Shibboleth Users



Re: Certificate problems


  • From: Brent Putman < >
  • To:
  • Subject: Re: Certificate problems
  • Date: Wed, 30 Apr 2008 15:58:15 -0400



Roman Haag wrote:
> Hello everyone,
>
> I am having problems with a Shibboleth 2.0 IdP. I can login and authenticate myself from my SP (OLAT), but the Attribute Authority cannot deliver the found attributes to my SP.
> Seems to be something with certificates:
>  Inbound message issuer was not authenticated.
> 15:06:13.849 ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:175] - Message did not meet security requirements
> org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.

That error is mentioned here, if you want some troubleshooting ideas:

https://spaces.internet2.edu/display/SHIB2/IdPTroubleshootingCommonErrors

You should see some errors earlier in the process log for ClientCertAuthRule; that will give you more info.

> I made a self-signed certificate for my SP and included it in the referenced metafile in the
> "<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">"
> section.
>
> Where do I need to add the public key on the IdP side? The "extkeytool" is no longer available in 2.0; how do I do it?



First you want to make sure that the cert is making it through to the IdP, double-check your AA endpoint SSL/TLS config.

If that's not it, then it is a trust issue as you surmise.  The way that you indicate the SP's cert/public key to the IdP is by including it in the IdP's copy of the SP's metadata, so double-check that as well.

Again, log information from when the ClientCertAuth rule is running will tell you more specifically why it is failing to authenticate the SP's client cert.

HTH,
Brent
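An added check for the trust issue Brent describes (example code written for this page, not from the thread or the Shibboleth project): it parses the IdP's copy of the SP's metadata and reports which role's KeyDescriptor carries the SP's certificate, comparing DER bytes so that PEM armor and line wrapping differences are ignored. The metadata document and certificate blob below are constructed placeholders; that an IdP matches an SP's client certificate against the keys published in the SP's SPSSODescriptor role is standard SAML metadata practice, not something the thread spells out.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def pem_to_der(pem_text):
    """Drop PEM armor and whitespace and return the certificate's DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def roles_with_cert(metadata_xml, cert_pem):
    """Names of the roles (e.g. 'SPSSODescriptor') whose KeyDescriptor carries
    cert_pem. Comparison is on DER bytes, so formatting of the base64 is irrelevant."""
    wanted = pem_to_der(cert_pem)
    roles = []
    for entity in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % MD_NS):
        for role in entity:  # role descriptors are direct children of EntityDescriptor
            for cert in role.iter("{%s}X509Certificate" % DS_NS):
                if cert.text and base64.b64decode("".join(cert.text.split())) == wanted:
                    roles.append(role.tag.split("}", 1)[1])
                    break
    return roles


def sp_key_present(metadata_xml, cert_pem):
    """True only if the cert sits in the SP role; a key placed in another role
    (such as AttributeAuthorityDescriptor) is not an SP key to the IdP."""
    return "SPSSODescriptor" in roles_with_cert(metadata_xml, cert_pem)


# Constructed sample: a stand-in blob, not a real X.509 certificate (only bytes are compared).
FAKE_B64 = base64.b64encode(b"constructed sample, not a real X.509 certificate").decode()
SP_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % FAKE_B64


def sample_metadata(role):
    """Constructed metadata for a hypothetical SP with its key placed in the given role."""
    return ('<EntityDescriptor xmlns="%s" xmlns:ds="%s" entityID="https://sp.example.org/shibboleth">'
            '<%s protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"><KeyDescriptor>'
            '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></KeyDescriptor></%s></EntityDescriptor>') % (MD_NS, DS_NS, role, FAKE_B64, role)


if __name__ == "__main__":
    for role in ("AttributeAuthorityDescriptor", "SPSSODescriptor"):
        md = sample_metadata(role)
        print(role, "->", roles_with_cert(md, SP_CERT_PEM), "SP key usable:", sp_key_present(md, SP_CERT_PEM))
```

Run it against the real files by replacing the constructed `sample_metadata(...)` output and `SP_CERT_PEM` with the contents of the IdP's metadata file and the SP's certificate file.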




