
shibboleth-dev - Re: IdP 2.0 - SP 1.3 attribute request fails - Problem (probably) found

Subject: Shibboleth Developers


Re: IdP 2.0 - SP 1.3 attribute request fails - Problem (probably) found


  • From: Chad La Joie <>
  • To:
  • Subject: Re: IdP 2.0 - SP 1.3 attribute request fails - Problem (probably) found
  • Date: Tue, 26 Feb 2008 19:56:04 +0100
  • Organization: SWITCH

That error was caused by another bug, which I've fixed, and Lukas picked up the change earlier this morning and is now getting the expected client cert auth error.

Brent Putman wrote:
Hi Lukas,

Well, the explanation of the problem that you had a week or so ago (client cert failure on attribute query from 1.3 SP), and that Chad and I talked about off-list, was what you describe below: the default "out of the box" 2.0 IdP config currently only supports keys embedded in metadata. It does not by default support validation of TLS certs and signatures using the PKIX trust engine(s). It can be configured, it's just not (currently) in there by default.
However, the message you posted to the list last night is a different problem:

09:20:57.065 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:174] - Message did not meet security requirements
org.opensaml.xml.security.SecurityException: Unable to select security policy, no communication profile criteria available.

That's not the client cert auth failure you were having previously. I don't know exactly what's causing that. I saw some recent check-ins around that message decoder code; I don't know if that fixed this bug or perhaps is causing it. Maybe Chad knows. But in any event, it seems to be a different issue altogether, so I just wanted to point that out.

--Brent


Lukas Haemmerle wrote:
Thanks to Chad's explanations we probably know the reason for this problem.

Apparently this request fails because the SP doesn't have certificates embedded in the metadata but only has the CN of the certificate subject included. Although the certificate was signed by one of the embedded root CA certificates, the request apparently fails because the current configuration expects the certificate to be embedded and cannot fall back to the validation using the certificate subject.

Lukas


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
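The two trust-evaluation strategies that Brent and Lukas describe above (explicit key: the peer's certificate is embedded in metadata; PKIX: the presented certificate chains to a trusted CA and its subject matches the name published in metadata) are modelled in the following added example. It is illustrative code written for this archive page, not Shibboleth or OpenSAML code: the certificate and metadata structures are constructed stand-ins, and the "chain" check only follows issuer links, where a real PKIX engine also verifies each signature, validity period and revocation status. It reproduces the failure Lukas saw: with only a KeyName (CN) in the SP's metadata, an explicit-key-only configuration rejects a certificate that was issued by a trusted root, while a chaining configuration with PKIX enabled accepts it and still rejects a certificate from an untrusted CA or with the wrong subject.

```python
"""Toy model of explicit-key vs. PKIX trust evaluation (constructed example,
not Shibboleth/OpenSAML code)."""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str   # e.g. "CN=sp.example.org"
    issuer: str    # subject of the certificate that signed this one
    pubkey: bytes  # stand-in for the public key material

    def fingerprint(self) -> str:
        return hashlib.sha256(self.pubkey).hexdigest()


@dataclass
class RoleMetadata:
    """What a metadata KeyDescriptor can carry for a peer role."""
    embedded_certs: list = field(default_factory=list)  # X509Certificate elements
    key_names: list = field(default_factory=list)       # KeyName elements


def _cn(subject: str) -> str:
    """Extract the CN attribute from an RDN string such as 'CN=x,O=y'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return ""


def explicit_key_trust(cert: Cert, md: RoleMetadata) -> bool:
    """Explicit-key engine: trusted only if the presented key equals a key
    embedded in the peer's metadata. CAs and names play no role here."""
    return any(cert.fingerprint() == c.fingerprint() for c in md.embedded_certs)


def pkix_trust(cert: Cert, md: RoleMetadata, anchors: list, pool: dict,
               max_depth: int = 5) -> bool:
    """PKIX engine: chain the certificate to a trust anchor by following
    issuer links through `pool` (subject -> Cert), then require the subject
    to be named in the peer's metadata so the cert is bound to this peer."""
    anchor_fps = {a.fingerprint() for a in anchors}
    current = cert
    for _ in range(max_depth):
        if current.fingerprint() in anchor_fps:
            break
        issuer = pool.get(current.issuer)
        if issuer is None:
            return False  # cannot complete the chain to a trusted root
        current = issuer
    else:
        return False      # chain too long (or looping) without reaching an anchor
    return cert.subject in md.key_names or _cn(cert.subject) in md.key_names


def chaining_trust(cert: Cert, md: RoleMetadata, anchors: list, pool: dict,
                   enable_pkix: bool) -> bool:
    """Chaining engine: explicit key first; PKIX only as a configured fallback.
    `enable_pkix=False` mirrors the out-of-the-box config discussed above."""
    if explicit_key_trust(cert, md):
        return True
    return enable_pkix and pkix_trust(cert, md, anchors, pool)


# Constructed sample PKI: one trusted root, an SP cert it issued, a rogue cert
# with the same CN from an untrusted CA, and a validly issued cert with the
# wrong name.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", b"root-key-bytes")
SP_CERT = Cert("CN=sp.example.org", "CN=Example Root CA", b"sp-key-bytes")
ROGUE = Cert("CN=sp.example.org", "CN=Untrusted CA", b"rogue-key-bytes")
OTHER = Cert("CN=other.example.org", "CN=Example Root CA", b"other-key-bytes")
POOL = {ROOT.subject: ROOT}
ANCHORS = [ROOT]

MD_KEYNAME_ONLY = RoleMetadata(key_names=["sp.example.org"])  # Lukas's SP
MD_EMBEDDED = RoleMetadata(embedded_certs=[SP_CERT])


def demo() -> dict:
    """Evaluate the scenarios from the thread; returns name -> trusted?"""
    return {
        "default_config_keyname_only":
            chaining_trust(SP_CERT, MD_KEYNAME_ONLY, ANCHORS, POOL, enable_pkix=False),
        "pkix_enabled_keyname_only":
            chaining_trust(SP_CERT, MD_KEYNAME_ONLY, ANCHORS, POOL, enable_pkix=True),
        "embedded_cert_default_config":
            chaining_trust(SP_CERT, MD_EMBEDDED, ANCHORS, POOL, enable_pkix=False),
        "rogue_ca_with_pkix":
            chaining_trust(ROGUE, MD_KEYNAME_ONLY, ANCHORS, POOL, enable_pkix=True),
        "wrong_name_with_pkix":
            chaining_trust(OTHER, MD_KEYNAME_ONLY, ANCHORS, POOL, enable_pkix=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'trusted' if ok else 'REJECTED'}")
```

The name check at the end of `pkix_trust` is the part most often forgotten: a certificate that chains to a trusted CA is only "some certificate that CA issued", and without tying its subject to the KeyName in the SP's metadata any holder of such a certificate could pose as that SP.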




