Shibboleth Developers

[Keith Powell <>]

Thanks, I see what happened. Somehow my certificate and key files got  
corrupted. I did follow the steps 1-3 to get it that far.

Thanks!


On Jan 30, 2008, at 8:49 AM, Nate Klingenstein wrote:

> Keith,
>
> That means that TestShib was unable to verify the signature on the  
> assertion your IdP sent.
>
> MIIDzDCCArSgAwIBAgIBATANBgkqhkiG9w0BAQQFADBSMREwDwYDVQQKEwhUZXN0U2hpYjEjMCEG
> A1UEAxMaVGVzdFNoaWIgSWRlbnRpdHkgUHJvdmlkZXIxGDAWBgNVBAMTD2dpbGVhZC51YW1zLmVk
> dTAeFw0wNzEyMTAxOTMyMzZaFw0wOTEyMTAxOTMyMzZaMFIxETAPBgNVBAoTCFRlc3RTaGliMSMw
> IQYDVQQDExpUZXN0U2hpYiBJZGVudGl0eSBQcm92aWRlcjEYMBYGA1UEAxMPZ2lsZWFkLnVhbXMu
> ZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmHNnErH/ 
> x0mWzeBGwWLVrOUYLxyc
> OATr8oulp0+zpy/RD4DmPaVENN6t04BZT+OvWBqE5ypC4mbpwD4kfpk/ 
> 94g85y1eTfM0M9Ee8Mgb
> mr8Gqp5Bfgt1xs2hjzlqVls/B646yzW5nOk8UVViKVBQSiLrd/cr5gj 
> +grUEqQvfOMrPvGMXGMAK
> 78S 
> + 
> s4SwommNzgtgKuYvTOUKcsS7LXyJPbrz9h0i0V1njAjM8Rqg3e1INhpvy5hKnLZt5ctJCRiW
> ecAOc8dOZv1h+Oq7z7v3CTd0MTbRNvKtisxTcqanpTmCTC2uuY99m 
> +K8I4om3TNvU2mDxq12dnBZ
> mEWIdW3IXwIDAQABo4GsMIGpMB0GA1UdDgQWBBQ4E9qjH8ARpunniZpkvccSeD 
> +KHjB6BgNVHSME
> czBxgBQ4E9qjH8ARpunniZpkvccSeD 
> +KHqFWpFQwUjERMA8GA1UEChMIVGVzdFNoaWIxIzAhBgNV
> BAMTGlRlc3RTaGliIElkZW50aXR5IFByb3ZpZGVyMRgwFgYDVQQDEw9naWxlYWQudWFtcy5lZHWC
> AQEwDAYDVR0TBAUwAwEB/ 
> zANBgkqhkiG9w0BAQQFAAOCAQEAFXRNhSjayvWxVuhfjQjVXrkIZi7a
> vR3aQeFe3OFlYHjd7AQsHY 
> +QXnGL1LiRnUb6UwzvLeP0GcFTIvfrvLh7AgrrKWSjx0DH2OMfTNzB
> FRX8WZ55LYVf28a1fKO 
> +K532Em1Tmp443ZDfyCQh8w1lN46+Rg14hbm4tKe9EVtY7AvGBwDSBOk4
> kQ5dJPx3RErk0/ 
> W6VYNUPQUvg9bGytHI3rYCOJLpVt6r2aJ7nmfLAEYsr18bS2SNfeEJsCtxScwk
> Lf9/vS6fh0Bb9GUV6G5vQBe8r7mYu28U58ixmtTDsbVHXQ2Nwy 
> +Zf5jqsHIbZ18Rac47fGwo7V6H
> RtEtPjJ5Og==
>
> is the certificate your IdP used.  The one TestShib expects based on  
> your metadata is:
>
> MIIDzDCCArSgAwIBAgIBATANBgkqhkiG9w0BAQQFADBSMREwDwYDVQQKEwhUZXN0U2hpYjEjMCEG
> A1UEAxMaVGVzdFNoaWIgSWRlbnRpdHkgUHJvdmlkZXIxGDAWBgNVBAMTD2dpbGVhZC51YW1zLmVk
> dTAeFw0wODAxMjgxOTEzMDlaFw0xMDAxMjgxOTEzMDlaMFIxETAPBgNVBAoTCFRlc3RTaGliMSMw
> IQYDVQQDExpUZXN0U2hpYiBJZGVudGl0eSBQcm92aWRlcjEYMBYGA1UEAxMPZ2lsZWFkLnVhbXMu
> ZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyNlfdPytHCI/ 
> ygN1pCOaviYs4l5J
> /6VqZIyF/jOBKWAmZijPJkcSWFBAHAzrgCrafkbG6r9tar+SRON7HvYlqIe 
> +PTdfJcR6OMPdTwzu
> 73f3ApYoR8t8W2d9aZjTol/ 
> jamgZiNZmBXsmozOp6unUkwCP1MFQCbJMA5Dg5wMFRZ6iy0h68Kp8
> SxIADA3hjC7fauhIX+FcvgAkMtVqCPEvsxU+1YiQ/ 
> qyilzegbMeIGleEVR0m7fytSS3CGZPh0wv7
> 1adcyMaS/kjNAQBv2U7SuMSoml7U4ac+orRlvlgm4j/ 
> rge8MZV8aQdhqlWTbvM2gcJ157KcgA0Oz
> /lnH6iyhbwIDAQABo4GsMIGpMB0GA1UdDgQWBBTPiTujLQmfbj6ua/ 
> 8mIGIFmiWuxzB6BgNVHSME
> czBxgBTPiTujLQmfbj6ua/ 
> 8mIGIFmiWux6FWpFQwUjERMA8GA1UEChMIVGVzdFNoaWIxIzAhBgNV
> BAMTGlRlc3RTaGliIElkZW50aXR5IFByb3ZpZGVyMRgwFgYDVQQDEw9naWxlYWQudWFtcy5lZHWC
> AQEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOCAQEAemAHT6jzxl25hEeNvQ/ 
> k4ZSZgakk
> jifBCKVdHoEL8j3FFsWHQb1p/ 
> MWa8Chw7gIi6uG6ZIIWgt4WNb2m1NXIbqAV2sKbBwzEKKReysOK
> Y/9LGSBjxM0xMeOg/fWQslLmQPSIiV+WEMjDyJEQZjL1VrFN/H0QlqhmKfzshC0eQsc/ 
> 6sPgrmmc
> +4K2XreM2UykKFV22XRnFO6WQFkr5oME9sawt+FFL/ 
> 1Z8p4w2XqXaWiA99MZSZKdNJJ1rCw8eOQI
> A96jccvXIQ2iaSeumZgx/ 
> CoGFigr0lMQcR48YclooOAYLMok0DhRvQARMVoFE4TnOAT7UMGmu4tS
> jRF/pgbTGQ==
>
> As you can see, they don't quite match.  Did you follow steps 1 and  
> 3 in the configuration directions?
>
> http://www.testshib.org/testshib-two/configure.jsp#IdP
>
> You can also replace the credentials TestShib made for you with the  
> ones generated during your installation.  We've decided that giving  
> TestShib the certificate during the joining process wouldn't be any  
> easier than having TestShib generate a certificate, but we might be  
> wrong.  What do you think?
>
> You can do that anyway using the XML Edit if you want.
>
> Take care,
> Nate.
>
> On 30 Jan 2008, at 14:31, Keith Powell wrote:
>
> > opensaml::SecurityPolicyException at (https://sp.testshib.org/Shibboleth.sso/SAML2/POST 
> > )
> >
> > Message was signed, but signature could not be verified.