shibboleth-dev - UW 1.0: target working, origin maybe

  • From: "RL 'Bob' Morgan" <>
  • To: Shibboleth Design Team <>
  • Subject: UW 1.0: target working, origin maybe
  • Date: Thu, 29 May 2003 01:15:14 -0700 (PDT)


OK, finally got my 1.0 target working with the Shib Dev origin, you can
try it at https://perq.cac.washington.edu/cgi-bin/ppd . No particular
revelation, just working through the usual how-could-it-ever-have-worked
things (like file permissions on the private key).

I think my 1.0 UW origin might be working (I just reinstalled tomcat with
4.1.24, and Walter's latest), but I can't get a target to trust it (ain't
that just the way it is sometimes?).

The shib2 target says:

SHIRE failure at (http://shib2.internet2.edu/shib/SHIRE)

Exception: trust failed: ShibPOSTProfile::accept() detected an untrusted
HS for the origin site

which I think is what you'd expect if the site isn't in the sites file
(though I suppose this message could be clearer about that).

I modified sites.xml on my target to include the UW origin site info, but
on my target I get (when using the UW origin):

SHIRE failure at (https://perq.cac.washington.edu/shibboleth/SHIRE)

Exception: trust failed: ShibPOSTProfile::verifySignature() cannot
validate the provided signing certificate(s)

It's picking up the site contact info from sites.xml, but obviously not
validating the authn assertion. Potentially relevant lines from shar.log:

2003-05-29 00:47:09 ERROR OpenSSL [6] new_session validate getX509Store:
error code: 185057381 in x509_lu.c, line 336
2003-05-29 00:47:09 ERROR shibtarget.rpc-server [6] new_session: received
SAML exception: ShibPOSTProfile::verifySignature() cannot validate the
provided signing certificate(s)

My origin is using a bossie-signed cert. I didn't modify trust.xml on my
target, but it seems I shouldn't have to, since my origin should fall into
the ^urn:mace:incommon:pilot:.+$ bucket
(urn:mace:incommon:pilot:washington.edu). Have we

So I dunno what's up there, but I'll poke some more. Maybe my site info
(below) could be added to the shib2 target so I can test more against
that.

- RL "Bob"

<OriginSite Name="urn:mace:incommon:pilot:washington.edu">
  <Alias>University of Washington</Alias>
  <Contact Type="technical" Name="RL 'Bob' Morgan" Email=""/>
  <HandleService Location="https://shib.cac.washington.edu/shibboleth/HS"
                 Name="shib.cac.washington.edu"/>
  <Domain>washington.edu</Domain>
</OriginSite>
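The "error code: 185057381" that shar.log prints above is a packed OpenSSL error number, and unpacking it tells you which library call in the certificate store failed and why. The following decoder is an added example, not code from the message or from Shibboleth; it assumes the classic pre-3.0 OpenSSL packing (lib << 24 | func << 12 | reason), and its lookup tables are limited to the handful of values from OpenSSL's err.h and x509.h needed to read that one code.

```python
# Added example (not part of the original message): decode a packed OpenSSL
# error code such as the 185057381 reported in shar.log into its
# library / function / reason fields, the way `openssl errstr` would.
#
# Assumed layout: ERR_PACK(lib, func, reason) = (lib << 24) | (func << 12) | reason,
# the packing used by OpenSSL 0.9.x and 1.x (OpenSSL 3 changed the layout).

# Constructed lookup tables, deliberately limited to the values needed here.
# Numeric values are those from OpenSSL's err.h / x509.h of that era.
LIBS = {
    4: "RSA", 6: "EVP", 9: "PEM", 11: "X509", 13: "ASN1", 20: "SSL",
}
X509_FUNCS = {
    124: "X509_STORE_add_cert",
}
X509_REASONS = {
    100: "BAD_X509_FILETYPE",
    101: "CERT_ALREADY_IN_HASH_TABLE",
}


def unpack_openssl_error(code):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return lib, func, reason


def describe_openssl_error(code):
    """Render the code as lib:function:reason; unknown fields keep their number."""
    lib, func, reason = unpack_openssl_error(code)
    lib_name = LIBS.get(lib, "lib(%d)" % lib)
    if lib == 11:  # ERR_LIB_X509: the only library we carry name tables for
        func_name = X509_FUNCS.get(func, "func(%d)" % func)
        reason_name = X509_REASONS.get(reason, "reason(%d)" % reason)
    else:
        func_name = "func(%d)" % func
        reason_name = "reason(%d)" % reason
    return "%s:%s:%s" % (lib_name, func_name, reason_name)


if __name__ == "__main__":
    # The value from the shar.log excerpt in the message above.
    print(describe_openssl_error(185057381))
```

Decoding the code from the log this way points at the trust store being populated (a duplicate certificate being added) rather than at the signature check itself, which is the kind of distinction the "cannot validate the provided signing certificate(s)" message hides.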


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--



  • UW 1.0: target working, origin maybe, RL 'Bob' Morgan, 05/29/2003

Archive powered by MHonArc 2.6.16.

Top of Page