[Shib-Users] Problems Verifying IdP Metadata Signature

Daniel McCallum

Nov 16, 2009, 7:18:15 PM
to shibbole...@internet2.edu
Hello,

We're having difficulty verifying IdP metadata using a MetadataFilter
of type Signature in a 2.2.1 SP. shibd and samlsign both fail to
validate the signature and both generate the same error. The
MetadataProvider is configured to download the metadata document from an
https URL. Other SPs integrated with the same IdP and theoretically
running the same SP library versions do not report this problem. With
IdP metadata signature validation disabled, the SP integrates perfectly
with that IdP.

This is 64-bit CentOS:

$ cat /etc/redhat-release
CentOS release 5 (Final)
$ uname -a
Linux qa-sakaipilot.unc.edu 2.6.18-xenU-ec2-v1.0 #2 SMP Mon Feb 18
14:28:43 UTC 2008 x86_64 x86_64 x86_64 GNU/Linux

We've tried both RPMs and building from source with the same result.

Here are logs and configuration, starting with the actual errors from
the shibd log.

Thank you.

- Dan

== Start error from shibd logs ==
2009-11-10 15:03:51 WARN OpenSAML.MetadataFilter.Signature : filtering
out group at root of instance after failed signature check:
CredentialResolver did not supply a successful verification key.
2009-11-10 15:03:51 CRIT OpenSAML.Metadata.Chaining : failure
initializing MetadataProvider: SignatureMetadataFilter unable to verify
signature at root of metadata instance.
== End error from shibd logs ==

