
shibboleth-dev - Re: SP 1.3f Q

Subject: Shibboleth Developers

  • From: Alistair Young <>
  • To:
  • Subject: Re: SP 1.3f Q
  • Date: Thu, 24 Apr 2008 15:22:57 +0100

I eventually built 1.3f from source on OS X. While I'm rummaging, does anyone have any pointers that could help me along? Our IdP worked ok with SP 1.2.1, and it works ok with 1.3.1 and 2.0.0 but it seems to not work with 1.3f. The SP always reports the error "unable to verify signed profile response". I've sampled the signed SAML coming from the IdP and run it through a verifier here and it's fine. 1.3.1 and 2.0.0 verify the signature fine too. I think it's just 1.3f that won't verify it.

I know there are some cert experts on this list. Would it be poss to have a quick look at the attached saml response to see if anything in it might give 1.3f problems? I'm off to config 1.3f now to see if I can reproduce the problem.

many thanks,

Alistair

<?xml version="1.0" encoding="ISO-8859-1"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="GUANXI-6ef9b028-1197fe5c729--7ffd" MajorVersion="1" MinorVersion="1" IssueInstant="2008-04-24T10:06:26Z" Recipient="https://shibboleth.ovid.com/Shibboleth.sso/SAML/POST"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">HtcKC2ojSna2iLbZ5/blKUVKIww=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
qIK9A3Umi8EJEltbn6Jnsh9rfMAtG6I61znihFkav0LPUvkk2mIDnclfh1BO8+vvSKmvWQ28hRSr
9ej7xE+xIXEPuHSC96+aANSyyDMMlJio6PUorIIwwas5Zgi4bkMdk6DvvbNZ/+iMXkuP1wpB34AJ
1lm+rthJ+91YcbBa/Sg=
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Modulus xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
sEmR6IxwvsGsM7yGs9x+05M9+mh6BZt/b6imLSdGxDHcSCuDkuKR9SRIrOiHXLEmJAo4F3Mai1dh
0ZZXe5NpoWGz+IUT6SV27s8pjrlyF62pAtTTBhy610HZih0FywLKQ4RmTr7LEWqCdlo+JcxEAzne
nnom1y62Ldx5b6HK3q8=
</ds:Modulus>
<ds:Exponent xmlns:ds="http://www.w3.org/2000/09/xmldsig#">AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature><samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status><saml:Assertion AssertionID="GUANXI-6ef9b028-1197fe5c729--7ffc" MajorVersion="1" MinorVersion="1" Issuer="urn:mace:ac.uk:sdss.ac.uk:provider:identity:uhi.ac.uk" IssueInstant="2008-04-24T10:06:26Z"><saml:Conditions NotBefore="2008-04-24T10:06:26Z" NotOnOrAfter="2008-04-24T10:11:26Z"><saml:AudienceRestrictionCondition><saml:Audience>https://shibboleth.ovid.com/entity</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2008-04-24T10:06:26Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier NameQualifier="urn:mace:ac.uk:sdss.ac.uk:provider:identity:uhi.ac.uk">6ef9b028:1197fe5c729:-7fff</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion></samlp:Response>




On 24 Apr 2008, at 09:35, Alistair Young wrote:

Hi folks,

I have a quick Q. I have a major interop problem with SP 1.3f so I need to install one on the mac but it seems it doesn't support apache 2.2.x?

Syntax error on line 10 of /opt/shibboleth-sp/etc/shibboleth/apache22.config
dlopen(/opt/shibboleth-sp/libexec/mod_shib_22.so, 10): image not found

there didn't seem to be a resolution anywhere I could find. Is there something I can do to get it to install on OS X? Should I just use apache 1?

thanks,

Alistair

--------------
mov eax,1
mov ebx,0
int 80h


--------------
mov eax,1
mov ebx,0
int 80h
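
Added example, not part of the original message or of Shibboleth: when one verifier rejects a signed response that others accept, a useful first step is to list the parameters every verifier has to agree on (canonicalization, reference URI, transforms, PrefixList, KeyInfo contents) so they can be compared across versions. The function name and the shortened sample are constructed; the last field compares the Reference URI with the SAML 1.1 core rule that it point at the root element's ID, as one item to compare and not a confirmed cause.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EC = "http://www.w3.org/2001/10/xml-exc-c14n#"
NS = {"ds": DS}

# Constructed sample: same signature layout as the response above, values shortened.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    ResponseID="EXAMPLE-resp-1" MajorVersion="1" MinorVersion="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI=""><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp #default"/>
</ds:Transform></ds:Transforms>
<ds:DigestValue>CONSTRUCTED</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data/><ds:KeyValue/></ds:KeyInfo>
</ds:Signature></samlp:Response>"""

def signature_profile(xml_text):
    """Summarise the ds:Signature parameters; this does not verify the signature."""
    # Use on captures you trust; for untrusted XML parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature child on the root element")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    root_id = (root.get("ResponseID") or root.get("AssertionID")
               or root.get("RequestID") or "")
    return {
        "c14n": sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS).get("Algorithm"),
        "sig_alg": sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm"),
        "reference_uris": [r.get("URI") for r in refs],
        "transforms": [t.get("Algorithm") for r in refs
                       for t in r.findall("ds:Transforms/ds:Transform", NS)],
        "prefix_lists": [p.get("PrefixList")
                         for p in sig.iter("{%s}InclusiveNamespaces" % EC)],
        "keyinfo_children": [c.tag.split("}")[1]
                             for c in sig.findall("ds:KeyInfo/*", NS)],
        # SAML 1.1 core: a single Reference whose URI is "#" + the root element's ID.
        "reference_is_root_id": len(refs) == 1 and refs[0].get("URI") == "#" + root_id,
    }

if __name__ == "__main__":
    for key, value in signature_profile(SAMPLE).items():
        print(key, "=", value)
```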