<div dir="ltr">We updated our IDP from v2.x to 3.3.2 a few months ago, and it's been running smoothly, routinely interoperating with about a dozen different service providers.<div><br></div>
<div>I'm running into issues adding a new SP running a software package called Etrieve. The IDP isn't able/willing to make assertions with this SP; I'm seeing this in the logs:</div>
<div><br></div>
<div><div>  [WARN] BasicEncryptionParametersResolver Validation failure: Failed to resolve both a data and a key encryption credential:</div>
<div>  [WARN] PopulateEncryptionParameters Profile Action PopulateEncryptionParameters: Resolver returned no EncryptionParameters:</div>
<div>  [WARN] LogEvent A non-proceed event occurred while processing the request: InvalidSecurityConfiguration:</div>
<div>  [INFO] SSO 20180815T212303Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|id4417c48b799044b48adb42ece67aeffc|<sp_entityid>|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.reed.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_dcaead3a7ebd72367b312e20c43f7591||||||<client_ip>:</div></div>
<div><br></div>
<div>The SP's metadata is pretty spare (and notably doesn't contain a public key):</div>
<div><br></div>
<div><div>  <EntityDescriptor xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_140069ef-260e-4db3-b3b7-ef810b661681" entityID="<sp_entityid>" cacheDuration="PT42S"></div>
<div>  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></div>
<div>    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<return_url>" index="0" isDefault="true" /></div>
<div>    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="<return_url>" index="1" isDefault="false" /></div>
<div>  </SPSSODescriptor></div>
<div></EntityDescriptor></div></div>
<div><br></div>
<div>The relying party config stanza looks like this:</div>
<div><br></div>
<div>  <rp:RelyingParty id="<sp_entityid>" provider="https://idp.reed.edu/idp/shibboleth" defaultSigningCredentialRef="IdPCredential"></div>
<div><div>      <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="false" encryptNameIds="false" /></div>
<div>   </rp:RelyingParty></div></div>
<div><br></div>
<div>We do have other working SPs that don't include a pub key in their metadata (using a very similar config). I've been fiddling with the relying party for some time now but haven't been able to make any headway. Any suggestions on how to proceed or troubleshoot would be gratefully accepted!</div>
<div><br></div>
<div>Ben</div></div>
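<div>The warnings quoted in the post concern resolving encryption credentials for the SP, and the post notes that the SP's metadata carries no key. As an added example (not part of the original post and not Shibboleth code), this sketch reports which key uses an SP's metadata advertises, so a missing encryption-capable KeyDescriptor is visible when vetting metadata. The function name audit_sp_metadata, the sample entityID, URL and certificate placeholder are constructed for illustration.</div>

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed samples: entityID, URL and certificate body are placeholders.
SP_NO_KEY = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.org/sp">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" Location="https://sp.example.org/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""
KEY = (f'<KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>'
       "<X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo>"
       "</KeyDescriptor>")
SP_SIGNING_ONLY = SP_NO_KEY.replace("<Assertion", KEY + "<Assertion", 1)
SP_ANY_USE = SP_SIGNING_ONLY.replace(' use="signing"', "")


def audit_sp_metadata(xml_text):
    """Report which key uses a single SP EntityDescriptor advertises."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata has no use for a DTD
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    entity = ET.fromstring(xml_text)
    sp = entity.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    counts = {"signing": 0, "encryption": 0}
    for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
        # Assumption: only descriptors carrying inline key material count.
        if (kd.find(f".//{{{DS}}}X509Certificate") is None
                and kd.find(f".//{{{DS}}}KeyValue") is None):
            continue
        use = kd.get("use")  # absent "use" means the key serves both purposes
        for purpose in counts:
            if use in (None, purpose):
                counts[purpose] += 1
    return {
        "entity_id": entity.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") in ("true", "1"),
        "signing_keys": counts["signing"],
        "encryption_keys": counts["encryption"],
        "can_encrypt_to_sp": counts["encryption"] > 0,
    }


if __name__ == "__main__":
    for name in ("SP_NO_KEY", "SP_SIGNING_ONLY", "SP_ANY_USE"):
        print(name, audit_sp_metadata(globals()[name]))
```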