shibboleth-dev - Re: OpenID2 to SAML2 to SAML1.1 ... to Shib, anyone?
Subject: Shibboleth Developers
- From: Brent Putman <>
- To:
- Subject: Re: OpenID2 to SAML2 to SAML1.1 ... to Shib, anyone?
- Date: Fri, 21 Mar 2008 03:29:02 -0400
Hi Peter,
I spent a little time looking into this. You didn't mention the actual error and null pointer exception that you are seeing. Is it this?:
06:34:23.065 ERROR [org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider:161] - Unable to unmarshall metadata
org.opensaml.xml.io.UnmarshallingException: java.lang.NullPointerException
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.unmarshallMetadata(AbstractMetadataProvider.java:159)
at org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider.refreshMetadata(FilesystemMetadataProvider.java:140)
at org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider.setMetadataFilter(FilesystemMetadataProvider.java:115)
Based on my investigation, looks like we have a fundamental bug with respect to usage of the FilesystemMetadataProvider in conjunction with a filter (maybe all the metadata providers are affected, haven't tried any others yet). BTW, it's apparently with any filter, it has nothing to do with the signature validation filter specifically.
Also, we have another bug, that you didn't actually get to yet, that would prevent the signature on an EntityDescriptor (as opposed to on an EntitiesDescriptor) from being validated. It's not a problem with the signature validation process per se, but rather with the object provider for the EntityDescriptor element.
When the latter EntityDescriptor problem is fixed, I can report that the signature on your metadata does successfully validate using the certificate that you supplied. So at least that's some good news.
So, fortunately or unfortunately, these turned out to be mainstream topics. And congratulations, I think you may have reported the first (two!) post-release bug(s). :-)
Hopefully we'll get these addressed quickly.
Thanks,
Brent
Peter Williams wrote:
At hour 4, I have NOT succeeded in verifying the enclosed/attached metadata (a zip file) for a non-Shib SP into the Shib2.0.0 IDP. Most of the time was spent on first-time install orientation, learning the software package, its tomcat listener and the (very low level) configuration process. The install is on Win2003, Tomcat 6, shib 2.0.0.
The IDP apparently parses and installs the SP's metadata file, but only once one no longer has the machine attempt to verify signatures using the indicated self-signed cert. Debug logs provide no exception reports other than noting a nullpointer exception, during unmarshalling of the Relying party element. Producing variants of signed metadata made no notable difference (e.g. metadata produced to have and not have signer's keyinfo).
If I should use the shib users mailing list from here on in, redirect me. Good luck on your first few days of a new major release. Focus on mainstream topics, not this issue.
Peter.