SAML IdP - encrypt assertions


Robert Kornmesser

Nov 15, 2016, 5:17:17 AM
to CAS Community
Hi all,

I am successfully running a CAS 5.0.0 with SAML IdP. I can authenticate against shibbolized service providers as long as I am not encrypting assertions. When I activate "encryptAssertions" in my service I get this error:

A valid authentication statement was not found in the incoming message.

Using a shibboleth 3 IDP worked before.

Here are some logs:

shibd.log
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
----- BEGIN SIGNATURE DEBUG -----
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod>
<ds:Reference URI="#_1658058603619518521">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"></ds:DigestMethod>
<ds:DigestValue>zfQy3P72YVRFnpL92vmedxCZ/cmetKLLKS46qohlIBpg28d6D5uYX8jBvFqzRy3/qxhoo49Ew4R4gC0lwBhS/Q==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
2016-11-15 11:12:41 DEBUG XMLTooling.Signature.Debugger [1]:
----- END SIGNATURE DEBUG -----
2016-11-15 11:12:41 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature validated with credential
2016-11-15 11:12:41 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: signature verified against message issuer
2016-11-15 11:12:41 DEBUG Shibboleth.SSO.SAML2 [1]: processing message against SAML 2.0 SSO profile
2016-11-15 11:12:41 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 certificate(s)
2016-11-15 11:12:41 DEBUG XMLTooling.CredentialCriteria [1]: key algorithm didn't match ('AES' != 'RSA')
2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: XMLSecurity exception while decrypting key: OpenSSL:RSA privateKeyDecrypt - Error removing OAEPadding
2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: unable to decrypt key, generating random key for defensive purposes
2016-11-15 11:12:41 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt assertion: XMLSecurity exception while decrypting: Errors occured during de-serialisation of decrypted element content

If you need more logs, please tell me.

Anyone else having problems with encrypted assertions?
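The SP log in the post above shows the Response signature verifying fine and the failure happening one step later, when the SP tries to unwrap the EncryptedKey with its RSA private key ("Error removing OAEPadding"). RSA-OAEP unpadding fails when the private key the SP holds does not correspond to the public key the IdP encrypted to (for example the IdP picked the SP's signing certificate, or a stale one, from metadata), or when the OAEP parameters on the two sides differ. A first triage step is therefore to compare the certificate and key-transport algorithm the IdP actually used against what the SP publishes in its metadata. The script below is an added example, not code from this thread, from CAS or from Shibboleth; the SP metadata, the Response, the entityID and the certificate strings are constructed placeholders, and the check uses only the Python standard library.

```python
"""Triage helper for SAML EncryptedAssertion decryption failures.
Added example, not from the thread, CAS or Shibboleth: all XML below is
constructed test data and the certificate values are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

# Constructed placeholders standing in for base64 DER certificates.
SIGNING_CERT = "MIIC-SIGNING-CERT-PLACEHOLDER"
ENCRYPTION_CERT = "MIIC-ENCRYPTION-CERT-PLACEHOLDER"

# Constructed SP metadata with distinct signing and encryption KeyDescriptors.
SP_METADATA_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SIGNING_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {ENCRYPTION_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="{RSA_OAEP}"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def build_response(key_cert=None):
    """Constructed Response carrying one EncryptedAssertion. key_cert is the
    certificate the IdP names in the EncryptedKey's KeyInfo; None omits the
    KeyInfo, which is the situation behind 'resolved 0 certificate(s)'."""
    keyinfo = ""
    if key_cert is not None:
        keyinfo = (f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{key_cert}"
                   "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="{NS['xenc']}Element">
      <xenc:EncryptionMethod Algorithm="{NS['xenc']}aes128-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{RSA_OAEP}"/>
          {keyinfo}
          <xenc:CipherData><xenc:CipherValue>WRAPPED-KEY-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def sp_encryption_profile(metadata_xml):
    """Return ({certificate: set of uses}, {declared key-transport algorithms}).
    A KeyDescriptor without a 'use' attribute is valid for both purposes."""
    root = ET.fromstring(metadata_xml)
    certs, algs = {}, set()
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = set(kd.get("use", "signing encryption").split())
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.setdefault("".join(c.text.split()), set()).update(uses)
        if "encryption" in uses:
            algs.update(e.get("Algorithm") for e in kd.iterfind("md:EncryptionMethod", NS))
    return certs, algs


def check_encrypted_assertion(response_xml, metadata_xml):
    """For each EncryptedKey under an EncryptedAssertion, report which SP
    certificate the IdP encrypted to and list the mismatches that make the
    SP's RSA-OAEP unwrap fail before the assertion can be read."""
    certs, algs = sp_encryption_profile(metadata_xml)
    results = []
    root = ET.fromstring(response_xml)
    for ea in root.iterfind(".//saml:EncryptedAssertion", NS):
        for ek in ea.iterfind(".//xenc:EncryptedKey", NS):
            em = ek.find("xenc:EncryptionMethod", NS)
            alg = em.get("Algorithm") if em is not None else None
            ki = ek.find("ds:KeyInfo", NS)
            inline = [] if ki is None else [
                "".join(c.text.split()) for c in ki.iterfind(".//ds:X509Certificate", NS)]
            uses = certs.get(inline[0]) if inline else None
            findings = []
            if algs and alg not in algs:
                findings.append(f"key transport {alg} not among SP-declared {sorted(algs)}")
            if not inline:
                findings.append("EncryptedKey names no certificate; SP must try each RSA credential it holds")
            elif uses is None:
                findings.append("IdP encrypted to a certificate absent from SP metadata")
            elif "encryption" not in uses:
                findings.append("IdP encrypted to the SP signing certificate, not its encryption certificate")
            results.append({"key_algorithm": alg, "cert_uses": uses, "findings": findings})
    return results


if __name__ == "__main__":
    for label, cert in (("signing cert", SIGNING_CERT), ("encryption cert", ENCRYPTION_CERT), ("no KeyInfo", None)):
        print(label, check_encrypted_assertion(build_response(cert), SP_METADATA_XML))
```

Run against a real Response, the output tells you whether the OAEP failure is a key-selection problem (the IdP encrypted to the wrong SP certificate, or to one the SP no longer holds) rather than a bug in the decrypting code; when the EncryptedKey carries no KeyInfo, as in the log above, the SP has to try every RSA credential it has, so the next thing to verify is that the SP metadata the IdP loaded still contains the certificate matching the SP's current private key.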

Misagh Moayyed

Nov 15, 2016, 11:09:52 AM
to cas-...@apereo.org

This is probably the least tested bit of the saml2 feature. Do open up an issue, and provide your config and CAS logs so we can better diagnose this.

 

--Misagh

