shibboleth-dev - Re: IdP 2.0 - SP 1.3 attribute request fails - Problem (probably) found
- From: Chad La Joie <>
- Subject: Re: IdP 2.0 - SP 1.3 attribute request fails - Problem (probably) found
- Date: Tue, 26 Feb 2008 19:56:04 +0100
- Organization: SWITCH
That error was caused by another bug, which I've fixed; Lukas picked up the change earlier this morning and is now getting the expected client cert auth error.
Brent Putman wrote:
Hi Lukas,
Well, the explanation of the problem that you had a week or so ago (client cert failure on attribute query from 1.3 SP), and that Chad and I talked about off-list, was what you describe below: the default "out of the box" 2.0 IdP config currently only supports keys embedded in metadata. It does not by default support validation of TLS certs and signatures using the PKIX trust engine(s). It can be configured, it's just not (currently) in there by default.
However, the message you posted to the list last night is a different problem:
09:20:57.065 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:174] - Message did not meet security requirements
org.opensaml.xml.security.SecurityException: Unable to select security policy, no communication profile criteria available.
That's not the client cert auth failure you were having previously. I don't know exactly what's causing that. I saw some recent check-ins around that message decoder code; I don't know if that fixed this bug or perhaps is causing it. Maybe Chad knows. But in any event, it seems to be a different issue altogether, so I just wanted to point that out.
--Brent
Lukas Haemmerle wrote:
Thanks to Chad's explanations we probably know the reason for this problem.
Apparently this request fails because the SP doesn't have certificates embedded in the metadata but only has the CN of the certificate subject included. Although the certificate was signed by one of the embedded root CA certificates, the request apparently fails because the current configuration expects the certificate to be embedded and cannot fall back to the validation using the certificate subject.
Lukas
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
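The trust failure discussed in this thread comes down to what the SP's metadata carries in its KeyDescriptor: an explicit-key trust engine needs the certificate (or raw key) itself in the metadata, whereas metadata that only names the certificate subject in a ds:KeyName can only be validated by a PKIX engine against trusted CA certificates. The script below is an added example, not code from the thread or from the Shibboleth project; it walks a SAML metadata file and flags every entity whose KeyDescriptors contain no embedded key material, so an operator can see up front which SPs will fail under the default explicit-key configuration. The metadata it parses is a constructed sample with two SPs, one embedding a (placeholder) certificate and one carrying only a KeyName as the SP in this thread did; it does not attempt to reproduce the IdP's real trust-engine evaluation, only the metadata check that predicts its outcome.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata (not taken from the thread). The certificate
# value is a placeholder string, not a real certificate.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp-embedded.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-keyname.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:KeyName>sp-keyname.example.org</ds:KeyName>
        </ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def inspect_key_descriptors(metadata_xml):
    """Summarise the key material each entity publishes in its KeyDescriptors.

    Returns {entityID: {"embedded_keys": int, "key_names": [..], "explicit_key_ok": bool}}.
    embedded_keys counts ds:X509Certificate and ds:KeyValue elements, the two
    forms an explicit-key trust engine can use directly; a bare ds:KeyName is
    only a hint and needs PKIX validation against trusted CA certificates.
    """
    root = ET.fromstring(metadata_xml)
    report = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        embedded = 0
        names = []
        for kd in entity.iter("{%s}KeyDescriptor" % NS["md"]):
            embedded += len(kd.findall(".//ds:X509Certificate", NS))
            embedded += len(kd.findall(".//ds:KeyValue", NS))
            names += [kn.text.strip() for kn in kd.findall(".//ds:KeyName", NS) if kn.text]
        report[entity.get("entityID")] = {
            "embedded_keys": embedded,
            "key_names": names,
            # Explicit-key trust can only succeed if the metadata itself holds a key.
            "explicit_key_ok": embedded > 0,
        }
    return report


def entities_needing_pkix(metadata_xml):
    """Entity IDs that cannot be trusted without a PKIX trust engine."""
    report = inspect_key_descriptors(metadata_xml)
    return sorted(eid for eid, r in report.items() if not r["explicit_key_ok"])


if __name__ == "__main__":
    for eid, r in inspect_key_descriptors(SAMPLE_METADATA).items():
        status = "explicit-key OK" if r["explicit_key_ok"] else "needs PKIX (KeyName only)"
        print("%s: %d embedded key(s), key names %s -> %s"
              % (eid, r["embedded_keys"], r["key_names"], status))
    print("Entities requiring PKIX:", entities_needing_pkix(SAMPLE_METADATA))
```

Running the script against a federation's metadata file instead of the sample shows which relying parties would hit the client cert auth error above before anyone changes the IdP's trust engine configuration, and which ones are unaffected because their certificates are already embedded.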