I’m adding a Signature metadata filter for my SP. I changed the key and certificate in my test IDP to do this test. I was unable to get the IDP to generate the new metadata so I put the new public key in the old metadata. Without the filter, it works. With the filter I’m getting this error.
2011-10-03 07:00:01 WARN OpenSAML.MetadataFilter.Signature : filtering out group at root of instance after failed signature check: Root metadata element was unsigned.
2011-10-03 07:00:01 CRIT Shibboleth.Application : error initializing MetadataProvider: SignatureMetadataFilter unable to verify signature at root of metadata instance.
I’m trying to figure out where the problem might be. The Filter looks like this:
<MetadataProvider type="XML" uri="http://localhost:8080/saml-metadata/smd"
                  backingFilePath="saml-metadata.xml" reloadInterval="60">
    <MetadataFilter type="Signature" verifyName="false">
        <TrustEngine type="StaticPKIX" verifyDepth="5" checkRevocation="entityOnly">
            <CredentialResolver type="Chaining">
                <CredentialResolver type="File">
                    <Certificate format="PKCS12" password="apsswrd">
                        <Path>/etc/shibboleth/credentials/ec2idp.pfx</Path>
                    </Certificate>
                </CredentialResolver>
            </CredentialResolver>
        </TrustEngine>
    </MetadataFilter>
</MetadataProvider>
The cert CN matches the entity ID. I’m not sure what to look for with this or which parts of the logger I should turn on.
Thanks,
Jonathan Bricker
Senior Software Engineer
ExactTarget
Office | 317.524.2789
Mobile | 317.435.0763
U.S. Technical Support | 866.558.9823
International Technical Support | +1.317.275.5483
Email | jbri...@exacttarget.com
Exactly how did you try to "get the IDP to generate the new metadata"?
The IdP has no facility to update its own metadata (the example one
generated during installation as a starting point).
-peter
<metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
    <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="/opt/shibboleth-idp/metadata/idp-metadata.xml" />
</metadata:MetadataProvider>
> I changed the key and certificate in my test IDP to do this test.
> I was unable to get the IDP to generate the new metadata so I put the new
> public key in the old metadata.
The signature filter pertains to the key used to sign the metadata, not
the key "in" the metadata.
> Without the filter, it works. With the filter I'm getting this
> error.
The metadata isn't signed. I'm not sure what the message could say to make
that clear.
-- Scott
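The distinction Scott draws (a certificate carried inside a KeyDescriptor versus an enveloped ds:Signature on the root element) is easy to check by hand before pointing the SP at the file. The script below is an added illustration, not code from the Shibboleth project or from anyone in this thread; both metadata documents are constructed samples with placeholder certificate, digest and signature values, and the entityID is invented. It only inspects structure, which is the first test the SignatureMetadataFilter applies ("Root metadata element was unsigned"); it does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not real IdP output): an EntityDescriptor that carries a
# signing certificate in a KeyDescriptor but has no ds:Signature child on the root.
# This matches the situation in the thread: a key "in" the metadata, no signature.
UNSIGNED_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: the same document with an enveloped XML signature on the
# root element. DigestValue and SignatureValue are placeholders; the check below
# looks at structure only.
SIGNED_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     ID="_md1" entityID="https://idp.example.org/idp/shibboleth">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_md1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_metadata(xml_text):
    """Report whether the root element has a direct ds:Signature child whose
    Reference points at the root itself, and how many certificates sit inside
    KeyDescriptor elements. A certificate in a KeyDescriptor says nothing about
    whether the document is signed; only the root-level Signature does."""
    root = ET.fromstring(xml_text)
    sig = root.find("{%s}Signature" % NS_DS)  # direct child of the root only
    covers_root = False
    if sig is not None:
        root_id = root.get("ID")
        for ref in sig.iter("{%s}Reference" % NS_DS):
            uri = ref.get("URI", "")
            # URI="" means the whole document; "#<ID>" names the root by its ID.
            if uri == "" or (root_id and uri == "#" + root_id):
                covers_root = True
    certs = [
        c for kd in root.iter("{%s}KeyDescriptor" % NS_MD)
        for c in kd.iter("{%s}X509Certificate" % NS_DS)
    ]
    return {
        "root_signed": sig is not None,
        "reference_covers_root": covers_root,
        "keydescriptor_certs": len(certs),
    }


if __name__ == "__main__":
    for label, doc in (("unsigned", UNSIGNED_METADATA), ("signed", SIGNED_METADATA)):
        print(label, inspect_metadata(doc))
```

Run against the unsigned sample it reports one KeyDescriptor certificate and no root signature, which is exactly the state the SP rejected; the signed sample reports a root signature whose Reference covers the root. Passing this structural check is necessary but not sufficient: the SP still has to verify the signature against the certificate configured in the filter's TrustEngine, and that certificate has to belong to whoever signed the metadata, not to the IdP's SAML signing key.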
-----Original Message-----
From: users-...@shibboleth.net [mailto:users-...@shibboleth.net] On Behalf Of Cantor, Scott
Sent: Monday, October 03, 2011 4:17 PM
To: us...@shibboleth.net
Subject: Re: metadata signature
The IdP does not sign metadata, but there are many tools that do, e.g.
https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManCPPsamlsign
https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool
-peter