== Start full shibd log ==
2009-11-10 15:03:51 INFO Shibboleth.Config : Library versions: Xerces-C
3.0.1, XML-Security-C 1.5.1, XMLTooling-C 1.2.1, OpenSAML-C 2.2.1,
Shibboleth 1.2.1
2009-11-10 15:03:51 INFO Shibboleth.Config : building ListenerService of
type UnixListener...
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (set::RelayState)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (get::RelayState)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (set::PostData)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (get::PostData)
2009-11-10 15:03:51 INFO Shibboleth.Config : building StorageService
(mem) of type Memory...
2009-11-10 15:03:51 INFO Shibboleth.Config : building ReplayCache on top
of StorageService (mem)...
2009-11-10 15:03:51 INFO Shibboleth.Config : building in-memory
ArtifactMap...
2009-11-10 15:03:51 INFO Shibboleth.Config : building SessionCache of
type StorageService...
2009-11-10 15:03:51 INFO Shibboleth.SessionCache : bound to
StorageService (mem)
2009-11-10 15:03:51 INFO Shibboleth.SessionCache : No StorageServiceLite
specified. Using standard StorageService.
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (find::StorageService::SessionCache)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (remove::StorageService::SessionCache)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (touch::StorageService::SessionCache)
2009-11-10 15:03:51 INFO OpenSAML.SecurityPolicyRule.Conditions :
building SecurityPolicyRule of type Audience
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (run::AssertionLookup)
2009-11-10 15:03:51 DEBUG Shibboleth.SessionInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.SessionInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-11-10 15:03:51 DEBUG Shibboleth.SessionInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-11-10 15:03:51 DEBUG Shibboleth.SessionInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Login::run::SAML2SI)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Login::run::Shib1SI)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML2/POST)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML2/POST-SimpleSign)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML2/Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML2/ECP)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML/POST)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SAML/Artifact)
2009-11-10 15:03:51 DEBUG Shibboleth.LogoutInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.LogoutInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-11-10 15:03:51 DEBUG Shibboleth.LogoutInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-11-10 15:03:51 DEBUG Shibboleth.LogoutInitiator.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Logout::run::SAML2LI)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Logout::run::LocalLI)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SLO/SOAP)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SLO/Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SLO/POST)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-11-10 15:03:51 DEBUG Shibboleth.Logout.SAML2 : supporting outgoing
binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/SLO/Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/NIM/SOAP)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/NIM/Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/NIM/POST)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2009-11-10 15:03:51 DEBUG Shibboleth.NameIDMgmt.SAML2 : supporting
outgoing binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/NIM/Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Metadata)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default/Status)
2009-11-10 15:03:51 INFO Shibboleth.Application : building
MetadataProvider of type Chaining...
2009-11-10 15:03:51 INFO OpenSAML.Metadata.Chaining : building
MetadataProvider of type XML
2009-11-10 15:03:51 INFO OpenSAML.Metadata : building MetadataFilter of
type RequireValidUntil
2009-11-10 15:03:51 INFO OpenSAML.Metadata : building MetadataFilter of
type Signature
2009-11-10 15:03:51 INFO XMLTooling.SecurityHelper : loading
certificate(s) from file (/etc/shibboleth/fedsigner.pem)
2009-11-10 15:03:51 DEBUG OpenSAML.MetadataProvider.XML : using remote
resource (https://sso-test.isis.unc.edu/metadata/unc)
2009-11-10 15:03:51 DEBUG OpenSAML.MetadataProvider.XML : backup remote
resource with (/var/run/shibboleth/federation-metadatatest.xml)
2009-11-10 15:03:51 DEBUG OpenSAML.MetadataProvider.XML : will reload
remote resource at most every 7200 seconds
2009-11-10 15:03:51 DEBUG OpenSAML.MetadataProvider.XML : loading
configuration from external resource...
2009-11-10 15:03:51 INFO XMLTooling.StorageService : cleanup thread
started...running every 900 seconds
2009-11-10 15:03:51 INFO OpenSAML.MetadataProvider.XML : loaded XML
resource (https://sso-test.isis.unc.edu/metadata/unc)
2009-11-10 15:03:51 DEBUG OpenSAML.MetadataProvider.XML : backing up
remote resource to (/var/run/shibboleth/federation-metadatatest.xml)
2009-11-10 15:03:51 INFO OpenSAML.Metadata : applying metadata filter
(RequireValidUntil)
2009-11-10 15:03:51 INFO OpenSAML.Metadata : applying metadata filter
(Signature)
2009-11-10 15:03:51 WARN OpenSAML.MetadataFilter.Signature : filtering
out group at root of instance after failed signature check:
CredentialResolver did not supply a successful verification key.
2009-11-10 15:03:51 CRIT OpenSAML.Metadata.Chaining : failure
initializing MetadataProvider: SignatureMetadataFilter unable to verify
signature at root of metadata instance.
2009-11-10 15:03:51 INFO Shibboleth.Application : building TrustEngine
of type Chaining...
2009-11-10 15:03:51 INFO XMLTooling.TrustEngine.Chaining : building
TrustEngine of type ExplicitKey
2009-11-10 15:03:51 INFO XMLTooling.TrustEngine.Chaining : building
TrustEngine of type PKIX
2009-11-10 15:03:51 INFO Shibboleth.Application : building
AttributeExtractor of type XML...
2009-11-10 15:03:51 DEBUG Shibboleth.AttributeExtractor.XML : using
local resource (/etc/shibboleth/attribute-map.xml), will monitor for changes
2009-11-10 15:03:51 DEBUG Shibboleth.AttributeExtractor.XML : loading
configuration from external resource...
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : loaded XML
resource (/etc/shibboleth/attribute-map.xml)
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.10411.3103.1.1.1.1
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:0.9.2342.19200300.100.1.1
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonPrincipalName
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.6
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.9
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonAffiliation
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.1
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonEntitlement
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.7
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.11
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:mace:dir:attribute-def:eduPersonTargetedID
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.10
2009-11-10 15:03:51 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2009-11-10 15:03:51 INFO Shibboleth.Application : building
AttributeFilter of type XML...
2009-11-10 15:03:51 DEBUG Shibboleth.AttributeFilter : using local
resource (/etc/shibboleth/attribute-policy.xml), will monitor for changes
2009-11-10 15:03:51 DEBUG Shibboleth.AttributeFilter : loading
configuration from external resource...
2009-11-10 15:03:51 INFO Shibboleth.AttributeFilter : loaded XML
resource (/etc/shibboleth/attribute-policy.xml)
2009-11-10 15:03:51 INFO Shibboleth.Application : building
AttributeResolver of type Query...
2009-11-10 15:03:51 INFO Shibboleth.Application : building
CredentialResolver of type File...
2009-11-10 15:03:51 INFO XMLTooling.SecurityHelper : loading private key
from file (/etc/shibboleth/sp-key.pem)
2009-11-10 15:03:51 DEBUG XMLTooling.SecurityHelper : key encoding
format for (/etc/shibboleth/sp-key.pem) dynamically resolved as (PEM)
2009-11-10 15:03:51 INFO XMLTooling.SecurityHelper : loading
certificate(s) from file (/etc/shibboleth/sp-cert.pem)
2009-11-10 15:03:51 INFO Shibboleth.Listener : registered remoted
message endpoint (default::getHeaders::Application)
2009-11-10 15:03:51 INFO Shibboleth.Listener : listener service starting
2009-11-10 15:35:31 DEBUG Shibboleth.Listener [1]: dispatching message
(default/Metadata)
2009-11-10 15:35:31 DEBUG Shibboleth.MetadataGenerator [1]: processing
metadata request
2009-11-10 15:35:37 DEBUG Shibboleth.Listener [1]: dispatching message
(default/Login::run::SAML2SI)
2009-11-10 15:35:37 WARN Shibboleth.SessionInitiator.SAML2 [1]: unable
to locate metadata for provider (https://sso-test.isis.unc.edu/idp)
2009-11-10 15:37:46 INFO Shibboleth.Listener : listener service shutting
down
2009-11-10 15:37:46 INFO Shibboleth.Config : shibboleth 2.2.1 library
shutting down
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default::getHeaders::Application)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (run::AssertionLookup)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/Login::run::SAML2SI)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/Login::run::Shib1SI)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SAML2/POST)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SAML2/POST-SimpleSign)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SAML2/Artifact)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SAML2/ECP)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SAML/POST)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SAML/Artifact)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/Logout::run::SAML2LI)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/Logout::run::LocalLI)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SLO/SOAP)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SLO/Redirect)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SLO/POST)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/SLO/Artifact)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/NIM/SOAP)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/NIM/Redirect)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/NIM/POST)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/NIM/Artifact)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/Metadata)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (default/Status)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (find::StorageService::SessionCache)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (remove::StorageService::SessionCache)
2009-11-10 15:37:46 INFO Shibboleth.Listener : unregistered remoted
message endpoint (touch::StorageService::SessionCache)
2009-11-10 15:37:46 INFO XMLTooling.StorageService : cleanup thread finished
2009-11-10 15:37:46 INFO XMLTooling.XMLToolingConfig : xmltooling 1.2.2
library shutdown complete
2009-11-10 15:37:46 INFO OpenSAML.SAMLConfig : opensaml 2.2.1 library
shutdown complete
2009-11-10 15:37:46 INFO Shibboleth.Config : shibboleth 2.2.1 library
shutdown complete
== End full shibd log ==

