shibboleth-dev - Shibboleth SP Beta Problem (or maybe IDP problem)
Subject: Shibboleth Developers
- Subject: Shibboleth SP Beta Problem (or maybe IDP problem)
- Date: Fri, 21 Sep 2007 03:52:00 -0400
I am running under RHEL 4. I built the RPMs from the SRPMs.
When a signed assertion from the Shib 2 IDP arrives, the SP fails to
verify the signature (note this same SP is verifying the signature on
assertions from my Ping IDP) and produces the following error trace:
2007-09-21 02:45:40 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]:
validating signature profile
2007-09-21 02:45:40 DEBUG XMLTooling.KeyInfoResolver.Inline [2]:
resolving ds:X509Certificate
2007-09-21 02:45:40 DEBUG XMLTooling.KeyInfoResolver.Inline [2]:
resolved 1 certificate(s)
2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]:
attempting to validate signature with the peer's credentials
2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: public
key did not validate signature: Caught an XMLSecurity exception
verifying signature: Error allocating memory
2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: no
peer credentials validated the signature
2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: validating
signature using certificate from within the signature
2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: Caught an
XMLSecurity exception verifying signature: Error allocating memory
2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: failed to
verify signature with embedded certificates
2007-09-21 02:45:40 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]:
unable to verify message signature with supplied trust engine
I did a cursory comparison between the Shib 2 SAML response and the Ping
SAML response, and I noticed a couple differences:
1) The Shibboleth response starts with <?xml version="1.0"
encoding="UTF-8"?>; the Ping response starts immediately with
<samlp:Response ...>, which is the 2nd line of the Shibboleth response.
2) The Ping signature is signing the saml:Assertion (contained inside
the samlp:Response). The Shibboleth signature is signing the
samlp:Response (which contains a saml:Assertion).
3) The Shibboleth signature includes a copy of the signing Certificate,
the Ping response does not include a signing certificate. (I did verify
I didn't do anything too stupid, the signing certificate included by the
Shib 2 IDP matches my metadata).
Let me know what I can do to help figure this one out. Nothing about
the SAML response from the Shib IDP looks incorrect, but I have only
glanced at it.
Thanks,
Jeff
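The three differences listed in the message above (XML declaration present or not, signature placed over samlp:Response versus saml:Assertion, embedded ds:X509Certificate present or not, and whether that certificate matches the IdP's metadata) are exactly the things worth checking mechanically before digging into the trust engine. The following script is an added example, not code from the original post or from the Shibboleth project: it parses a SAML response, reports which element each ds:Reference actually points at, whether the signature is enveloped inside that element, and compares the SHA-1 fingerprint of any embedded certificate against the signing certificates in the IdP's metadata. The two responses, the metadata, and the "certificate" (just placeholder base64 bytes, so it runs offline) are constructed here for illustration; a real check would feed in the captured responses and the real metadata.

```python
"""Triage helper for SAML response signatures: what is signed, is the
signature enveloped in the signed element, and does the embedded
certificate match the IdP metadata. Added example; sample inputs below
are constructed, not captured from a real IdP."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed placeholder: NOT a real DER certificate, just base64 bytes so the
# fingerprint path runs offline. A real check uses the IdP's actual certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder DER bytes").decode()

# Constructed Shibboleth-style response: XML declaration, signature over the
# Response element, certificate embedded in ds:KeyInfo.
SHIB_STYLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_resp1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.org/idp</saml:Issuer></saml:Assertion>
</samlp:Response>""" % PLACEHOLDER_CERT_B64

# Constructed Ping-style response: no XML declaration, signature over the
# Assertion only, no certificate in the signature.
PING_STYLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_a2"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed IdP metadata carrying the same placeholder signing certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % PLACEHOLDER_CERT_B64


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}")[-1]


def cert_fingerprint(b64_text):
    """SHA-1 over the decoded DER bytes, hex encoded (whitespace in the
    base64 is ignored, as it is in PEM/XML encodings)."""
    return hashlib.sha1(base64.b64decode("".join(b64_text.split()))).hexdigest()


def has_xml_declaration(xml_text):
    """Difference 1 from the post: does the message start with <?xml ...?>."""
    return xml_text.lstrip().startswith("<?xml")


def describe_signatures(xml_text):
    """For every ds:Signature: which element each Reference resolves to, whether
    the Signature is enveloped inside that element (its parent IS the signed
    element, the usual guard against signature-wrapping tricks), and the
    fingerprints of any certificates carried in ds:KeyInfo."""
    root = ET.fromstring(xml_text)
    ids = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    parent = {child: p for p in root.iter() for child in p}
    report = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        signed = []
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri == "":
                target = root  # empty URI means the whole document
            elif uri.startswith("#") and uri[1:] in ids:
                target = ids[uri[1:]]
            else:
                signed.append({"uri": uri, "element": None, "enveloped": False})
                continue
            signed.append({"uri": uri, "element": _local(target.tag),
                           "enveloped": parent.get(sig) is target})
        certs = [c.text for c in
                 sig.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
        report.append({"signs": signed, "cert_sha1": [cert_fingerprint(c) for c in certs]})
    return report


def metadata_signing_fingerprints(md_xml):
    """Fingerprints of every KeyDescriptor certificate usable for signing
    (use="signing" or no use attribute, which means both signing and encryption)."""
    root = ET.fromstring(md_xml)
    fps = set()
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if c.text:
                    fps.add(cert_fingerprint(c.text))
    return fps


def embedded_certs_match_metadata(xml_text, md_xml):
    """One bool per embedded certificate: is it a signing cert in the metadata?
    Empty list means the signature carried no certificate at all."""
    known = metadata_signing_fingerprints(md_xml)
    return [fp in known for sig in describe_signatures(xml_text) for fp in sig["cert_sha1"]]


if __name__ == "__main__":
    for name, doc in (("shib-style", SHIB_STYLE_RESPONSE), ("ping-style", PING_STYLE_RESPONSE)):
        print(name, "xml-decl:", has_xml_declaration(doc))
        for sig in describe_signatures(doc):
            print("  signs:", sig["signs"], "certs:", sig["cert_sha1"])
        print("  embedded cert in metadata:", embedded_certs_match_metadata(doc, IDP_METADATA))
```

Run it against the two captured responses and the SP's copy of the IdP metadata; a reference whose element comes back as None, an `enveloped` of False, or an embedded certificate that is not in the metadata each points at a different problem than the memory error in the trace, and rules that problem in or out before touching the trust engine.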
- Shibboleth SP Beta Problem (or maybe IDP problem), Jeff.Krug, 09/21/2007
- RE: Shibboleth SP Beta Problem (or maybe IDP problem), Scott Cantor, 09/21/2007
- Re: Shibboleth SP Beta Problem (or maybe IDP problem), Brent Putman, 09/22/2007
- RE: Shibboleth SP Beta Problem (or maybe IDP problem), Jeff.Krug, 09/23/2007