shibboleth-dev - Shibboleth SP - Handling Encrypted Assertions

  • Subject: Shibboleth SP - Handling Encrypted Assertions
  • Date: Tue, 11 Mar 2008 18:11:20 -0400

Does the Shibboleth SP have a requirement that Encrypted Assertions must include a copy of the x509 certificate used to encrypt the KeyInfo?  When the Shibboleth IDP encrypts an assertion, it includes a copy of the SP’s x509 certificate, although I am unsure as to whether this is strictly required (could it not be assumed?).


I am trying to test the Shibboleth SP with a different SAML IDP product, and it is not including a copy of the SP’s encryption certificate, and here is the sequence of messages I see in the logfile:


2008-03-11 17:48:57 DEBUG Shibboleth.SSO.SAML2 [9]: processing message against SAML 2.0 SSO profile
2008-03-11 17:48:57 DEBUG XMLTooling.KeyInfoResolver.Inline [9]: resolved 0 certificate(s)
2008-03-11 17:48:57 ERROR Shibboleth.SSO.SAML2 [9]: Unable to decrypt key.


Vs. working decryption of an EncryptedAssertion as encrypted by the Shibboleth IDP:


2008-03-07 20:38:13 DEBUG Shibboleth.SSO.SAML2 [2]: processing message against SAML 2.0 SSO profile
2008-03-07 20:38:13 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved 0 certificate(s)
2008-03-07 20:38:13 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolving ds:X509Certificate
2008-03-07 20:38:13 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved 1 certificate(s)
2008-03-07 20:38:13 DEBUG Shibboleth.SSO.SAML2 [2]: decrypted Assertion:


The logging differences make me think the issue is the lack of including the X509Certificate, but I am not entirely sure if the problem is related to the KeyInfo encryption algorithm (another point of variance, the Shibboleth IDP uses rsa-oaep-mgf1p, but this product is using rsa-1_5 by default, and I have not fully investigated changing this algorithm).

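A small diagnostic for the situation described in this message, added here as an example and not part of the post or of the Shibboleth code base: it parses a SAML 2.0 EncryptedAssertion and reports which key-transport algorithm the EncryptedKey uses and whether its KeyInfo carries any key hint (inline ds:X509Certificate, ds:KeyName or ds:RetrievalMethod) for the SP's resolver to work with. The sample XML is constructed for this example and the CipherValue and certificate contents are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

# Constructed sample: EncryptedKey nested in EncryptedData/KeyInfo, placeholder ciphertext.
TEMPLATE = """<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="{alg}"/>{keyinfo}
   <xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>REVG</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData>
</saml:EncryptedAssertion>"""
SAMPLE_NO_CERT = TEMPLATE.format(alg=RSA_15, keyinfo="")   # like the non-Shibboleth IdP in the post
SAMPLE_WITH_CERT = TEMPLATE.format(alg=RSA_OAEP, keyinfo="<ds:KeyInfo><ds:X509Data>"
    "<ds:X509Certificate>TUlJLi4u</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")

def inspect_encrypted_assertion(xml_text):
    """Summarise the key-transport shape of the first saml:EncryptedAssertion in xml_text."""
    root = ET.fromstring(xml_text)
    ea = root if root.tag.endswith("}EncryptedAssertion") else root.find(".//saml:EncryptedAssertion", NS)
    if ea is None:
        raise ValueError("no saml:EncryptedAssertion found")
    # The EncryptedKey may be nested in EncryptedData/KeyInfo or placed beside EncryptedData.
    ek = ea.find("./xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey", NS)
    if ek is None:
        ek = ea.find("./xenc:EncryptedKey", NS)
    if ek is None:
        raise ValueError("no xenc:EncryptedKey found")
    method = ek.find("./xenc:EncryptionMethod", NS)
    algorithm = method.get("Algorithm") if method is not None else None
    ki = ek.find("./ds:KeyInfo", NS)   # hints the SP uses to pick its decryption key
    count = lambda path: len(ki.findall(path, NS)) if ki is not None else 0
    summary = {
        "key_transport": algorithm,
        "x509_certificates": count("./ds:X509Data/ds:X509Certificate"),
        "key_names": count("./ds:KeyName"),
        "retrieval_methods": count("./ds:RetrievalMethod"),
        # PKCS#1 v1.5 key transport is discouraged in XML Encryption 1.1 in favour of RSA-OAEP.
        "pkcs1_v15_key_transport": algorithm == RSA_15,
    }
    summary["key_hint_present"] = any(summary[k] > 0 for k in ("x509_certificates", "key_names", "retrieval_methods"))
    return summary
```

Run it over a captured response and compare the two summaries: a response with no key hint and rsa-1_5 matches the failing case in the logs above, while the Shibboleth IdP case yields one inline certificate and rsa-oaep-mgf1p.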




Archive powered by MHonArc 2.6.16.