attachment.htm>