== Start shibboleth2.xml ==
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">

<!-- The OutOfProcess section contains properties affecting the
shibd daemon. -->
<OutOfProcess logger="shibd.logger">
<!--
<Extensions>
<Library path="odbc-store.so" fatal="true"/>
</Extensions>
-->
</OutOfProcess>

<!-- The InProcess section contains settings affecting web server
modules/filters. -->
<InProcess logger="native.logger">
<!--ISAPI normalizeRequest="true" safeHeaderNames="true"-->
<!--
Maps IIS Instance ID values to the host scheme/name/port.
The name is
required so that the proper <Host> in the request map above
is found without
having to cover every possible DNS/IP combination the user
might enter.
-->
<!--Site id="1" name="qa-sakaipilot.unc.edu"/-->
<!--
When the port and scheme are omitted, the HTTP request's
port and scheme are used.
If these are wrong because of virtualization, they can be
explicitly set here to
ensure proper redirect generation.
-->
<!--
<Site id="42" name="qa-sakaipilot.unc.edu" scheme="https"
port="443"/>
-->
<!--/ISAPI-->
</InProcess>

<!-- Only one listener can be defined, to connect in-process
modules to shibd. -->
<UnixListener address="shibd.sock"/>
<!-- <TCPListener address="127.0.0.1" port="12345"
acl="127.0.0.1"/> -->

<!-- This set of components stores sessions and other persistent
data in daemon memory. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>

<!-- This set of components stores sessions and other persistent
data in an ODBC database. -->
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
<ConnectionString>
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
<SessionCache type="StorageService" StorageService="db"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="db"/>
<ArtifactMap StorageService="db" artifactTTL="180"/>
-->

