
shibboleth-dev - Re: Shib 2 IdP Error

Subject: Shibboleth Developers

  • From: Nate Klingenstein <>
  • To:
  • Subject: Re: Shib 2 IdP Error
  • Date: Wed, 30 Jan 2008 14:49:15 +0000

Keith,

That means that TestShib was unable to verify the signature on the assertion your IdP sent.

[Base64-encoded certificate omitted]

is the certificate your IdP used. The one TestShib expects based on your metadata is:

[Base64-encoded certificate omitted]

As you can see, they don't quite match. Did you follow steps 1 and 3 in the configuration directions?

http://www.testshib.org/testshib-two/configure.jsp#IdP

You can also replace the credentials TestShib made for you with the ones generated during your installation. We've decided that giving TestShib the certificate during the joining process wouldn't be any easier than having TestShib generate a certificate, but we might be wrong. What do you think?

You can do that anyway using the XML Edit if you want.

Take care,
Nate.

On 30 Jan 2008, at 14:31, Keith Powell wrote:

opensaml::SecurityPolicyException at (https://sp.testshib.org/Shibboleth.sso/SAML2/POST)

Message was signed, but signature could not be verified.
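The comparison described in the reply above can be scripted. This is an added example, not part of the original thread and not TestShib or Shibboleth code: it fingerprints the certificate carried in a signed SAML message and checks it against the signing certificates listed in the entity's metadata. The entityID and the certificate bytes are constructed stand-ins, and the check is a diagnostic aid only, not signature verification.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # fine for your own files; use defusedxml on untrusted XML

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def fingerprint(b64_cert):
    """SHA-256 of the DER bytes; whitespace and line wraps in the base64 are ignored."""
    der = base64.b64decode("".join(b64_cert.split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def metadata_signing_fps(metadata_xml):
    """Fingerprints of every certificate the metadata lists for signing."""
    fps = set()
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute covers signing too
            fps.update(fingerprint(c.text) for c in kd.iter(DS + "X509Certificate"))
    return fps

def message_cert_fps(saml_xml):
    """Fingerprints of certificates carried in the message's ds:Signature elements."""
    root = ET.fromstring(saml_xml)
    return {fingerprint(c.text)
            for sig in root.iter(DS + "Signature")
            for c in sig.iter(DS + "X509Certificate")}

def certs_match(metadata_xml, saml_xml):
    """True only if the message carries a certificate and all of them are in the metadata."""
    presented = message_cert_fps(saml_xml)
    return bool(presented) and presented <= metadata_signing_fps(metadata_xml)

# Constructed stand-ins for DER certificates (not real X.509, not the thread's certificates).
OLD_CERT = base64.b64encode(b"constructed certificate issued 2007").decode()
NEW_CERT = base64.b64encode(b"constructed certificate issued 2008").decode()

# Constructed metadata; the certificate text is line-wrapped as it often is in XML and e-mail.
METADATA = (f'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">'
            f'<IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{NEW_CERT[:20]}\n  {NEW_CERT[20:]}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>')

def response_signed_with(b64):
    """Constructed SAML response skeleton carrying the given certificate in its KeyInfo."""
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data>'
            f'</ds:KeyInfo></ds:Signature></samlp:Response>')
```

A mismatch like the one in this thread shows up as `certs_match(METADATA, response_signed_with(OLD_CERT))` returning `False`, while a message carrying the certificate registered in metadata returns `True`.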



