[Shib-Users] Inbound message issuer was not authenticated


davidf...@yahoo.fr

Jul 27, 2009, 5:11:49 AM
to shibbole...@internet2.edu
Hi,

I am trying to get my SP 1.3 to communicate with my test IdP 2.1.
The first step works fine:
I can authenticate (with JAAS) and return to my SP (note that my SP doesn't use SSL, only direct HTTP).
The second step doesn't work:
receiving attributes from the IdP fails with the error: Inbound message issuer was not authenticated

Actually I haven't configured any resolver; I would just like to see if it works. That is why the attributeXXX.xml files are the defaults created by the install.

I suppose that the AA URL is https://myurl:8443/idp/profile/SAML1/SOAP/AttributeQuery because my SP is 1.3...

My SP 1.3 log after authentication:

-----------------------------------------------------------
INFO Shibboleth.ShibBrowserProfile [0] sessionNew: verified digital signature over SSO response
INFO shibtarget.SessionCache [0] sessionNew: new session created with session ID (_efbbe24ae8e90a84defe17b0feb4e0e6)
INFO SAML.SAMLSOAPHTTPBinding [1] sessionGet: sending SOAP message to https://myurl:8443/idp/profile/SAML1/SOAP/AttributeQuery
INFO OpenSSL [1] sessionGet: verified server's TLS key/certificate
ERROR shibtarget.SessionCache [1] sessionGet: caught SAML exception during SAML attribute query: Message did not meet security requirements
ERROR shibtarget.SessionCache [1] sessionGet: no response obtained
---------------------------------------------------------------

My IdP 2.1 log after authentication:
-----------------------------------------------------------------------
DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:541] - Encoding response to SAML request null from relying party http://mysp/secure
INFO [Shibboleth-Audit:675] - 20090727T084039Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||http://mysp/secure|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://myurl/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_bd7e806832cf98bcb7a208f4d23d0f21|MyName|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_686375ea9cf229cb52c5906de84acce1|_41f66b3abb2e9082ebe66fc3bff9e829,|
INFO [Shibboleth-Access:72] - 20090727T084039Z|172.20.8.224|myurl:8443|/profile/SAML1/SOAP/AttributeQuery|
DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML1/SOAP/AttributeQuery
DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler
DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:135] - Decoding message with decoder binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for http://mysp/secure
DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for http://mysp/secure, looking up configuration based on metadata groups.
DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for http://mysp/secure. Using default relying party configuration.
ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:36] - Inbound message issuer was not authenticated.
ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:171] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
-----------------------------------------------------------------

Maybe I need to configure some element somewhere in a configuration file, or simply my AA URL is wrong....
Thanks for your help.

David

Rod Widdowson

Jul 27, 2009, 5:39:28 AM
to shibbole...@internet2.edu
I'd check my Apache config (if you are using that), specifically look for
optional_no_ca on the 8443 port.

Chad La Joie

Jul 27, 2009, 6:23:40 AM
to shibbole...@internet2.edu
The AA URL is correct. The SP can't be authenticated and the IdP
requires that.

The two most common causes are:
- The back-channel port is not set up properly. See the installation
documents for the correct way to do this
- The certificate in the SP's metadata is wrong.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch
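Chad's first cause, the back-channel port, is an Apache vhost question rather than an IdP one. What follows is an added example, not code from this thread or from the Shibboleth project: a small Python check that reads an Apache configuration and reports whether the TLS vhost on the back-channel port carries the directives David later reports adding (SSLVerifyClient optional_no_ca, SSLVerifyDepth, SSLOptions +ExportCertData). Port 8443, the vhost layout and both config snippets are constructed assumptions.

```python
"""Check an Apache back-channel vhost for the client-certificate directives an
IdP behind Apache needs. Added example; the config snippets are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# optional_no_ca is expected because the IdP, not Apache, decides from metadata
# whether the SP's certificate is trusted; Apache only has to ask for it.
EXPECTED_VERIFY_CLIENT = "optional_no_ca"


def _vhost_body(config_text: str, port: int) -> Optional[str]:
    """Return the body of the first <VirtualHost ...:PORT> block, or None."""
    m = re.search(r"<VirtualHost[^>]*:%d\s*>(.*?)</VirtualHost>" % port,
                  config_text, re.S | re.I)
    return m.group(1) if m else None


def _directives(body: str) -> List[Tuple[str, List[str]]]:
    """Parse 'Name arg arg' lines, skipping blanks and comments."""
    out = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        out.append((parts[0].lower(), parts[1:]))
    return out


def check_backchannel_vhost(config_text: str, port: int = 8443) -> List[str]:
    """Return a list of problems; an empty list means the vhost looks right."""
    body = _vhost_body(config_text, port)
    if body is None:
        return ["no <VirtualHost> block listens on port %d" % port]
    seen: Dict[str, List[List[str]]] = {}
    for name, args in _directives(body):
        seen.setdefault(name, []).append(args)
    problems = []
    if ["on"] not in [[a.lower() for a in v] for v in seen.get("sslengine", [])]:
        problems.append("SSLEngine on is missing")
    verify = seen.get("sslverifyclient")
    if not verify:
        problems.append("SSLVerifyClient is missing: Apache never asks the SP for a client certificate")
    elif not verify[-1] or verify[-1][0].lower() != EXPECTED_VERIFY_CLIENT:
        problems.append("SSLVerifyClient is %r, expected %s" % (verify[-1], EXPECTED_VERIFY_CLIENT))
    options = [o.lower() for args in seen.get("ssloptions", []) for o in args]
    if "+exportcertdata" not in options:
        problems.append("SSLOptions +ExportCertData is missing: the certificate is not handed to the IdP")
    if "sslverifydepth" not in seen:
        problems.append("SSLVerifyDepth is missing")
    return problems


# Constructed: a vhost that terminates TLS but never requests the SP's certificate.
BROKEN_CONFIG = """
Listen 8443
<VirtualHost _default_:8443>
    ServerName myurl
    SSLEngine on
    SSLCertificateFile /etc/ssl/idp.crt
    SSLCertificateKeyFile /etc/ssl/idp.key
    ProxyPass /idp ajp://localhost:8009/idp
</VirtualHost>
"""

# Constructed: the same vhost with the directives from the fix reported in this thread.
FIXED_CONFIG = """
Listen 8443
<VirtualHost _default_:8443>
    ServerName myurl
    SSLEngine on
    SSLCertificateFile /etc/ssl/idp.crt
    SSLCertificateKeyFile /etc/ssl/idp.key
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData
    ProxyPass /idp ajp://localhost:8009/idp
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_backchannel_vhost(cfg) or "OK")
```

Without SSLVerifyClient the handshake on 8443 succeeds but carries no client certificate, which is exactly the state in which the IdP logs "Inbound message issuer was not authenticated": nothing reached the trust engine to evaluate.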

david t

Jul 27, 2009, 9:19:32 AM
to shibbole...@internet2.edu
I tried changing my Apache config and added optional_no_ca (my test IdP: Vista, Apache 2.2 with Tomcat 5.5 -> ProxyPass, JRE 1.6).
Now I have another error (I am making progress, I suppose ;) )
In my IdP log:
------------------------------------------------------------
DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:258] - Attempting to retrieve PKIX validation info from metadata for entity: http://mysp/secure
DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:565] - Attempting to retrieve PKIX validation info from cache for Extensions with EntitiesDescriptor parent: urn:mace:shibboleth:mysp
 DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:576] - Read lock over cache acquired
 DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:587] - Read lock over cache released
 DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:589] - Unable to retrieve PKIX validation info from cache using index: org.opensaml.saml2.common.impl.ExtensionsImpl@8697ce
 DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:327] - Resolving PKIX validation info for Extensions with EntitiesDescriptor parent: urn:mace:shibboleth:mysp
ERROR [org.opensaml.ws.security.provider.BaseTrustEngineRule:105] - There was an error evaluating the request's token using the trust engine
org.opensaml.xml.security.SecurityException: Error extracting certificates from KeyAuthority KeyInfo
....
Caused by: java.security.cert.CertificateException: Unable to decode X.509 certificates
....
Caused by: java.security.KeyStoreException: failed to extract any certificates or private keys - maybe bad password?
...
ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:171] - Message did not meet security requirements
-------------------------------------------------------------------
 
I suppose I am not using the right keystore file. Which X.509 certificate is it failing to decode? Is it the IdP's server certificate, the IdP certificate used for signing, or maybe an SP certificate used for signing?
Because I use Apache for SSL, I changed the Connector tag in my server.xml file like this (probably wrong, but I tried...):
----------------
  <Connector port="8009"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3"
      keystoreFile="mypath/credentials/idp.jks"
      keystorePass="PASSWORD"
      truststoreFile="mypath/credentials/idp.jks"
      truststorePass="PASSWORD"
      truststoreAlgorithm="DelegateToApplication"/>
----------------
So where must I configure the keystore path?
Which certificates have to be put in it?
And is that enough to make it work? :)
 
Thanks a lot for your help
 
David
 



davidf...@yahoo.fr

Jul 27, 2009, 11:54:58 AM
to shibbole...@internet2.edu

Maybe something is wrong in my metadata; from the log (before the keystore error):
----------------------------------------------------
eth.common.security.MetadataPKIXValidationInformationResolver:547] - Unable to retrieve PKIX validation info from cache using index: [http://mysp/secure,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:1.1:protocol,SIGNING]

DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:258] - Attempting to retrieve PKIX validation info from metadata for entity: http://mysp/secure
DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:565] - Attempting to retrieve PKIX validation info from cache for Extensions with EntitiesDescriptor parent: urn:mace:shibboleth:name

DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:576] - Read lock over cache acquired
DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:587] - Read lock over cache released
DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:589] - Unable to retrieve PKIX validation info from cache using index: org.opensaml.saml2.common.impl.ExtensionsImpl@19d5fe6
DEBUG [edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver:327] - Resolving PKIX validation info for Extensions with EntitiesDescriptor parent: urn:mace:shibboleth:name

ERROR [org.opensaml.ws.security.provider.BaseTrustEngineRule:105] - There was an error evaluating the request's token using the trust engine
org.opensaml.xml.security.SecurityException: Error extracting certificates from KeyAuthority KeyInfo
-------------------------------------

I use a version 1.3 metadata file (metadata.xml) like this:

In the relying-party file:
-----------------------------------
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">

<!-- Load the IdP's own metadata. This is necessary for artifact support. -->
<MetadataProvider id="IdPMD" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" >
<MetadataResource xsi:type="resource:FilesystemResource" file="E:\mypath\shibboleth-idp/metadata/idp-metadata.xml" />
</MetadataProvider>

<MetadataProvider xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
id="entdescel"
metadataFile="E:/mypath/metadata/metadata.xml" />

....
------------------
and my metadata file (format 1.3; it works with my IdP 1.3...) is like this:
---------------------------------
<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
Name="urn:mace:shibboleth:name"
validUntil="2010-01-01T00:00:00Z">
<Extensions>
<shibmd:KeyAuthority xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" VerifyDepth="5">
<!-- ROOT CA -->
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
....

</ds:KeyInfo>
</shibmd:KeyAuthority>
</Extensions>

<EntityDescriptor entityID="http://mysp/secure">

<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>sp.com</ds:KeyName>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://mysp/secure/Shibboleth.sso/SAML/POST" index="1" isDefault="true"></AssertionConsumerService>
</SPSSODescriptor>

<ContactPerson contactType="technical">
<SurName>Technical contact</SurName>
<EmailAddress>technica...@e.com</EmailAddress>
</ContactPerson>
<ContactPerson contactType="administrative">
<SurName>Administrative contact</SurName>
<EmailAddress>technica...@e.com</EmailAddress>
</ContactPerson>

</EntityDescriptor>

</EntitiesDescriptor>
-----------------------------------
Authentication works, so the IdP finds my metadata file but doesn't find the certificate?
Why?
I need help.

David

Scott Cantor

Jul 27, 2009, 12:06:38 PM
to shibbole...@internet2.edu
> <Extensions>
> <shibmd:KeyAuthority
> xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" VerifyDepth="5">
> <!-- ROOT CA -->
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> ....
>
> </ds:KeyInfo>
> </shibmd:KeyAuthority>
> </Extensions>

Unless you know what you're doing (and if you did you wouldn't need to ask
about this), please do NOT use PKIX-based trust or that extension. You need
to put the peer's certificate into a KeyDescriptor in the SP or IdP role
itself.

-- Scott


davidf...@yahoo.fr

Jul 28, 2009, 4:07:08 AM
to shibbole...@internet2.edu
It works.
Below are the elements I modified, for those who make the same kinds of mistakes:

There were two errors:

1 - Certificate error -> I forgot to put these lines in my Apache configuration:
------------------------------
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData
---------------------------------

2 - The IdP could not find my certificate in my metadata file -> the old 1.3 metadata file does not seem compatible with the new IdP 2 version.
I put the certificate directly in the SP's descriptor, like this:

---------------------------------------------------------


<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

<Extensions>
<shibmd:Scope regexp="false">example.org</shibmd:Scope>
</Extensions>

<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>

MIICjzCCAf....

</ds:X509Certificate>
</ds:X509Data>


</ds:KeyInfo>
</KeyDescriptor>


<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://mysp/secure/Shibboleth.sso/SAML/POST" index="1" isDefault="true"></AssertionConsumerService>
</SPSSODescriptor>

------------------------------------------------------------

Thanks

David
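Scott's point (trust through a KeyDescriptor in the SP role, not a KeyAuthority extension) and David's fix are easy to check mechanically before restarting anything. The following Python is an added example, not code from this thread or from the Shibboleth project: it reads SAML metadata, reports per SP whether the signing KeyDescriptor carries an inline X509Certificate, only a KeyName (which needs PKIX/KeyAuthority resolution to mean anything), or nothing, and compares the fingerprint of a certificate presented on the back channel against that metadata. The metadata, the entityID http://mysp/fixed and the certificate bytes are constructed placeholders.

```python
"""Lint SAML metadata for the key material an IdP 2.x can use to authenticate an
SP on the back channel. Added example; metadata and certificate bytes are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; equal values for the metadata cert and the
    presented cert mean they are the same certificate."""
    return hashlib.sha256(der).hexdigest()


def lint_sp_trust(metadata_xml: str) -> Dict[str, dict]:
    """Return, per SP entityID, what key material its metadata actually carries."""
    root = ET.fromstring(metadata_xml)
    # A KeyAuthority at EntitiesDescriptor level means PKIX-style trust, which
    # the thread advises against relying on.
    key_authority = root.find("md:Extensions/shibmd:KeyAuthority", NS) is not None
    reports = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue
        fingerprints: List[str] = []
        key_names: List[str] = []
        for kd in sp.findall("md:KeyDescriptor", NS):
            # No 'use' attribute means the key serves both signing and encryption.
            if kd.get("use") not in (None, "signing"):
                continue
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join((c.text or "").split()))
                fingerprints.append(cert_fingerprint(der))
            for kn in kd.findall("ds:KeyInfo/ds:KeyName", NS):
                key_names.append((kn.text or "").strip())
        if fingerprints:
            status = "inline-cert"      # explicit-key trust: what the fix in this thread uses
        elif key_names:
            status = "keyname-only"     # only usable through KeyAuthority/PKIX resolution
        else:
            status = "no-key"
        reports[ed.get("entityID")] = {
            "status": status,
            "fingerprints": fingerprints,
            "key_names": key_names,
            "key_authority_present": key_authority,
        }
    return reports


def presented_cert_is_trusted(report: dict, presented_der: bytes) -> bool:
    """Explicit-key check: the cert the SP presented must appear in its own metadata."""
    return cert_fingerprint(presented_der) in report["fingerprints"]


# Constructed placeholder bytes standing in for a DER-encoded certificate.
CONSTRUCTED_DER = b"constructed placeholder, not a real X.509 certificate"
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_DER).decode()

# Constructed metadata: the first SP mirrors the KeyName-only KeyDescriptor from
# earlier in the thread, the second mirrors the fix with the certificate inline.
SAMPLE_METADATA = """
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" Name="urn:mace:shibboleth:name">
  <Extensions>
    <shibmd:KeyAuthority VerifyDepth="5"><ds:KeyInfo/></shibmd:KeyAuthority>
  </Extensions>
  <EntityDescriptor entityID="http://mysp/secure">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>sp.com</ds:KeyName></ds:KeyInfo></KeyDescriptor>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="http://mysp/fixed">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CERT_B64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
""".replace("CERT_B64", CONSTRUCTED_B64)

if __name__ == "__main__":
    for entity_id, report in lint_sp_trust(SAMPLE_METADATA).items():
        print(entity_id, report["status"], "trusted:",
              presented_cert_is_trusted(report, CONSTRUCTED_DER))
```

A KeyName-only descriptor is what the IdP's log above was trying to resolve through the KeyAuthority; with the certificate inline the trust engine can match the presented certificate directly, which is the fix David reports.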

Nick Howes

Jul 29, 2009, 5:23:31 AM
to shibbole...@internet2.edu
Slight thread hijacking here, but it is the same error with the same
combination of IdP and SP versions.

I am having a similar problem with my 2.1 IdP, though the 1.3 SP is not
ours. Other similarly configured SAML1 SPs are successfully fetching
attributes by providing a client certificate, so I'm fairly confident
that our Apache is set up correctly - besides that, it used to work with
this SP. We're trying to pinpoint what's changed.

Our only changes since it was last known to work were upgrading from 2.0
to 2.1, and more recently adding a MetadataFilter to remove IdPs from
the UK federation metadata.

I have just noticed one other SP in the logs with the same error, not
providing a certificate - which makes me less sure that it's an SP
issue. On the other hand, the first SP mentioned is having similar
problems with other IdPs so it could just be two SPs with the same problem.

Any hints on where to look? Can this error come up when the SP's
certificate has expired?

Chad La Joie

Jul 29, 2009, 7:04:47 AM
to shibbole...@internet2.edu
The only issue you might have with the IdP directly (that is, the IdP
software and not the container or Apache) is to have metadata whose
attribute authority URLs are wrong. If other SPs are working with the
IdP then that's not likely to be the case. There is no way to
configure the IdP such that it doesn't accept certificates from one
relying party while denying them from others.