<!-- To customize behavior, map hostnames and path
components to applicationId and other settings. -->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<!--
The example requires a session for documents in /secure on
the containing host with http and
https on the default ports. Note that the name and port in
the <Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site
name in the <ISAPI> element
below.
-->
<Host name="qa-sakaipilot.unc.edu">
<Path name="secure" authType="shibboleth"
requireSession="true"/>
</Host>
<!-- Example of a second vhost mapped to a different
applicationId. -->
<!--
<Host name="admin.example.org" applicationId="admin"
authType="shibboleth" requireSession="true"/>
-->
</RequestMap>
</RequestMapper>

<!--
The ApplicationDefaults element is where most of Shibboleth's SAML
bits are defined.
Resource requests are mapped by the RequestMapper to an
applicationId that
points into to this section.
-->
<ApplicationDefaults id="default" policyId="default"
entityID="https://qa-sakaipilot.unc.edu/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false">

<!--
Controls session lifetimes, address checks, cookie handling,
and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each
of your applications.
The value can be a relative path, a URL with no hostname
(https:///path) or a full URL.
The system can compute a relative value based on the virtual
host. Using handlerSSL="true"
will force the protocol to be https. You should also add a
cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to
"false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is
much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false"
exportLocation="https://qa-sakaipilot.unc.edu/Shibboleth.sso/GetAssertion"
exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">

<!--
SessionInitiators handle session requests and relay them to
a Discovery page,
or to an IdP if possible. Automatic session setup will use
the default or first
element (or requireSessionWith can specify a specific id to
use).
-->

<!-- Default example directs to a specific IdP's SSO
service (favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login"
isDefault="true" id="Intranet"
relayState="cookie"
entityID="https://sso-test.isis.unc.edu/idp">
<SessionInitiator type="SAML2" defaultACSIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>
<!-- An example using an old-style WAYF, which means Shib 1
only unless an entityID is provided. -->
<!--SessionInitiator type="Chaining" Location="/WAYF"
id="WAYF" relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
<SessionInitiator type="WAYF" defaultACSIndex="5"
URL="https://wayf.example.org/WAYF"/>
</SessionInitiator-->

<!-- An example supporting the new-style of discovery
service. -->
<!--SessionInitiator type="Chaining" Location="/DS" id="DS"
relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
<SessionInitiator type="SAMLDS"
URL="https://ds.example.org/DS/WAYF"/>
</SessionInitiator-->

<!--
md:AssertionConsumerService locations handle specific SSO
protocol bindings,
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault
and index attributes
are used when sessions are initiated to determine how to
tell the IdP where and
how to return the response.
-->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService
Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact"
index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact"
index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

<!-- LogoutInitiators enable SP-initiated local or
global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout"
relayState="cookie">
<LogoutInitiator type="SAML2"
template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>

<!-- md:SingleLogoutService locations handle single logout
(SLO) protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

<!-- md:ManageNameIDService locations handle NameID
management (NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

<!--
md:ArtifactResolutionService locations resolve artifacts
issued when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages,
generally uses SOAP.
-->
<md:ArtifactResolutionService Location="/Artifact/SOAP"
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

<!-- Extension service that generates "approximate"
metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>

<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>

<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session"
showAttributeValues="false"/>

</Sessions>

<!--
You should customize these pages! You can add attributes with
values that can be plugged
into your templates. You can remove the access attribute to
cause the module to return a
standard 403 Forbidden error code if authorization fails, and
then customize that condition
using your web server.
-->
<Errors session="sessionError.html"
metadata="metadataError.html"
access="accessError.html"
ssl="sslError.html"
localLogout="localLogout.html"
globalLogout="globalLogout.html"
supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>

<!-- Uncomment and modify to tweak settings for specific IdPs
or groups. -->
<!-- <RelyingParty Name="SpecialFederation"
keyName="SpecialKey"/> -->

<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<!-- Example of remotely supplied batch of signed metadata. -->
<MetadataProvider type="XML"
uri="https://sso-test.isis.unc.edu/metadata/unc"
backingFilePath="federation-metadatatest.xml"
reloadInterval="7200">
<MetadataFilter type="RequireValidUntil"
maxValidityInterval="2419200"/>
<MetadataFilter type="Signature"
certificate="fedsigner.pem"/>
</MetadataProvider>

<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
</MetadataProvider>

<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>

<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" path="attribute-map.xml"/>

<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query"/>

<!-- Default filtering policy for recognized attributes, lets
other data pass. -->
<AttributeFilter type="XML" path="attribute-policy.xml"/>

<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem"
certificate="sp-cert.pem"/>

