SP Configuration: Certificate error.


Rampage

Mar 15, 2012, 9:32:11 PM
to Shib Users
Hello everyone,
it's been a while since my last post. I've read through many threads and searched on Google but couldn't find anything specifically related to this issue, so I'm begging for your help.

Here is the point:

I'm following instructions provided by an IdP service to set up Shibboleth to use the IdP for single sign-on purposes.

I've followed everything accordingly, but when it comes to login I get this error in the debug log:

2012-03-16 02:10:26 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: extracting issuer from SAML 1.x Response
2012-03-16 02:10:26 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: response from (https://idpcrl.crs.lombardia.it//scauth)
2012-03-16 02:10:26 DEBUG OpenSAML.MessageDecoder.SAML1 [1]: searching metadata for response issuer...
2012-03-16 02:10:26 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [1]: evaluating message flow policy (replay checking on, expiration 60)
2012-03-16 02:10:26 DEBUG XMLTooling.StorageService [1]: inserted record (_6419ffa3b558fbe3ccc83eed7a39910b) in context (MessageFlow)
2012-03-16 02:10:26 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: validating signature profile
2012-03-16 02:10:26 ERROR XMLTooling.KeyInfoResolver.Inline [1]: caught XML-Security exception loading certificate: OpenSSL:X509 - Error transating Base64 DER encoding into OpenSSL X509 structure
2012-03-16 02:10:26 ERROR XMLTooling.TrustEngine.PKIX [1]: certificate name was not acceptable
2012-03-16 02:10:26 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [1]: unable to verify message signature with supplied trust engine


They say to specify the SAML file as follows (used pastebin to prevent flooding):

http://pastebin.com/dpr00fcJ

Am I doing something wrong?
It's always been a pain with certificates and this IdP, and now recently they decided it was time to change up a bunch of things and write their own documentation on how to set it up properly... and obviously everything got messed up.

As far as I can understand, there is something wrong in the trust engine? Maybe I have to set up something in shibboleth2.xml too?

Thanks in advance for the help.
Best regards,
Francesco

Cantor, Scott

Mar 15, 2012, 10:29:51 PM
to us...@shibboleth.net
On 3/15/12 9:32 PM, "Rampage" <atomi...@email.it> wrote:
>
> they say to specify the SAML file as follows: (used pastebin to
> prevent flooding)
>
> http://pastebin.com/dpr00fcJ
>
>
> am i doing something wrong?

No, but that metadata is invalid. There's a bogus certificate blob sitting
in empty space and an empty X509Certificate element after it. That's the
one triggering the error I would guess.

And the order of the certs is wrong. Shibboleth does not understand
multiple certificates inside a single KeyDescriptor, but if you do it, it
will only look at the first one. In this case, that's a CA, not the peer's
key.

-- Scott


--
To unsubscribe from this list send an email to users-un...@shibboleth.net
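Scott's reply names three metadata defects: certificate text dropped into the X509Data element outside any X509Certificate element, an empty X509Certificate element after it, and several certificates in one KeyDescriptor with a CA certificate listed first (so the SP uses the CA, not the peer's key). The following validator is an added example, not code from the thread or from the Shibboleth project: it loads SAML metadata with the Python standard library and reports those defects per KeyDescriptor. The DER and CA checks are deliberately minimal, stdlib-only heuristics (outer ASN.1 SEQUENCE header, basicConstraints OID 2.5.29.19 followed by CA TRUE), and the embedded metadata and certificate blobs are constructed stand-ins, not real certificates or the IdP's real metadata.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# DER encoding of the basicConstraints extension OID (2.5.29.19).
BASIC_CONSTRAINTS_OID = b"\x06\x03\x55\x1d\x13"
# SEQUENCE { BOOLEAN TRUE [, pathLenConstraint] } that follows the OID in a CA cert.
# Heuristic: a byte-pattern search, not a full X.509 parser.
CA_TRUE = re.compile(rb"\x30[\x03-\x09]\x01\x01\xff")


def decode_cert_text(text):
    """Return the DER bytes of a ds:X509Certificate body, or None if empty/not base64."""
    compact = "".join(text.split())
    if not compact:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_der_sequence(der):
    """Check the outer ASN.1 header: tag 0x30 and a length matching the blob size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def looks_like_ca(der):
    """Heuristic: basicConstraints present with cA=TRUE right after the OID."""
    idx = der.find(BASIC_CONSTRAINTS_OID)
    if idx < 0:
        return False
    return CA_TRUE.search(der, idx, idx + 20) is not None


def check_key_descriptors(metadata_xml):
    """Return (keydescriptor_index, finding) pairs for the defects discussed in the thread."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for i, kd in enumerate(root.iter(f"{{{MD}}}KeyDescriptor")):
        # Certificate text sitting in "empty space" inside X509Data is silently ignored
        # by an XML parser, so it must be flagged explicitly.
        for x509data in kd.iter(f"{{{DS}}}X509Data"):
            stray = [x509data.text] + [child.tail for child in x509data]
            if any(s and s.strip() for s in stray):
                findings.append((i, "certificate text outside any X509Certificate element"))
        certs = list(kd.iter(f"{{{DS}}}X509Certificate"))
        if not certs:
            findings.append((i, "no X509Certificate element"))
            continue
        if len(certs) > 1:
            findings.append((i, f"{len(certs)} certificates in one KeyDescriptor; only the first is used"))
        for j, cert in enumerate(certs):
            der = decode_cert_text(cert.text or "")
            if der is None:
                findings.append((i, f"certificate {j} is empty or not valid base64"))
                continue
            if not looks_like_der_sequence(der):
                findings.append((i, f"certificate {j} is not a DER SEQUENCE"))
                continue
            if j == 0 and looks_like_ca(der):
                findings.append((i, "first certificate is a CA certificate, not the peer's key"))
    return findings


def _blob(ca):
    """Constructed stand-in for a DER certificate: a SEQUENCE holding only a
    basicConstraints extension (cA TRUE or FALSE). Not a real certificate."""
    ext = BASIC_CONSTRAINTS_OID + (b"\x30\x03\x01\x01\xff" if ca else b"\x30\x03\x01\x01\x00")
    return b"\x30" + bytes([len(ext)]) + ext


CA_B64 = base64.b64encode(_blob(True)).decode()
LEAF_B64 = base64.b64encode(_blob(False)).decode()

# Constructed metadata reproducing the three defects plus one correct KeyDescriptor.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.invalid/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        {CA_B64}
        <ds:X509Certificate></ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{CA_B64}</ds:X509Certificate>
        <ds:X509Certificate>{LEAF_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{LEAF_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for index, finding in check_key_descriptors(SAMPLE_METADATA):
        print(f"KeyDescriptor {index}: {finding}")
```

Run against a real metadata file by passing its contents to `check_key_descriptors`; the third, well-formed KeyDescriptor in the sample produces no findings, which is what the peer's own signing certificate alone in a KeyDescriptor should look like.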

Atomikramp

Mar 16, 2012, 4:14:44 AM
to Shib Users
Sorry for the top quoting, I'm off-site and this webmail is kind of troublesome to handle proper quoting with :)
Anyway, yes, I was provided with the CA certificates, not peer, and
ohh my... it was like 3am and I didn't notice the syntax error. Hope this is gonna fix it, but I won't know for a couple of hours until I get back home for testing.
Thanks for the help,
Francesco

Rampage

Mar 16, 2012, 8:31:22 AM
to Shib Users
Oh man...
it was 3 am :) I didn't notice the wrong open/close tags.

I've fixed it, but now I get a different error in the log:

2012-03-16 13:29:25 DEBUG OpenSAML.MessageDecoder.SAML1 [2]: extracting issuer from SAML 1.x Response
2012-03-16 13:29:25 DEBUG OpenSAML.MessageDecoder.SAML1 [2]: response from (https://idpcrl.crs.lombardia.it//scauth)
2012-03-16 13:29:25 DEBUG OpenSAML.MessageDecoder.SAML1 [2]: searching metadata for response issuer...
2012-03-16 13:29:25 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
2012-03-16 13:29:25 DEBUG XMLTooling.StorageService [2]: inserted record (_f0fcc07abb9ae502ddcfd20bfd3a447e) in context (MessageFlow)
2012-03-16 13:29:25 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: validating signature profile
2012-03-16 13:29:25 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate name was not acceptable
2012-03-16 13:29:25 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine

Am I still missing something?
mhhhh

Thanks again,
Francesco

Cantor, Scott

Mar 16, 2012, 11:09:35 AM
to us...@shibboleth.net
> Am I still missing something?

The metadata's obviously still wrong. All the documentation on how trust
engines work is in the wiki. That's all the help I can give you on what
has to be in the metadata.

I don't know what trust engine you're trying to make work. ExplicitKey
works one way, and PKIX works another.
