Shibboleth Developers

[Scott Cantor <>]

 wrote:
> Does the Shibboleth SP have a requirement that Encrypted Assertions must 
> include a copy of the x509 certificate used to encrypt the KeyInfo?

No.

> I am trying to test the Shibboleth SP with a different SAML IDP product, 
> and it is not including a copy of the SP’s encryption certificate, and 
> here is the sequence of messages I see in the logfile:

Without the XML, there's really no way I could begin to diagnose it, but 
most likely there's a bug, or the EncryptedKey is invalid in some fashion, 
or not "typical" in some fashion.

> The logging differences make me think the issue is the lack of including 
> the X509Certificate, but I am not entirely sure if the problem is 
> related to the KeyInfo encryption algorithm (another point of variance, 
> the Shibboleth IDP uses rsa-oaep-mgf1p, but this product is using 
> rsa-1_5 by default, and I have not fully investigated changing this 
> algorithm).

I don't think we've explored the issues around padding and other factors 
that are supposedly buggy in either Java or OpenSSL, so it's entirely 
possible it's the algorithm. Or it could be something very simple.

-- Scott