<!-- Example of a second application (using a second vhost)
that has a different entityID. -->
<!-- <ApplicationOverride id="admin"
entityID="https://admin.example.org/shibboleth"/> -->

</ApplicationDefaults>

<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
<!--
The predefined policy enforces replay/freshness, standard
condition processing, and permits signing and client TLS.
-->
<Policy id="default" validate="false">
<PolicyRule type="MessageFlow" checkReplay="true"
expires="60"/>
<PolicyRule type="Conditions">
<PolicyRule type="Audience"/>
<!-- Enable Delegation rule to permit delegated access. -->
<!-- <PolicyRule type="Delegation"/> -->
</PolicyRule>
<PolicyRule type="ClientCertAuth" errorFatal="true"/>
<PolicyRule type="XMLSigning" errorFatal="true"/>
<PolicyRule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>

</SPConfig>
== End shibboleth2.xml ==

== Start /etc/shibboleth/fedsigner.pem ==
== End /etc/shibboleth/fedsigner.pem ==

Scott Cantor

Nov 16, 2009, 8:18:57 PM11/16/09
to shibbole...@internet2.edu
> https URL. Other SPs integrated with the same IdP and theoretically
> running the same SP library versions do not report this problem.

"Theoretically" is a pretty loose term. If it works on other CentOS 5, then
I guess I'd say the bytes you're verifying aren't the same and the network
trip is corrupting it. Common sense stuff, in other words.

> Here are logs and configuration, starting with the actual errors from
> the shibd log.

None of that is relevant, nor is the error, that's generic.

-- Scott


Daniel McCallum

Nov 16, 2009, 8:30:18 PM11/16/09
to shibbole...@internet2.edu

Scott Cantor wrote:
>> https URL. Other SPs integrated with the same IdP and theoretically
>> running the same SP library versions do not report this problem.
>
> "Theoretically" is a pretty loose term. If it works on other CentOS 5, then
> I guess I'd say the bytes you're verifying aren't the same and the network
> trip is corrupting it. Common sense stuff, in other words.

I intentionally used the word "theoretically" b/c hearsay is all I have
to go on at the moment. That said, I do know this does _not_ work on
other CentOS 5 instances. We've been thinking for a while that this is a
library version mismatch issue, but if the list has insight into where
exactly the incompatibility might lurk, that would obviously be helpful.

>
>> Here are logs and configuration, starting with the actual errors from
>> the shibd log.
>
> None of that is relevant, nor is the error, that's generic.

Well, just trying to provide as much detail as possible.

>
> -- Scott
>
>

Scott Cantor

Nov 16, 2009, 8:42:01 PM11/16/09
to shibbole...@internet2.edu
Daniel McCallum wrote on 2009-11-16:
> I intentionally used the word "theoretically" b/c hearsay is all I have
> to go on at the moment. That said, I do know this does _not_ work on
> other CentOS 5 instances. We've been thinking for a while that this is a
> library version mismatch issue, but if the list has insight into where
> exactly the incompatibility might lurk, that would obviously be helpful.

Search the list and you'll find plenty of recent material in the last year.
I imagine you have a signer using a broken library and triggering an interop
bug related to the xml namespace.

-- Scott


Daniel McCallum

Nov 16, 2009, 9:10:50 PM11/16/09
to shibbole...@internet2.edu

Oh, we looked before posting, but the specific namespace issues like the
one described in http://bit.ly/2tu6gi didn't seem to apply in this case.
Will have another look through the archives in any event.

>
> -- Scott
>
>

Mike Jennings

Nov 17, 2009, 2:02:09 PM11/17/09
to shibbole...@internet2.edu
Scott,

I have installed tons of Shibboleth SPs in the past few years. I have
been working with Daniel to try to get them configured with our IdP.

Since he was having issues, I went and tried to do this myself, and
nothing works for me. I have installed CentOS 5.3 64 and 32 bit
editions and I continue to get the same errors that he is. I have other
boxes that are running Shibboleth SPs that are not having this issue
at all. I also have a CentOS 5.3 box running an old version of the SP
and this metadata signing does not happen either.

Is there a good way to turn up debugging on the logs to get more
information about what is happening during the signature validation
step? Any help you could provide would be much appreciated. I am doing
nothing different than I have done in the past, but something has
definitely changed.

