Shibboleth Developers

[Scott Cantor <>]

Is your SP running with more than one key? The logging sequence is odd, 
because that exception message normally would either indicate the wrong key 
was used to attempt decryption, or some other error occured (which would be 
logged ahead of that message).

Even if the wrong key was used, the code's not expecting that result. There 
are two spots where that exception message is thrown, and one of them just 
doesn't fit. The other one happens if the result of a decryption attempt 
returns an unexpected number of decrypted bytes (<0), so I may have misread 
the documentation (i.e. the code) in the xmlsec library for the decryption 
method.

But if your SP is running with one key and it matches what the IdP encrypted 
the symmetric key with, there's probably a crypto bug, which is unlikely to 
be fixable by me, at least in a Shibboleth capacity.

I don't think the problem is with the lack of the KeyInfo. That would cause 
other errors to show up if it literally couldn't come up with a key to try 
(namely "Unable to resolve any key decryption keys.").

-- Scott