On Thu, Sep 27, 2012 at 00:38:50 -0700, Julian wrote:
> Hi,
>
> I'm setting up an SP at our University. For that I configured it and added
> the IdP's Metadata. When testing the SP there's that Exception:
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /var/simplesamlphp-1.10.0-rc2/www/module.php:180 (N/A)
> Caused by: Exception: Failed to decrypt XML element.
> Backtrace:
> 6 /var/simplesamlphp-1.10.0-rc2/lib/SAML2/Utils.php:486 (SAML2_Utils::decryptElement)
> 5 /var/simplesamlphp-1.10.0-rc2/lib/SAML2/EncryptedAssertion.php:89 (SAML2_EncryptedAssertion::getAssertion)
> 4 /var/simplesamlphp-1.10.0-rc2/modules/saml/lib/Message.php:350 (sspmod_saml_Message::decryptAssertion)
> 3 /var/simplesamlphp-1.10.0-rc2/modules/saml/lib/Message.php:549 (sspmod_saml_Message::processAssertion)
> 2 /var/simplesamlphp-1.10.0-rc2/modules/saml/lib/Message.php:523 (sspmod_saml_Message::processResponse)
> 1 /var/simplesamlphp-1.10.0-rc2/modules/saml/www/sp/saml2-acs.php:75 (require)
> 0 /var/simplesamlphp-1.10.0-rc2/www/module.php:135 (N/A)
>
>
>
> Apache's error.log gives me that error:
> [Thu Sep 27 09:17:10 2012] [error] [client ****] PHP Warning:
> openssl_pkey_get_details() expects parameter 1 to be resource, boolean
> given in /var/simplesamlphp-1.10.0-rc2/lib/SAML2/Utils.php on line 414,
> referer: https://****/idp/profile/SAML2/Redirect/SSO
>
> It seems that the Assertion cannot be decrypted?!
>
> The authsources looks like that:
> '****' => array(
> 'saml:SP',
> 'entityID' => NULL,
> 'name' => array(
> 'de' => '****',
> ),
> 'OrganizationName' => array(
> 'de' => '****',
> ),
> 'OrganizationURL' => array(
> 'de' => 'http://****.de',
> ),
> 'contacts' => array (
> 'contactType' => 'technical',
> 'givenName' => 'Julian',
> 'surName' => '****',
> 'emailAddress' => 'admin@****.de',
> ),
> 'idp' => 'https://****/idp/shibboleth',
> 'discoURL' => NULL,
> 'certificate' => 'cert-5653817700514965.pem',
> 'privatekey' => 'key.pem',
> 'attributes' => array(
> 'mail',
> 'givenName',
> 'eduPersonScopedAffiliation',
> ),
> 'attributes.required' => array (
> 'mail',
> ),
> 'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
> ),
>
>
> The Metadata for the IdP is based on an XML file (BTW, I think there are
> some bugs in the metadata converter?!) and looks like that:
> saml20-idp-remote.php
>
>
>
> $metadata['https://****/idp/shibboleth'] = array(
>
> 'entityid' => 'https://****/idp/shibboleth',
> 'OrganizationName' => '****',
> 'OrganizationDisplayName' => '****',
> 'OrganizationURL' => 'http://www.****.de',
> 'name' => '****',
> 'description' => '****',
> 'url' => 'http://www.****.de',
> 'contacts' => array (
> 0 => array (
> 'contactType' => 'administrative',
> 'givenName' => '****',
> 'surName' => '****',
> 'emailAddress' =>
> array (
> 0 => '****',
> ),
> ),
> 1 => array (
> 'contactType' => 'technical',
> 'givenName' => '****',
> 'surName' => '****',
> 'emailAddress' =>
> array (
> 0 => '****',
> ),
> ),
> ),
> 'SingleSignOnService' => array (
> 0 =>
> array (
> 'Binding' => 'urn:mace:shibboleth:1.0:profiles:AuthnRequest',
> 'Location' => 'https://****/idp/profile/Shibboleth/SSO',
> ),
> 1 =>
> array (
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
> 'Location' => 'https://****/idp/profile/SAML2/POST/SSO',
> ),
> 2 =>
> array (
> 'isDefault' => TRUE,
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
> 'Location' => 'https://****/idp/profile/SAML2/Redirect/SSO',
> ),
> ),
> 'ArtifactResolutionService' => array (
> 0 => array (
> 'Binding' => 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding',
> 'Location' => 'https://****:8443/idp/profile/SAML1/SOAP/ArtifactResolution',
> 'index' => 1,
> ),
> 1 => array (
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
> 'Location' => 'https://****:8443/idp/profile/SAML2/SOAP/ArtifactResolution',
> 'index' => 2,
> ),
> ),
> 'certificate' => '****.pem',
> 'certFingerprint' =>
> '4D:14:6A:41:CE:FC:CD:B0:83:F3:66:DF:59:A7:F2:D9:2B:BC:DC:9E',
> 'assertion.encryption' => TRUE,
> 'scope' => array (
> 0 => '****',
> ),
> );
>
> I tried to paste the Certificate of the IdP directly into the Metadata File
> using certData but it didn't work either.
>
> Any Ideas?

My guess is that there is a problem loading the private key of the SP,
or maybe that it is incorrectly formatted.
Best regards,
Olav Morken
UNINETT / Feide
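An added diagnostic for the check Olav suggests, written for this thread and not part of SimpleSAMLphp. The PHP warning in the Apache log ("expects parameter 1 to be resource, boolean given") is what you get when openssl_pkey_get_private() returned false, i.e. the SP's private key never loaded, so before looking at the IdP side it is worth confirming, with the same OpenSSL parser PHP uses, that key.pem is readable by the web server, is a valid unencrypted PEM key, and actually belongs to the certificate the IdP encrypts assertions to. The paths and the self-signed demo pair are assumptions; in a real install the 'privatekey' and 'certificate' entries in authsources.php are resolved relative to the 'certdir' setting in config.php.

```shell
#!/bin/sh
# Added diagnostic (not SimpleSAMLphp code): verify that the SP private key
# parses and matches the SP certificate published to the IdP.
# Assumed paths: cert/cert.pem and cert/key.pem under 'certdir'.

# check_sp_keypair CERT KEY [PASSPHRASE]
# Returns 0 when KEY parses and its public key equals CERT's public key.
check_sp_keypair() {
    cert="$1"; key="$2"; pass="${3:-}"
    [ -r "$key" ]  || { echo "private key not readable: $key (check path, certdir and the web server's uid)"; return 1; }
    [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
    # Both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and traditional
    # ("Proc-Type: 4,ENCRYPTED") formats carry this marker.
    if grep -q 'ENCRYPTED' "$key" && [ -z "$pass" ]; then
        echo "private key is passphrase-protected: set 'privatekey_pass' in authsources.php or decrypt it"
        return 1
    fi
    # Same parse as openssl_pkey_get_private() in PHP; a failure here is
    # what produced the 'boolean given' warning in the Apache log.
    if ! openssl pkey -in "$key" -passin "pass:$pass" -noout 2>/dev/null; then
        echo "openssl cannot parse $key (wrong format, CRLF damage, truncated PEM?)"
        return 1
    fi
    keypub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    if [ -z "$certpub" ]; then
        echo "openssl cannot parse certificate $cert"
        return 1
    fi
    # The IdP encrypts the assertion to the public key in the SP metadata;
    # if that is not this key's public half, decryption can never succeed.
    if [ "$keypub" != "$certpub" ]; then
        echo "key and certificate do not match: the IdP encrypts to a key you do not hold"
        return 1
    fi
    echo "ok: $key matches $cert"
    return 0
}

# make_demo_keypair DIR: constructed self-signed pair so the script runs
# stand-alone; replace with the real cert/ files when diagnosing an SP.
make_demo_keypair() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sp.example.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_keypair "$tmp"
    check_sp_keypair "$tmp/cert.pem" "$tmp/key.pem"
    rm -rf "$tmp"
fi
```

Run it as the web server user (e.g. `sudo -u www-data sh check.sh /path/to/certdir/cert.pem /path/to/certdir/key.pem` after adding a call to check_sp_keypair with those arguments), since a key that root can read but the PHP process cannot fails in exactly the same way as a malformed one.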