[Shib-Users] IdP Message did not meet security requirements


mxmxm...@yahoo.co.uk

Mar 17, 2009, 8:16:14 AM
to shibbole...@internet2.edu
Hi All,

Sorry, I posted the message in the wrong thread, Chad.

I'm using
shibboleth-identityprovider-2.1.2

I ran into the exact same problem as Paolo Roccetti

Error Message as I try to test my IdP with testshib:
(https://sp.testshib.org/)
Message did not meet security requirements

it did redirect to my IdP host, and gave that error message

here's the idp-process.log showing the error:
18:19:53.991 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:320] - Message did not meet security requirements

How can I solve this?
Where should I start checking? I already checked idp.crt and testshib.xml in my metadata folder. Am I missing something here?
Any help would be greatly appreciated.

Chad La Joie

Mar 17, 2009, 8:18:53 AM
to shibbole...@internet2.edu
There should be more to the error message than that; you should see an
exception. The exception will tell you which security rule failed.
It's almost always either a clock sync issue (so make sure you're
running ntp) or a bad certificate configuration.

So, look at the IdP log files and look for the full error message. It's
usually many tens of lines long, so it tends to be hard to miss.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Kevin P. Foote

Mar 17, 2009, 8:23:58 AM
to shibbole...@internet2.edu

Hey guys, sorry for the perhaps lame observation.

Isn't this the message you get when your IdP is not on the correct time?

------
thanks
kevin.foote

On Tue, 17 Mar 2009, Chad La Joie wrote:

-> There should be more to the error message than that, you should see an
-> exception. The exception will tell you which security rule failed.
-> It's almost always either a clock synch issue (so make sure you're
-> running ntp) or a bad certificate configuration.
->
-> So, look at the IdP log files and look for the full error message. It's
-> usually many tens of lines long, so it tends to be hard to miss.
->
-> mxmxm...@yahoo.co.uk wrote:
-> > Hi All,
-> >
-> > Sorry I posted the message in the wrong thread Chad,
-> >
-> > I'm using
-> > shibboleth-identityprovider-2.1.2
-> >
-> > I ran into the exact same problem as Paolo Roccetti
-> >
-> > Error Message as I try to test my IdP with testshib:
-> > (https://sp.testshib.org/)
-> > Message did not meet security requirements
-> >
-> > it did redirect to my IdP host, and gave that error message
-> >
-> > here's the idp-process.log showing the error:
-> > 18:19:53.991 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:320] - Message did not meet security requirements
-> >
-> > How can I solve this?
-> > Where should I get start to check ? I already check idp.crt, testshib.xml in my metadata folder. Am I missing something here?
-> > Any help would be greatly appreciated.
->
-> --
-> SWITCH
-> Serving Swiss Universities
-> --------------------------
-> Chad La Joie, Software Engineer, Net Services
-> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
-> phone +41 44 268 15 75, fax +41 44 268 15 68
-> chad....@switch.ch, http://www.switch.ch
->
->

Chad La Joie

Mar 17, 2009, 8:30:25 AM
to shibbole...@internet2.edu
Well, like I said, that particular message means that one of the
security checks failed. By default the IdP does the following checks:

- Message freshness (this is what gets most people because they aren't
running ntp)
- Message replay
- Whether the message signed (if required)
- Whether the SSL/TLS cert was trusted (if client-auth is used)
- Whether the simple sign signature was valid and trusted (if it's used)
- Whether the requester was authenticated by one of the previous steps
and that identity matched the identity of the issuer in the message

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
chad....@switch.ch, http://www.switch.ch

mxmxm...@yahoo.co.uk

Mar 17, 2009, 11:07:56 AM
to shibbole...@internet2.edu
Hi Chad,
I'm terribly sorry, my mistake not replying to the list.

Yes, I got this

org.opensaml.ws.security.SecurityPolicyException: Message was rejected due to issue instant expiration

And I guess you're right, something is wrong with the clock sync; I already looked it up in the Shibboleth common errors page...
(https://spaces.internet2.edu/display/SHIB2/IdPTroubleshootingCommonErrors#IdPTroubleshootingCommonErrors-org.opensaml.ws.security.SecurityPolicyException%3AMessagewasrejectedduetoissueinstantexpiration)

I'm running the ntpdate now,
and it worked... yay!

About the cert trust: I only use a self-signed certificate (and so does shibtest.org, I guess). Would that be a problem?
How can I set the client-auth?

Thanks a lot for the response...
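To make Chad's list of default security checks concrete, and to show why a lagging IdP clock produces exactly the "issue instant expiration" exception reported above, here is an added illustration (not Shibboleth code, and not from anyone on this list) of a minimal SAML 2 AuthnRequest policy evaluator in Python. It covers three of the checks (freshness, replay, issuer known from metadata); the skew and lifetime values, the trusted entityID and the sample request are all constructed assumptions.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
TRUSTED_ISSUERS = {"https://sp.example.org/shibboleth"}  # constructed stand-in for SP metadata
CLOCK_SKEW = timedelta(minutes=3)  # assumed tolerance for IdP/SP clock drift
LIFETIME = timedelta(minutes=5)    # assumed maximum accepted message age

class SecurityPolicyException(Exception):
    pass  # name mirrors the exception seen in idp-process.log

class ReplayCache:
    """Remembers message IDs until they would be rejected as stale anyway."""
    def __init__(self):
        self._seen = {}
    def check(self, msg_id, expires_at, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # purge stale IDs
        if msg_id in self._seen:
            raise SecurityPolicyException("Message was rejected due to replay")
        self._seen[msg_id] = expires_at

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate(authn_request_xml, now, replay_cache):
    root = ET.fromstring(authn_request_xml)
    issued = parse_ts(root.attrib["IssueInstant"])
    # Freshness: IssueInstant must lie within [now - skew - lifetime, now + skew].
    # An IdP whose clock lags sees requests "from the future" and fails right here.
    if issued > now + CLOCK_SKEW or issued < now - CLOCK_SKEW - LIFETIME:
        raise SecurityPolicyException("Message was rejected due to issue instant expiration")
    # Replay: the same message ID is not accepted twice inside the freshness window.
    replay_cache.check(root.attrib["ID"], issued + CLOCK_SKEW + LIFETIME, now)
    # Issuer: the requester must be an entity known from metadata.
    issuer = root.find(SAML + "Issuer")
    if issuer is None or issuer.text not in TRUSTED_ISSUERS:
        raise SecurityPolicyException("Issuer is not present in metadata")
    return issuer.text

def make_request(msg_id, issue_instant, issuer):
    # Minimal unsigned AuthnRequest, constructed here as sample input.
    return (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{msg_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')

def outcome(authn_request_xml, now_iso, replay_cache):
    # Returns the accepted issuer, or the policy error text the IdP would log.
    try:
        return evaluate(authn_request_xml, parse_ts(now_iso), replay_cache)
    except SecurityPolicyException as exc:
        return str(exc)
```

Feeding the same request with the IdP's "now" set twenty minutes behind the SP's clock yields the issue-instant error, which is why ntp fixes it without touching any certificate.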

Chad La Joie

Mar 17, 2009, 12:21:23 PM
to shibbole...@internet2.edu
It depends. In the default configuration the metadata is the sole
source of trusted material. There is no PKIX validation going on and so
self-signed certs are just fine. This is in fact what we recommend to
people and why we use it as our default. If however you choose to set
up the IdP to do PKIX-based validation then self-signed will make that
much more difficult for you and the people communicating with your IdP.

So, unless you have a *really* good reason to use PKIX and you *really*
know what you're doing, I would suggest you not change anything.

mxmxm...@yahoo.co.uk wrote:
> About the cert trust: I only use a self-signed certificate (and so does shibtest.org, I guess). Would that be a problem?
> How can I set the client-auth?