Mike


==============================================================================
Mike Jennings
Identity Management Developer
University of North Carolina at Chapel Hill

Office: (919) 843-5013
Cell: (919) 599-5591
E-mail: mike_j...@unc.edu

Scott Cantor

Nov 17, 2009, 2:18:51 PM11/17/09
to shibbole...@internet2.edu
> Since he was having issues, I went and tried to do this myself, and
> nothing works for me. I have installed CentOS 5.3 64 and 32 bit
> editions and I continue to get the same errors that he is. I have other
> boxes that are running Shibboleth SPs that are not having this issue
> at all. I also have a CentOS 5.3 box running an old version of the SP
> and this metadata signing does not happen either.

I still believe this is likely a case of a broken signer, but I have nothing
to test. If you have a case of the same library versions with different
behavior on different platforms, that borders on the impossible unless the
openssl layer is involved. And I would always run to Java first either via
the IdP or Oxygen. Once that verifies, the picture clarifies.

> Is there a good way to turn up debugging on the logs to get more
> information about what is happening during the signature validation
> step?

No, it's not our code. The past threads discuss what's involved in getting
at digest material in those libraries. In C++ it requires a source change to
xml-security to get it to spit out hash input logs. In Java there's a log4j
category for it.

-- Scott


Scott Cantor

Nov 17, 2009, 2:49:20 PM11/17/09
to shibbole...@internet2.edu
Scott Cantor wrote on 2009-11-17:
> No, it's not our code. The past threads discuss what's involved in getting
> at digest material in those libraries. In C++ it requires a source change to
> xml-security to get it to spit out hash input logs. In Java there's a log4j
> category for it.

Documented here:

https://spaces.internet2.edu/display/SHIB2/Troubleshooting+Signatures

There are no good or easy answers here, sorry.

-- Scott


Mike Jennings

Nov 17, 2009, 4:19:38 PM11/17/09
to shibbole...@internet2.edu
Scott,

Without any change to my signature files or configuration I finally got
it to work, even though I don't really like this solution.

I remember that the last time I tried to install an rpm Shibboleth
installation, it was when the rpms were hosted on internet2. I decided
to go and download the RHEL/CentOS rpms from an archived version, which
was here.
http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/archive/2.2/RPMS/x86_64/RHE/5/

Once I used those, everything worked great.

Now I am kinda wondering what the build process is for creating the
CentOS and RedHat rpms in this new location. I would be interested in
rebuilding the rpms the way it was originally done, where CentOS and
RedHat used the same rpms, so that I could see if that fixes my problem.

Mike Jennings


==============================================================================
Mike Jennings
Identity Management Developer
University of North Carolina at Chapel Hill

Scott Cantor

Nov 17, 2009, 4:34:20 PM11/17/09
to shibbole...@internet2.edu
> Without any change to my signature files or configuration I finally got
> it to work, even though I don't really like this solution.

You'd be running a version that's not supported, and with known
vulnerabilities, to start with.



> I remember that the last time I tried to install an rpm Shibboleth
> installation, it was when the rpms were hosted on internet2. I decided
> to go and download the RHEL/CentOS rpms from an archived version, which
> was here.

That isn't the last version built by me, 2.2.1 is.



> Once I used those, everything worked great.

You're probably propagating the signer's bug to the other end.

> Now I am kinda wondering what the build process is for creating the
> CentOS and RedHat rpms in this new location.

The process is the same, just automated. It's the same source.

> I would be interested in
> rebuilding the rpms the way it was originally done, where CentOS and
> RedHat used the same rpms, so that I could see if that fixes my problem.

The SRPMs are right there.

I'd start by swapping in xml-security-1.5.1 for 1.5.0 and see if it
continues to work.

-- Scott


Scott Cantor

Nov 17, 2009, 4:50:36 PM11/17/09
to shibbole...@internet2.edu
Also, if you have something that's produced with either non-Shibboleth code,
the project Java source, or supported SP code (i.e. 2.3 and the associated
library set), and it doesn't verify with 2.3, then you should file a bug and
attach the sample.

-- Scott


Mike Jennings

Nov 17, 2009, 4:44:31 PM11/17/09
to shibbole...@internet2.edu
Yeah, I just upgraded to the newer xml-security-c-1.5.1-4.1
version and everything still works just fine for me.

I will go through and build the rpms from the source rpms and see if
that starts working for me.

Mike


==============================================================================
Mike Jennings
Identity Management Developer
University of North Carolina at Chapel Hill
