shibboleth-dev - Re: Shib 2 IdP, problem encrypting assertion

  • From: Brent Putman <>
  • To:
  • Subject: Re: Shib 2 IdP, problem encrypting assertion
  • Date: Tue, 04 Dec 2007 23:56:35 -0500

Well, one immediate issue that I see is that in your metadata for your
SP, in the SPSSODescriptor, there is no KeyDescriptor defined that
specifies a key that can be used for encryption. The only one there has
"use='signing'". You need to either add another KeyDescriptor with
"use='encryption'", or if you want to use the same key for both, then
omit the 'use' attribute entirely. If this was generated by the
TestShib metadata generator, then I suppose this needs to be addressed
one way or the other.

Can you see what happens if you make this adjustment in your metadata?
We have successfully tested encrypted assertions, so I'm fairly certain
that's the issue.

However, it also uncovers another issue that the IdP isn't checking that
an encryption key for the SP was resolved before it goes and tries to
encrypt the assertions. I'll look at fixing that tomorrow, unless Chad
beats me to it.

Also, the encrypter(s) are supposed to be doing some parameter sanity
checking to ensure that a key encryption key is supplied before they
attempt to do anything, and fail more gracefully if not. I'm not
immediately seeing why that hasn't happened in this case. I'll look
into that also.

--Brent




wrote:
> Log file available here:
>
> http://stc-test11.cis.brown.edu/idp-process.log
>
> Metadata available here:
>
> http://stc-test11.cis.brown.edu/testshib-metadata-test11.xml
>
> The msg is:
>
> Error encrypting XMLObject
>
> org.apache.xml.security.encryption.XMLEncryptionException: Illegal key
> size or default parameters
>
> (The log file is logging both the IdP and OpenSAML at DEBUG. There's
> also a null pointer exception in the file; I provide info about that
> tomorrow.)
>
> Suggestions about what I did wrong?
>
> Here's the matching element from relying-party.xml:
>
> <!-- stc -->
> <RelyingParty id="urn:mace:shibboleth:testshib"
>     provider="https://stc-test11.cis.brown.edu/idp/profile/saml/metadata"
>     defaultSigningCredentialRef="TestShib">
>   <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
>   <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
>   <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
>
>   <!-- stc added encryptAssertion -->
>   <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="true" />
>   <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
>   <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
> </RelyingParty>
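The metadata rule Brent describes (a KeyDescriptor is usable for encrypting to the SP when its `use` attribute is `encryption` or is omitted entirely; `use="signing"` alone offers nothing to encrypt with) and the missing pre-flight check he mentions (confirm an encryption key was resolved before attempting to encrypt) can both be seen in the following added example. It is illustrative code written for this page, not part of the thread, of the Shibboleth IdP or of OpenSAML. The three SP metadata documents are constructed samples (one mirroring the signing-only case in the post, one with a separate `use="encryption"` descriptor, one with the `use` attribute omitted), the certificate value is a labelled placeholder rather than a real certificate, and the function names are hypothetical.

```python
"""Resolve an SP's encryption key from SAML 2.0 metadata, or refuse to encrypt.

Added example for this archived thread; not Shibboleth or OpenSAML code.
Rule implemented: a KeyDescriptor on the SPSSODescriptor may be used for
encryption when its 'use' attribute is "encryption" or when 'use' is absent
(a key without 'use' is valid for both signing and encryption).
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Placeholder, not a real certificate (constructed for the sample metadata).
PLACEHOLDER_CERT = "PLACEHOLDER-BASE64-CERTIFICATE-NOT-REAL"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # constructed entityID


def encryption_keys(metadata_xml: str, entity_id: str) -> list:
    """Return the X509Certificate text of every encryption-capable KeyDescriptor
    on the SPSSODescriptor of `entity_id` (empty list if none is offered)."""
    root = ET.fromstring(metadata_xml)
    # Accept either a lone EntityDescriptor or an EntitiesDescriptor aggregate.
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        descriptors = [root]
    else:
        descriptors = root.findall("md:EntityDescriptor", NS)
    keys = []
    for ed in descriptors:
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use") in (None, "encryption"):  # absent 'use' => both uses
                for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                    keys.append((cert.text or "").strip())
    return keys


def resolve_encryption_key(metadata_xml: str, entity_id: str) -> str:
    """The pre-flight check the post says was missing: fail clearly before any
    encryption is attempted when no key encryption key could be resolved."""
    keys = encryption_keys(metadata_xml, entity_id)
    if not keys:
        raise LookupError(
            f"no encryption key resolved for {entity_id}: metadata has no "
            "KeyDescriptor with use='encryption' or with 'use' omitted; refusing to encrypt"
        )
    return keys[0]


# ---- constructed sample metadata ------------------------------------------
def key_descriptor(use=None) -> str:
    use_attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def sp_metadata(key_descriptors: str) -> str:
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            f'entityID="{SP_ENTITY_ID}">'
            '<md:SPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{key_descriptors}"
            '<md:AssertionConsumerService '
            'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            'Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>'
            "</md:SPSSODescriptor></md:EntityDescriptor>")


# Sample 1: the situation in the post; the only KeyDescriptor says use="signing".
SIGNING_ONLY_METADATA = sp_metadata(key_descriptor("signing"))
# Sample 2: first fix suggested; add a second KeyDescriptor with use="encryption".
SEPARATE_KEYS_METADATA = sp_metadata(key_descriptor("signing") + key_descriptor("encryption"))
# Sample 3: second fix suggested; one KeyDescriptor with no 'use', valid for both.
SHARED_KEY_METADATA = sp_metadata(key_descriptor())
# Sample 3 wrapped in an aggregate, as federation metadata usually is.
AGGREGATE_METADATA = f'<md:EntitiesDescriptor xmlns:md="{MD_NS}">{SHARED_KEY_METADATA}</md:EntitiesDescriptor>'

if __name__ == "__main__":
    for name, md in [("signing-only", SIGNING_ONLY_METADATA),
                     ("separate keys", SEPARATE_KEYS_METADATA),
                     ("shared key", SHARED_KEY_METADATA)]:
        try:
            print(f"{name}: encrypt with {resolve_encryption_key(md, SP_ENTITY_ID)}")
        except LookupError as exc:
            print(f"{name}: {exc}")
```

Run against the signing-only sample the resolver refuses up front with a message naming the metadata problem, which is the graceful failure Brent wants instead of a low-level "Illegal key size or default parameters" exception surfacing from the encrypter; against either corrected sample it returns the placeholder certificate.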


